Exploiting Bro for Intrusion Detection in a SCADA System

Title: Exploiting Bro for Intrusion Detection in a SCADA System
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Udd, Robert; Asplund, Mikael; Nadjm-Tehrani, Simin; Kazemtabrizi, Mehrdad; Ekstedt, Mathias
Conference Name: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security
Date Published: May 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4288-9
Keywords: anomaly detection, Bro, compositionality, Human Behavior, IDS, IEC 60870-5-104, pubcrawl, Resiliency, SCADA, SCADA Systems Security
Abstract: Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects, make adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats and benign malconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC 60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as real-time response, were adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.
URL: https://dl.acm.org/doi/10.1145/2899015.2899028
DOI: 10.1145/2899015.2899028
Citation Key: udd_exploiting_2016
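As an added illustration of the structure the abstract describes (a protocol parser feeding an event-level anomaly detector), the block below is not the paper's code and not a Bro script; it re-creates the idea in plain Python so it runs offline. It parses IEC 60870-5-104 APDUs (APCI control fields, then the ASDU header and information object addresses) and applies a whitelist detector that first learns which ASDU tuples and IOAs appear in constructed "normal" traffic, then flags deviations. The small type-ID table, the learned features, the frame builder and all sample frames are assumptions made for this example; the paper's four attacks are not reproduced.

```python
"""Minimal IEC 60870-5-104 parser plus a whitelist-style anomaly detector.

Added example, not code from the paper or from Bro/Zeek. parse_apdu() plays
the role of the protocol analyzer, Detector.observe() the role of the event
handler that Bro scripts would implement. Frames below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

START = 0x68
# Bytes of one information element per ASDU type; a subset chosen for the example.
# 1=M_SP_NA_1 (SIQ), 13=M_ME_NF_1 (float+QDS), 45=C_SC_NA_1, 46=C_DC_NA_1, 100=C_IC_NA_1
ELEMENT_SIZE = {1: 1, 13: 5, 45: 1, 46: 1, 100: 1}


@dataclass
class Asdu:
    type_id: int
    cot: int          # cause of transmission (low 6 bits of the COT octet)
    originator: int   # originator address (second COT octet)
    common_addr: int  # common address of ASDU, little-endian 16-bit
    ioas: list        # information object addresses carried in this ASDU


def parse_apdu(buf: bytes):
    """Return ("U"|"S", None) or ("I", Asdu); raise ValueError on malformed input."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("bad start byte or truncated APCI")
    if buf[1] != len(buf) - 2:
        raise ValueError(f"length field {buf[1]} != payload {len(buf) - 2}")
    ctl = buf[2] & 0x03
    if ctl == 0x03:
        return "U", None
    if ctl == 0x01:
        return "S", None
    asdu = buf[6:]  # I-format: ASDU follows the four control-field octets
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, sq, count = asdu[0], asdu[1] >> 7, asdu[1] & 0x7F
    cot, originator = asdu[2] & 0x3F, asdu[3]
    common_addr = asdu[4] | (asdu[5] << 8)
    if type_id not in ELEMENT_SIZE:
        raise ValueError(f"unsupported type id {type_id}")
    size, body = ELEMENT_SIZE[type_id], asdu[6:]
    if sq:  # SQ=1: one IOA followed by `count` contiguous elements
        if len(body) != 3 + count * size:
            raise ValueError("SQ=1 body length mismatch")
        base = body[0] | (body[1] << 8) | (body[2] << 16)
        ioas = [base + i for i in range(count)]
    else:   # SQ=0: `count` (IOA, element) pairs
        if len(body) != count * (3 + size):
            raise ValueError("SQ=0 body length mismatch")
        ioas = [body[o] | (body[o + 1] << 8) | (body[o + 2] << 16)
                for o in range(0, len(body), 3 + size)]
    return "I", Asdu(type_id, cot, originator, common_addr, ioas)


def build_i_frame(type_id, cot, originator, common_addr, ioa_values, send=0, recv=0):
    """Assemble an I-format APDU with SQ=0 (helper for constructing sample traffic)."""
    asdu = bytes([type_id, len(ioa_values), cot, originator, common_addr & 0xFF, common_addr >> 8])
    for ioa, value in ioa_values:
        asdu += bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + value
    ctl = bytes([(send << 1) & 0xFF, send >> 7, (recv << 1) & 0xFF, recv >> 7])
    return bytes([START, len(ctl) + len(asdu)]) + ctl + asdu


class Detector:
    """Learns normal (CA, type, COT, originator) tuples and IOAs, then flags deviations."""

    def __init__(self):
        self.tuples = set()
        self.ioas = defaultdict(set)
        self.learning = True

    def observe(self, buf: bytes):
        """Return a list of alert strings; empty means the APDU looked normal."""
        try:
            kind, asdu = parse_apdu(buf)
        except ValueError as e:
            return [f"malformed: {e}"]
        if kind != "I":
            return []  # S/U frames carry no ASDU; sequence tracking is out of scope here
        key = (asdu.common_addr, asdu.type_id, asdu.cot, asdu.originator)
        if self.learning:
            self.tuples.add(key)
            self.ioas[(asdu.common_addr, asdu.type_id)].update(asdu.ioas)
            return []
        alerts = []
        if key not in self.tuples:
            alerts.append(f"unseen ASDU tuple CA={key[0]} type={key[1]} cot={key[2]} orig={key[3]}")
        known = self.ioas.get((asdu.common_addr, asdu.type_id), set())
        alerts += [f"unseen IOA {i} for CA={asdu.common_addr} type={asdu.type_id}"
                   for i in asdu.ioas if i not in known]
        return alerts


def demo():
    det = Detector()
    # Constructed baseline: spontaneous single-point updates (type 1, COT 3) from
    # station CA=1 on IOAs 100..102, and a station interrogation (type 100, COT 6).
    normal = [build_i_frame(1, 3, 0, 1, [(100, b"\x01"), (101, b"\x00"), (102, b"\x01")]),
              build_i_frame(100, 6, 0, 1, [(0, b"\x14")])]
    for frame in normal:
        det.observe(frame)
    det.learning = False
    return {
        "normal": det.observe(normal[0]),
        "rogue_command": det.observe(build_i_frame(45, 6, 0, 1, [(5000, b"\x01")])),
        "new_ioa": det.observe(build_i_frame(1, 3, 0, 1, [(999, b"\x01")])),
        "truncated": det.observe(normal[0][:-2]),
    }
```

In the Bro setting the paper builds on, `parse_apdu` corresponds to the protocol analyzer that turns bytes into events and `Detector.observe` to the script-level handler consuming them; keeping the two separate is what lets a learned profile be swapped without touching the parser. The length checks matter in practice: a detector that silently skips frames its parser cannot fully decode is exactly where an attacker would hide, so malformed input is surfaced as an alert rather than dropped.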