Process-level Anomaly Detection in Industrial Control Systems

dc.contributor.author: Ström, David
dc.contributor.author: Sinai Nadkarni, Viren
dc.contributor.department: Chalmers tekniska högskola / Institutionen för data och informationsteknik [sv]
dc.contributor.examiner: Jonsson, Erland
dc.date.accessioned: 2019-07-12T12:14:18Z
dc.date.available: 2019-07-12T12:14:18Z
dc.date.issued: 2019 [sv]
dc.date.submitted: 2019
dc.description.abstract: Over the last decade, Industrial Control Systems (ICSs), which manage critical infrastructure such as power, water and gas distribution systems, have increasingly been targeted by sophisticated cyberattacks. It is of paramount importance that necessary safeguards are in place for these systems to avoid potentially catastrophic damage. Intrusion Detection Systems (IDSs) can be used to monitor computer systems for signs of attacks and are commonly of two types: signature-based or anomaly-based. Signature-based IDSs work by using a database of known traffic patterns to identify malicious activity. Attacks against ICSs are specialised and crafted to exploit specific protocol semantics and setup. As such, building a signature database which incorporates all attack properties is difficult. This has led to a growing interest in doing anomaly-based intrusion detection using information from the industrial processes, such as sensor readings and control commands. Research has shown that process-level anomaly detection can identify a large range of attack types, but so far there have been limited insights into whether process-level anomaly detection is suitable for modern ICS software. Questions such as whether the cost of processing a large number of signals is reasonable and whether it is feasible to integrate anomaly detection into existing ICS software need a deeper understanding. This study aims to evaluate the suitability of using process-level anomaly detection in production-grade ICS software. The platform is provided by ABB, a major international supplier of ICSs. We focus on two time series algorithms: Process-Aware Stealthy Attack Detection (PASAD) and Auto-Regression (AR) modelling. Our findings show that both methods can successfully be used in large-scale ICS software. AR gives throughput one order of magnitude higher than PASAD, while PASAD is better at detecting stealthy attacks and attacks in noisy signals. PASAD can also leverage GPU capabilities, but needs buffering to outperform CPU implementations. The design of PASAD means that it requires a large amount of memory to model signals which have many values representing the normal behaviour. On the whole, we find that process-level anomaly detection can be a reliable complementary security mechanism for ICS deployments. [sv]
dc.identifier.coursecode: DATX05 [sv]
dc.identifier.uri: https://hdl.handle.net/20.500.12380/300050
dc.language.iso: eng [sv]
dc.setspec.uppsok: Technology
dc.subject: Anomaly detection [sv]
dc.subject: Intrusion detection [sv]
dc.subject: Industrial control systems [sv]
dc.subject: Electrical grid [sv]
dc.title: Process-level Anomaly Detection in Industrial Control Systems [sv]
dc.type.degree: Examensarbete för masterexamen [sv]
dc.type.uppsok: H
Original bundle
Name: CSE 19-50 Ström Sinai Nadkarni.pdf
Size: 4.1 MB
Format: Adobe Portable Document Format
Description: CSE Ström Sinai Nadkarni