Temporal Phase Shifts in SCADA Networks
Chen Markman, Avishai Wool, Alvaro A. Cardenas

TL;DR
This paper introduces a method to detect phase shifts in SCADA network traffic, improving anomaly detection by modeling multiple traffic phases and enabling real-time process state inference.
Contribution
It proposes an automatic phase shift detection technique and a multi-phase anomaly detection model that reduces complexity and enhances accuracy over previous automata-based approaches.
Findings
Effective detection of traffic phase shifts.
Comparable accuracy with reduced model permissiveness.
Provides real-time process state information.
Abstract
In Industrial Control Systems (ICS/SCADA), machine-to-machine data traffic is highly periodic. Previous work showed that in many cases it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that, overall, the models have difficulty dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore, we present a new sampling mechanism for training set…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Smart Grid Security and Resilience
