Detecting Process-Aware Attacks in Sequential Control Systems

Oualid Koucham 1, 2, * Stéphane Mocanu 1 Guillaume Hiet 3 Jean-Marc Thiriet 2 Frédéric Majorczyk 4, 3
* Auteur correspondant
1 GIPSA-SYSCO - SYSCO
GIPSA-DA - Département Automatique
2 GIPSA-SAIGA - SAIGA
GIPSA-DA - Département Automatique, GIPSA-DIS - Département Images et Signal
3 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract : Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical, nor sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization remains an open problem. This paper focuses on process-aware attacks detection in sequential control systems. We build on results from runtime verification and specification mining to automatically infer and monitor process specifications. Such specifications are represented by sets of temporal safety properties over states and events corresponding to sensors and actuators. The properties are then synthesized as monitors which report violations on execution traces. We develop an efficient specification mining algorithm and use filtering rules to handle the large number of mined properties. Furthermore, we introduce the notion of activity and discuss its relevance to both specification mining and attack detection in the context of sequential control systems. The proposed approach is evaluated in a hardware-in-the-loop setting subject to targeted process-aware attacks. Overall, due to the explicit handling of process variables, the solution provides a better characterization of the alerts and a more meaningful understanding of false positives.
Type de document :
Communication dans un congrès
21st Nordic Conference on Secure IT Systems (NordSec 2016), Nov 2016, Oulu, Finland. 〈http://nordsec.oulu.fi〉
Liste complète des métadonnées

https://hal.inria.fr/hal-01361081
Contributeur : Guillaume Hiet <>
Soumis le : mardi 6 septembre 2016 - 16:17:50
Dernière modification le : mercredi 16 mai 2018 - 11:23:35

Identifiants

  • HAL Id : hal-01361081, version 1

Citation

Oualid Koucham, Stéphane Mocanu, Guillaume Hiet, Jean-Marc Thiriet, Frédéric Majorczyk. Detecting Process-Aware Attacks in Sequential Control Systems. 21st Nordic Conference on Secure IT Systems (NordSec 2016), Nov 2016, Oulu, Finland. 〈http://nordsec.oulu.fi〉. 〈hal-01361081〉

Partager

Métriques

Consultations de la notice

1587