SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection

Title: SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Jardine, William; Frey, Sylvain; Green, Benjamin; Rashid, Awais
Conference Name: Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy
Date Published: October 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4568-2
Keywords: active monitoring, industrial control systems, Intrusion Detection Systems, Metrics, pubcrawl, Resiliency, Scalability
Abstract: Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low-cost solution and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail to detect attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading the legacy devices that are commonplace in ICSs. In this paper we aim to overcome these challenges through the combination of a passive network monitoring approach and selective active monitoring based on attack vectors specific to an ICS context. We present the implementation of our IDS, SENAMI, for use with Siemens S7 devices. We evaluate the effectiveness of SENAMI in a comprehensive testbed environment, demonstrating the validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reach recall values greater than 0.96, indicating that few attack scenarios generate false negatives.
URL: https://dl.acm.org/doi/10.1145/2994487.2994496
DOI: 10.1145/2994487.2994496
Citation Key: jardine_senami:_2016