EE Seminar: A new Burst-DFA model for SCADA Anomaly Detection and Traffic Phase Detection

April 10, 2019, 15:00
Room 011, Kitot (Classrooms) Building, Electrical Engineering


Speaker:  Chen Markman

M.Sc. student under the supervision of Prof. Avishai Wool


Wednesday, April 10th, 2019 at 15:00

Room 011, Kitot Bldg., Faculty of Engineering

A new Burst-DFA model for SCADA Anomaly Detection and Traffic Phase Detection

Abstract

In Industrial Control Systems (ICS/SCADA), machine-to-machine data traffic is highly periodic. Past work showed that in many cases it is possible to model the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server by a cyclic Deterministic Finite Automaton (DFA), and to use the model to detect anomalies in the traffic. However, a recent analysis of network traffic in a water facility in the U.S. showed that cyclic-DFA models have limitations. In our research, we examine the same data corpus; our study shows that the communication on all of the channels in the network is done in bursts of packets, and that the bursts have semantic meaning---the order within a burst depends on the messages. Using these observations, we suggest a new burst-DFA model that fits the data much better than previous work. Our model treats the traffic on each channel as a series of bursts, and matches each burst to the DFA, taking the burst's beginning and end into account.

Furthermore, we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and an improvement to the model that incorporates multiple phases of the traffic. Furthermore, we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity.

Our burst-DFA model successfully explains between 95% and 99% of the packets in the data corpus, and goes a long way toward the construction of a practical anomaly detection system. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.
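To make the burst-matching idea from the abstract concrete, here is a small added Python example (written for this page, not the authors' code): a DFA whose states are message symbols plus explicit burst-start and burst-end states, trained from observed bursts on one PLC channel and then used to count how many packets of new bursts it explains. The Modbus-like symbols and bursts are constructed sample data; the resync-after-anomaly rule is an assumption of this example.

```python
from collections import defaultdict

START, END = "<start>", "<end>"


class BurstDFA:
    """Burst-DFA over message symbols. States are message symbols plus the
    burst-start and burst-end markers; a transition s1 -> s2 is allowed if s2
    was observed directly after s1 inside some training burst."""

    def __init__(self):
        self.next_ok = defaultdict(set)  # state -> allowed successor symbols

    def train(self, bursts):
        for burst in bursts:
            prev = START
            for msg in burst:
                self.next_ok[prev].add(msg)
                prev = msg
            self.next_ok[prev].add(END)  # burst is allowed to end here

    def check_burst(self, burst):
        """Match one burst against the DFA, start and end included.
        Returns (explained_packets, anomalies); anomalies lists the
        offending transitions. After an anomaly we resync on the observed
        symbol (assumption) so the rest of the burst is still evaluated."""
        explained, anomalies, prev = 0, [], START
        for msg in burst:
            if msg in self.next_ok[prev]:
                explained += 1
            else:
                anomalies.append((prev, msg))
            prev = msg
        if END not in self.next_ok[prev]:
            anomalies.append((prev, END))  # truncated or unexpected tail
        return explained, anomalies

    def coverage(self, bursts):
        """Fraction of packets explained across a traffic sample."""
        total = sum(len(b) for b in bursts)
        explained = sum(self.check_burst(b)[0] for b in bursts)
        return explained / total if total else 1.0


# Constructed sample: bursts of Modbus-like requests (function@address)
# that a SCADA server issues to one PLC.
TRAINING_BURSTS = [
    ["RdCoils@0", "RdHR@100", "RdHR@200"],
    ["RdCoils@0", "RdHR@100", "RdHR@200"],
    ["RdCoils@0", "RdHR@100", "WrReg@5", "RdHR@200"],
]
TEST_BURSTS = [
    ["RdCoils@0", "RdHR@100", "RdHR@200"],             # normal burst
    ["RdCoils@0", "RdHR@100", "WrReg@7", "RdHR@200"],  # unseen write
    ["RdCoils@0", "RdHR@100"],                         # truncated burst
]
```

Training on TRAINING_BURSTS and calling `coverage(TEST_BURSTS)` explains 7 of 9 packets; the two flagged bursts show the unseen write and the missing burst end as separate anomaly types.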
