CAPTAR: Causal-Polytree-based Anomaly Reasoning for SCADA Networks

Title: CAPTAR: Causal-Polytree-based Anomaly Reasoning for SCADA Networks
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Ren, Wenyu; Yu, Tuo; Yardley, Timothy; Nahrstedt, Klara
Conference Name: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)
Keywords: anomaly reasoning, anomaly reasoning framework, Bayes methods, belief propagation, CAPTAR, causal analysis, causal polytrees, causal-polytree-based anomaly reasoning, Cognition, compositionality, Correlation, Databases, EDMAND anomaly detection framework, Human Behavior, industrial control system, Intrusion Detection Systems, meta-alerts, naïve Bayes classifier, Noise measurement, pattern classification, power engineering computing, protected SCADA network, pubcrawl, real-time reasoning requirement, Resiliency, SCADA, SCADA networks, SCADA systems, SCADA Systems Security, security of data, security state, situational awareness, Smart grid, smart power grids, supervisory control and data acquisition system
Abstract: The Supervisory Control and Data Acquisition (SCADA) system is the most commonly used industrial control system but is subject to a wide range of serious threats. Intrusion detection systems are deployed to promote the security of SCADA systems, but they continuously generate a tremendous number of alerts without further comprehending them. There is a need for an efficient system to correlate alerts and discover attack strategies to provide explainable situational awareness to SCADA operators. In this paper, we present a causal-polytree-based anomaly reasoning framework for SCADA networks, named CAPTAR. CAPTAR takes the meta-alerts from our previous anomaly detection framework EDMAND, correlates them using a naive Bayes classifier, and matches them to predefined causal polytrees. Utilizing Bayesian inference on the causal polytrees, CAPTAR can produce a high-level view of the security state of the protected SCADA network. Experiments on a prototype of CAPTAR prove its anomaly reasoning ability and its capability of satisfying the real-time reasoning requirement.
DOI: 10.1109/SmartGridComm.2019.8909766
Citation Key: ren_captar_2019