Learning Probabilistic Automata in the Context of IEC 104

probabilistic automata, IEC 104, Alergia

Industrial Control System (ICS) communication transmits monitoring and control
data between industrial processes and the control station. ICS systems cover
various domains of critical infrastructure such as the power plants, water and
gas distribution, or aerospace traffic control. Security of ICS systems is
usually implemented on the perimeter of the network using ICS enabled firewalls
or Intrusion Detection Systems (IDSs). These techniques are helpful against
external attacks, however, they are not able to effectively detect internal
threats originating from a compromised device with malicious software.

In order to mitigate or eliminate internal threats against the ICS system, we
need to monitor ICS traffic and detect suspicious data transmissions that differ
from common operational  communication. In our research, we obtain ICS monitoring
data using standardized IPFIX flows extended with meta data extracted from ICS
protocol headers. Unlike other anomaly detection approaches, we focus on
modelling the semantics of ICS communication obtained from the IPFIX  flows that
describes typical conversational patterns. This report presents a technique for
modelling ICS conversations using frequency prefix trees (PT) and Deterministic
Probabilistic Automata (DPA).

As demonstrated on the attack scenarios, these models are efficient to detect
common cyber attacks like the command injection, packet manipulation, network
scanning, or lost connection. An important advantage of our approach is that the
proposed technique can be easily integrated into common security information and
event management (SIEM) systems with Netflow/IPFIX support. Our experiments are
performed on IEC 60870-5-104 (aka IEC 104) control communication that is widely
used for the substation control in smart grids.

• pdf Technical_Report__Learning_Probabilistic_Automata.pdf 734 kB