Using Model Based Intrusion Detection for SCADA Networks

Using Model Based Intrusion Detection for SCADA Networks
Alfonso Valdes

Citation
Alfonso Valdes. "Using Model Based Intrusion Detection for SCADA Networks". Talk or presentation, 18, January, 2007.

Abstract
In a model-based intrusion detection approach for protecting SCADA networks, we construct models that characterize the expected/acceptable behavior of the system, and detect attacks that cause violations of these models. Process control networks tend to have static topologies, regular traffic patterns, and a limited number of applications and protocols running on them. Thus, we believe that model-based monitoring, which has the potential for detecting unknown attacks, is more feasible for control networks than for general enterprise networks. To this end, we describe three model-based techniques that we have developed and a prototype implementation of them for monitoring Modbus TCP networks.

Electronic downloads

ModelBasedIDS_SCADARev4.ppt · application/vnd.ms-powerpoint · 3174 kbytes

Citation formats

HTML

Alfonso Valdes. <a
href="http://www.truststc.org/pubs/155.html"
><i>Using Model Based Intrusion Detection for SCADA
Networks</i></a>, Talk or presentation,  18,
January, 2007.

Plain text

Alfonso Valdes. "Using Model Based Intrusion Detection
for SCADA Networks". Talk or presentation,  18,
January, 2007.

BibTeX

@presentation{Valdes07_UsingModelBasedIntrusionDetectionForSCADANetworks,
    author = {Alfonso Valdes},
    title = {Using Model Based Intrusion Detection for SCADA
              Networks},
    day = {18},
    month = {January},
    year = {2007},
    abstract = {In a model-based intrusion detection approach for
              protecting SCADA networks, we construct models
              that characterize the expected/acceptable behavior
              of the system, and detect attacks that cause
              violations of these models. Process control
              networks tend to have static topologies, regular
              traffic patterns, and a limited number of
              applications and protocols running on them. Thus,
              we believe that model-based monitoring, which has
              the potential for detecting unknown attacks, is
              more feasible for control networks than for
              general enterprise networks. To this end, we
              describe three model-based techniques that we have
              developed and a prototype implementation of them
              for monitoring Modbus TCP networks.},
    URL = {http://www.truststc.org/pubs/155.html}
}

Posted by Alvaro Cardenas on 23 Jan 2007.
Groups: trustseminar
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.