ferling sequence attacks on scada systems - uni-muenster.de
TRANSCRIPT
Sequence attacks on SCADA systemsBachelor thesis
presented to theWestfälische Wilhelms-Universität MünsterFaculty of mathematics and computer scienceDepartment of computer sciencebyBenedikt Ferling
AssessorProf. Dr. Anne RemkeDr. Dietmar LammersWestfälische Wilhelms-UniversitätMünster
SupervisorJustyna ChromikUniversity of Twente
Münster, July 2016
Declaration of Academic Integrity
I hereby confirm that this thesis on Sequence attacks on SCADA systems is solely my ownwork and that I have used no sources or aids other than the ones stated. All passages inmy thesis for which other sources, including electronic media, have been used, be it directquotes or content references, have been acknowledged as such and the sources cited.Münster, den 12. Juli 2016 signature of student
I agree to have my thesis checked in order to rule out potential similarities with otherworks and to have my thesis stored in a database for this purpose.Münster, den 12. Juli 2016 signature of student
Acknowledgement
I express my gratitude to all those who gave me the possibility to complete this thesis.Thanks to Prof. Dr. Remke without whom this work and the cooperation with the Universityof Twente didn’t come about. Special thanks to Justyna Chromik for her assistance especiallyin the technical parts and who always had answers for me when I got stuck. FurthermoreI would like to thank Marco Caselli for his time for giving me a deeper look into his work.I also thank Maria Berens who looked closely at the final version of the thesis for Englishstyle and grammar. Thanks to my parents Agnes and Norbert Ferling and my wife KatharinaFerling for supporting me in all other areas while writing the thesis. And last but not leastthanks to Franziska, who always had a smile for me.
Contents
1 Introduction 1
2 SCADA networks and their security 22.1 SCADA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.2 IEC 60870-5-104 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.3 Intrusion detection systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.4 Sequence attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Discrete Time Markov Chains and sequences 143.1 Discrete Time Markov Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.1.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.2 Minimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.3 Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.4 Representation of sequences in a DTMC . . . . . . . . . . . . . . . . . . . . . 204 Sequence attacks 234.1 Detecting sequence violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.2 Sequence attack scenarios and minimization . . . . . . . . . . . . . . . . . . . 275 Experiments and results 335.1 Implementation and representation of the graphs . . . . . . . . . . . . . . . . . 335.2 Implementation of the minimization . . . . . . . . . . . . . . . . . . . . . . . . . 345.3 Experiments on traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Summary and conclusion 44
List of Figures 46
List of Tables 47
Introduction 11 Introduction
Supervisory Control and Data Acquisition (SCADA) systems are deeply ingrained in thefabric of critical infrastructure sectors [1]. These systems are commonly deployed to aid theoperation of these infrastructures by providing automated processes that ensure the correctfunctioning of these infrastructures.Due to their standardization and their connectivity to other networks, they are increasinglya subject to serious damage and disruption [1]. The US grid hack [2] and the Ukrainiangrid hack [3] are two examples that show the consequences of poor security. As a result ofcyber-attacks on networks controlling mentioned grids, many people were left without elec-tricity for hours. In general, these systems are barely protected from the escalating cyberthreats [1]. Even if the security of the SCADA system is addressed, the attacker can usemore sophisticated approaches to perform the attack. Stuxnet has demonstrated that skilledattackers can strike critical infrastructures by leveraging knowledge about the controlledprocess, especially by sending misplaced legal messages [4]. Common intrusion detectionsystems are only able to identify messages with malicious content within the network. Oneway to exploit those systems using the knowledge about the processes are the so-calledsequence attacks. They subvert infrastructure operations by sending misplaced industrialcontrol system messages [4]. Industrial systems show regular and consistent communicationpatterns, thus analyzing the communication using a stochastic approach in order to identifysequence attacks is an appropriate choice to investigate [5][6].M. Caselli et al. showed, that it is possible to detect sequence attacks within SCADAnetworks [4]. However, the analysis of the structure they used may be time consuming,depending on the complexity of the communication within the network. In this thesis werebuild the approach of M. Caselli and show that it is possible to successfully reduce thecomplexity of the structure in order to identify most types of sequence attacks.
2 SCADA networks and their security2 SCADA networks and their security
This section introduces the basics of SCADA. It provides an overview of the hard- and soft-ware components used in SCADA networks. Furthermore the IEC 60870-5-104 protocol- one of the important protocols used in combination with these networks - is introduced.Besides, a brief summary of the protocol, a detailed explanation of the structure is provided.In addition an introduction to intrusion detection systems is given and a description of what“sequence attacks“ are.Chapter 2.1 describes the SCADA system with its components and communication models.In Chapter 2.2 the IEC-104 protocol is described with all the relevant parts needed forthis thesis. Chapter 2.3 introduces the different kinds of intrusion detection systems. InChapter 2.4 the sequence attacks are introduced.
2.1 SCADA
Modern industrial processes and industries have systems and equipment which are often sep-arated by large distances. The management of these systems can be very time-consuming.Collect data from devices, evaluate the data and execute actions depending on the data areregular jobs in the process of managing industrial systems. The devices within the systemare often wide spread, which makes the useage of modern IT indispensable [7].A Supervisory Control and Data Acquisition (SCADA) system is a computer-basedsystem for monitoring and controlling industrial processes [4] [1]. The system refers to acombination of telemetry and data acquisition which it does by interconnecting field net-
works and a control network. The field network hosts devices that are directly connectedto the physical process. The control network hosts the servers that supervise the controlof the physical process. More and more SCADA systems are connected to the businessmanagement which usually refers to the enterprise network [8]. Furthermore it is possibleto transmit data from the field network to the internet. An example of a SCADA system isshown in Fig. 1. This example uses multiple firewalls to connect the networks.The field network hosts devices like sensors, actuators, RTUs and PLCs. Sensors trans-mit the values of the monitored process over serial wires to the PLCs. Actuators are systemcomponents which are responsible for controlling a systems behaviour. They control a phys-ical process, i.e., open or closing a valve, changing the pressure inside a pipe or tank orsetting the temperature of a systems component. RTUs and PLCs which collect the fielddata and send it back to the data acquisition server via the communication system. Theyalso receive commands, usually from the control network, which are then executed on theappropriate actuator, e.g., closing a valve. Today the difference between RTUs and PLCs is
SCADA networks and their security 3infinitesimal, although PLCs are more often used in areas where output arrangements andmultiple inputs are needed. This is due to their nature of having electrical noise immunityand vibration and impact resistance [9]. Besides their main purpose to collect data and sendthis data to a central station, PLCs may also communicate on a peer-to-peer basis with otherPLCs. Furthermore, they may act like a relay station, i.e., they collect data from other PLCsand forward them to the central station. Today the RTUs are mostly replaced by PLCs asPLCs can easily be set up for a variety of different functions [7]. In this thesis both RTUsand PLCs will be referred to as PLCs.
The process control network, also refered to as control network, is responsible for con-trolling the process by evaluating the data of the field network and triggering appropriateactions. The data acquisition server within the control network is responsible for collecting,storing and providing the data of the field devices such as RTUs and PLCs. HMIs are respon-sible to enable human operators to interact with the physical process, e.g, the HMI presentsthe data of the data acquisition server and the human operator can initiate commands thataffect the process.SCADA software is used to interact with the components of the SCADA system, e.g.monitoring data, watching trends, sending commands, etc. On the one hand it can be dividedinto open source and proprietary software for interaction with the operators. On the otherhand it can be divided into the different communication protocols used for the communi-cation between the devices. An example of proprietary protocol is the S7 protocol of theSiemens company. Open source protocols are for example Modbus or IEC 60870-5-104. Inthe early days of industrial systems most companies developed proprietary protocols. Themain problem with proprietary protocols is the reliance on the supplier of the system. Openprotocols have nowadays gained popularity because of their interoperability - hardware ofdifferent manufacturers can be installed on the same system. This thesis focuses on the IEC60870-5-104 protocol [7].The communication channels are responsible for transferring the data between the de-vices. They can be wired, fiber optic, radio, telephone line, microwave and possibly evensatellite. They connect the components of the SCADA system, such that they can communi-cate [7].The SCADA communication model consists of two approaches in which devices can com-municate. The first one is called master-slave. This approach uses the idea that the masterdevice is in total control of the communication system. The device makes regular request fordata to be transferred to/ from each of the slave devices in the network. This request could befor instance a software update request, or a restart command. An example for the download
4 SCADA networks and their securityof data is the sensors data the PLC is connected to. The slave only answers to request inthis configuration. There are some advantages of this approach. First the software is simpleand reliable due to the simplicity of the communication. Second, link failures between themaster and a slave node are detected quickly and third, no collisions can occur on the net-work. However there are also some disadvantages. The slave is unable to communicate tothe master for urgent actions. Even if this function is enabled, the master may be processinganother slave at that moment. Another disadvantage is, that slaves that need to communicatewith each other have to do this through the master. This adds complexity to the design ofthe master station.
The other approach to communicate is called peer-to-peer. In this approach each devicewithin the network can initialize a connection, therefore collisions of requests and responsesare unavoidable and need to be handled appropriately [7]. One method handling thosecollisions and controlling the communication is known as “carrier sense with multiple ac-cess/ collision detection“ (CSMA/CD). This and other methods are handled by the underlyingprotocols.The important communication part, within a peer-to-peer network, is the PLC-to-PLC com-munication. In this situation a request from a PLC is first sent to the master station. Howeverthe destination of the request is not the master station itself, but another PLC. The masterstation needs to forward the message and when it receives the reply it needs to forward itappropriate to the requesting PLC. Additional logic is used to handle this process withoutlosing requests or responses [7]. The main advantage of this system is the low cost of theinstallation. What can be an advantage on the one hand - no central station is in controlof the data - can be an disadvantage on the other hand. In industrial networks the centralorganisation of the data leads to an improvement of the precise statements that often can onlybe made by comparing data of different field devices. Another disadvantage is the software.Peer-to-peer networks needs a more complex software in order to guarantee a collision freecommunication. The disadvantages however overweight the advantages in terms of industrialcontrol systems.SCADA encompasses the collecting of the sensor information via a PLC, transferring itback to the data aquisition server, carrying out any necessary analysis and displaying theinformation on the HMIs. The required control actions are then conveyed back to the process[7]. The accurate and timely data allows for optimization of the systems operation and process.Further benefits are more efficiency, reliability and most importantly, safer operations. Thisall results in a lower cost of operation compared to earlier non-automated systems. Adisadvantages of SCADA systems is, that the system is more complicated. Furthermore it isonly possible to see as far as the PLCs. This is an important part as the PLC might transmitwrong data. Another disadvantage are the additional skills that are needed to manage the
SCADA networks and their security 5system [7]. Nevertheless, the advantages overweight the disadvantages for modern industrialprocesses and industries.
Figure 1: Architecture of a SCADA system [8]Today SCADA systems use special communication protocols like Modbus, MMS, IEC60870-5-104 or S7 for efficient and optimum data transfer. Since we analyze the com-munication between two devices only, the difference of the approaches “master-slave“ and“peer-to-peer“ are small. The difference is that both stations may request data or respondto requests. This thesis focuses on the IEC 60870-5-104 protocol.
2.2 IEC 60870-5-104 Protocol
The standard IEC 60870-5 refers to a collection of standards produced by the InternationalElectronical Commission (IEC), to provide an open standard for the transmission of SCADAtelemetry control and information [7]. It provides a detailed functional description for tele-control equipment and systems for controlling geographically widespread processes. Thestandard is intended but not limited to applications in the electrical industries, since its dataobjects are applicable to general SCADA applications in any industry [7].The standard was initially completed in 1995 with its profile IEC 60870-5-101(IEC-101)and is titled “Companion standard for basic telecontrol tasks“. At this point it covered onlytransmission over relatively low bandwidth bit-serial communication circuits. With the in-creasingly widespread use of network communications technology, the standard needed to
6 SCADA networks and their securitybe extended. With the protocol IEC 60870-5-104(IEC-104) - titled “Network Access usingStandard Transport Profiles“- the standard now provides the possibility to communicate overnetworks using TCP/IP. To be precise the changes compared to IEC-101 lay in the transport,network, link and physical layer services to suit the complete network access. The protocoluses TCP/IP to establish connections. This enables the communication over networks, e.g.,local area networks or wide area networks. Thereby, known technology like routers or virtualprivate networks can be used to connect different facilities.
Figure 2: Telegram format with variable length (I-format) [10]The overall message structure of IEC-104 is rather complex. This section introduces -apart from some basic information - those parts of the protocol that are relevant for this thesis.The overall structure of an IEC-104 packet, that we consider in this thesis, is shown in Fig. 2.It consists of the application protocol control information (APCI) and the application service
data units (ASDU) which both together are called the application protocol data unit (APDU).There are three types of control field formats. The I-format, the S-format and the U-format.Since this thesis focuses on the ASDU, only packets with the I-format are considered, whichare the only packets containing an ASDU. The ASDU is the part of the packet where allthe relevant information for this thesis is found. Furthermore, only fields considered in thisthesis are explained. Since third party libraries are used in this thesis for the parsing of thepackets, the exact bytes are not covered here. For further information about the protocol andthe exact structure we refer the reader to [7] or [10].
SCADA networks and their security 7The application protocol control information (APCI) is the application header. It con-tains general information about the structure found in the packet. Since this thesis focuseson the ASDU within the APDU, the important bytes are the first two bytes of the firstcontrol field octet inside the APCI. This is where the type (I, S or U) is defined. If thefirst byte is 0, the control field format is from the type I and the packet has an ASDU. Thisis then used for further analysis. All other fields inside the APCI are not covered in this thesis.
Figure 3: Structure of the ASDU [10]The application service data unit (ASDU) structure is slightly more complicated. It isshown in Fig. 3. The important fields for this thesis are: “Type identification“, “Number ofobjects“, “ASDU address fields“ and the “Information object address fields“. These fields areimportant, because they identify a special operation within the network. This will be ad-dressed later in the thesis in Sec. 3.4. In addition the network address of the communicatingdevices would be needed, but this thesis concentrates on the analysis of the communicationbetween two devices only. Therefore the communicating devices are always known. The Type
8 SCADA networks and their securityidentification (TypeId) refers to a list of known values in the range from 1 to 127, althoughnot all numbers are in use. Each number is mapped to a function that the device shouldexecute, e.g., 103 → clock synchronization command or 102 → read command. Number ofobjects defines the number of information objects found in the ASDU. This can be more thanone. The TypeId is assigned to all these information objects inside this packet. The ASDUaddress field (ASDU-Address) contains the address which all objects of the ASDU refer to.The Information object address (IOA) refers to an specific information object. A packet mayhave up to 127 information objects, with the depending object information. An informationobject can be an actuator or a sensor attached to the device. The device in this case is, forexample, a PLC. Attached to the PLC are various sensors and actuators over serial lines.Each sensor or actuator is connected to a port, which is then refered to by an IOA. It isto note that each vendor has its own specification for their devices, although the generalstructure found in [7] and [10] applies.
As shown in Fig. 1, PLCs are part of the field network and sometimes also of the controlnetwork. This depends on the architecture of each particular network. Sometimes the fieldnetwork and the control network are ingrained into the same physical network. The systemof Fig. 1 is connected to the internet. Although the networks are protected by firewalls, anattacker might still be able to infiltrate the system. Various ways of bypassing firewalls andother system protections exist. As soon as an attacker has access to the industrial network,the field and control devices are no longer safe.The IEC-104 protocol is based on TCP/IP - a reliable network protocol. Furthermore thecommunication between the master station and a PLC can be encrypted. Thus the systemis able to exchange messages in a reliable and secure way. But these two facts do notlead to a secure system. The IEC-104 protocol is only responsible for the exchange ofinformation between devices within an industrial network. It has no built in security, whichguarantees the communication with a special host or device. Furthermore no mechanism forintrusion detection, intergrity or confidentiality is implemented. Most of the SCADA-systemstoday are not encrypted and the TCP/IP-protocol also does not control what is sent withina communication. This leads to the problem that an attacker can compromise the field or thecontrol network. This thesis focuses on sequence attacks, an attack scenario which is notdetected by most of the IDS-systems today because they focus on packets with maliciouscontent [4]. Before the sequence attacks are discussed an introduction into the terminologyIDS is given.2.3 Intrusion detection systems
When it comes to security there are several approaches to protect a system. They all targeton a specific type of security, e.g., removing malicious software, blocking content that is not
SCADA networks and their security 9allowed to enter or exit a system or detecting suspicious activities. All these systems tryto be as precise as possible. However not all systems are equally precise and some alertactivities are malicious although these activities are absolute legit to the system. Thesealerts can be classified using a confusion matrix.
A confusion matrix is a specific table layout that allows one to see if an algorithm,used for the classification of something, works as expected. Within the matrix each columnrepresents the instances of a predicted class and each row represents the instances of theactual class. In this work we classify malicious activities and valid activities. However interms of security an activity might also be a network packet or a file. An algorithm thatworks 100% correctly will classify every valid activity or file as valid and every maliciousactivity or file as malicious. However this does not apply to many algorithms and leads usto four classifications in our thesis:A true positive occurs when something that is recognized as malicious and is in realitymalicious. This can be a virus for example. A true negative occurs when something thatis recognized as harmless and is in reality harmless. This can be a normal picture or asimple text document. A false positive occurs when something that is recognized as mali-cious although it is not. This can be a Microsoft Word document with macros, whereby themacro is just used for the forms inside the document but is recognized as harmful to thesystem. A false negative occurs when something that is recognized as harmless is in realityharmful and malicious. An example is a program that hides inside a file. The file is scannedand recognized as harmless. But by opening the file the malicious program inside the fileexecutes and compromises the system. This is the worst of all scenarios since no alarm istriggered although the system is compromised.This thesis focuses on intrusion detection systems. The other approaches were just ex-amples of other ways to secure a system. An intrusion detection system (IDS) is a securitysystem that monitors computer systems or network traffic and analyzes the behavior of trafficfor possible hostile attacks [11]. Computer systems and networks can be secured in multipleways e.g., firewalls, anti-virus-software or physical access limitation etc. All these systemshave a specific aim - none of them can handle them all. An IDS aims to detect hostile attackson a system or network. IDSs can be divided into two dimensions. The first dimension isthe target the IDS is monitoring. It consists of two types, host and network based IDSs. Thesecond dimension can be distinguished between the method they identify attacks - staticversus heuristic versus anomaly detection method [11] [12].The first dimension is separated into host based and network based IDSs. The questionthis dimension answers is, what the IDS should monitor. If it is a special host and theactivities inside the host, then the host based approach is to select. If the network is the
10 SCADA networks and their securitytarget to monitor, then the network based approach is to select. Below the two types areexplained.
A host based IDS must be installed on every monitored computer. The advantages ofsuch a system are that they can make very specific statements of an attack on the systemand the system is comprehensively monitored. What is an advantage on the one hand is adisadvantage on the other hand - the IDS is specialized for that operating system and canbarely be used on other operating systems. Another disadvantage is that the system can bevictim itself by a denial of service attack - i.e., a technique where a system is paralyzed dueto overloading [12].Network based IDSs record the network traffic, analyze it and report malicious activities.Since the network traffic can be tapped at a central point of the network only one system isneeded to monitor the whole traffic for a network segment - this applies to switched networksonly. However the bandwidth of networks may be greater than the bandwidth a system cananalyze on the fly. To be able to continuously monitor the network, some packets need tobe dropped if the throughput is greater than the system can analyze in the same time. Thisresults in a loss of precision of statements. Another disadvantage is that the failure of thenetwork IDS leads to a complete unmonitored network. There are several places where toimplement the network based IDS. Fig. 4 shows three different options [11].1. The IDS is connected to “SWITCH A“ (red line). In this scenario the IDS recognizes allhostile activity leaving or entering the network. However it will not recognize hostileactivity within the network itself. An attacker inside the network can still harm thesystem.2. The IDS is connected to “SWITCH B“ (purple line). This is nearly the same scenarioas in option one. The difference is, that the IDS will not “see“ hostile activity that isblocked by the router. It might be of interest to see what is happening outside andwho is trying to get into the network.3. The IDS is placed at “SWITCH C“ (blue line). The IDS now recognizes hostile activitywithin the network as well as malicious activity that comes through the firewall. It stilldoes not recognize hostile activity from outside that is blocked by the firewall or therouter [11] [12].The second dimension follows up with the question how an intrusion is detected. Thereare three main approaches how a malicious activity can be detected - static analysis, heuris-
tic analysis and anomaly based detection.
SCADA networks and their security 11
Figure 4: Integration of an network based IDS [13]Static analysis is based on signatures. A signature is a unique sequence of bytes usedto identify a specific type of data, e.g., a file, a virus or a network packet. The IDS has adatabase of different signatures which are known to be malicious. They are often classifiedby the potential of their danger [11].IDSs with the static analysis passes four main stages. In the first stage the system mustbe trained with the signatures it should identify. In the second stage the IDS perceives thetraffic. This is an essential part of the IDS because if the system is placed on the wrong partof the system it may not be able to recognize anything. The third stage is the analysis ofthe traffic. Within this stage the database with the signatures, which was set up in the firststage, is essential, since the IDS identifies the malicious activities based on the databasesknowledge. Stage four is the action that is triggered if a malicious activity is recognized.This can be an email, a pop up on the operators screen, a text message, etc. The operatormay manually initiate an action if necessary [11].Heuristic methods take place everywhere, where unknown attacks or attacks with avariation shall be detected. Based on little information they can produce relatively goodstatements that are close to reality. However due to their nature they also produce morefalse positive alerts - i.e., an alert that is in reality no alert [11].The process of this method is similar to the static analysis. In stage one the needed in-formation is stored in a database. There may be a lack of information so that the systemcan not fully guarantee the identification of a hostile attack. This may be intended if thealgorithm works significantly faster. Otherwise it may be caused if the defenders have notcollected enough information so far. Stage two applies equally. In stage three the analysisof the traffic is different. It will no longer create a signature of the packet comparing it with
12 SCADA networks and their securitysignatures in the database but rather tries to get an answer from a complex algorithm. Thereare several approaches how to search for unknown attacks or those with a little variation.Since this thesis does not focus on heuristic methods, these approaches are not discussedhere. Stage four is the same as in the static analysis [14].
Anomaly based detection is a method of identifying a hostile attack by considering everyactivity as hostile if it is not known to be normal to the system. This presupposes that theIDS is trained with activities that are allowed in the system. The system is therefore dividedinto four stages as well. In the first stage the system is trained to recognize normal activities.Stage two is the same as in the static analysis. In the third stage the recognized activitiesare tested against the known activities. If the tested activity is not known to the system, itis potentially hostile. Stage four then applies and a message is sent to the operator [14] [11].This work will focus on the network based IDSs. Furthermore we use the anomaly baseddetection approach. The reason is that the build system can be interpreted as a databaseof known and good activities. All activities that are unknown to the system are potentiallymalicious. Therefore one is able to detect nearly every attack that may harm the systemno matter if known or unknown. However the system still underlies a dependency. Thedependency of the training data itself. The training data is the data set that is used to tellthe IDS which activities are good and legit. This data set should include all activities thatdo not harm the system and that will occur. Activities that do not harm the system and thatdo not occur in normal traffic will inflate the training system. This results in a long analysis,thus the traffic is not analyzed in real time anymore.
2.4 Sequence attacks
Sequence attacks are a class of attack, which are specific to industrial control systems. Theycan harm a system by sending misplaced messages or commands although each of the sentmessages or commands is valid to the system [4].Long time industrial systems have been considered safe because of the nature of theirexistence. They were often proprietary and separated from other networks. With the devel-opment of open protocols and the need to be able to remotely control multiple networks, e.g.,connecting multiple systems over the internet, the attack vector increased. Moreover, mostof the systems are not encrypted, because they are considered safe, e.g., behind a firewall.Thus an attacker can easily gain control over the system once he is inside the network. Theattacker can then attempt to take control of the industrial processes by leveraging the lackof integrity and authentication mechanisms. To take control of the process, an attacker can
SCADA networks and their security 13either try to reprogram the logic of a PLC or directly control the process from the networkusing the same control messages used by legitimate operators. When having control overthe process, an attacker may send commands in such order or timing that is not intendedby the process. The sequence of these commands, that may harm the physical process, isinterpreted as an attack - the sequence attack [4].
Anomaly based IDSs may recognize those attacks. But this depends on the approach,i.e., how they detect anomalies. There are several approaches for anomaly based IDSs, sincethere are several ways on how to harm a system with legit commands.One way to harm a system is to use commands that are valid within the whole system.However, not every legit command is valid for every device in the system. If an IDS isjust looking for valid commands within the system, it may not recognize commands that areinvalid for a specific device. The device may not handle the command appropriately and maycrash. An IDS, that looks for system wide valid commands only, will not recognize this kindof attack. Furthermore, an IDS, that only looks for commands that are valid within the wholesystem, will not recognize sequences that lead to a compromised system. They only detectsingle commands that are not normal for the system.Another way to harm a system is to use valid commands in such an order, that a devicemisbehaves. Experiments showed that it is possible to successfully attack some PLCs merelyby sending messages in an inconsistent order. For example sending a “start program“ whilethe program is running causes an error that is not properly handled by the controller. Thisleads to a crash of the PLC. This kind of attack may impede the process of communicatingwith the device. Furthermore the physical process may be compromised as well, e.g., if anactuator for opening and closing a pipe is not reachable anymore [4].A third way is to interfere directly with the underlying physical process. In a report by theU.S. President’s Commission on Critical Infrastructure Protection there is an attack scenariodescribed, that involves a water distribution facility. The scenario describes that major controlvalves on a water pipeline can be rapidly opened and closed to cause water hammer. Waterhammer can cause up to serious damage to a physical system, e.g., noise and vibration or apipe collapse [15].Stuxnet is one of the best known malware that used sequence attacks to disturb physicalprocesses and damage plants. Stuxnet focuses on SCADA systems of the Siemens company.It interfered with the control of the frequency converter, that are inter alia used to controlthe speed of engines. By constantly changing the speed, slowing down and accelerating, thecentrifuges were damaged. Since these commands were valid and no known anomaly wasdetected, Stuxnet was able to leave behind a lot of damage.In order to be able detect attacks to initiate countermeasures and protect our infrastructure,an IDS is required.
14 Discrete Time Markov Chains and sequences3 Discrete Time Markov Chains and sequences
In this section the DTMC is introduced. Besides the formal definition and attributes usedin this thesis, the minimization is discussed. Two approaches of minimizing the DTMC us-ing bisimulation minimization are provided. This is followed by the definition of sequences.The definition involves the mapping of the IEC-104 protocol to a sequence. In additionthe representation of such a sequence within a DTMC is explained. An algorithm for build-ing a DTMC of a given IEC-104 communication is provided which is used throuout the thesis.Chapter Chapter 3.1 introduces the Discrete Time Markov Chain and the used termi-nology in this thesis. In Chapter 3.2 the minimization of Discrete Time Markov Chains isexplained. Chapter 3.3 defines a sequence in context of the communication within SCADAnetworks and the IEC-104 protocol. Chapter 3.4 describes the process a sequence is repre-sented by a Discrete Time Markov Chain. Furthermore an algorithm is provided.
3.1 Discrete Time Markov Chain
A Discrete Time Markov Chain (DTMC) is a stochastic process. What distinguishes aDTMC from other stochastic processes is a specific kind of “memorylessness“ which is knownas the “Markov property“. This property defines that within a stochastic process a futurestate depends maximally on its first predecessor [16].DTMCs have many applications as statistical models of real world processes. They aresuitable for modeling random state changes of a system, in which changes have few or noinfluence on the future of the system. A simple example is the coin toss. The previous tossdoes not give you a higher probability in predicting the outcome of the next toss. If the coinshows tails in the current toss the outcome of the next toss is either tail or head, both witha probability of 50%. This applies vice versa as well [16].A more complex example, where the current state has influence on the process, is a personthat stands in one corner of a room [17]. The corners of the room are labeled s1, s2, s3 ands4 and the person stands in the corner s1 as initially shown in Fig. 5. The person throwsa coin to decide whether he moves clock-wise or counterclock-wise through the room. Theperson repeats this any number of times. One question may be: Where does the personafter n steps stand? A possible stochastic process is (Xn, Xn+1, Xn+2, ...), whereby X is astochastic variable and n ε N an index from a discrete state space. Possible values Xn are{s1, s2, s3, s4}. Let
P(X0 = s1) = 1
Discrete Time Markov Chains and sequences 15be the starting condition, i.e., the person starts in corner s1: Then the probability of beingin state s2 is
P(X1 = s2) = 1/2,and for being in state s4
P(X1 = s4) = 1/2.To calculate the distribution for Xn with n ≥ 2 we need conditional probabilities. Forexample the probability of being in state s3 in the next step, given that one is currently ins4:
P(Xn+1 = s3 | Xn = s4) = 1/2.Based on the decision rules moving around in the room the probability of Xn+1 with nε{1, 2, 3, 4}depends only on Xn [17].
Figure 5: Initial situation of the person in a room [17]
3.1.1 Definition
Let S be a discrete set of states and P be a function that assigns a probability to everytransition between two states such that the sum of all outgoing transitions of each specificstate is 1. A DTMC is described by Eq. (1) [18] [16] [16]DTMC = (S,P, sinit , AP, L), (1)
whereby• S is a set of states• P is the probability function described by (2) and (3)
16 Discrete Time Markov Chains and sequences• sinit is the initial state• AP is a set of atomic propositions• L is a labeling function - described by (4) - that assigns a (possible empty) set ofatomic propositions L(s) to a state s ε S
The probability function is defined by:P : S × S → [0, 1], (2)
such that the sum of the probability for all outgoing transitions of s equals 1.∑s′εS
P(s, s′) = 1 ∀ s ε S (3)The labeling function assigns a set of atomic propositions, from the atomic proposition setAP, to each state. It is defined by:
L : S → 2AP (4)
Figure 6: DTMC representing the person in a corner example [17]Fig. 6 represents the resulting DTMC of the person in a corner example. From each cornerthe probability is 0.5 moving clock- or counterclock-wise.
A path σ in a DTMC is an infinite sequenceσ = s0 → s1 → s2 → · · · → si → · · · (5)
with si ε S . It is a concrete walk along transitions of the DTMC with a probability greater0 - a possible realization of the stochastic process [19]. Sometimes it is also called anexecution of the DTMC [20]. For example (s1, s2, s3, s2, s3) is a valid path whereas (s1, s3)
Discrete Time Markov Chains and sequences 17is not a valid path since there does not exist a transition between s1 and s3.
Properties are characteristics that a DTMC or state have. Each concrete DTMC or statemay have different properties [20] [21]. The properties that are important for this thesis are:Reachability: The reachability of a state is described as:Let S be a set of states, P be the probability function and (S,P) is the DTMC. Let s ε S and
S ′ ⊆ S be a set of states (s1, s2, ...), thenPDTMC (s, S ′), (6)
is the probability of reaching a state of S’ from the state s. For the reachability of S’ it isrequired, that the probability is greater 0. However the exact value of the probability playsno role in this thesis, thus the calculation of these probabilities is not discussed here. Theimportant part is that a state can be reached from another one, e.g., there exists a path froms to a state of S’. A counterexample is shown in Fig. 7. In this example and all following weuse the following formalism: s_i =̂ si ∀ i N. Let S’ be {s1}. ThenPDTMC (s3, S ′) = 0,
because there does not exist a path from s3 to a state of S’.
s_1 s_2 1.0 s_3 1.0 0.5 s_4
0.5 0.5
0.5
Figure 7: DTMC with non-reachable statesIrreducibility: This property plays a role for the size of a DTMC. It answers the questionwhether all states of a DTMC are reachable [21].A DTMC is irreducible if from each state, one can reach any other state in a finite numberof steps. Otherwise it is called reducible. In Fig. 7 state s1 cannot be reached from state s2,thus the DTMC is reducible. In Fig. 6 the DTMC is irreducible because every state can bereached from anywhere in the DTMC.
3.2 Minimization
Ensuring the correctness of the identification of sequence attacks is important. If the IDSdoes not work correctly, it may see attacks that are not there, thus binding too many re-
18 Discrete Time Markov Chains and sequencessources trying to find the non-existent source of the false alarm. An even wors scenario is ifit does not even recognize the attacks. In addition the software needs to work without delaysin real time to detect current attacks. To test traffic in real time against the training DTMC,it needs to be at a reasonable size. Thus the size of the training DTMC plays an impor-tant role identifying sequence attacks. The DTMCs, built using the approach in this thesis,represent the communication between one PLC and its master station. In power stations orhydroelectric power station the installation of the SCADA network typically involves morethan one PLC. An IDS needs to keep track of the communication of all components in thenetwork segment as discussed in Sec. 2.3. Thus the size of the DTMC plays an even biggerrole in terms of the complexity of the IDS [4] [22].
Using a small amount of training data will held the resulting DTMC small. This impliesthat the identification may not be precise, as states may be missing or relations between thestates may be inaccurate. A well trained DTMC is needed for precise statements. This leadsto the question how the DTMC can be held at a manageable size without losing the specificproperties used to identify sequence attacks. One existing approach is the bisimulationminimization [22] [16]. Let DTMC = (S,P, sinit , AP, L) be a DTMC as described in Sec. 3.1.A relation R ⊆ SxS is a strong bisimulation if for any (s1, s2) ε R :L(s1) = L(s2) (7)
both states hold the same atomic propositionsP(s1, C ) = P(s2, C ), (8)
for all equivalence classes C of S under R.In our representation of a sequence in a DTMC, states with the same atomic propositionsare merged together - which will be covered later in Sec. 3.4. Since we merge the eventsinto one state from scratch, the resulting state holds the same atomic propositions for allevents. Hence there is just one equivalence class for each state (multiple events), thus thereaching probabilities are equal. Although the algorithm implements the required propertiesfrom (7) and (8) the number of states within the resulting DTMC obtains more than 50 states.The number of states for longer time capture will only increase. Moreover, the presentedDTMC is only created for one pair of devices. Since one DTMC is needed for each pair ofdevices communicating, a further minimization is needed. A first approach is to delete allnon reachable states. Since we are interested in reachable states within the DTMC the nonreachable states can be removed. Looking at how we build the DTMC this can be done witha small algorithm:
Discrete Time Markov Chains and sequences 19The input of Alg. 1 is a DTMC and the output is the corresponding irreducible DTMCthat we can use in this thesis. Lines 1 till 9 define a loop that repeats itself until no stateis removed from the DTMC anymore. In line 2 the variable “statesRemoved“ is defined andset to the value “False“. Line 3 till 8 define a loop that iterates over all states in the DTMC.Line 4 and 7 define a conditional statement. It the state is not accessible, then line 5 and 6are executed. In these lines the state is removed from the DTMC and the variable “states-Removed“ is set to the value “True“. After the loop of line 3 and 8 has passed through allstates of the DTMC, the condition of the outer loop is tested. If the value of the variable“statesRemoved“ is “False“, there is no further state to remove in the DTMC and the algorithmreturns the DTMC. Otherwise the algorithm jumps to line 2 and repeats the steps from there.This approach makes an irreducible DTMC of the original DTMC, i.e., a DTMC where everystate can be reached from every other state. The effect of this approach is very small, sincethere are only a few states at the beginning that can be deleted.Data: DTMCResult: irreducible DTMC
1 repeat2 statesRemoved ← False;3 foreach state ε DTMC do4 if state not accessible then5 remove(state);6 statesRemoved ← True;7 end8 end9 until statesRemoved == False;
Algorithm 1: Creating a irreducible DTMCA further possible approach is to merge properties that are not needed for the identifica-tion of a specific type of sequence attack, but this might influence the identification of othersequence attacks. The introduction of possible approaches for minimizing the DTMC willbe part of Sec. 4. Beforehand the sequences themselves, the representation within a DTMCand the detection of sequence violations need to be discussed.
3.3 Sequences
In order to detect sequence attacks one needs to be able to extract a sequence of messagesfrom the network traffic and identify information that is needed to construct an IDS. Theeasiest way to define an event in the context of network communications is to consider allthe traffic frames one by one. However, all traffic frames are not equally important and not
20 Discrete Time Markov Chains and sequencesall frames need to be included in a sequence. Therefore, it is necessary to group trafficframes. This thesis considers the communication between two devices only and therefore thefollowing definition of an event applies [4]:Let tn be the time, n ε N such that tn < tn+1. An event stn is a six tupel <Direction, Service,Data, FO, LO, Count> whereby:
• Direction contains the information :“request“ or “response“• Address contains the “ASDU-address“ and the “IOAs“• Service is the “Type-Id“• FO is the first occurrence of the event• LO is the last occurrence of the event• Count represents how often the state is visited
Each event is identified by “Direction“, “Address“ and “Service“. “FO“, “LO“ and “Count“ areused to calculate the probabilities of the outgoing transitions and the median time for a jumpto another state.A sequence (l), is a time ordered list of events stn in a system.
3.4 Representation of sequences in a DTMC
In Sec. 3.3 the communication was transformed into a time-ordered list. In order to identifysequence attacks this list needs to be modeled. A DTMC as described in Sec. 3.1 is used tomodel the communication patterns and protocol behavior. This is done for two reasons [4]:1. A flexible definition of event is needed that does not necessarily consider all theattributes used to build the sequence. We show in Sec. 4 that it might be useful tomerge parts of the event’s six tupel that are used for identification.2. It is necessary to identify temporal consequent events. But only the predecessor isnecessary, which is exactly what the “Markov property“ demands. The transitions areused to
(a) indicate the strength of the relationship between an event and its predecessor.(b) understand the relationship changes over time.The algorithm for creating a DTMC from a sequence is presented in Alg. 2. This algo-rithm is used whether we use the minimization or not, since the minimization consists of the
Discrete Time Markov Chains and sequences 21attribute abstraction. This abstraction is handled by the algorithm in step two, which will benow explained. The algorithm in total consists of 5 steps. The input data is the sequenceof events. The sequence is time ordered, oldest event first and newest last. The outcome orreturn value of the algorithm is the DTMC which represents the sequence [4].The first step is a loop over all events in the sequence. It is defined in line 1 and closedin line 14. The loop processes the events in the order of time, the oldest event first and thenewest last.Step two is the extraction of the attributes from an event. The extracted attributes are storedin the variable “StateDTMC “. These attributes are those needed for identification of thecorresponding state of the event: Request, Response, ASDU-Address, IOSs, TypeId and the“control field format“. This happens in line 2.Step three handles the new created state. The lines 3, 5 and 7 define a conditional statementthat handle the created state and execute the appropriate action. If the new created state iselement of the DTMC, line four is executed. In this line the state in the DTMC that equalsthe new created state from line 2 is updated. The update involves a counter that counts howoften this event occurred in the sequence. If the State does not equal any existing state inthe DTMC, the new created state is added to the DTMC. This happens in line 6.Step four handles the transitions. It is a conditional statement which is defined in lines 8, 10and 12. Line 8 tests whether the transition from “previousState“ to “StateDTMC “ is elementof the DTMC. If so line 9 is executed. In this line the appropriate transition is updated. Theupdate involves the time of the jump and a counter that counts how often this special jumphappens in the sequence. If the transition is not already part of the DTMC, then line 11is executed. In this line a transition from “previousState“ to “StateDTMC “ is added to theDTMC.In Step five, which consists only of line 13, the variable “previousState“ is updated. The newvalue of the variable is the created state of line 2.
22 Discrete Time Markov Chains and sequencesData: Sequence of EventsResult: DTMC representing the sequence of events
1 for all etn ε sequence do2 StateDTMC ← extractAttributes(etn );3 if StateDTMC ε DTMC then4 update(StateDTMC , DTMC);5 else6 add(StateDTMC , DTMC);7 end8 if T ransitionpreviousState,StateDTMC ε DTMC then9 update(T ransitionpreviousState,StateDTMC );
10 else11 add(T ransitionpreviousState,StateDTMC , DTMC);12 end13 previousState ← StateDTMC14 end
Algorithm 2: DTMC modeling of sequences found in [4]
Sequence attacks 234 Sequence attacks
Traditional IDSs focus on malicious packets rather than finding sequences of legal commandsthat can harm the system. This thesis focuses on legal commands that are either sent in thewrong order or with incorrect timing. This chapter shows what kind of sequence attacks existand how to detect them using a DTMC. Furthermore possible limitations are discussed. Inaddition the sequence attacks in combination with possible minimizations are discussed.Chapter 4.1 describes the different kinds of sequence attacks and how they can be de-tected using DTMCs. In Chapter 4.2 the possible minimizations and their limitations arediscussed.
4.1 Detecting sequence violations
Before the system can detect malicious activities a system description is needed. This de-scription needs to be clean and violation free. Of course this can be done by hand, but thiswould include possible mistakes that occur while entering the data. Furthermore it takes alot resources and is all in all not practicable. Another yet naive approach is to consider allvalid commands as violation free. This section shows that this approach is insecure becausethere exist ways how a system can be damaged by using only valid commands. Furthermorethe resulting DTMC would be far too big because of the state explosion problem. This applieshere because one needs all possible transitions between all states which is exponential. Athird approach is giving the IDS a description of the system in form of a network trace. Thistrace needs to be clean and free of violations. The training itself was discussed in Sec. 2. Thedisadvantage of this approach is that there might be information missing if the trace with atoo short period of time was used. If the period is too large the resulting system might be toobig so that the analysis in real time may fail. However this seems to be the only approachthat has a good trade-off between used resources and possible mistakes. Furthermore theDTMC can be held at an appropriate size while still being able to detect sequence attacks.The resulting DTMC is called the “training DTMC“.A sequence is a succession of events in a system. The succession can be described bya DTMC whereby the transitions are jumps to other states. For example consider a systemconsisting of two pipes A and B which should never be open at the same time. Furthermoreis it not usual to rapidly open and close the same pipe again and again. Legal commandsfor the pipes are ’open’ and ’close’. Let the initial state of the system be s1 with both pipesclosed. In terminology of a DTMC one have 3 states: S = {s1, s2, s3} whereby• s1 is the initial state with both pipes closed
24 Sequence attacks• in s2 pipe A is open and pipe B is closed• in s3 pipe A is closed and pipe B is openP is defined such that every pipe is opened with probability 0.5 and closed with aprobability of 1:• P(s1, s2) = P(s1, s3) = 0.5• P(s2, s1) = P(s3, s1) = 1Fig. 8 describes the system. The black state with the label ’ENTRY’ is the entry pointto the system. The blue states describe the safe states of the system.
s_1Pipe A: closedPipe B: closed
s_2Pipe A: open
Pipe B: closed 0.5
s_3Pipe A: closedPipe B: open
0.5
1.0
1.0
Figure 8: DTMC representing the simple pipe exampleTo open a closed pipe one has to make sure to be in state s1 first, e.g closing pipe B beforeopening pipe A. There are three possible violations that can occur to the system, which arediscussed using a simple pipe example.
1. State exists and transition does not existA transition-violation occurs when a command or request is sent to the controller ata point the controller wasn’t expecting this command. This violates the sequence ofcommands which the controller expects and may crash it [4]. Consider the system is instate s2 of the simple pipe example. Pipe A might get the command to open althoughit is already open. The controller may try to open again, resulting in a force that isunexpected to the physical system. Fig. 9 shows the violation in red.2. State and transition do not existA state-violation occurs when either a command or request is sent to the controller ata point the controller wasn’t expecting it or the physical process wasn’t prepared forit. In terminology of the simple pipe example the controller for pipe A may receive the
Sequence attacks 25
s_1Pipe A: closedPipe B: closed
s_2Pipe A: open
Pipe B: closed 0.5
s_3Pipe A: closedPipe B: open
0.5
0.5
0.5
1.0
Figure 9: DTMC with a violation compared to Fig. 8 by using a non-existing transitioncommand to open although pipe B is still open. The controller Controller A reacts tothe command by opening the pipe. The system is now in a state where both pipes areopen. This may result in physical damage of the system e.g., too much pressure in oneof the pipes. Fig. 10 shows the violation in red.
s_1Pipe A: closedPipe B: closed
s_2Pipe A: open
Pipe B: closed 0.5
s_3Pipe A: closedPipe B: open
0.5
1.0
0.5 s_4Pipe A: openPipe B: open
0.5
Figure 10: DTMC with a violation compared to Fig. 8 by accessing a non-existent state3. State and transition exists but a transition is used too frequentlyA timing-violation occurs when a single transition is used unusually frequently. Thecommands are correctly executed at a point the system expects them but the physi-cal process may be harmed. This happens if the physical laws apply that were notforeseen. For example the system is rapidly getting commands to open and close thesame valve. This may cause “water hammer“, resulting in a number of simultaneouswater main breaks. Fig. 11 shows the violated transition-probability in red. It hasa significant higher probability - P(s1, s2) = 0.975 - than the same transition in theoriginal DTMC. Since the probability of all outgoing transitions of one state equalsone, P(s1, s3) equals 0.025.There is a limitation in this scenario. If the training data was collected from severaldays and pipe B is far less used than pipe A, then it is normal for the transition of
26 Sequence attacks(s1, s2) to have a higher probability. A sequence attack cannot be identified in themoment of the command, since the transition exists in the system. If the transition isused frequently over a short period of time, the transition probability might still layin an interval around the probability that is defined as “not harmful“. Therefore a me-dian time is needed to get statements on how frequently over time a transition can beused. The median time can be calculated using the first occurrence of an event and itslast occurrence. This means that a single event cannot be tested against the trainingDTMC. A parallel DTMC need to be built and tested against the training DTMC.
s_1Pipe A: closedPipe B: closed
s_2Pipe A: open
Pipe B: closed 0.975
s_3Pipe A: closedPipe B: open
0.025 1.0
Figure 11: DTMC with a violation compared to Fig. 8 by using a transition too frequentlyApart from the limitation in scenario three which can be handled by looking at the fre-quency of the transition, there is a general limitation in using DTMCs for detecting sequenceattacks. Given a PLC that has two groups of components. Each group behaves differentlyand consists of different components, but the groups depend on each other. This dependencycannot be mapped within a DTMC. There are always details lost and an attack might notbe identified. Consider therefore the following example:Given a PLC with three pipes – A, B and C. Pipe A always has to be closed when B or Care open. B and C can both be open or closed the same time. “o_X “ be “open pipe X“ and“c_X “ be “close pipe X“ with X ε {A, B, C} and let all pipes be closed at the beginning. Avalid path is:
o_A → c_A → o_B → c_B → o_A → c_A, (9)since pipe B and C are closed. Other valid paths are:
o_A → c_A → o_C → c_C → o_A → c_A, (10)o_A → c_A → o_B → o_C → c_B → c_C → o_A → c_A, (11)
o_A → c_A → o_A → c_A. (12)
Sequence attacks 27Let these paths in the order (9), (10), (11) and (12) be the training data. Fig. 12 showsthe corresponding DTMC, without probabilities for a clearer graph. The blue and the redtransitions are those which might be critical. In this scenario however the blue transition issafe, since it can only be taken when all pipes are closed. The red transitions are those totake care of.
o_A
c_A c_B
c_C
o_C
o_B
Figure 12: DTMC representing a general limitationConsider the following path: o_A → c_A → o_B → o_C → c_C → o_A. It isvalid, looking at the transitions, but now pipe B and A are open which is a violation to thedefinition. The reason for this violation is the “Markov property“. In this scenario a sequencedepends on more than just its predecessor, resulting in possible violations of the system. Thisscenario shows that there is a limitation in identifying sequence attacks with DTMCs.
In two cases one can identify a violation of the sequence by detecting non-existing tran-sitions in the system. The third needs a deeper look into the transition probability. A fourthscenario showed a limitation by using DTMCs for detecting sequence attacks. This thesis willnow focus on the three violations that can be detected. These three violations show that it ispossible to use unintended paths within the DTMC by using valid commands only. It leadsto the question whether there exists paths with valid commands that can harm the system.In addition possible minimization are discussed with which the violations can still be detected.4.2 Sequence attack scenarios and minimization
Order based device Compromise: A typical sequence is the upload of new programs to aPLC. The majority of application level protocols provide functionality for this process. Thisincludes messages from unloading and deleting existing programs to transferring, storing andloading new programs. These functionalities are typically achieved by sending sequences ofmessages. The sequence of messages for uploading a logic program to a PLC looks typically
28 Sequence attackslike Fig. 13. The states represent the events of the process:• s_1: “unlock the PLC“• s_2: “lock the PLC“• s_3: “stop the running program“• s_4: “delete the existing program“• s_5: “transfer the new program code to the PLC“• s_6: “create program“• s_7: “start program“
s_2s_3 1.0
s_5 s_6 1.0
s_4 1.0
s_1 1.0
1.0s_7 1.0
1.0
Figure 13: Order based device reprogrammingThe process starts in state “s_1“. Now the PLC is running. The transition from state “s_1“to state “s_2“ is triggered by the command “lock the PLC“. Then the command “stop therunning program“ is sent to the controller and the process is in the state “s_3“. The processfollows with the commands “delete the existing program“, “transfer the new program code tothe PLC“, “create program“, “start program“ and “unlock the PLC“ and ends in the state “s_7“.Experiments in an industrial control laboratory environment have revealed that it is possibleto attack some PLCs merely by sending some of these messages in an inconsistent order[4]. For example, sending a valid “start program“ message when the program is still runningcauses an error that is not properly handled by the PLC controller firmware, which causesthe PLC controller to crash. Fig. 14 shows the malicious transition in red which causes thePLC controller to crash [4]. The controller is in state “s_7“, thus already running. If it nowgets the command “start program“ it crashes.
Now consider a more complex version of Fig. 13. The controller has 3 sensors attachedto it. One can read those values by sending the command “read value“ with the specifiedsensor address. They are addressed accordingly to Sec. 3.3. The IOAs shall be 1, 2 and 3.Fig. 15 is an example DTMC. The result is depending on the count of read commands andjumps to “s_2“. In all the new states “s_8“, “s_9“ and “s_10“ the PLC is running. It is valid
Sequence attacks 29
s_2s_3 1.0 s_4 s_5 1.0
s_1 0.5
s_7 0.5
s_6 1.0 1.0 1.0 1.0
Figure 14: Compromised order based device reprogrammingreading multiple values and after some time executing the command “lock the PLC“ since thecontroller is running.
s_2
s_3 1.0s_4 s_5 1.0
s_8
s_10 0.25
s_9 0.75 0.5
0.5
1.0 s_1
0.5
0.5
0.25
0.5
0.25
s_6 s_7 1.0 1.0 1.0
Figure 15: DTMC representing order based device reprogramming incl. other trafficNow consider this DTMC, being in state “s_8“ and executing the command “start program“.A transition is used that is not present in the training DTMC. Figure Fig. 16 shows theviolation in red.
s_2
s_3 1.0s_5 s_6 1.0
s_8
s_9
0.6s_10
0.2s_7 0.2
s_4 1.0 1.0
s_1 0.33 0.67
0.25 0.5 0.25
0.5
0.5
1.0 1.0
Figure 16: DTMC representing order based device reprogramming incl. other traffic and aviolationNow that a sequence attack can be detected, one wants to try to minimize the DTMC fora faster analysis. This can be done by merging the IOAs, i.e., a state is now identified onlyby its “Direction“, “Service“ and “ASDU address“. The states “s_8“, “s_9“ and “s_10“ resultin one state. They use the same “direction“, “ASDU type“, “ASDU address“ and the IOAsare merged. The “ASDU type“ of the commands, needed for the PLC update, differ for allstates. Accordingly these states are not merged although they share the same IOA. This isshown in Fig. 18. There is no transition from state “s_8“ to “s_7“. Thus the sequence attack
30 Sequence attacksof using the command “start program“ while being in state “s_8“ can still be identified - seeFig. 17. This means the IOAs can be merged while still being able to identify this type ofsequence attack. But the following example shows, that this minimization needn’t apply toall scenarios.
s_2 s_3 1.0 s_4 s_5 1.0
s_8 0.1
0.9s_1
0.5
0.5s_6 1.0 s_7 1.0 1.0 1.0
Figure 17: DTMC representing order based device reprogramming incl. other traffic - mergedIOAs
s_2 s_3 1.0 s_4 1.0 s_8
0.09 0.82
s_7 0.09s_5 1.0
s_1 1.0
0.33 0.67
s_6 1.0 1.0
Figure 18: DTMC representing order based device reprogramming incl. other traffic and aviolation - merged IOAs
Sequence attacks 31
o_A
c_A c_B
o_C
o_D
c_C
c_D
o_B
Figure 19: DTMC representing the system of four pipesLet a system consist of four pipes – A,B,C and D – that can be opened and closed. Initiallythey are all closed. Pipes C and D can be opened and closed at any time, while A and Balways follow the sequence: open A → close A → open B → close B. The resultingDTMC is shown in Fig. 19. It has 8 states in total and 17 transitions. The black states indicatethe sequence that the system must apply. oX stands for “open pipe X“ and c_X means “closepipe X“, whereby X ε {A, B, C,D}. A sequence attack by opening pipe B without closing pipeA first would be detected because of the missing transition. If we follow the minimization fromabove and merge all IOAs, the system would consist of two states. All opening commands aremerged together and all closing commands are merged together. Fig. 20 shows the resultingDTMC. oABCD stands for “open pipe A or B or C or D“ and c_ABCD means “close pipe Aor B or C or D“. Now the system can only distinguish between opening and closing any pipe.Since it was possible to open pipe C and directly open pipe D a self loop is attached to theopen command. The same applies to the close command. Now it is not possible to detect thesequence violation anymore since there exists a transition from open pipe A to open pipe B.This means a new minimization is needed in order to be able to detect this kind of attack.A slightly different minimization would be to merge only specific states. In this example thestates o_C and o_D are mereged as well as c_C and c_D. The corresponding DTMC isshown in Fig. 21. oCD stands for “open pipe C or D“ and c_CD means “close pipe C or D“.The resulting DTMC now has only 6 states and 10 transitions, but the attack scenario willstill be detected by the DTMC.This minimization can be applied to the “order based device programming“ example. Theresulting DTMC might look like Fig. 18, depending on which read commands would be merged.That minimization would not effect the detection of the sequence attack and still lead to a
32 Sequence attacks
o_ABCD
c_ABCD
Figure 20: DTMC representing the system of four pipes by merging all reading commandsand all closing commands
o_A
c_A c_B
o_CD
c_CD
o_B
Figure 21: DTMC representing the system of four pipes by merging some commandssmaller DTMC. This means, that the minimization depends strongly on the sequence attacksthat need to be detected.
Experiments and results 335 Experiments and results
This section discusses how the analysis of the data was realized and shows the results ofthe experiments. A brief instruction into the used tools is given and the software writtenfor the analysis is briefly explained. In addition, possible implementations of minimizationsare discussed. At last the tool is run against data of a company which provided real datafor this thesis. The differences between the original DTMC and its corresponding minimizedDTMC are shown. The traces the company provided didn’t include sequence attacks. Theywere clean traces with which one can train their IDS. The traces were not customized toinclude sequence attacks. Thus, the detection of sequence attacks using this approach andthe minimization is not discussed in this thesis.Chapter 5.1 briefly describes how the tool developed for the experiments was written. Italso explains how the graphs are to be interpreted. In Chapter 5.2 two approaches of howthe minimization can be implemented are described. Chapter 5.3 finally presents the resultsof the experiments. Non-minimized and minimized graphs are compared and discussed.
5.1 Implementation and representation of the graphs
The tool written for this thesis is based on the programming language python version 3.5. Itis a high level language and known to be good for rapid application developing. Furthermore,it is open source and has a large library of additional functionality that can be used withina project. The tool integrates two libraries: “pyshark“ [23] for reading the trace of packetsand performing a deep packet inspection and “digraph“ of the package “graphviz“ [24] forgenerating the graphs.Alg. 2 was implemented straightforward. There is no additional logic in creating thegraphs or generating the DTMC other than structuring the code to keep it readable. Foreasy identification of the entry to DTMC there is an “entry“ state at each graph, which islabeled “entry“ and marked with the color magenta. All other states are marked with col-ors as well. States with same colors indicate that they are bisimilar if the minimization -merging all IOAs - applies. Each state has multiple attributes listed. Direction indicateswhether the packet was a response or a request. The I indicates that the events representedby the state were ASDU-Type I events. The Type-ID is the type-id from the packet. The
ASDU-Addr shows the ASDU-address. IOAs shows the addressed IOAs. First Occuranceis the timestamp of the first occurrence of the event in the trace. Last occurance is the lastoccurence of such an event within the trace. Count is the number of events merged into thisstate.The transitions were labeled as well. There is a fraction and a number p ε ]0, 1]. The first
34 Experiments and resultsnumber of the fraction indicates how often this transition was used. The second number ofthe fraction indicates how many jumps in total were made from that state. The number p isthe probability, using that transition. The transition lines have different levels of thickness.The thicker a line is, the more likely it is to use that transition within the whole graph. It isnot leaned to the transition probability. Instead it is leaned to the number of jumps comparedto all jumps inside the graph. This way one can indicate the main path within the DTMC.5.2 Implementation of the minimization
The minimization was done in two ways. In case (i), the DTMC was built as described inAlg. 2 and afterwards be minimized step by step, which is described by Alg. 3. In case (ii),the DTMC was built using Alg. 2 with another abstraction of the definition state. Thereby astate was identified by only using its “Direction“, “Service“ and “ASDU address“. Both wayslead to the same result. In the following the two approaches are discussed in detail andbeforehand Alg. 3 - used by case (i) - is explained.Data: DTMCResult: minimized DTMC
1 repeat2 statesMerged ← False;3 foreach statep ε DTMC do4 foreach stateo ε DTMC do5 if statep == stateo then6 merge(statep, stateo);7 remove(stateo);8 statesMerged ← True;9 break;
10 end11 end12 if statesMerged == True; then13 break;14 end15 end16 until statesMerged == False;
Algorithm 3: Minimization of a DTMC step by stepAlg. 3 expects a DTMC as input and its output is a minimized DTMC. Line 1 till 16 forma loop which repeats until the variable “statesMerged“ equals “False“. In line 2 the variable
Experiments and results 35“statesMerged“ is set to “False“. Line 3 till 14 form a loop over all states of the DTMC. Astate inside the loop is referenced as statep. The p stands for “persistent“. Line 4 till 11 formanother loop over all states of the DTMC. This time a state is referenced as stateo, wherebythe o stands for “obsolete“. Inside both loops lines 5 till 10 form a conditional statement.If statep equals stateo in all atomic propositions, line 6, 7, 8 and 9 are executed. Theatomic propositions in this algorithm are: Request, Response, ASDU-Address, Type-Id andthe control field format. The IOAs are not part of the atomic propositions anymore. In line 6stateo is merged into statep. This means the counter of how often this state occurred needsto be set, the first and last occurrence for the median time calculation needs to be updated.This also implies the transitions. The source of every outgoing transition from stateo needsto be set to statep. If the transition already exists in statep it is updated, otherwise it isadded to statep. Also all incoming transition into stateo need to be redirected to statep.In this thesis the IOAs were merged as well, as shown in the graphs. In line 7 the obsoletestate stateo is deleted from the DTMC. Line 8 sets the variable “statesMerged“ to “True“.Line 9 consists of the simple statement to jump out of the inner loop. Line 12 and 14 form aconditional statement: If the variable “statesMerged“ equals “True“, then line 13 is executed.Line 13 jumps out of the second loop into the first loop. This means as long as one state canbe merged into another one, both inner loops are executed. Only one state is merged intoanother one at a time.
In case (i), Fig. 22 and Fig. 23 show how states can be merged together. Fig. 22 showsthe originating DTMC and Fig. 23 is the resulting DTMC after the minimization using Alg. 3.In the figures the colors show bisimular states that are equal. Both yellow states can bemerged together, since they equal in the atomic propositions of the minimization algorithm.During the merge, the outgoing transition of the upper yellow state into the other yellowstate results in a self-loop. The source of the outgoing transition of the lower yellow stateis set to the upper yellow state. Furthermore the first and last occurrences are adjusted andthe count of events in the lower state is added to the count of events of the upper state. Thisis one possible way of minimizing the DTMC.In case (ii), generating a minimized DTMC of the data, Alg. 2 is used for building theDTMC. Instead of identifying an event with the attributes Request, Response, ASDU-Address,IOAs, Type-Id and the control field format, it is identified using all the attributes but the IOAs.This is a variation of the identification of a state as explained in Alg. 2, where events withthe same atomic propositions are merged together. Using the same data as in case (i), theresulting DTMC is identical to Fig. 23. Therefore both ways lead to the same result butusing the method in case (i) may lead to unnecessary mistakes because of the extended logic.Thus, a minimization should be done from scratch using Alg. 2 and an appropriate abstractionof the atomic propositions used for the identification.
36 Experiments and results
Direction: RES --- I -- TypeID: 100ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:18:14Last occurance: 2011-07-01 00:38:00
Count: 147
Direction: REQ --- I -- TypeID: 103ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:41:40Last occurance: 2011-07-01 00:41:23
Count: 38
24/1470.163
Direction: REQ --- I -- TypeID: 100ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:18:15Last occurance: 2011-07-01 00:38:00
Count: 294
123/1470.837
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 132
IOA(s): ['1','2','201','202','203','205','3','4','5','6','8']
First occurance: 2011-06-30 00:18:15Last occurance: 2011-07-01 00:38:00
Count: 147
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 132IOA(s): ['1225']
First occurance: 2011-06-30 00:18:15Last occurance: 2011-07-01 00:38:00
Count: 147
147/1471.0
13/370.351
24/370.649
ENTRY
1/11.0
Direction: RES --- I -- TypeID: 103ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:41:40Last occurance: 2011-07-01 00:41:23
Count: 14
14/141.0
147/1471.0
133/2940.452
147/2940.5
14/2940.048
Figure 22: DTMC representing legit activities of device B over the period of one day
Experiments and results 37
Direction: RES --- I -- TypeID: 100ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:18:14Last occurance: 2011-07-01 00:38:00
Count: 147
Direction: REQ --- I -- TypeID: 103ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:41:40Last occurance: 2011-07-01 00:41:23
Count: 38
24/1470.163
Direction: REQ --- I -- TypeID: 100ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:18:15Last occurance: 2011-07-01 00:38:00
Count: 294
123/1470.837
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 132
IOA(s): ['1','1225','2','201','202','203','205','3','4','5','6','8']
First occurance: 2011-06-30 00:18:15Last occurance: 2011-07-01 00:38:00
Count: 294
147/2940.5
147/2940.5
13/370.351
24/370.649
ENTRY
1/11.0
Direction: RES --- I -- TypeID: 103ASDU-Addr: 132
IOA(s): ['0']First occurance: 2011-06-30 00:41:40Last occurance: 2011-07-01 00:41:23
Count: 14
14/141.0
133/2940.452
147/2940.5
14/2940.048
Figure 23: Minimized DTMC representing legit activities of device B over the period of oneday
38 Experiments and results5.3 Experiments on traces
Direction: REQ --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:41:47Last occurance: 2011-07-01 00:41:30
Count: 39
4/390.103
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8206']
First occurance: 2011-06-30 00:13:13Last occurance: 2011-07-01 00:44:38
Count: 229
2/390.051
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8197']
First occurance: 2011-06-30 00:09:53Last occurance: 2011-07-01 00:44:53
Count: 837
15/390.385
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8195']
First occurance: 2011-06-30 00:11:52Last occurance: 2011-07-01 00:45:15
Count: 294
3/390.077
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8201']
First occurance: 2011-06-30 00:15:38Last occurance: 2011-07-01 00:35:05
Count: 136
1/390.026
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8204']
First occurance: 2011-06-30 00:09:17Last occurance: 2011-07-01 00:11:10
Count: 238
6/390.154
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8196']
First occurance: 2011-06-30 00:09:31Last occurance: 2011-07-01 00:42:12
Count: 356
4/390.103
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8202']
First occurance: 2011-06-30 00:16:14Last occurance: 2011-06-30 23:51:53
Count: 82
3/390.077
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8207']
First occurance: 2011-06-30 00:26:40Last occurance: 2011-06-30 23:41:02
Count: 25
1/390.026
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','201','202','203','205','97','98','99']
First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 144
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170IOA(s): ['1225']
First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 147
141/1440.979
1/1440.007
1/1440.007
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170IOA(s): ['9253']
First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 147
1/1440.007
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8201']First occurance: 2011-06-30 01:03:35Last occurance: 2011-06-30 01:03:35
Count: 1
1/11.0
Direction: RES --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:41:47Last occurance: 2011-07-01 00:41:29
Count: 14
14/141.0
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69',
'8']First occurance: 2011-06-30 01:18:15Last occurance: 2011-06-30 09:58:11
Count: 3
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','201','202','203','205','70','71','72','73','74','75','76','77','78','79','80','81','82','83','84','85','86','87','88','89','90','91','92','93','94','95','96','97','98','99']
First occurance: 2011-06-30 01:18:15Last occurance: 2011-06-30 09:58:11
Count: 3
3/31.0
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208']
First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:02
Count: 147
147/1471.0
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273',
'9274','9275','9276','9277','9278','9279','9280']First occurance: 2011-06-30 00:18:17Last occurance: 2011-07-01 00:38:02
Count: 147
Direction: REQ --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:02
Count: 294
147/1471.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8197']First occurance: 2011-06-30 00:15:16Last occurance: 2011-06-30 23:49:18
Count: 10
Direction: RES --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 149
1/100.1
1/100.1
5/100.5
1/100.1
1/100.1
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8200']
First occurance: 2011-06-30 04:22:21Last occurance: 2011-06-30 12:51:22
Count: 5
1/100.1
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8205']First occurance: 2011-06-30 13:58:05Last occurance: 2011-06-30 13:58:05
Count: 1
1/11.0
Direction: RES --- I -- TypeID: 102ASDU-Addr: 170IOA(s): ['9253']
First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 147
147/1490.987
2/1490.013
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8205']First occurance: 2011-06-30 12:49:16Last occurance: 2011-06-30 12:49:16
Count: 1
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8193']
First occurance: 2011-06-30 00:12:34Last occurance: 2011-06-30 23:46:28
Count: 32
1/11.0
1/2290.004
1/2290.004
2/2290.009
1/2290.004
10/2290.044
76/2290.332
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8203']
First occurance: 2011-06-30 06:23:41Last occurance: 2011-06-30 23:35:15
Count: 6
1/2290.004
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8198']First occurance: 2011-06-30 03:22:02Last occurance: 2011-06-30 05:46:40
Count: 2
1/2290.004
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8204','8206']First occurance: 2011-06-30 09:34:50Last occurance: 2011-06-30 09:34:50
Count: 1
1/2290.004
33/2290.144
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8198']
First occurance: 2011-06-30 00:13:41Last occurance: 2011-07-01 00:40:35
Count: 77
30/2290.131
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8206']First occurance: 2011-06-30 09:33:58Last occurance: 2011-06-30 13:57:49
Count: 3
2/2290.009
16/2290.07
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8204','8206']First occurance: 2011-06-30 09:23:31Last occurance: 2011-06-30 09:23:31
Count: 1
1/2290.004
6/2290.026
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8201']First occurance: 2011-06-30 09:49:19Last occurance: 2011-06-30 09:49:19
Count: 1
1/2290.004
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8206','8207']First occurance: 2011-06-30 16:53:34Last occurance: 2011-06-30 16:53:34
Count: 1
1/2290.004
17/2290.074
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8206']First occurance: 2011-06-30 09:33:35Last occurance: 2011-06-30 11:45:40
Count: 5
1/2290.004
11/2290.048
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8198']First occurance: 2011-06-30 02:07:56Last occurance: 2011-06-30 02:07:56
Count: 1
1/2290.004
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8205']
First occurance: 2011-06-30 02:07:59Last occurance: 2011-07-01 00:41:03
Count: 31
3/2290.013
6/2290.026
4/2290.017
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8203','8206']First occurance: 2011-06-30 07:51:16Last occurance: 2011-06-30 07:51:16
Count: 1
1/2290.004
1/2290.004
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8206']First occurance: 2011-06-30 03:55:34Last occurance: 2011-06-30 03:55:34
Count: 1
1/11.0
1/60.167
4/60.667
1/60.167
2/21.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8197']First occurance: 2011-06-30 00:40:01Last occurance: 2011-06-30 22:31:57
Count: 13
1/130.077
1/130.077
1/130.077
8/130.615
1/130.077
1/130.077
1/11.0
6/8370.007
3/8370.004
1/8370.001
2/8370.002
43/8370.051
35/8370.042
2/8370.002
1/8370.001
332/8370.397
12/8370.014
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8201']First occurance: 2011-06-30 19:21:30Last occurance: 2011-06-30 19:21:30
Count: 1
1/8370.001
106/8370.127
45/8370.054
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8202']First occurance: 2011-06-30 18:22:42Last occurance: 2011-06-30 18:22:42
Count: 1
1/8370.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8205']First occurance: 2011-06-30 23:24:37Last occurance: 2011-06-30 23:24:37
Count: 1
1/8370.001
66/8370.079
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8204']First occurance: 2011-06-30 13:02:23Last occurance: 2011-06-30 17:45:31
Count: 2
2/8370.002
135/8370.161
3/8370.004
16/8370.019
5/8370.006
9/8370.011
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8196']First occurance: 2011-06-30 00:24:08Last occurance: 2011-06-30 20:54:17
Count: 14
8/8370.01
2/8370.002
1/770.013
5/770.065
14/770.182
11/770.143
5/770.065
5/770.065
3/770.039
4/770.052
4/770.052
8/770.104
7/770.091
5/770.065
2/770.026
2/770.026
1/770.013
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245',
'9246','9247','9248','9249','9250','9251','9252','9253','9254']First occurance: 2011-06-30 00:18:17Last occurance: 2011-07-01 00:38:02
Count: 147
147/1471.0
1/11.0
3/31.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8207']First occurance: 2011-07-01 00:38:00Last occurance: 2011-07-01 00:38:00
Count: 1
1/11.0
3/2930.01
3/2930.01
2/2930.007
21/2930.072
14/2930.048
1/2930.003
89/2930.304
6/2930.02
7/2930.024
16/2930.055
31/2930.106
81/2930.276
1/2930.003
3/2930.01
9/2930.031
1/2930.003
5/2930.017
1/11.0
2/1470.014
1/1470.007
144/1470.98
3/1360.022
1/1360.007
10/1360.074
7/1360.051
1/1360.007
1/1360.007
34/1360.25
4/1360.029
1/1360.007
17/1360.125
3/1360.022
19/1360.14
23/1360.169
5/1360.037
2/1360.015
4/1360.029
1/1360.007
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88',
'89','90','91','92','93','94','95','96']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 144
144/1441.0
1/11.0
1/11.0
147/1471.0
ENTRY
1/11.0
1/11.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8205','8206']First occurance: 2011-06-30 05:18:10Last occurance: 2011-06-30 05:18:10
Count: 1
1/11.0
1/11.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8204']First occurance: 2011-06-30 17:56:52Last occurance: 2011-06-30 17:56:52
Count: 1
1/11.0
2/2380.008
1/2380.004
1/2380.004
1/2380.004
22/2380.092
23/2380.097
1/2380.004
2/2380.008
1/2380.004
79/2380.332
2/2380.008
15/2380.063
15/2380.063
16/2380.067
26/2380.109
1/2380.004
26/2380.109
1/2380.004
1/2380.004
2/2380.008
1/20.5
1/20.5
1/50.2
4/50.8
3/31.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8204','8205']First occurance: 2011-06-30 12:51:16Last occurance: 2011-06-30 12:51:16
Count: 1
1/11.0
2/3560.006
1/3560.003
3/3560.008
1/3560.003
19/3560.053
16/3560.045
7/3560.02
120/3560.337
4/3560.011
1/3560.003
100/3560.281
22/3560.062
31/3560.087
18/3560.051
2/3560.006
7/3560.02
1/3560.003
1/3560.003
1/11.0
1/2940.003
16/2940.054
1/2940.003
66/2940.224
2/2940.007
5/2940.017
11/2940.037
1/2940.003
19/2940.065
21/2940.071
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8204']First occurance: 2011-06-30 09:39:23Last occurance: 2011-06-30 09:39:23
Count: 1
1/2940.003
1/2940.003
146/2940.497
2/2940.007
1/2940.003
1/11.0
1/310.032
2/310.065
1/310.032
5/310.161
1/310.032
4/310.129
2/310.065
1/310.032
2/310.065
1/310.032
4/310.129
4/310.129
2/310.065
1/310.032
3/1470.02
1/1470.007
143/1470.973
2/820.024
1/820.012
8/820.098
5/820.061
21/820.256
3/820.037
7/820.085
4/820.049
1/820.012
14/820.171
11/820.134
2/820.024
2/820.024
1/820.012
1/250.04
2/250.08
3/250.12
6/250.24
1/250.04
3/250.12
2/250.08
2/250.08
2/250.08
1/250.04
1/250.04
1/250.04
1/11.0
1/320.031
1/320.031
4/320.125
11/320.344
2/320.062
1/320.031
1/320.031
1/320.031
3/320.094
2/320.062
1/320.031
3/320.094
1/320.031
1/140.071
6/140.429
2/140.143
5/140.357
1/50.2
1/50.2
1/50.2
1/50.2
1/50.2
Figure 24: DTMC representing legit activities of device A over the period of one dayIn order to demonstrate the advantages of the minimization, an experiment was created.In this experiment graphs with and without minimization were build, using the same data.The minimization used in this experiment was merging all IOAs together, thus identifying astate by all attributes but the IOAs. A possible application for this minimization was givenin Sec. 4. The resulting DTMC for a given trace from a company over a period of one dayfor one particular device A looks like Fig. 24. Although the period of time is still small fora training DTMC, the resulting graph is complex. It already consists of 52 states and 282transitions. Executing the algorithm on the same data by merging the IOAs results in thegraph represented by Fig. 25. The graph now consists of 8 states and 23 transitions. Forthe states this is a reduction of approximately 84% and for the transitions of approximately
Experiments and results 3991%. This is a significant reduction of the state space.
Direction: REQ --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:02
Count: 294
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8195','8196','8197','8198','8200','8201','8202','8203','8204','8205','8206','8207']
First occurance: 2011-06-30 00:09:17Last occurance: 2011-07-01 00:45:15
Count: 2415
147/2940.5
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','1225','201','202','203','205','41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88','89','90','91','92','93','94','95','96','97','98',
'99']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 441
1/2940.003
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208','9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245','9246','9247','9248','9249','9250','9251','9252','9253','9254','9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273','9274','9275','9276','9277','9278','9279',
'9280']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:02
Count: 588
146/2940.497
1/24140.0
2229/24140.923
2/24140.001
Direction: RES --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:41:47Last occurance: 2011-07-01 00:41:29
Count: 14
14/24140.006
Direction: RES --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 149
147/24140.061
Direction: REQ --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-30 00:41:47Last occurance: 2011-07-01 00:41:30
Count: 39
21/24140.009
2/4410.005
291/4410.66
148/4410.336
14/141.0
ENTRY
1/11.0
Direction: RES --- I -- TypeID: 102ASDU-Addr: 170IOA(s): ['9253']
First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01
Count: 147
144/1470.98
1/1470.007
2/1470.014
2/1490.013
147/1490.987
35/390.897
4/390.103
147/5880.25
147/5880.25
294/5880.5
Figure 25: DTMC representing legit activities of device A over the period of one day usingthe minimization
40 Experiments and resultsComparing the reduction on a trace of a complete week, the reduction is even moresignificant. Fig. 26 shows the graph representing the trace of one week. It consists of 81states and 579 transitions. The related graph generated using the minimization is shownin Fig. 27. It only consists of 10 states and 36 transitions. This complies a reduction ofapproximately 88% for the states and approximately 94% for the transitions. This approachis promising regarding the possible reduction of the state space. However it may not alwaysbe possible to detect every sequence attack one wants to look at. Since the detection ofsequence attacks is the essential part of the IDS, another approximation may be used.
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8204']
First occurance: 2011-06-27 01:02:42Last occurance: 2011-07-04 00:24:28
Count: 1448
85/14480.059
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8201']First occurance: 2011-06-27 04:06:27Last occurance: 2011-07-02 20:34:48
Count: 6
1/14480.001
Direction: RES --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 02:42:28Last occurance: 2011-07-03 23:40:50
Count: 84
8/14480.006
Direction: REQ --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 01:43:36Last occurance: 2011-07-03 23:40:50
Count: 251
14/14480.01
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8206']
First occurance: 2011-06-27 02:18:12Last occurance: 2011-07-04 00:28:39
Count: 1625
112/14480.077
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8195']
First occurance: 2011-06-27 01:02:55Last occurance: 2011-07-04 00:28:28
Count: 2001
114/14480.079
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8198']
First occurance: 2011-06-27 01:08:27Last occurance: 2011-07-04 00:18:12
Count: 399
13/14480.009
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8193']
First occurance: 2011-06-27 03:33:09Last occurance: 2011-07-04 00:20:20
Count: 276
19/14480.013
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8197']First occurance: 2011-06-27 01:21:22Last occurance: 2011-07-04 00:12:16
Count: 60
6/14480.004
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8207']
First occurance: 2011-06-27 07:45:09Last occurance: 2011-07-04 00:19:30
Count: 670
44/14480.03
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8197']First occurance: 2011-06-27 09:01:58Last occurance: 2011-07-03 20:14:07
Count: 68
5/14480.003
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8197']
First occurance: 2011-06-27 00:58:37Last occurance: 2011-07-04 00:29:13
Count: 6168
502/14480.347
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8205']
First occurance: 2011-06-27 04:03:50Last occurance: 2011-07-03 06:41:19
Count: 120
4/14480.003
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8203']
First occurance: 2011-06-27 15:55:18Last occurance: 2011-07-03 23:04:11
Count: 51
9/14480.006
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8196']First occurance: 2011-06-27 02:00:53Last occurance: 2011-07-04 00:18:29
Count: 71
7/14480.005
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8201']
First occurance: 2011-06-27 01:04:55Last occurance: 2011-07-03 23:01:15
Count: 606
60/14480.041
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170IOA(s): ['1225']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 1006
1/14480.001
Direction: RES --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 1008
135/14480.093
Direction: REQ --- I -- TypeID: 30ASDU-Addr: 170
IOA(s): ['58']First occurance: 2011-06-27 02:05:50Last occurance: 2011-06-29 04:47:23
Count: 440
1/14480.001
Direction: REQ --- I -- TypeID: 30ASDU-Addr: 170IOA(s): ['54','58']
First occurance: 2011-06-28 02:54:27Last occurance: 2011-06-29 04:35:23
Count: 44
1/14480.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8202']First occurance: 2011-06-28 20:47:02Last occurance: 2011-07-03 19:51:55
Count: 6
2/14480.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8206']First occurance: 2011-06-27 06:52:32Last occurance: 2011-07-03 03:19:20
Count: 7
3/14480.002
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8202']
First occurance: 2011-06-27 01:02:58Last occurance: 2011-07-04 00:05:54
Count: 477
129/14480.089
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8196']
First occurance: 2011-06-27 00:58:01Last occurance: 2011-07-04 00:29:15
Count: 2416
172/14480.119
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8201','8206']First occurance: 2011-06-28 19:43:58Last occurance: 2011-06-29 13:24:44
Count: 3
1/14480.001
2/60.333
4/60.667
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245',
'9246','9247','9248','9249','9250','9251','9252','9253','9254']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18
Count: 1006
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273',
'9274','9275','9276','9277','9278','9279','9280']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18
Count: 1006
1006/10061.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8207']First occurance: 2011-07-01 00:38:00Last occurance: 2011-07-03 15:29:33
Count: 4
1/40.25
2/40.5
1/40.25
84/841.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8205']First occurance: 2011-07-01 04:06:17Last occurance: 2011-07-01 04:06:17
Count: 1
1/11.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8205']First occurance: 2011-06-27 13:35:08Last occurance: 2011-07-01 10:51:17
Count: 2
1/20.5
1/20.5
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8201','8204']First occurance: 2011-06-28 16:06:58Last occurance: 2011-07-03 22:32:07
Count: 3
1/30.333
1/30.333
1/30.333
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8204']First occurance: 2011-06-28 20:02:58Last occurance: 2011-06-30 09:39:23
Count: 4
1/40.25
1/40.25
2/40.5
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8206','8207']First occurance: 2011-06-30 16:53:34Last occurance: 2011-07-03 19:34:14
Count: 6
1/60.167
3/60.5
1/60.167
1/60.167
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8206']First occurance: 2011-07-03 16:15:14Last occurance: 2011-07-03 21:42:22
Count: 2
2/21.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8204','8206']First occurance: 2011-06-30 09:34:50Last occurance: 2011-07-03 15:46:07
Count: 5
3/50.6
1/50.2
1/50.2
19/2510.076
1/2510.004
35/2510.139
15/2510.06
19/2510.076
3/2510.012
2/2510.008
4/2510.016
2/2510.008
89/2510.355
1/2510.004
1/2510.004
11/2510.044
11/2510.044
37/2510.147
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8205']First occurance: 2011-06-30 13:58:05Last occurance: 2011-07-04 00:18:31
Count: 3
1/2510.004
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88',
'89','90','91','92','93','94','95','96']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 975
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','201','202','203','205','97','98','99']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 973
973/9750.998
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['97','98','99']First occurance: 2011-07-01 03:18:00Last occurance: 2011-07-01 03:57:59
Count: 2
2/9750.002
Direction: RES --- I -- TypeID: 102ASDU-Addr: 170IOA(s): ['9253']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 858
3/8580.003
1/8580.001
3/8580.003
1/8580.001
2/8580.002
Direction: REQ --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18
Count: 2012
847/8580.987
1/8580.001
112/16250.069
2/16250.001
8/16250.005
1/16250.001
1/16250.001
1/16250.001
2/16250.001
2/16250.001
2/16250.001
10/16250.006
621/16250.382
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8201']First occurance: 2011-06-28 14:44:22Last occurance: 2011-06-28 14:44:22
Count: 1
1/16250.001
73/16250.045
185/16250.114
17/16250.01
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8198']First occurance: 2011-06-27 23:08:21Last occurance: 2011-07-01 14:32:56
Count: 5
1/16250.001
2/16250.001
32/16250.02
3/16250.002
291/16250.179
15/16250.009
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8207']First occurance: 2011-07-03 01:34:32Last occurance: 2011-07-03 01:34:32
Count: 1
1/16250.001
5/16250.003
30/16250.018
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8206']First occurance: 2011-07-01 03:45:59Last occurance: 2011-07-02 12:29:19
Count: 3
1/16250.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8196']First occurance: 2011-06-27 10:13:34Last occurance: 2011-07-01 21:06:15
Count: 2
1/16250.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8204']First occurance: 2011-06-27 04:14:01Last occurance: 2011-07-03 15:56:46
Count: 12
2/16250.001
1/16250.001
65/16250.04
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8206']First occurance: 2011-06-27 09:48:13Last occurance: 2011-07-03 15:34:38
Count: 19
4/16250.002
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8199']
First occurance: 2011-06-27 08:59:47Last occurance: 2011-06-29 12:10:39
Count: 28
1/16250.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8201']First occurance: 2011-06-27 01:15:55Last occurance: 2011-06-30 09:49:19
Count: 2
1/16250.001
2/16250.001
26/16250.016
94/16250.058
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8198']First occurance: 2011-06-30 02:07:56Last occurance: 2011-06-30 02:07:56
Count: 1
1/16250.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8204','8206']First occurance: 2011-06-30 09:23:31Last occurance: 2011-06-30 09:23:31
Count: 1
1/16250.001
2/16250.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8206']First occurance: 2011-06-27 02:38:42Last occurance: 2011-07-03 00:22:19
Count: 12
3/16250.002
1/16250.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8203','8206']First occurance: 2011-06-30 07:51:16Last occurance: 2011-07-01 08:11:22
Count: 2
1/16250.001
1/11.0
164/20010.082
10/20010.005
1/20010.0
18/20010.009
116/20010.058
42/20010.021
23/20010.011
21/20010.01
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18
Count: 1006
1/20010.0
2/20010.001
34/20010.017
23/20010.011
673/20010.336
8/20010.004
4/20010.002
3/20010.001
79/20010.039
2/20010.001
Direction: REQ --- I -- TypeID: 30ASDU-Addr: 170
IOA(s): ['54']First occurance: 2011-06-28 02:54:31Last occurance: 2011-06-29 04:35:38
Count: 276
5/20010.002
130/20010.065
3/20010.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8204','8207']First occurance: 2011-07-03 07:03:57Last occurance: 2011-07-03 07:03:57
Count: 1
1/20010.0
4/20010.002
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8202','8204']First occurance: 2011-07-01 14:13:40Last occurance: 2011-07-02 11:02:36
Count: 3
1/20010.0
1/20010.0
3/20010.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8208']
First occurance: 2011-06-27 02:37:54Last occurance: 2011-06-29 01:58:03
Count: 8
1/20010.0
1/20010.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8197','8207']First occurance: 2011-07-03 23:19:58Last occurance: 2011-07-03 23:19:58
Count: 1
1/20010.0
49/20010.024
573/20010.286
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8198']First occurance: 2011-07-03 06:41:05Last occurance: 2011-07-03 06:41:05
Count: 1
1/20010.0
1/20010.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8196','8197']First occurance: 2011-06-27 11:40:02Last occurance: 2011-07-02 23:51:16
Count: 4
1/20010.0
1/20010.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8198','8201','8206']First occurance: 2011-07-01 02:40:28Last occurance: 2011-07-01 02:40:28
Count: 1
1/11.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8197','8204']First occurance: 2011-06-29 09:52:50Last occurance: 2011-06-29 09:52:50
Count: 1
1/11.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8197','8204','8205']First occurance: 2011-06-30 12:51:16Last occurance: 2011-06-30 12:51:16
Count: 1
1/11.0
31/3990.078
2/3990.005
1/3990.003
1/3990.003
2/3990.005
77/3990.193
26/3990.065
14/3990.035
15/3990.038
1/3990.003
22/3990.055
2/3990.005
86/3990.216
33/3990.083
2/3990.005
2/3990.005
9/3990.023
22/3990.055
4/3990.01
1/3990.003
1/3990.003
11/3990.028
28/3990.07
5/3990.013
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170IOA(s): ['8200']
First occurance: 2011-06-28 02:27:05Last occurance: 2011-07-04 00:21:50
Count: 16
1/3990.003
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','201','202','203','205','70','71','72','73','74','75','76','77','78','79','80','81','82','83','84','85','86','87','88','89','90','91','92','93','94','95','96','97','98','99']
First occurance: 2011-06-27 02:38:59Last occurance: 2011-07-03 22:27:20
Count: 31
31/311.0
13/2760.047
1/2760.004
17/2760.062
13/2760.047
10/2760.036
64/2760.232
16/2760.058
1/2760.004
74/2760.268
11/2760.04
1/2760.004
3/2760.011
3/2760.011
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8205','8206']First occurance: 2011-06-30 05:18:10Last occurance: 2011-06-30 05:18:10
Count: 1
1/2760.004
1/2760.004
21/2760.076
1/2760.004
4/2760.014
20/2760.072
1/2760.004
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','201','202','203','205']First occurance: 2011-07-01 03:18:00Last occurance: 2011-07-01 03:57:59
Count: 2
2/21.0
1/50.2
1/50.2
1/50.2
2/50.4
1006/10061.0
1006/10061.0
5/600.083
1/600.017
1/600.017
1/600.017
1/600.017
1/600.017
1/600.017
1/600.017
12/600.2
1/600.017
1/600.017
3/600.05
31/600.517
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8204']First occurance: 2011-06-30 13:02:23Last occurance: 2011-06-30 17:45:31
Count: 2
1/20.5
1/20.5
51/6700.076
2/6700.003
5/6700.007
3/6700.004
6/6700.009
38/6700.057
28/6700.042
10/6700.015
14/6700.021
3/6700.004
279/6700.416
1/6700.001
111/6700.166
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8207']First occurance: 2011-07-03 02:25:02Last occurance: 2011-07-03 02:25:02
Count: 1
1/6700.001
9/6700.013
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8207']First occurance: 2011-06-28 05:05:09Last occurance: 2011-07-02 09:00:35
Count: 2
1/6700.001
1/6700.001
4/6700.006
16/6700.024
25/6700.037
1/6700.001
9/6700.013
51/6700.076
1/6700.001
1/9730.001
1/9730.001
2/9730.002
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170IOA(s): ['9253']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 858
3/9730.003
963/9730.99
3/9730.003
6/680.088
1/680.015
5/680.074
29/680.426
1/680.015
3/680.044
10/680.147
3/680.044
5/680.074
2/680.029
2/680.029
1/680.015
473/61680.077
2/61680.0
1/61680.0
25/61680.004
1/61680.0
44/61680.007
286/61680.046
780/61680.126
65/61680.011
62/61680.01
2/61680.0
2/61680.0
9/61680.001
2/61680.0
98/61680.016
16/61680.003
2488/61680.403
18/61680.003
1/61680.0
14/61680.002
42/61680.007
204/61680.033
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8205']First occurance: 2011-06-30 12:49:16Last occurance: 2011-07-03 18:39:46
Count: 2
1/61680.0
5/61680.001
8/61680.001
2/61680.0
333/61680.054
7/61680.001
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8205']First occurance: 2011-06-30 23:24:37Last occurance: 2011-06-30 23:24:37
Count: 1
1/61680.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8207']First occurance: 2011-06-28 03:55:41Last occurance: 2011-06-28 03:55:41
Count: 1
1/61680.0
26/61680.004
2/61680.0
2/61680.0
3/61680.0
4/61680.001
2/61680.0
2/61680.0
1/61680.0
106/61680.017
1018/61680.165
1/61680.0
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8197']First occurance: 2011-06-29 15:10:45Last occurance: 2011-07-02 16:55:32
Count: 2
2/61680.0
6/61680.001
1/11.0
10/1200.083
2/1200.017
3/1200.025
13/1200.108
7/1200.058
1/1200.008
12/1200.1
6/1200.05
1/1200.008
16/1200.133
22/1200.183
4/1200.033
4/1200.033
1/1200.008
7/1200.058
1/1200.008
4/1200.033
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8195','8201']First occurance: 2011-06-29 00:37:40Last occurance: 2011-06-30 01:03:35
Count: 3
1/1200.008
5/1200.042
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69',
'8']First occurance: 2011-06-27 02:38:59Last occurance: 2011-07-03 22:27:20
Count: 31
31/311.0
1/11.0
1/20.5
1/20.5
5/510.098
4/510.078
6/510.118
21/510.412
3/510.059
3/510.059
1/510.02
3/510.059
5/510.098
11/710.155
1/710.014
2/710.028
5/710.07
1/710.014
1/710.014
2/710.028
1/710.014
1/710.014
33/710.465
3/710.042
5/710.07
1/710.014
3/710.042
1/710.014
73/6060.12
1/6060.002
5/6060.008
1/6060.002
9/6060.015
39/6060.064
52/6060.086
10/6060.017
8/6060.013
3/6060.005
11/6060.018
1/6060.002
210/6060.347
3/6060.005
2/6060.003
3/6060.005
20/6060.033
1/6060.002
47/6060.078
1/6060.002
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8196','8202']First occurance: 2011-06-29 19:00:36Last occurance: 2011-06-29 19:00:36
Count: 1
1/6060.002
5/6060.008
1/6060.002
1/6060.002
19/6060.031
79/6060.13
1/30.333
2/30.667
1/11.0
1/20.5
1/20.5
1/20.5
1/20.5
828/8580.965
27/8580.031
3/8580.003
5/120.417
1/120.083
2/120.167
1/120.083
3/120.25
1/2760.004
9/2760.033
1/2760.004
191/2760.692
52/2760.188
16/2760.058
6/2760.022
ENTRY
1/11.0
Direction: REQ --- I -- TypeID: 30ASDU-Addr: 170
IOA(s): ['101','102']First occurance: 2011-06-29 04:19:19Last occurance: 2011-06-29 04:19:20
Count: 2
1/20.5
1/20.5
1/10060.001
1002/10060.996
2/10060.002
1/10060.001
858/10080.851
1/10080.001
1/10080.001
1/10080.001
147/10080.146
1/190.053
12/190.632
2/190.105
1/190.053
1/190.053
2/190.105
1/11.0
1/11.0
1/11.0
1/11.0
1/4400.002
1/4400.002
3/4400.007
1/4400.002
1/4400.002
1/4400.002
1/4400.002
37/4400.084
4/4400.009
48/4400.109
3/4400.007
324/4400.736
13/4400.03
2/4400.005
1/440.023
1/440.023
17/440.386
13/440.295
12/440.273
1/30.333
1/30.333
1/30.333
1/280.036
5/280.179
2/280.071
19/280.679
1/280.036
128/20120.064
3/20120.001
1/20120.0
6/20120.003
147/20120.073
90/20120.045
39/20120.019
1/20120.0
3/20120.001
12/20120.006
8/20120.004
33/20120.016
8/20120.004
489/20120.243
1/20120.0
4/20120.002
3/20120.001
46/20120.023
855/20120.425
1/20120.0
1/20120.0
1/20120.0
3/20120.001
3/20120.001
1/20120.0
16/20120.008
106/20120.053
3/20120.001
2/60.333
2/60.333
2/60.333
1/80.125
2/80.25
3/80.375
1/80.125
1/80.125
1/20.5
1/20.5
1/11.0
3/70.429
3/70.429
1/70.143
81/4770.17
2/4770.004
1/4770.002
7/4770.015
37/4770.078
40/4770.084
7/4770.015
3/4770.006
4/4770.008
1/4770.002
156/4770.327
2/4770.004
2/4770.004
16/4770.034
1/4770.002
40/4770.084
1/4770.002
30/4770.063
45/4770.094
1/4770.002
2/21.0
175/24150.072
10/24150.004
1/24150.0
1/24150.0
9/24150.004
114/24150.047
708/24150.293
24/24150.01
26/24150.011
24/24150.01
59/24150.024
5/24150.002
805/24150.333
8/24150.003
11/24150.005
91/24150.038
2/24150.001
2/24150.001
5/24150.002
3/24150.001
155/24150.064
2/24150.001
5/24150.002
1/24150.0
1/24150.0
1/24150.0
53/24150.022
110/24150.046
1/24150.0
2/24150.001
1/24150.0
1/11.0
1/11.0
1/11.0
1/30.333
1/30.333
1/30.333
2/120.167
5/120.417
2/120.167
1/120.083
1/120.083
1/120.083
1/30.333
1/30.333
1/30.333
1/20.5
1/20.5
1/30.333
1/30.333
1/30.333
2/160.125
2/160.125
1/160.062
1/160.062
1/160.062
2/160.125
1/160.062
1/160.062
2/160.125
3/160.188
1/40.25
2/40.5
1/40.25
2/21.0
Figure 26: DTMC representing legit activities of device A over the period of one week
Experiments and results 41
Direction: REQ --- I -- TypeID: 34ASDU-Addr: 170
IOA(s): ['8193','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208']First occurance: 2011-06-27 00:58:01Last occurance: 2011-07-04 00:29:15
Count: 16650
15349/166490.922
Direction: RES --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 1008
1002/166490.06
Direction: REQ --- I -- TypeID: 100ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18
Count: 2012
12/166490.001
Direction: REQ --- I -- TypeID: 1ASDU-Addr: 170
IOA(s): ['100','101','102','103','104','1225','201','202','203','205','41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88',
'89','90','91','92','93','94','95','96','97','98','99']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 3020
7/166490.0
Direction: REQ --- I -- TypeID: 30ASDU-Addr: 170
IOA(s): ['101','102','54','58']First occurance: 2011-06-27 02:05:50Last occurance: 2011-06-29 04:47:23
Count: 762
69/166490.004
Direction: RES --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 02:42:28Last occurance: 2011-07-03 23:40:50
Count: 84
81/166490.005
Direction: REQ --- I -- TypeID: 9ASDU-Addr: 170
IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208','9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245','9246','9247','9248','9249','9250','9251','9252','9253','9254','9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273','9274','9275','9276','9277','9278','9279',
'9280']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18
Count: 3876
3/166490.0
Direction: REQ --- I -- TypeID: 103ASDU-Addr: 170
IOA(s): ['0']First occurance: 2011-06-27 01:43:36Last occurance: 2011-07-03 23:40:50
Count: 251
126/166490.008
Direction: RES --- I -- TypeID: 102ASDU-Addr: 170IOA(s): ['9253']
First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17
Count: 858
9/8580.01
2/8580.002
847/8580.987
3/10080.003
858/10080.851
147/10080.146
991/20120.493
1/20120.0
151/20120.075
5/20120.002
3/20120.001
855/20120.425
6/20120.003
ENTRY
1/11.0
10/30200.003
2004/30200.664
1/30200.0
1005/30200.333
71/7620.093
3/7620.004
687/7620.902
1/7620.001
84/841.0
1006/38760.26
858/38760.221
2012/38760.519
216/2510.861
35/2510.139
Figure 27: Minimized DTMC representing legit activities of device A over the period of oneweek
42 Experiments and resultsThe results from above are experiments on two traces. In order to be able to give rea-sonable statements, more real data needs to be tested. This was done in the following. Thetool was run to create a DTMC without and with minimization. In both cases the states andthe transitions were counted and the results are shown in Tab. 1, Tab. 2 and Tab. 3. Sevendevices were chosen by random. For each device the test was run using a timeinterval ofone hour, one day and one week. The column Label is the label of the trace. Columns
States and Transitions list the states and transitions for a given trace without minimization.The Columns StatesM and T ransitionsM list the states and the transitions for the corre-sponding minimized DTMC. σ represents the fraction StatesMStates and τ represents the fraction
T ransitionsMT ransitions . Thus, the last two columns show the level of minimization. The smaller the levelof minimization, the more effective the algorithm worked.
It is to mention, that the time needed for the generation of a DTMC only depends onthe count of packets within a given trace. The more packets to analyse, the more time thegeneration of the DTMC takes. The connection is linear. The tool written for this thesiswas using a single core of one cpu only. On an Intel Xeon E312xx (Sandy Bridge) with afrequency of 2Ghz the analysis of a trace with 33166 packets needed approximately 141 sec.The number of packets does not contain any information about the time interval of the trace.There are devices with a lot of communication and devices with less communication. A tracecontaining all the communication within one facility in the company over the time interval ofone hour had around 1.400.000 packets. The analysis of this trace took slightly more thanone hour. The most time consuming part in this algorithm is the analysis of the packet itself.In addition, a not irrelevant part of constructing the DTMC needs to be taken into account.As the runtime optimization was not part of this thesis, further adjustments on the algorithmneed to be considered for real time application. This includes speeding up the deep packetinspection as shown in [25] and possible optimization of the code.Tab. 1, Tab. 2 and Tab. 3 show that the minimization can lead to significant improvement,but there still remain cases for which the chosen minimization is not that effective. Asexpected, more states and transitions give more possibilities for minimization. Additionaly,improvements can be seen when comparing the effectivity of one week to one hour.In summary, the results presented show that the approach of minimization can lead to greatimprovements and should be considered when using DTMCs for the detection of sequenceattacks.
Experiments and results 43
Label States Transitions StatesM T ransitionsM σ τA 27 70 9 16 0.33 0.23B 7 11 6 11 0.86 1.0C 20 34 10 20 0.5 0.59D 12 17 9 16 0.75 0.94E 11 16 7 12 0.64 0.75F 25 44 11 23 0.44 0.52G 10 14 8 14 0.8 1.0Table 1: Results using a timeinterval of one hour
Label States Transitions StatesM T ransitionsM σ τA 52 282 8 23 0.15 0.08B 7 11 6 11 0.86 1.0C 28 85 10 33 0.36 0.39D 15 33 9 21 0.6 0.64E 11 19 7 14 0.64 0.74F 34 92 11 30 0.32 0.33G 13 26 8 21 0.62 0.81Table 2: Results using a timeinterval of one day
Label States Transitions StatesM T ransitionsM σ τA 81 579 10 36 0.12 0.06B 7 12 6 12 0.86 1.0C 67 185 12 44 0.18 0.24D 36 84 12 37 0.33 0.44E 11 24 7 16 0.64 0.67F 73 238 11 48 0.15 0.2G 13 31 8 24 0.62 0.77Table 3: Results using a timeinterval of one week
44 Summary and conclusion6 Summary and conclusion
SCADA networks controlling often critical infrastructures are increasingly a subject to cyberattacks. One of the promising methods for improving the security of SCADA networks is theuse of intrusion detection systems. This thesis has investigated the approach of [4] and triedto improve it. For this reason, this thesis first introduced SCADA system and the relatedhard- and software components. The IEC-104 protocol, one of the important protocols usedwithin SCADA networks, was then discussed. Regarding the security of these networks, theterm IDS was explained. Several approaches to intrusion detection were discussed and itwas shown, that these approaches aim at a specific and not always the same goal. This wasfollowed by the introduction of sequence attacks. Chapter three gave an introduction intothe underlying structures of this thesis and its approach to build an IDS. The question whya minimization may be interesting and how a minimization in general works were explained.The representation of sequences in a DTMC is an essential step in this work and was dis-cussed in Sec. 3.4. Furthermore, an algorithm was provided, that builds a DTMC out of asequence. Sec. 3.3 addressed the sequence attacks and how to detect them using a DTMC. Inaddition, possible minimizations were shown as well as some problems regarding sequenceattacks and DTMCs. Finally, Sec. 5 presented results of one possible minimization, usingreal data from a company.Marco Caselli et al. showed that it is possible to detect sequence attacks within SCADAnetworks regarding the IEC-104 protocol [4]. They used a DTMC to model the commu-nication between two devices and anlyzed the resulting structure. This thesis took up theapproach and went one step further. The structure was minimized in order to handle thestate space explosion problem. It was shown that a significant minimization of the DTMCis possible, while still be able to detect the appropriate sequence attack. We were able toreduce the state space of a DTMC describing sequences from a week by over 80% and thetransitions by over 90%. This shows the potential of this approach and was the main aim ofthis work.Nevertheless, it was also shown that the minimization strongly depends on the attackscenario that should be identified, thus each attack scenario needs its own minimization.In order to find a suitable minimization that detects all attack scenarios, one first needs todescribe each minimization for each attack scenario on its own. Afterwards, these minimiza-tions need to be merged into one. It might happen that the minimizations cannot be merged.In that case there does not exist a minimization for that configuration. Furthermore, thisthesis showed that using a DTMC for the detection of sequence attacks lacks an identifica-tion problem. Not all kinds of sequence attacks are possible to describe within a DTMC,since some sequence attacks depend on more than just one time step. Furthermore, some
Summary and conclusion 45of the sequence attacks need precise physical description since some processes like “waterhammer“ strongly depend on the underlying physical process. For precise statements the fre-quence is essential and this may differ, depending if the target is a pipe, a tank or somethingelse. Nevertheless, it is possible with this approach to detect some kinds of sequence attacks.
There is still space for further research, especially the structure which is used to modelthe sequences. It may not be practical to find a new minimization for each device and attackscenario for companies with large installations. Future research may therefore focus onfinding other approaches, that allow faster analysis out of the box. This faces especially theproblem of the expense used to find appropriate minimizations. Upon that, further researchmay also find other approaches that focus on detecting sequence attacks, which depend onmore than one time step. Moreover this thesis didn’t investigate in detecting real sequenceattacks within network traces. Thus, further research may also focus on detecting attacks onreal network traffic. In addition it is worth investigating research in finding out how muchtime can be saved using these minimizations in order to detect sequence attacks.
46 List of FiguresList of Figures
1 Architecture of a SCADA system [8] . . . . . . . . . . . . . . . . . . . . . . . . . 52 Telegram format with variable length (I-format) [10] . . . . . . . . . . . . . . . 63 Structure of the ASDU [10] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Integration of an network based IDS [13] . . . . . . . . . . . . . . . . . . . . . 115 Initial situation of the person in a room [17] . . . . . . . . . . . . . . . . . . . . 156 DTMC representing the person in a corner example [17] . . . . . . . . . . . . 167 DTMC with non-reachable states . . . . . . . . . . . . . . . . . . . . . . . . . . 178 DTMC representing the simple pipe example . . . . . . . . . . . . . . . . . . . 249 DTMC with a violation compared to Fig. 8 by using a non-existing transition 2510 DTMC with a violation compared to Fig. 8 by accessing a non-existent state 2511 DTMC with a violation compared to Fig. 8 by using a transition too frequently 2612 DTMC representing a general limitation . . . . . . . . . . . . . . . . . . . . . . 2713 Order based device reprogramming . . . . . . . . . . . . . . . . . . . . . . . . . 2814 Compromised order based device reprogramming . . . . . . . . . . . . . . . . . 2915 DTMC representing order based device reprogramming incl. other traffic . . 2916 DTMC representing order based device reprogramming incl. other traffic anda violation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2917 DTMC representing order based device reprogramming incl. other traffic -merged IOAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3018 DTMC representing order based device reprogramming incl. other traffic anda violation - merged IOAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3019 DTMC representing the system of four pipes . . . . . . . . . . . . . . . . . . . 3120 DTMC representing the system of four pipes by merging all reading com-mands and all closing commands . . . . . . . . . . . . . . . . . . . . . . . . . . 3221 DTMC representing the system of four pipes by merging some commands . . 3222 DTMC representing legit activities of device B over the period of one day . 3623 Minimized DTMC representing legit activities of device B over the period ofone day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3724 DTMC representing legit activities of device A over the period of one day . . 3825 DTMC representing legit activities of device A over the period of one dayusing the minimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3926 DTMC representing legit activities of device A over the period of one week . 4027 Minimized DTMC representing legit activities of device A over the period ofone week . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
REFERENCES 47List of Tables
1 Results using a timeinterval of one hour . . . . . . . . . . . . . . . . . . . . . . 432 Results using a timeinterval of one day . . . . . . . . . . . . . . . . . . . . . . 433 Results using a timeinterval of one week . . . . . . . . . . . . . . . . . . . . . 43References
1. Zhu, B., Joseph, A. & Sastry, S. A Taxonomy of Cyber Attacks on SCADA Systemsin Proceedings of the 2011 International Conference on Internet of Things and 4thInternational Conference on Cyber, Physical and Social Computing (IEEE ComputerSociety, 2011), 380–388.2. Garance Burke, J. F. AP Investigation: U.S. power grid vulnerable to foreign hacks<http://lasvegassun.com/news/2015/dec/21/ap-investigation-us-power-
grid-vulnerable-to-forei/> (viewed 06.06.2015).3. Goodin, D. First known hacker-caused power outage signals troubling escalation <http:
//arstechnica.com/security/2016/01/first-known-hacker-caused-power-
outage-signals-troubling-escalation/> (viewed 06.06.2015).4. Caselli, M., Zambon, E., Petit, J. & Kargl, F. Modeling Message Sequences For IntrusionDetection in Industrial Control Systems. IFIP (2015).5. Caselli, M., Zambon, E. & Kargl, F. Sequence-aware Intrusion Detection in IndustrialControl Systems in Proceedings of the 1st ACM Workshop on Cyber-Physical SystemSecurity (ACM, 2015), 13–24.6. Barbosa, R. R. R., Sadre, R. & Pras, A. A first look into SCADA network traffic in NetworkOperations and Management Symposium (NOMS), 2012 IEEE (2012), 518–521.7. Clarke, G. & Reynders, D. Practical Modern SCADA Protocols: DNP3, 60870.5 andRelated Systems (Newnes, 2004).8. Wang, C., Fang, L. & Dai, Y. A Simulation Environment for SCADA Security Analy-sis and Assessment in 2010 International Conference on Measuring Technology andMechatronics Automation 1 (2010), 342–347.9. Sherif, Y. S. & Zahir, S. On power line carrier communication (PLC). MicroelectronicsReliability 24, 781 –791 (1984).10. Garance Burke, J. F. LIAN 98(en) : Protocol IEC 60870-5-104, Telegram structure<http://www.mayor.de/lian98/doc.en/html/u_iec104_struct.htm> (2016).11. Mitchell, R. & Chen, I.-R. A Survey of Intrusion Detection Techniques for Cyber-physicalSystems. ACM Comput. Surv. 46, 55:1–55:29 (Mar. 2014).
48 References12. Intrusion Detection Systems; Definition, Need And Challenges. SANS Institute Reading
Room (2001).13. Reiner, M. Is your Network Intrusion Detecton System blind in one eye? <https:
//misterreiner.wordpress.com/2010/05/17/is-your-network-intrusion-
detecton-system-blind-in-one-eye/> (viewed 20.06.2015).14. Shah, B. How to Choose Intrusion Detection Solution. SANS Institute Reading Room(2001).15. Clark, R. M. & Deininger, R. A. Protecting the Nation’s Critical Infrastructure: TheVulnerability of U.S. Water Supply Systems. Journal of Contingencies and Crisis Man-agement 8, 73–80 (2000).16. Baier, C. & Katoen, J.-P. Principles of Model Checking (Massachusetts Institute ofTechnology, 2008).17. Schomaker, J. Einführung in die Theorie der Markov-Ketten <http : / / wwwmath .
uni-muenster.de/statistik/lehre/SS12/SeminarAnwendungenWT/Vortraege/
Schomaker.pdf> (viewed 10.06.2015).18. Dehnert, C., Katoen, J.-P. & Parker, D. in Verification, Model Checking, and AbstractInterpretation: 14th International Conference, VMCAI 2013, Rome, Italy, January 20-22,2013. Proceedings 28–47 (Springer Berlin Heidelberg, 2013).19. Hansson, H. & Jonsson, B. A logic for reasoning about time and reliability. FormalAspects of Computing 6, 512–535 (1994).20. Kwiatkowska, M., Norman, G. & Parker, D. Stochastic Model Checking in Formal Meth-ods for the Design of Computer, Communication and Software Systems: PerformanceEvaluation (SFM’07) 4486 (Springer, 2007), 220–270.21. Ross, S. M. Introduction to Probability Models 193–194 (Academic Press, 2006).22. Katoen, J.-P., Kemna, T., Zapreev, I. & Jansen, D. N. in, 87–101 (Springer Berlin Hei-delberg, Berlin, Heidelberg, 2007).23. Combs, G. Wireshark <https://www.wireshark.org/#aboutWS> (2004).24. Gansner, E. R. & North, S. C. An open graph visualization system and its applications tosoftware engineering. SOFTWARE - PRACTICE AND EXPERIENCE 30, 1203–1233(2000).25. Smith, R., Estan, C., Jha, S. & Kong, S. Deflating the Big Bang: Fast and Scalable DeepPacket Inspection with Extended Finite Automata. SIGCOMM Comput. Commun. Rev.38, 207–218 (Aug. 2008).