The increasing interconnectivity of industrial networks and their opening to the outside world creates the need for security measures. Such measures, e.g. firewalls, antivirus software or Intrusion Detection Systems (IDSs), have been used in office Information Technology (IT) for a long time, but they are new to industrial applications.
Security was not an issue in industry for two reasons: first, Supervisory Control And Data Acquisition (SCADA) systems were physically separated from the internet; second, each system is unique due to its singular purpose, making it hard for an attacker to exploit it. Both assumptions no longer hold true, as recent and not-so-recent incidents spectacularly show.
This has led to a drastic increase in software and network security for industrial applications. Since industrial networks differ in structure and purpose from office networks, the same solutions cannot be transferred readily; new security solutions have to be developed.
Industrial networks are highly specialised, creating unique but very repetitive traffic. Furthermore, industrial networks are connected to Cyber Physical Systems (CPSs), meaning they are intended to interact with the real world. Finally, most protocols in the industrial environment do not employ security mechanisms such as authentication and encryption [3, 4], as is standard in the office world.
This work is structured as follows. In section II, the state of the art is described. After that, the use case that is considered in this work is introduced in section III. The corresponding formal model is derived in section IV. In section V, the analysis is conducted and the results are presented. A conclusion is drawn in section VI.
II State of the Art
There are many different approaches for IDSs; Luh et al. categorised them in their survey Semantics-aware detection of targeted attacks into different groups. They identified the main categories “Host-based”, “Network-based” and “Multi-source”, with several sub-categories.
As we focus our work on industry networks and their components,
we will not focus on individual IDSs for specific hosts,
but on Multi-source and Network-based approaches.
One popular implementation of a Network-based IDS is Snort by Cisco, which has grown from a lightweight IDS to a tool that can be used as a full-grown network-based Intrusion Prevention System (IPS). Its signature-based approach utilises user-contributed rules to catch specific instances of known network attacks.
Another well-known network monitoring framework, which can be used as a network IDS, is Bro. Bro is split into layers. The “Event Engine” performs several integrity checks before it handles the packets sent between senders and receivers, which are organised as tuples; Bro decides whether it should return the whole packet, just the header or nothing at all, depending on the protocol used. The “Policy Script Interpreter” layer checks whether the handled packets generated any previously specified events and then decides whether a Bro script should be executed. These scripts can include several tasks, like generating new events, logging and modifying internal state.
There are further popular open-source network IDSs, like Suricata, which was first released in 2010 by the Open Information Security Foundation (OISF), as well as IDSs that aim at wireless networks.
According to Jyothsna et al., another way to categorise IDSs is to classify them into “signature based detection” and “anomaly based detection”. While the first group looks for patterns of known attacks and compares them with the running system, the latter category, the anomaly-based approach, builds a model of the normal behaviour and matches this learned behaviour against the running system. While the first approach cannot find novel attacks, the second one needs training on a system that is behaving normally. According to Thames and Schaefer, the security requirements of CPSs differ in many points from those of regular IT systems. As we focus primarily on industrial networks with heterogeneous participants like Programmable Logic Controllers (PLCs), Industrial Personal Computers (IPCs) and CPSs with different operating systems, protocols and available resources, we have to use a more adaptable approach.
To address these problems we used an approach with Hidden Markov Models (HMMs) that uses context information. An approach for the usage of Markov chains was published by Ye. In her paper A Markov Chain Model of Temporal Behavior for Anomaly Detection she introduced a technique where the system learns from historic data to distinguish between normal behaviour and intrusive activities. Du further developed that approach into a HMM IDS to learn patterns of Unix processes. Hu et al. introduced an IDS that uses system-call-based HMMs. They focused on reducing the number of submodels required to model the scenario and on the impact of pre-processing data on training time. Yolaçan suggested enriching the data with context information.
The above-mentioned IDSs are host-based and do not consider other available data sources like network traffic. More recent research also shows first advances in the use of HMMs for network-based intrusion detection. Chen proposed a classification method for detecting attacks in different attack stages within regular IT networks. Zohrevand used HMMs to develop a system for anomaly detection in water supply SCADA systems, showing that their approach outperforms competing methods and making HMMs a feasible approach for industrial networks as well.
III Use Case Description
There are numerous possible attack vectors on industrial applications. As described in section I, each company’s network is different and therefore a universal security solution is infeasible. As we described in previous works, there are, however, common attack motivations and attacker types. Some attackers aim at extracting information, so-called “espionage”. Others try to cause harm, in covert operations or in the open, so-called “sabotage”. Not only the goals, but also the means of achieving them are numerous and strongly depend on the use case. Therefore, creating a model that covers all possible attacker scenarios is impracticable. Instead, we focus on a subset of all attacks and describe a special manifestation of sabotage. We consider an attack scenario where an attacker reprograms a PLC. This reprogramming leads to unexpected behaviour of the CPS with the potential to cause harm and damage. In our opinion, there are two scenarios in which the attacker is able to reprogram the PLC, and four possible ways to detect this attack. An attacker can either
take over a valid programming device and use it maliciously, or
introduce a malicious device to the network.
How she circumvents the perimeter is beyond the scope of this work; there are several related works discussing physical and network security. Furthermore, the given attack can be detected in one of four ways.
If each programming device and PLC is provided with a cryptographically secure identity, the adversary has to break it. With state-of-the-art authentication, this can be considered infeasible. However, most industrial applications rarely use authentication on devices. This detection mechanism only discovers attacks by an attacker that introduced a malicious device. If malicious programming is executed from a valid, compromised device, a valid identity is presented.
Depending on the way an attacker reprograms devices, statistical deviations from normal behaviour could be observed. This is possible for both ways an attacker can modify the system as described above, but only if the attacker's actions differ significantly from the standard system behaviour. A Dolev-Yao intruder model assumes the attacker possesses full knowledge of the system, enabling her to perfectly mimic the standard behaviour.
Deep packet inspection is employed by several IDSs to discover content that is capable of causing harm to a system. In industrial applications, a complex model of the production facility is necessary to determine which parameters can cause damage. Even more, a value that is well within safety boundaries can still lead to the production of low-quality goods. Therefore, it is difficult to identify malicious traffic by payload in industrial applications.
In some cases, information about network traffic alone is not enough to discover attacks. Here, adding context information can enrich the data source and help to provide a broader view on a system. This principle is employed by Security Information and Event Management (SIEM) systems.
In this work, we assume that no identity information is provided, allowing an attacker to spoof entities in the network. Furthermore, we assume she does not strictly stick to the standard system behaviour, creating statistical deviations that could be detectable. We then compare the statistical analysis with context-based analysis.
IV Formal Model
For the analysis, a formal model was created. It was used to generate data as well as to analyse the data with respect to anomalies induced by attacks. The model consists of three parts: products, IPCs and PLCs.
The products symbolise the intended output of a fictional production process. Depending on the change of product, several IPCs have to be reconfigured; these IPCs are a subset of all available IPCs. Each IPC controls four PLCs that are reprogrammed in case of reconfiguration. The order of reprogramming the PLCs follows a probability distribution defined by a HMM. A HMM is defined in equation 1 by
, the state transition matrix,
, the observation matrix,
, the starting distribution describes the probability of the first state to be
V Analysis and Results
The model introduced in section IV was implemented with specific parameters. The products are chosen randomly, following a Markov process. The possible transitions are shown in figure 1; the corresponding transition probabilities are shown in table II. 24 different setups were simulated and analysed. These setups combine two ways the attacker reprograms the PLCs (in static or in random order), three different numbers of malicious actions introduced (one, two and four), and four ways the IPCs are reconfigured and reprogram the PLCs due to the change of product.
The simulation setups are an abstraction of real-world behaviour. As explained in section III, an operator knowing every transition of her system would be able to detect any attack, unless the attacker also knew the transitions and was able to mimic this behaviour. In this case, the operator could only tell valid from malicious actions by checking whether the change of state was necessary due to a change in production.
The goal of this simulation is to determine the importance of context information for the detection of various kinds of malicious traffic within different kinds of valid traffic. We first created a set of sequences of valid actions and transitions. The transitions were stored in either one matrix or three matrices. The single matrix contained all transitions, regardless of the product to be produced. The three matrices contained the transitions for the corresponding product, introducing the notion of context. In the real world, this kind of information is easily accessible via Manufacturing Execution Systems (MES) and Enterprise Resource Planning (ERP) systems, as, for example, proposed in earlier work. First, the matrices were initialised by cycles of product change. Normalisation was applied to the matrices. Then we inserted first one, then two and finally four malicious packets into each sequence of the set. After that, the transition probabilities of the malicious actions were calculated. The probabilities of the attacks, as well as of the valid actions, were compared to a threshold varying from to in steps of . This allowed for the calculation of Receiver Operating Characteristics (ROCs), as well as the f-measure. The f-measure, or F1-score, is a metric to determine the quality of a classifier, as written in equation 2.
One of the most noteworthy properties of a Markov model is its lack of memory of states before the previous one, the so-called Markov property. This means that each transition probability depends only on the previous state and is completely independent of the states before it. This behaviour is expressed mathematically in equation 3, where is a matrix of transition probabilities, the probability of an event, an event, a state and a time step.
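Written out as an added equation in notation assumed here (the paper's equation 3 is not reproduced on this page): for a state sequence $X_1, X_2, \dots$ over the states $s_1, \dots, s_N$, the Markov property states

$$P(X_{t+1} = s_j \mid X_t = s_i, X_{t-1}, \dots, X_1) = P(X_{t+1} = s_j \mid X_t = s_i) = A_{ij},$$

where $A$ is the transition matrix with $\sum_{j} A_{ij} = 1$ for every row $i$. The detection rule of section V compares exactly these entries $A_{ij}$, learned either from one global matrix or from the matrix of the product currently in production, against the threshold.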
Each sequence of malicious programming actions was considered an attack and should have been found. It was, however, sufficient to detect one malicious segment within a sequence. In reality, finding only one of a series of malicious programming actions would be sufficient to raise awareness for an attack. First, we analyse attacks that are introduced to several scenarios in static order in subsection V-A. Then, attacks that are introduced into the same scenarios in different order are examined in subsection V-B. The results are presented in subsection V-C.
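As an added example (not code from the paper, whose simulator and parameters are not reproduced on this page), the following Python script implements the procedure described above on a constructed miniature of the model: three products with product-specific IPC reconfiguration orders, four PLCs per IPC reprogrammed in numeric order, a constructed product Markov chain, transition matrices learned once over all products (no context) and once per product (context), constructed malicious reprogramming actions inserted into valid sequences, and learned transition probabilities compared to a threshold to obtain confusion counts, the number of attacks found and the f-measure. The product orders, chain probabilities, action names and attacks are all assumptions made for this example.

```python
"""Context-aware vs. context-less transition-probability anomaly detection (added example)."""
from collections import Counter, defaultdict
import random

# Constructed plant: the IPCs a product change reconfigures, in product-specific order.
PRODUCT_ORDER = {
    "P1": ["IPC1", "IPC2", "IPC3"],
    "P2": ["IPC3", "IPC1", "IPC2"],
    "P3": ["IPC1", "IPC3", "IPC2"],
}
PLCS = ["PLC1", "PLC2", "PLC3", "PLC4"]  # each IPC reprograms its four PLCs in numeric order
# Constructed product Markov chain (each row sums to one) used to draw product changes.
PRODUCT_CHAIN = {
    "P1": {"P1": 0.2, "P2": 0.5, "P3": 0.3},
    "P2": {"P1": 0.4, "P2": 0.2, "P3": 0.4},
    "P3": {"P1": 0.5, "P2": 0.3, "P3": 0.2},
}


def sample_products(n, rng, start="P1"):
    """Draw n product changes from PRODUCT_CHAIN, starting in state `start`."""
    out, cur = [], start
    for _ in range(n):
        row = PRODUCT_CHAIN[cur]
        cur = rng.choices(list(row), weights=list(row.values()))[0]
        out.append(cur)
    return out


def valid_sequence(product):
    """Reprogramming actions seen on the network for one valid product change."""
    actions = [f"{ipc}:{plc}" for ipc in PRODUCT_ORDER[product] for plc in PLCS]
    return ["START"] + actions + ["FINISH"]


def train(sequences):
    """Row-normalised transition matrix {prev: {next: prob}} learned from sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for prev, nxt in zip(seq, seq[1:]):
            counts[prev][nxt] += 1
    return {prev: {nxt: c / sum(row.values()) for nxt, c in row.items()}
            for prev, row in counts.items()}


def build_models(products):
    """One matrix over all products (no context) and one matrix per product (context)."""
    training = [(p, valid_sequence(p)) for p in products]
    no_context = train(s for _, s in training)
    context = {p: train(s for q, s in training if q == p) for p in PRODUCT_ORDER}
    return no_context, context


def prob(model, prev, nxt):
    """Learned probability of the transition prev -> nxt; unseen transitions get 0."""
    return model.get(prev, {}).get(nxt, 0.0)


def inject(seq, after, actions):
    """Insert malicious actions after index `after`; returns new sequence and malicious indices."""
    out = seq[:after + 1] + actions + seq[after + 1:]
    return out, set(range(after + 1, after + 1 + len(actions)))


def attack_cases():
    """Constructed attacks: out-of-order PLC reprogramming inserted into valid sequences.
    The P1 and P2 attacks copy a transition that is valid for another product, so the
    context-less matrix assigns them a non-zero probability."""
    cases = []
    for product, anchor, actions in [("P1", "IPC1:PLC4", ["IPC3:PLC1"]),
                                     ("P2", "IPC3:PLC4", ["IPC2:PLC1"]),
                                     ("P3", "IPC3:PLC2", ["IPC2:PLC3", "IPC1:PLC2"])]:
        seq = valid_sequence(product)
        cases.append((product, *inject(seq, seq.index(anchor), actions)))
    return cases


def evaluate(model_for, cases, threshold):
    """Flag every transition whose probability is below `threshold`. A transition is
    malicious if it enters or leaves a malicious action; an attack counts as found
    when at least one of its malicious transitions is flagged (as in the paper)."""
    tp = fp = fn = tn = found = 0
    for product, seq, bad in cases:
        model, hit = model_for(product), False
        for i in range(1, len(seq)):
            flagged = prob(model, seq[i - 1], seq[i]) < threshold
            malicious = i in bad or (i - 1) in bad
            if flagged and malicious:
                tp, hit = tp + 1, True
            elif flagged:
                fp += 1
            elif malicious:
                fn += 1
            else:
                tn += 1
        found += hit
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "found": found, "f1": f1}


def compare(products, thresholds):
    """Per threshold: (context-less result, context-based result) on the same attacks."""
    no_context, context = build_models(products)
    cases = attack_cases()
    return {t: (evaluate(lambda p: no_context, cases, t),
                evaluate(lambda p: context[p], cases, t)) for t in thresholds}


if __name__ == "__main__":
    products = sample_products(30, random.Random(1))  # product changes drawn from the chain
    for t, (plain, ctx) in compare(products, [0.1, 0.3, 0.5, 0.7, 0.9]).items():
        print(f"threshold {t:.1f}  no context: F1={plain['f1']:.3f} FP={plain['fp']:2d}"
              f"  context: F1={ctx['f1']:.3f} FP={ctx['fp']:2d}")
```

Because every product reconfigures its IPCs in a strict order, each per-product matrix is deterministic (all entries 1.0), so context-based detection produces no false positives at any threshold, whereas the context-less matrix mixes the products and assigns probabilities of 1/3 or 2/3 to the IPC-to-IPC transitions, which a threshold above 1/3 flags as false positives. The P1 and P2 attacks additionally show the false-negative effect: a malicious transition that is valid for a different product has probability 1/3 without context and 0 with context, so a low threshold misses it only in the context-less case.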
V-A Attacks in Static Order
In these setups, the attacks always were in a static order. In turn, one, two and four attacks were introduced into four different kinds of valid actions.
The IPCs that are reconfigured for each product are shown in table I. If a product is selected, the IPCs are reconfigured in their numerical order. The products are randomly chosen with the probabilities listed in table II. Upon reconfiguration, each IPC reprograms its corresponding PLCs. This reprogramming process is depicted in figure 2; the corresponding transition probabilities are listed in table IV. The given probability distribution allows for some PLCs not to be reprogrammed. This behaviour is supposed to create a small uncertainty that, in reality, could arise from maintenance or from reprogramming steps carried out earlier. Still, one major difference between office and industrial IT lies in the repetitive traffic, as described in section I. This repetitive behaviour is modelled by reconfiguring the same IPCs in the same order for each product and by the fixed order of reprogramming the PLCs.
Tables I and II (IPCs reconfigured per product; product transition probabilities): columns Product 1 | Product 2 | Product 3.
Table IV (PLC reprogramming transition probabilities): states Start | PLC 1 | PLC 2 | PLC 3 | PLC 4 | Finish.
The ROCs for one malicious action in each sequence can be found in figure 3. It can be seen that they reach a true positive rate of 1 almost instantly. This is due to the fact that the valid behaviour is relatively uniform, making it easy to detect malicious activities. For two and four malicious actions in each sequence, the ROC starts even higher.
Because of the higher number of false positives of the context-less approach, the f-measure of the context-based approach is better for certain thresholds. With increasing threshold, however, the difference decreases, as a higher threshold leaves fewer transitions that fit. The difference in f-measures looks similar for all numbers of malicious actions in this setup.
In this setup, the same IPCs as in the previous one are reconfigured when switching products; they are summarised in table I. They, however, always reprogram their corresponding PLCs in strict order. The ROC immediately reaches close to one; the diagram is therefore omitted. The f-measures are shown in figure 5. In the pictured scenario, four attacks were introduced into every sequence; the other scenarios look very much alike. In figure 5, the f-measure of the approach without context appears to exceed one. This is a plotting inaccuracy, as the f-measure always takes a value between zero and one.
The strict order of valid actions makes it very easy to distinguish malicious from valid actions, leading to such high true positive rates for both approaches. Furthermore, the growing difference towards high thresholds results from the faster increase of false positive detections for the context-less approach. While both methods perform very well in terms of true positives, the context-based method produces fewer false positives.
In this setup, each change of products led to reconfiguration of all IPCs and thus reprogramming of all PLCs. The PLCs in turn are reprogrammed in strict numeric order. However, the order of reconfiguration varied, depending on the product. It can be found in table V.
Table V: order of IPC reconfiguration per product.

| Product | 1st | 2nd | 3rd | 4th | 5th |
|---|---|---|---|---|---|
| Product 1 | IPC 1 | IPC 2 | IPC 3 | IPC 4 | IPC 5 |
| Product 2 | IPC 5 | IPC 4 | IPC 3 | IPC 1 | IPC 1 |
| Product 3 | IPC 1 | IPC 5 | IPC 2 | IPC 4 | IPC 3 |
The difference in the f-measures indicates an outperformance with respect to false positives by the context-based approach.
In this setup, upon change of product, each IPC was reconfigured, as described in table V. The order of reprogramming the PLCs was completely random. In figure 7, the ROCs for all numbers of malicious actions, with and without the notion of context, respectively, are drawn. It can be seen that there is a break even point, where the curves align. Before that, detection with the notion of context outperforms detection without consideration of context.
The f-measures, depicted in figure 8 for one malicious action per valid sequence, indicate a lower performance than in the previous setups. The difference is located in the low thresholds, due to the better performance with respect to false positives of the context-based approach. The comparatively worse performance is a result of the randomness of valid actions.
V-B Attacks in Random Order
In these setups, the attacks always were in random order. In turn, one, two and four attacks were introduced into four different kinds of valid actions.
The reconfiguration pattern of IPCs is the same as the one described in table I of Setup 1 in subsection V-A, with product transition probabilities as described in table II. The reprogramming pattern of the PLCs is shown in figure 2; the corresponding transition probabilities can be found in table IV. The results are similar as well: the ROCs saturate almost from the beginning, as can be seen in figure 9.
There is a small difference, however, in the f-measure of detection with and without the notion of context. As shown in figure 10, the detection with context slightly outperforms the detection without context in threshold ranges between and .
As in Setup 2 of subsection V-A, upon reconfiguration of an IPC, according to tables I and II, all its PLCs are reprogrammed in strict order. The ROCs of one, two and four attacks per sequence start with one, depicting them is therefore of little interest. Due to the false positives, however, the f-measure values differ, especially with threshold greater than . This behaviour is shown in figure 11.
As in Setup 3 of subsection V-A, all IPCs are reconfigured when the product is switched. The order of reconfiguration for each product can be found in table V; the corresponding PLCs are reprogrammed in numeric order. The ROCs converge immediately. There are, however, significant differences in the f-measures, as shown in figure 12. Especially the area between and shows a difference due to false negatives, where the detection with the notion of context outperforms the detection without it.
In this Setup, the order of reconfiguration of IPCs again depends on the product as shown in table V. The order of reprogramming the PLCs, however, is random for each IPC respectively. The ROCs for one attack per sequence can be seen in figure 13.
Up to a threshold value of , the detection with consideration of context performs significantly better. This can also be seen in the f-measures, as depicted in figure 14.
V-C Results
Throughout the experiments, detection with consideration of context always performs better than detection without consideration of context. In some cases, this can be seen directly in the faster-rising ROC. In any case, the f-measure of context-based detection is higher and decreases more slowly than the f-measure of non-context-based detection, and the false negative rate of context-based detection is lower than that of context-less detection.
Furthermore, the experiments show that the quality of detection, in terms of ROCs, depends on the randomness of the valid actions. If only strict patterns occur, detection is easy. If there is a level of uncertainty, detection becomes more difficult, as the transition matrices become more ambiguous.
Another interesting result lies in the discovery that the order of attacks has very low influence on the detection rate. This is probably because of the fact that the transition from valid action to malicious action, and vice versa, serves as a distinguishing event. Transitions within the malicious actions are not necessary to detect them.
VI Conclusion
Industrial systems and networks are typically more uniform and deterministic than classic internet networks. This fact can be used to aid intrusion detection. If context information is considered in conjunction with network information, intelligence about the presence or absence of malicious activities can be gained more easily. Even though the proposed experiment was a simplification of a real industrial network, the effect is noteworthy. Especially false positives are significantly lower with than without the notion of context. In real-world applications, this is a highly important factor, as each false positive leads to an investigation that consumes time and effort, resulting in high costs. A low false positive rate is therefore critical for the acceptance of a detection algorithm.
For our future work, we plan on creating a more sophisticated simulator on a packet base, so that frequency, content, length and other properties of network traffic can be observed. In addition to that, we plan on integrating host-based information, such as log-entries or settings of production tools, into the detection solution. This work suggests that this will lead to an increase in detection with a decrease in false positives.
This work has been supported by the Federal Ministry of Education and Research of the Federal Republic of Germany (Foerderkennzeichen KIS4ITS0001, 16KIS0311, IUNO). The authors alone are responsible for the content of the paper.
-  V. M. Igure, S. A. Laughter, and R. D. Williams, “Security issues in scada networks,” Computers & Security, vol. 25, pp. 498–506, 2006.
-  S. Zhou, J. Han, and H. Tang, “Fractal traffic analysis and applications in industrial control ethernet network,” in Emerging Research in Artificial Intelligence and Computational Intelligence. AICI 2011. Communications in Computer and Information Science (H. Deng, D. Miao, F. Wang, and J. Lei, eds.), vol. 237, Springer, Berlin, Heidelberg, 2011.
-  B. Zhu, A. Joseph, and S. Sastry, “A taxonomy of cyber attacks on scada systems,” 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, pp. 380–388, 2011.
-  A. Porros, “Nuking and defending scada networks,” 2010.
-  R. Luh, S. Marschalek, M. Kaiser, H. Janicke, and S. Schrittwieser, “Semantics-aware detection of targeted attacks: A survey,” Journal of Computer Virology and Hacking Techniques, vol. 13, no. 1, pp. 47–85, 2017.
-  M. Roesch, “Snort - lightweight intrusion detection for networks,” in Proceedings of the 13th USENIX Conference on System Administration, LISA ’99, (Berkeley, CA, USA), pp. 229–238, USENIX Association, 1999.
-  V. Paxson, “Bro: A system for detecting network intruders in real-time,” Computer Networks, vol. 31, no. 23-24, pp. 2435–2463, 1999.
-  J. S. White, T. Fitzsimmons, and J. N. Matthews, “Quantitative analysis of intrusion detection systems: Snort and Suricata,” Proc. SPIE, vol. 8757, 2013.
-  D. A. Hindarto, “Wireless attacks from an intrusion detection perspective,” 2010.
-  V. Jyothsna, V. R. Prasad, and K. M. Prasad, “A review of anomaly based intrusion detection systems,” International Journal of Computer Applications, vol. 28, no. 7, pp. 26–35, 2011.
-  L. Thames and D. Schaefer, eds., Cybersecurity for Industry 4.0: Analysis for Design and Manufacturing. Springer Series in Advanced Manufacturing, Cham and s.l.: Springer International Publishing, 2017.
-  N. Ye, “A markov chain model of temporal behavior for anomaly detection,” 2000.
-  Y. Du, H. Wang, and Y. Pang, “Hmms for anomaly intrusion detection,” in Computational and Information Science (D. Hutchison, T. Kanade, J. Kittler, J. M. Kleinberg, F. Mattern, J. C. Mitchell, M. Naor, O. Nierstrasz, C. Pandu Rangan, B. Steffen, M. Sudan, D. Terzopoulos, D. Tygar, M. Y. Vardi, G. Weikum, J. Zhang, J.-H. He, and Y. Fu, eds.), vol. 3314 of Lecture Notes in Computer Science, pp. 692–697, Berlin, Heidelberg: Springer Berlin Heidelberg, 2004.
-  J. Hu, X. Yu, D. Qiu, and H.-H. Chen, “A simple and efficient hidden markov model scheme for host-based anomaly intrusion detection,” IEEE Network, vol. 23, no. 1, pp. 42–47, 2009.
-  E. N. Yolaçan and D. R. Kaeli, “A framework for studying new approaches to anomaly detection,” International Journal of Information Security Science, vol. 5, no. 2, pp. 39–50, 2016.
-  C.-M. Chen, D.-J. Guan, Y.-Z. Huang, and Y.-H. Ou, “Anomaly network intrusion detection using hidden markov model,” International Journal of Innovative Computing, Information and Control,, vol. 12, no. 2, pp. 569–580, 2016.
-  Z. Zohrevand, U. Glasser, H. Y. Shahir, M. A. Tayebi, and R. Costanzo, “Hidden markov based anomaly detection for water supply systems,” in Big Data (Big Data), 2016 IEEE International Conference on, pp. 1551–1560, IEEE, 2016.
-  D. Fraunholz, S. Duque Antón, and H. D. Schotten, “Introducing gamfis: A generic attacker model for information security,” in Proceedings of the 25th International Conference on Software, Telecommunications and Computer Networks. International Conference on Software, Telecommunications and Computer Networks (SoftCom-17), 25th, September 21-23, Split, Croatia, IEEE, 9 2017.
-  S. Northcutt, L. Zeltser, S. Winters, K. Kent, and R. W. Ritchey, Inside Network Perimeter Security (2Nd Edition) (Inside). Indianapolis, IN, USA: Sams, 2005.
-  D. Dolev and A. C. Yao, “On the security of public key protocols,” in 22nd Annual IEEE Symposium on Foundations of Computer Science, pp. 350–357, IEEE, 1981.
-  L. E. Baum and T. Petrie, “Statistical inference for probabilistic functions of finite state markov chains,” The Annals of Mathematical Statistics, pp. 1554–1563, 1966.
-  A. Eberle, “Markov processes,” March 2015.
-  S. Duque Antón, D. Fraunholz, J. Zemitis, F. Pohl, and H. D. Schotten, “Highly scalable and flexible model for effective aggregation of context-based data in generic iiot scenarios,” in 9th Central European Workshop on Services and their Composition. Central European Workshop on Services and their Composition (ZEUS-2017), February 13-14, Lugano, Switzerland (O. Kopp, J. Lenhard, and C. Pautasso, eds.), pp. 51–58, CEUR Workshop Proceedings, 4 2017.
-  C. J. van Rijsbergen, “Information retrieval,” 1979.