Flow-Based Intrusion Detection for SCADA networks using Supervised Learning

  • Gabriel Vasquez (UEL)
  • Rodrigo S. Miani (UFU)
  • Bruno B. Zarpelão (UEL)

Abstract

Recent attacks on industrial networks have raised the question of how to protect them, given the importance of the equipment they control. In this paper, we address the application of Machine Learning (ML) algorithms to build an Intrusion Detection System (IDS) for these networks. Because network traffic usually contains far fewer malicious packets than normal ones, class imbalance is a key characteristic of intrusion detection problems and can be a challenge for ML algorithms. We therefore study the performance of nine different ML algorithms in classifying the IP flows of an industrial network, analyzing the impact of class imbalance on the results. The algorithms were evaluated using F1-Score and Averaged Accuracy as the main metrics. Our experiments showed that the three algorithms based on decision trees were superior to the others; in particular, the Decision Jungle algorithm outperformed all the others.
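As an added illustration (not from the paper) of why the abstract pairs F1-Score with an averaged accuracy instead of plain accuracy: on a constructed set of 1000 flow labels with only 20 attack flows, a baseline that calls every flow normal scores 98% accuracy yet 0 F1. The dataset, the two classifiers and the balanced-accuracy (mean per-class recall) reading of "Averaged Accuracy" are all assumptions of this example.

```python
# Constructed example: metric behaviour on an imbalanced set of IP-flow labels.
# Label 1 = attack flow, label 0 = normal flow. All values are made up.

def confusion(y_true, y_pred):
    """Return (tp, fp, fn, tn) with label 1 (attack flow) as the positive class."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    return tp, fp, fn, tn

def f1_score(y_true, y_pred):
    """F1 = 2TP / (2TP + FP + FN); defined as 0.0 when no attack flow is detected."""
    tp, fp, fn, _ = confusion(y_true, y_pred)
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)

def accuracy(y_true, y_pred):
    """Plain accuracy: fraction of flows labelled correctly, dominated by the majority class."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)

def balanced_accuracy(y_true, y_pred):
    """Mean of per-class recall (attack recall and normal recall).
    Assumption: used here as the reading of the paper's 'Averaged Accuracy'."""
    tp, fp, fn, tn = confusion(y_true, y_pred)
    return (tp / (tp + fn) + tn / (tn + fp)) / 2

def build_dataset():
    """1000 constructed flow labels: 980 normal, 20 attack (2% positive rate)."""
    return [0] * 980 + [1] * 20

def majority_classifier(y_true):
    """Baseline that labels every flow as normal."""
    return [0] * len(y_true)

def detector(y_true):
    """Hypothetical detector: 10 false alarms on normal flows, catches 16 of 20 attacks."""
    preds, seen_normal, seen_attack = [], 0, 0
    for t in y_true:
        if t == 0:
            preds.append(1 if seen_normal < 10 else 0)
            seen_normal += 1
        else:
            preds.append(1 if seen_attack < 16 else 0)
            seen_attack += 1
    return preds

def evaluate(y_true, y_pred):
    """All three metrics for one set of predictions."""
    return {"accuracy": accuracy(y_true, y_pred),
            "f1": f1_score(y_true, y_pred),
            "balanced_accuracy": balanced_accuracy(y_true, y_pred)}
```

Running `evaluate(build_dataset(), majority_classifier(build_dataset()))` and the same with `detector` shows the baseline and the detector separated by only 0.6 points of accuracy but by 0.70 points of F1.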

Published
06/11/2017

How to Cite

VASQUEZ, Gabriel; MIANI, Rodrigo S.; ZARPELÃO, Bruno B. Flow-Based Intrusion Detection for SCADA networks using Supervised Learning. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 168-181. DOI: https://doi.org/10.5753/sbseg.2017.19498.