 Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systemsNoam Erez and Avishai Wool International Journal of Critical Infrastructure Protection, 2015, vol. 10, issue C, 59-70 Abstract: This paper describes a novel domain-aware anomaly detection system that detects irregular changes in Modbus/TCP SCADA control register values. The research discovered the presence of three classes of registers: (i) sensor registers; (ii) counter registers; and (iii) constant registers. An automatic classifier was developed to identify these classes. Additionally, parameterized behavior models were created for each class. During its learning phase, the anomaly detection system used the classifier to identify the different types of registers and instantiated the model for each register based on its type. During the enforcement phase, the system detected deviations from the model. The anomaly detection system was evaluated using 131h of traffic from a production SCADA system. The classifier had a true positive classification rate of 93%. During the enforcement phase, a 0.86% false alarm rate was obtained for the correctly-classified registers. Keywords: SCADA Systems; Modbus/TCP Protocol; Security; Anomaly Detection (search for similar items in EconPapers) Downloads: (external link) Related works: Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text Persistent link: https://EconPapers.repec.org/RePEc:eee:ijocip:v:10:y:2015:i:c:p:59-70 DOI: 10.1016/j.ijcip.2015.05.001 Access Statistics for this article International Journal of Critical Infrastructure Protection is currently edited by Leon Strous More articles in International Journal of Critical Infrastructure Protection from Elsevier |
Is your work missing from RePEc? Here is how to contribute.
Questions or problems? Check the EconPapers FAQ or send mail to .
EconPapers is hosted by the
School of Business at Örebro University.