Publication Details
Accurate Automata-Based Detection of Cyber Threats in Smart Grid Communication
Smart grid, cyber security, anomaly detection, probabilistic automata, network
flows, MITRE ATT&CK
Several industry sectors, including critical infrastructure, have experienced
severe cyber attacks against their Industrial Control Systems (ICS) due to the
malware that masqueraded itself as a legitimate ICS process and communicated with
valid ICS messages. Such behavior is difficult to detect by standard techniques.
Intrusion Detection Systems (IDS) usually filter illegitimate communication using
pre-defined patterns while statistical-based Anomaly Detection Systems (ADS)
mostly observe selected attributes of transmitted packets without deeper analysis
of ICS messages.
We propose a new detection approach based on Deterministic Probabilistic Automata
(DPAs) that capture the intended semantics of the ICS message exchange. The
method models normal ICS message sequences using a set of DPAs representing
expected traffic patterns. Then the detection system applies reasoning about the
model to reveal a malicious activity in the ICS traffic expressed by unexpected
ICS messages. In this paper, we significantly improve the performance of the
automata-based detection method and reduce its false-positive rate. We also
present a technique that produces additional details about detected anomalies,
which is important for real-world deployment. The approach is demonstrated on IEC
104 or MMS communication from different ICS systems.
@article{BUT179636,
author="Vojtěch {Havlena} and Petr {Matoušek} and Ondřej {Ryšavý} and Lukáš {Holík}",
title="Accurate Automata-Based Detection of Cyber Threats in Smart Grid Communication",
journal="IEEE Transactions on Smart Grid",
year="2023",
volume="2023",
number="14",
pages="2352--2366",
doi="10.1109/TSG.2022.3216726",
issn="1949-3053",
url="https://ieeexplore.ieee.org/document/9927376"
}