Team for Research in
Ubiquitous Secure Technology

Using Model Based Intrusion Detection for SCADA Networks
Alfonso Valdes

Citation
Alfonso Valdes. "Using Model Based Intrusion Detection for SCADA Networks". Talk or presentation, 18, January, 2007.

Abstract
In a model-based intrusion detection approach for protecting SCADA networks, we construct models that characterize the expected/acceptable behavior of the system, and detect attacks that cause violations of these models. Process control networks tend to have static topologies, regular traffic patterns, and a limited number of applications and protocols running on them. Thus, we believe that model-based monitoring, which has the potential for detecting unknown attacks, is more feasible for control networks than for general enterprise networks. To this end, we describe three model-based techniques that we have developed and a prototype implementation of them for monitoring Modbus TCP networks.

Citation formats
  • HTML
    Alfonso Valdes. <a href="http://www.truststc.org/pubs/155.html"><i>Using Model Based Intrusion Detection for SCADA Networks</i></a>, Talk or presentation, 18, January, 2007.
  • Plain text
    Alfonso Valdes. "Using Model Based Intrusion Detection for SCADA Networks". Talk or presentation, 18, January, 2007.
  • BibTeX
    @presentation{Valdes07_UsingModelBasedIntrusionDetectionForSCADANetworks,
        author = {Alfonso Valdes},
        title = {Using Model Based Intrusion Detection for SCADA
                  Networks},
        day = {18},
        month = {January},
        year = {2007},
        abstract = {In a model-based intrusion detection approach for
                  protecting SCADA networks, we construct models
                  that characterize the expected/acceptable behavior
                  of the system, and detect attacks that cause
                  violations of these models. Process control
                  networks tend to have static topologies, regular
                  traffic patterns, and a limited number of
                  applications and protocols running on them. Thus,
                  we believe that model-based monitoring, which has
                  the potential for detecting unknown attacks, is
                  more feasible for control networks than for
                  general enterprise networks. To this end, we
                  describe three model-based techniques that we have
                  developed and a prototype implementation of them
                  for monitoring Modbus TCP networks.},
        URL = {http://www.truststc.org/pubs/155.html}
    }
    

Posted by Alvaro Cardenas on 23 Jan 2007.
Groups: trustseminar
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.