EconPapers    
Economics at your fingertips  

EconPapers Home
About EconPapers

Working Papers
Journal Articles
Books and Chapters
Software Components

Authors

JEL codes
New Economics Papers

Advanced Search


EconPapers FAQ
Archive maintainers FAQ
Cookies at EconPapers

Format for printing

The RePEc blog
The RePEc plagiarism page

 

Protocol study and anomaly detection for server-driven traffic in SCADA networks

Chih-Yuan Lin and Simin Nadjm-Tehrani

International Journal of Critical Infrastructure Protection, 2023, vol. 42, issue C

Abstract: Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have largely appeared in the past decades. There are several anomaly detection systems that model the traffic of request–response mechanisms, where a client initiates a request to a server and the server sends back a response later. However, many modern SCADA protocols also allow server-driven traffic without a paired request, and anomaly detection for server-driven traffic has not been well-studied. This paper provides a comprehensive understanding of server-driven traffic across different protocols, such as MMS, Siemens S7, S7-plus, and IEC 60870-5-104 (IEC-104), with traffic analysis. The analysis results show that the common postulation of periodicity and correlation within SCADA traffic holds true for most of the analyzed datasets. The paper then proposes a Multivariate Correlation Anomaly Detection (MCAD) approach for server-driven traffic that presents complicated correlations among flows. The proposed approach is compared with a univariate correlation anomaly detection approach designed for SCADA and a general purpose anomaly detection approach based on neural network techniques. These approaches are tested with an IEC-104 dataset from a real power utility with injected timing perturbations resulting from a Stuxnet-like stealthy attack scenario. The detection accuracy of MCAD outperforms the compared methods and the time-to-detection performance is promising.

Keywords: SCADA; Anomaly detection; Traffic characterization; IEC-104; MMS; S7; Server-driven (search for similar items in EconPapers)
Date: 2023
References: View references in EconPapers View complete reference list from CitEc
Citations:

Downloads: (external link)
http://www.sciencedirect.com/science/article/pii/S1874548223000252
Full text for ScienceDirect subscribers only

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:eee:ijocip:v:42:y:2023:i:c:s1874548223000252

DOI: 10.1016/j.ijcip.2023.100612

Access Statistics for this article

International Journal of Critical Infrastructure Protection is currently edited by Leon Strous

More articles in International Journal of Critical Infrastructure Protection from Elsevier
Bibliographic data for series maintained by Catherine Liu ().

 
Share

RePEc
This site is part of RePEc and all the data displayed here is part of the RePEc data set.

Is your work missing from RePEc? Here is how to contribute.

Questions or problems? Check the EconPapers FAQ or send mail to .

Örebro UniversityEconPapers is hosted by the School of Business at Örebro University.

Page updated 2025-03-19
Handle: RePEc:eee:ijocip:v:42:y:2023:i:c:s1874548223000252