
Network forensic analysis of electrical substation automation traffic

Abstract: The computations and input/output values of intelligent electronic devices that monitor and operate an electrical substation depend strongly on the state of the power system. This chapter presents an approach that correlates the physical parameters of an electrical substation with the network traffic that intelligent electronic devices send over a substation automation network. Normal network traffic in a substation automation network is modeled as a directed, weighted graph, yielding what is referred to as a model graph. Similar graph modeling is performed on unknown network traffic. The research problem of determining whether or not unknown network traffic is normal involves a subgraph isomorphism search algorithm. Normal network packets in unknown network traffic form a graph that is a subgraph of the model graph. In contrast, malware-generated network packets present in unknown network traffic produce a graph that is not a subgraph of the model graph. Time series analysis of network traffic is performed to estimate the weights of the edges in the graphs. This analysis enables the subgraph isomorphism search algorithm to find structural matches with portions of the model graph as well as matches with the timing characteristics of normal network traffic. The approach is validated using samples drawn from recent industrial control system malware campaigns.
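The abstract describes a detection pipeline in three parts: build a directed, weighted graph from normal traffic, build one from unknown traffic, and decide whether the second embeds in the first, with edge weights estimated from packet timing. The following is an added illustration of that pipeline and is not code from the paper. It assumes packets are already parsed into (timestamp, source, destination, message type) tuples, that each device has a known role label, that an edge weight is the mean inter-arrival time of packets on that (source, destination, message type) triple, and that a weight matches when it lies within a relative tolerance of the model weight. The embedding step is a plain backtracking search over role-labelled nodes, which is one way to realise a subgraph isomorphism check; the paper's own algorithm is not reproduced here. The sample traffic is constructed.

```python
from collections import defaultdict
from statistics import mean

# Assumed: accepted relative deviation of an observed mean inter-arrival time
# from the model's value before an edge is treated as a timing mismatch.
TOLERANCE = 0.25

_ABSENT = object()  # sentinel for "no such edge in the model graph"


def build_graph(packets, roles):
    """Build a directed weighted graph from (t, src, dst, msg_type) tuples.

    Nodes carry a role label (from `roles`); each edge is keyed by
    (src, dst, msg_type) and weighted by the mean inter-arrival time in
    seconds, or None when only one packet was seen on that edge.
    """
    times = defaultdict(list)
    for t, src, dst, msg in sorted(packets):
        times[(src, dst, msg)].append(t)
    edges = {}
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        edges[key] = mean(gaps) if gaps else None
    nodes = {n: roles[n] for key in edges for n in key[:2]}
    return nodes, edges


def weight_matches(w_model, w_obs, tol=TOLERANCE):
    """Timing comparison; with a single observation only structure is checked."""
    if w_obs is None or w_model is None:
        return True
    return abs(w_obs - w_model) <= tol * w_model


def find_embedding(model, unknown, tol=TOLERANCE):
    """Backtracking subgraph isomorphism search.

    Maps every node of `unknown` onto a distinct node of `model` with the same
    role so that every unknown edge lands on a model edge of the same message
    type with a compatible weight. Returns the node mapping, or None if the
    unknown graph is not a subgraph of the model graph.
    """
    m_nodes, m_edges = model
    u_nodes, u_edges = unknown
    u_list = sorted(u_nodes)

    def consistent(mapping):
        for (s, d, msg), w in u_edges.items():
            if s in mapping and d in mapping:
                mw = m_edges.get((mapping[s], mapping[d], msg), _ABSENT)
                if mw is _ABSENT or not weight_matches(mw, w, tol):
                    return False
        return True

    def extend(i, mapping):
        if i == len(u_list):
            return dict(mapping)
        u = u_list[i]
        for cand, role in m_nodes.items():
            if role == u_nodes[u] and cand not in mapping.values():
                mapping[u] = cand
                if consistent(mapping):
                    found = extend(i + 1, mapping)
                    if found is not None:
                        return found
                del mapping[u]
        return None

    return extend(0, {})


def unexplained_edges(model, unknown, tol=TOLERANCE):
    """Triage helper: unknown edges with no model edge of the same message type
    between the same roles and a compatible weight. Empty for normal traffic."""
    m_nodes, m_edges = model
    u_nodes, u_edges = unknown
    bad = []
    for (s, d, msg), w in u_edges.items():
        ok = any(m_nodes[ms] == u_nodes[s] and m_nodes[md] == u_nodes[d]
                 and weight_matches(mw, w, tol)
                 for (ms, md, mmsg), mw in m_edges.items() if mmsg == msg)
        if not ok:
            bad.append(((s, d, msg), w))
    return sorted(bad)


# ---- constructed sample data (not from any real substation) -----------------
ROLES = {"MU1": "merging_unit", "REL1": "relay", "BRK1": "breaker", "HMI1": "hmi",
         "MU7": "merging_unit", "REL7": "relay", "BRK7": "breaker"}


def periodic(src, dst, msg, period, count, start=0.0):
    return [(start + i * period, src, dst, msg) for i in range(count)]


# Normal traffic used to build the model graph.
NORMAL = (periodic("MU1", "REL1", "SV", 0.02, 50)
          + periodic("REL1", "BRK1", "GOOSE", 1.0, 10)
          + periodic("REL1", "HMI1", "MMS_report", 2.0, 5))

# Unknown traffic from another bay: same structure and timing, different devices.
BENIGN = (periodic("MU7", "REL7", "SV", 0.02, 30, start=3.0)
          + periodic("REL7", "BRK7", "GOOSE", 1.0, 6)
          + periodic("REL7", "HMI1", "MMS_report", 2.0, 4))

# Unknown traffic with a GOOSE rate ten times the model's and a message type
# (HMI-to-breaker write) the model graph never contained.
SUSPECT = (periodic("MU7", "REL7", "SV", 0.02, 30)
           + periodic("REL7", "BRK7", "GOOSE", 0.1, 60)
           + periodic("REL7", "HMI1", "MMS_report", 2.0, 4)
           + periodic("HMI1", "BRK7", "MMS_write", 0.5, 4))

if __name__ == "__main__":
    model = build_graph(NORMAL, ROLES)
    for name, capture in (("benign", BENIGN), ("suspect", SUSPECT)):
        g = build_graph(capture, ROLES)
        print(name, "embedding:", find_embedding(model, g))
        print(name, "unexplained:", unexplained_edges(model, g))
```

The mean inter-arrival time is deliberately the simplest weight estimate; a short burst on an otherwise periodic edge barely moves the mean, so a deployment would use a statistic that reflects the time series more faithfully, as the paper's time series analysis step intends.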
Document type: Conference papers

Cited literature: 8 references
Contributor: Hal Ifip
Submitted on: Wednesday, June 20, 2018 - 9:24:06 AM
Last modification on: Wednesday, June 20, 2018 - 11:46:01 AM
Long-term archiving on: Tuesday, September 25, 2018 - 7:34:57 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Megan Leierzapf, Julian Rrushi. Network forensic analysis of electrical substation automation traffic. 11th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2017, Arlington, VA, United States. pp.63-78, ⟨10.1007/978-3-319-70395-4_4⟩. ⟨hal-01819141⟩


