Accurate Modeling of The Siemens S7 SCADA Protocol For Intrusion Detection And Digital Forensic

  • Amit Kleinmann, Avishai Wool
  • J. Digit. Forensics Secur. Law
The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). [...] Key Result: Despite its high sensitivity, the system had a very low false positive rate: over 99.82% of the traffic was identified as normal.


A Statechart-Based Anomaly Detection Model for Multi-Threaded SCADA Systems
This paper introduces a new modeling approach, the Statechart DFA modeling, that includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs.
Timing-Based Anomaly Detection in SCADA Networks
This paper provides a timing-based anomaly detection system that uses the statistical attributes of the communication patterns of SCADA traffic, and is shown to have a False Positive Rate under 1.4%.
Stealthy Deception Attacks Against SCADA Systems
A real-time security assessment tool that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view, which successfully fooled the operator and brought the system to states of blackout and possible equipment damage.
Automatic Forensic Analysis of PCCC Network Traffic Log
This thesis work provides a comprehensive forensic analysis of network traffic generated by the PCCC (Programmable Controller Communication Commands) protocol and presents a prototype tool capable of extracting both updates to programmable logic and crucial configuration information.
SCADA network forensics of the PCCC protocol
Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks
A first look at how the traffic flowing between SCADA components changes over time is provided and a method built upon Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events is proposed.
Temporal Phase Shifts in SCADA Networks
A method to automatically detect traffic phase shifts is suggested, together with a new anomaly detection model that incorporates multiple phases of the traffic and has similar accuracy and much less permissiveness than the previous general Deterministic Finite Automata (DFA) model.
Intrusion Detection & Prevention in Programmable Logic Controllers: A Model-driven Approach
A light-weight solution for the PLC to detect and protect against data tampering in real time; it is model-driven, whereas most intrusion detection mechanisms in the CPS domain appear to be data-driven.
Real-Time Intrusion Detection Method Based on Bidirectional Access of Modbus/TCP Protocol
A real-time intrusion detection method based on bidirectional access of the Modbus/TCP protocol that has traits of timeliness, low false positive rate and low false negative rate.

Anomaly-Based Intrusion Detection for SCADA Systems
The application of techniques developed for monitoring critical process systems, such as nuclear power plants, to anomaly intrusion detection is presented and the results show that these methods can be generally used to detect a variety of common attacks.
A Review of SCADA Anomaly Detection Systems
This work reviews the research effort done towards the development of anomaly detection for SCADA systems and finds that a number of peculiarities make anomaly detection perform better than in traditional information and communications technology (ICT) networks.
A testbed for analyzing security of SCADA control systems (TASSCS)
A testbed designed to study and simulate the various available techniques for securing and protecting Supervisory Control and Data Acquisition (SCADA) systems against a wide range of cyber attacks is presented.
Using Model-based Intrusion Detection for SCADA Networks
It is believed that model-based monitoring, which has the potential for detecting unknown attacks, is more feasible for control networks than for general enterprise networks.
A Taxonomy of Cyber Attacks on SCADA Systems
  • Bonnie Zhu, A. Joseph, S. Sastry
  • Computer Science
    2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing
  • 2011
This paper focuses on systematically identifying and classifying likely cyber attacks, including cyber-induced cyber-physical attacks on SCADA systems, and highlights commonalities and important features of such attacks that define the unique challenges posed to securing SCADA systems versus traditional Information Technology (IT) systems.
Detection, correlation, and visualization of attacks against critical infrastructure systems
This work adapted and developed several intrusion detection technologies for control systems, and focused on detection, correlation, and visualization of a network traversal attack, where an attacker penetrates successive network layers to compromise critical assets that directly control the underlying process.
Robustness of the Markov-chain model for cyber-attack detection
This study provides some support for the idea that the Markov-chain technique might not be as robust as other intrusion-detection methods such as the chi-square distance test technique, although it can produce better performance when the noise level of the data is low, such as the Mill & Pascal data in this study.
The State of the Art in Intrusion Prevention and Detection
The State of the Art in Intrusion Prevention and Detection analyzes the latest trends and issues surrounding intrusion detection systems in computer networks, especially in communications networks, to present novel schemes for intrusion detection and prevention.
Communication pattern anomaly detection in process control systems
  • A. Valdes, S. Cheung
  • Computer Science
    2009 IEEE Conference on Technologies for Homeland Security
  • 2009
This work presents a learning-based approach for detecting anomalous network traffic patterns that correspond to attack activities such as malware propagation or denial of service and may provide a complementary detection capability for protecting digital control systems.