Conference papers

Detecting Process-Aware Attacks in Sequential Control Systems

Oualid Koucham 1, 2, * Stéphane Mocanu 1, 3, 4 Guillaume Hiet 5 Jean-Marc Thiriet 2 Frédéric Majorczyk 6, 5
* Corresponding author
2 GIPSA-SAIGA - GIPSA - Signal et Automatique pour la surveillance, le diagnostic et la biomécanique
GIPSA-DA - Département Automatique, GIPSA-DIS - Département Images et Signal
3 CTRL-A - Control for Autonomic computing systems
Inria Grenoble - Rhône-Alpes, LIG - Laboratoire d'Informatique de Grenoble
5 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical, nor sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization remains an open problem. This paper focuses on process-aware attack detection in sequential control systems. We build on results from runtime verification and specification mining to automatically infer and monitor process specifications. Such specifications are represented by sets of temporal safety properties over states and events corresponding to sensors and actuators. The properties are then synthesized as monitors which report violations on execution traces. We develop an efficient specification mining algorithm and use filtering rules to handle the large number of mined properties. Furthermore, we introduce the notion of activity and discuss its relevance to both specification mining and attack detection in the context of sequential control systems. The proposed approach is evaluated in a hardware-in-the-loop setting subject to targeted process-aware attacks. Overall, due to the explicit handling of process variables, the solution provides a better characterization of the alerts and a more meaningful understanding of false positives.
Contributor: Guillaume Hiet
Submitted on: Tuesday, September 6, 2016 - 4:17:50 PM
Last modification on: Wednesday, November 3, 2021 - 5:09:20 AM



Oualid Koucham, Stéphane Mocanu, Guillaume Hiet, Jean-Marc Thiriet, Frédéric Majorczyk. Detecting Process-Aware Attacks in Sequential Control Systems. 21st Nordic Conference on Secure IT Systems (NordSec 2016), Nov 2016, Oulu, Finland. p.20-36, ⟨10.1007/978-3-319-47560-8_2⟩. ⟨hal-01361081⟩


