Rule-Based Intrusion Detection System for SCADA Networks

Increased complexity and interconnectivity of Supervisory Control and Data Acquisition (SCADA) systems in Smart Grids potentially means greater susceptibility to malicious attackers. SCADA systems with legacy communication infrastructure have inherent cyber-security vulnerabilities as these systems were originally designed with little consideration of cyber threats. In order to improve cyber-security of SCADA networks, this paper presents a rule-based Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method, which includes signature-based and model-based approaches tailored for SCADA systems. The proposed signature-based rules can accurately detect several known suspicious or malicious attacks. In addition, model-based detection is proposed as a complementary method to detect unknown attacks. Finally, proposed intrusion detection approaches for SCADA networks are implemented and verified using a ruled based method.

Intrusion Detection System for IEC 60870-5-104 Based SCADA Networks

Increased complexity and interconnectivity of Supervisory Control and Data Acquisition (SCADA) systems in Smart Grids potentially means greater susceptibility to malicious attackers. SCADA systems with legacy communication infrastructure have inherent cyber-security vulnerabilities as these systems were originally designed with little consideration of cyber threats. In order to improve cyber-security of SCADA networks, this paper presents a rule-based Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method, which includes signature-based and model-based approaches tailored for SCADA systems. The proposed signature-based rules can accurately detect several known suspicious or malicious attacks. In addition, model-based detection is proposed as a complementary method to detect unknown attacks. Finally, proposed intrusion detection approaches for SCADA networks are implemented and verified via Snort rules.

Intrusion Detection System for Network Security in Synchrophasor Systems

Synchrophasor systems will play a crucial role in next generation Smart Grid monitoring, protection and control. However these systems also introduce a multitude of potential vulnerabilities from malicious and inadvertent attacks, which may render erroneous operation or severe damage. This paper proposes a Synchrophasor Specific Intrusion Detection System (SSIDS) for malicious cyber attack and unintended misuse. The SSIDS comprises a heterogeneous whitelist and behavior-based approach to detect known attack types and unknown and so-called ‘zero-day’ vulnerabilities and attacks. The paper describes reconnaissance, Man-in-the-Middle (MITM) and Denial-of-Service (DoS) attack types executed against a practical synchrophasor system which are used to validate the real-time effectiveness of the proposed SSIDS cyber detection method.

Multidimensional Intrusion Detection System for IEC 61850 based SCADA Networks

Emerging cybersecurity vulnerabilities in supervisory control and data acquisition (SCADA) systems are becoming urgent engineering issues for modern substations. This paper proposes a novel intrusion detection system (IDS) tailored for cybersecurity of IEC 61850 based substations. The proposed IDS integrates physical knowledge, protocol specifications and logical behaviours to provide a comprehensive and effective solution that is able to mitigate various cyberattacks. The proposed approach comprises access control detection, protocol whitelisting, model-based detection, and multi-parameter based detection. This SCADA-specific IDS is implemented and validated using a comprehensive and realistic cyber-physical test-bed and data from a real 500kV smart substation.

Multi-Attribute SCADA-Specific Intrusion Detection System for Power Networks

The increased interconnectivity and complexity of supervisory control and data acquisition (SCADA) systems in power system networks has exposed the systems to a multitude of potential vulnerabilities. In this paper, we present a novel approach for a next-generation SCADA-specific intrusion detection system (IDS). The proposed system analyzes multiple attributes in order to provide a comprehensive solution that is able to mitigate varied cyber-attack threats. The multiattribute IDS comprises a heterogeneous white list and behavior-based concept in order to make SCADA cybersystems more secure. This paper also proposes a multilayer cyber-security framework based on IDS for protecting SCADA cybersecurity in smart grids without compromising the availability of normal data. In addition, this paper presents a SCADA-specific cybersecurity testbed to investigate simulated attacks, which has been used in this paper to validate the proposed approach.

Network Based Malware Detection in Virtualised Environment

While virtualisation can provide many benefits to a networks infrastructure, securing the virtualised environment is a big challenge. The security of a fully virtualised solution is dependent on the security of each of its underlying components, such as the hypervisor, guest operating systems and storage.

This paper presents a single security service running on the hypervisor that could potentially work to provide security service to all virtual machines running on the system. This paper presents a hypervisor hosted framework which performs specialised security tasks for all underlying virtual machines to protect against any malicious attacks by passively analysing the network traffic of VMs. This framework has been implemented using Xen Server and has been evaluated by detecting a Zeus Server setup and infected clients, distributed over a number of virtual machines. This framework is capable of detecting and identifying all infected VMs with no false positive or false negative detection.

The effect of probe interval estimation on attack detection performance of a WLAN independent intrusion detection system

A new niche of densely populated, unprotected networks is becoming more prevalent in public areas such as Shopping Malls, defined here as independent open-access networks, which have attributes that make attack detection more challenging than in typical enterprise networks. To address these challenges, new detection systems which do not rely on knowledge of internal device state are investigated here. This paper shows that this lack of state information requires an additional metric (The exchange timeout window) for detection of WLAN Denial of Service Probe Flood attacks. Variability in this metric has a significant influence on the ability of a detection system to reliably detect the presence of attacks. A parameter selection method is proposed which is shown to provide reliability and repeatability in attack detection in WLANs. Results obtained from ongoing live trials are presented that demonstrate the importance of accurately estimating probe request and probe response timeouts in future Independent Intrusion Detection Systems.

Unique Challenges in WiFi Intrusion Detection

The Intrusion Detection System (IDS) is a common means of protecting networked systems from attack or malicious misuse. The deployment of an IDS can take many different forms dependent on protocols, usage and cost. This is particularly true of Wireless Intrusion Detection Systems (WIDS) which have many detection challenges associated with data transmission through an open, shared medium, facilitated by fundamental changes at the Physical and MAC layers. WIDS need to be considered in more detail at these lower layers than their wired counterparts as they face unique challenges. The remainder of this chapter will investigate three of these challenges where WiFi deviates significantly from that of wired counterparts:

• Attacks Specific to WiFi Networks: Outlining the additional threats which WIDS must account for: Denial of Service, Encryption Bypass and AP Masquerading attacks.

• The Effect of Deployment Architecture on WIDS Performance: Demonstrating that the deployment environment of a network protected by a WIDS can influence the prioritisation of attacks.

• The Importance of Live Data in WiFi Research: Investigating the different choices for research data sources with an emphasis on encouraging live network data collection for future WiFi research.

Introduction to Wireless Intrusion Detection Systems

The IDS (Intrusion Detection System) is a common means of protecting networked systems from attack or malicious misuse. The development and rollout of an IDS can take many different forms in terms of equipment, protocols, connectivity, cost and automation. This is particularly true of WIDS (Wireless Intrusion Detection Systems) which have many more opportunities and challenges associated with data transmission through an open, shared medium.
The operation of a WIDS is a multistep process from origination of an attack through to human readable evaluation. Attention to the performance of each of the processes in the chain from attack detection to evaluation is imperative if an optimum solution is to be sought. At present, research focuses very much on each discrete aspect of a WIDS with little consideration to the operation of the whole system. Taking a holistic view of the technology shows the interconnectivity and inter-dependence between stages, leading to improvements and novel research areas for investigation.
This chapter will outline the general structure of Wireless Intrusion Detection Systems and briefly describe the functions of each development stage, categorised into the following 6 areas:
• Threat Identification,
• Architecture,
• Data Collection,
• Intrusion Detection,
• Alert Correlation,
• Evaluation.
These topics will be considered in broad terms designed for those new to the area. Focus will be placed on ensuring the readers are aware of the impact of choices made at early stages in WIDS development on future stages.

Stateful Intrusion Detection for IEC 60870-5-104 SCADA Security

Cyber threats in Supervisory Control and Data Acquisition (SCADA) systems have the potential to render physical damage and jeopardize power system operation, safety and stability. SCADA systems were originally designed with little consideration of escalating cyber threats and hence the problem of how to develop robust intrusion detection technologies to tailor the requirements of SCADA is an emerging topic and a big challenge. This paper proposes a stateful Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method to improve the cyber-security of SCADA systems using the IEC 60870-5-104 protocol which is tailored for basic telecontrol communications. The proposed stateful protocol analysis approach is presented that is designed specifically for the IEC 60870-5-104 protocol. Finally, the novel intrusion detection approach are implemented and validated.

Measuring Inconsistency in a Network Intrusion Detection Rule Set Based on Snort

In this preliminary study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which are based on Snort and incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. We measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. Finally, we propose a new measure of inconsistency for prioritized knowledge which incorporates the normalized number of atoms in a language involved in inconsistency to provide a deeper inspection of inconsistent formulae. We conclude that such measures are useful for the network intrusion domain assuming that introducing expert knowledge for correlation of rules is feasible.

Synchrophasor-Based Islanding Detection for Distributed Generation Systems Using Systematic Principal Component Analysis Approaches

Systematic principal component analysis (PCA) methods are presented in this paper for reliable islanding detection for power systems with significant penetration of distributed generations (DGs), where synchrophasors recorded by Phasor Measurement Units (PMUs) are used for system monitoring. Existing islanding detection methods such as Rate-of-change-of frequency (ROCOF) and Vector Shift are fast for processing local information, however with the growth in installed capacity of DGs, they suffer from several drawbacks. Incumbent genset islanding detection cannot distinguish a system wide disturbance from an islanding event, leading to mal-operation. The problem is even more significant when the grid does not have sufficient inertia to limit frequency divergences in the system fault/stress due to the high penetration of DGs. To tackle such problems, this paper introduces PCA methods for islanding detection. Simple control chart is established for intuitive visualization of the transients. A Recursive PCA (RPCA) scheme is proposed as a reliable extension of the PCA method to reduce the false alarms for time-varying process. To further reduce the computational burden, the approximate linear dependence condition (ALDC) errors are calculated to update the associated PCA model. The proposed PCA and RPCA methods are verified by detecting abnormal transients occurring in the UK utility network.