Using anomalous event patterns in control systems for tamper detection

William Sousan, Robin Gandhi, Qiuming Zhu, William Mahoney

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Supervisory Control And Data Acquisition (SCADA) systems are used for geographically distributed process control by collecting sensory data that are processed by a central computer. These systems are used in critical domains such as nuclear power plants, public power grids, railway scheduling and ticketing, and others. The malfunctioning of these systems, e.g., if compromised, could cause severe equipment damage, loss of life, and possibly shutdown of facilities that affect an entire community. As a result, SCADA systems provide nefarious actors, both insiders and outsiders, with great temptation as possible attack targets. In this paper, we present our work for monitoring SCADA systems through the development of a technology that incrementally learns normal behaviors of the system and then continuously watches for the occurrence of abnormal behaviors. Our technology exploits the repeating patterns of normal behavior in SCADA system operation. We describe the system architecture, prototype implementation and results in this paper.

Original language: English (US)
Title of host publication: 7th Annual Cyber Security and Information Intelligence Research Workshop
Subtitle of host publication: Energy Infrastructure Cyber Protection, CSIIRW11
DOI: https://doi.org/10.1145/2179298.2179326
State: Published - Dec 1 2011
Event: 7th Annual Cyber Security and Information Intelligence Research Workshop: Energy Infrastructure Cyber Protection, CSIIRW11 - Oak Ridge, TN, United States
Duration: Oct 12 2011 to Oct 14 2011

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 7th Annual Cyber Security and Information Intelligence Research Workshop: Energy Infrastructure Cyber Protection, CSIIRW11
Country: United States
City: Oak Ridge, TN
Period: 10/12/11 to 10/14/11

Fingerprint

SCADA systems
Control systems
Plant shutdowns
Watches
Nuclear power plants
Process control
Scheduling
Monitoring

Keywords

  • Event Player
  • SCADA Event Taxonomy
  • SCADA Systems
  • Snap-Shot learning

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Sousan, W., Gandhi, R., Zhu, Q., & Mahoney, W. (2011). Using anomalous event patterns in control systems for tamper detection. In 7th Annual Cyber Security and Information Intelligence Research Workshop: Energy Infrastructure Cyber Protection, CSIIRW11 (ACM International Conference Proceeding Series). https://doi.org/10.1145/2179298.2179326

@inproceedings{e2631e000d814e1d8999fb2507037b10,
title = "Using anomalous event patterns in control systems for tamper detection",
keywords = "Event Player, SCADA Event Taxonomy, SCADA Systems, Snap-Shot learning",
author = "William Sousan and Robin Gandhi and Qiuming Zhu and William Mahoney",
year = "2011",
month = "12",
day = "1",
doi = "10.1145/2179298.2179326",
language = "English (US)",
isbn = "9781450309455",
series = "ACM International Conference Proceeding Series",
booktitle = "7th Annual Cyber Security and Information Intelligence Research Workshop",

}

TY - GEN

T1 - Using anomalous event patterns in control systems for tamper detection

AU - Sousan, William

AU - Gandhi, Robin

AU - Zhu, Qiuming

AU - Mahoney, William

PY - 2011/12/1

Y1 - 2011/12/1

KW - Event Player

KW - SCADA Event Taxonomy

KW - SCADA Systems

KW - Snap-Shot learning

UR - http://www.scopus.com/inward/record.url?scp=84862869090&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84862869090&partnerID=8YFLogxK

U2 - 10.1145/2179298.2179326

DO - 10.1145/2179298.2179326

M3 - Conference contribution

AN - SCOPUS:84862869090

SN - 9781450309455

T3 - ACM International Conference Proceeding Series

BT - 7th Annual Cyber Security and Information Intelligence Research Workshop

ER -