Detecting Process-Aware Attacks in Sequential Control Systems - Archive ouverte HAL Access content directly
Conference Papers Year :

Detecting Process-Aware Attacks in Sequential Control Systems

(1, 2) , (1, 3, 4) , (5) , (2) , (6, 5)
1
2
3
4
5
6

Abstract

Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical, nor sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization remains an open problem. This paper focuses on process-aware attacks detection in sequential control systems. We build on results from runtime verification and specification mining to automatically infer and monitor process specifications. Such specifications are represented by sets of temporal safety properties over states and events corresponding to sensors and actuators. The properties are then synthesized as monitors which report violations on execution traces. We develop an efficient specification mining algorithm and use filtering rules to handle the large number of mined properties. Furthermore, we introduce the notion of activity and discuss its relevance to both specification mining and attack detection in the context of sequential control systems. The proposed approach is evaluated in a hardware-in-the-loop setting subject to targeted process-aware attacks. Overall, due to the explicit handling of process variables, the solution provides a better characterization of the alerts and a more meaningful understanding of false positives.
Not file

Dates and versions

hal-01361081 , version 1 (06-09-2016)

Identifiers

Cite

Oualid Koucham, Stéphane Mocanu, Guillaume Hiet, Jean-Marc Thiriet, Frédéric Majorczyk. Detecting Process-Aware Attacks in Sequential Control Systems. NordSec 2016 - 21st Nordic Conference on Secure IT Systems (NordSec 2016), Nov 2016, Oulu, Finland. p.20-36, ⟨10.1007/978-3-319-47560-8_2⟩. ⟨hal-01361081⟩
807 View
0 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More