DOI: 10.1145/3339252.3340521

AMON: an Automaton MONitor for Industrial Cyber-Physical Security

Published: 26 August 2019

Abstract

The rapid evolution towards Industry 4.0 improves the performance of Industrial Control Systems (ICSs). However, because the cost of re-engineering pre-existing industrial devices is unmanageable, insecure protocols continue to be used to manage these systems. In this scenario, legacy protocols such as Modbus/TCP are still widely used to control a range of industrial processes alongside modern technologies. Consequently, hybrid industrial infrastructures that mix legacy and innovative devices require novel security and prevention methodologies.
In this work, we present AMON (Automaton MONitor): an Intrusion Detection System (IDS) based on Deterministic Finite Automata (DFA) for Modbus/TCP traffic monitoring. AMON combines DFA with the Longest Repeating Subsequence (LRS) algorithm, commonly used in bioinformatics, to model the traffic and identify anomalies. To address the challenges presented by hybrid scenarios, we extend AMON to work with the Constrained Application Protocol (CoAP), used for the Industrial Internet of Things (IIoT). We show preliminary results in a simulated industrial network and discuss possible implementations of the developed detection system to secure hybrid industrial infrastructures.
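An illustrative DFA-based monitor for a Modbus/TCP polling cycle, added here as an example and not the authors' AMON code: it reduces each request to a (unit id, function code, address) symbol, learns the allowed symbol-to-symbol transitions, uses a longest-repeated-substring scan to recover the polling period, and flags unknown symbols or unlearned transitions. The frame builder, the alphabet, the pair-transition automaton and the period recovery are this example's own assumptions; the traffic is constructed.

```python
import struct
def frame(tid, unit, fc, addr, val):
    """Build a constructed Modbus/TCP request: 7-byte MBAP header + 5-byte PDU (fc, address, count/value)."""
    pdu = struct.pack(">BHH", fc, addr, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu   # transaction id, protocol 0, length, unit

def symbol(data):
    """Reduce one request to the (unit, function code, address) symbol that forms the DFA alphabet."""
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:
        raise ValueError("malformed MBAP header")
    fc, addr = struct.unpack(">BH", data[7:10])
    return (unit, fc, addr)

def longest_repeated_substring(seq):
    """Longest run that occurs twice in seq (quadratic scan, adequate for a learning window)."""
    best, n = (), len(seq)
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while j + k < n and seq[i + k] == seq[j + k]:
                k += 1
            best = max(best, tuple(seq[i:i + k]), key=len)
    return best

def polling_cycle(symbols):
    """Assumes a purely periodic capture: the longest repeated run is the capture minus one period."""
    return list(symbols[:len(symbols) - len(longest_repeated_substring(symbols))])

def learn_dfa(symbols):
    """States are symbols; edge a->b exists only if b followed a during learning."""
    dfa = {}
    for a, b in zip(symbols, symbols[1:]):
        dfa.setdefault(a, set()).add(b)
    return dfa

def monitor(dfa, symbols):
    """Return indices of symbols that are unknown or reached through an unlearned transition."""
    alerts, state = [], None
    for i, s in enumerate(symbols):
        known = s in dfa
        if not (known and (state is None or s in dfa[state])):
            alerts.append(i)
        state = s if known else None   # resynchronise after an unknown symbol
    return alerts

# Constructed polling cycle: read 10 holding registers at 0, read 4 at 100, write register 5.
CYCLE = [frame(1, 1, 3, 0, 10), frame(2, 1, 3, 100, 4), frame(3, 1, 6, 5, 1)]
TRAIN = [symbol(f) for f in CYCLE * 3]
DFA = learn_dfa(TRAIN)
# Test traffic: two clean cycles, a write to an unlearned address, then a read repeated out of order.
TEST = [symbol(f) for f in CYCLE * 2 + [frame(7, 1, 6, 99, 0), CYCLE[0], CYCLE[0], CYCLE[1], CYCLE[2]]]
print("cycle:", polling_cycle(TRAIN), "alerts at:", monitor(DFA, TEST))
```

A unit id, function code or address never seen in learning, or a known request arriving out of its learned order, both raise an alert; the monitor resynchronises on the next known symbol rather than alerting on every later frame.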



Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019, 979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Anomaly Detection
  2. Cyber-Physical System
  3. Industrial Security
  4. Intrusion Detection System

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2023) Analysis of safety and security challenges and opportunities related to cyber-physical systems. Process Safety and Environmental Protection 173, 384-413. DOI: 10.1016/j.psep.2023.03.012 (May 2023)
  • (2023) Anomaly classification in industrial Internet of things: A review. Intelligent Systems with Applications, article 200232. DOI: 10.1016/j.iswa.2023.200232 (May 2023)
  • (2021) The Impact of Networking Protocols on Massive M2M Communication in the Industrial IoT. IEEE Transactions on Network and Service Management 18(4), 4814-4828. DOI: 10.1109/TNSM.2021.3089549 (Dec 2021)
  • (2020) Siber Fiziksel Sistemlerde Müdahale Tespit Tekniklerinin Gözlemi. European Journal of Science and Technology, 277-287. DOI: 10.31590/ejosat.araconf35 (30 Apr 2020)
