Publication Details
Accurate Automata-Based Detection of Cyber Threats in Smart Grid Communication
Smart grid, cyber security, anomaly detection, probabilistic automata, network
flows, MITRE ATT&CK
Several industry sectors, including critical infrastructure, have experienced
severe cyber attacks against their Industrial Control Systems (ICS) due to the
malware that masqueraded itself as a legitimate ICS process and communicated with
valid ICS messages. Such behavior is difficult to detect by standard techniques.
Intrusion Detection Systems (IDS) usually filter illegitimate communication using
pre-defined patterns while statistical-based Anomaly Detection Systems (ADS)
mostly observe selected attributes of transmitted packets without deeper analysis
of ICS messages. We propose a new detection approach based on Deterministic
Probabilistic Automata (DPAs) that capture the intended semantics of the ICS
message exchange. The method models normal ICS message sequences using a set of
DPAs representing expected traffic patterns. Then the detection system applies
reasoning about the model to reveal a malicious activity in the ICS traffic
expressed by unexpected ICS messages. In this paper, we significantly improve the
performance of the automata-based detection method and reduce its false-positive
rate. We also present a technique that produces additional details about detected
anomalies, which is important for real-world deployment. The approach is
demonstrated on IEC 104 or MMS communication from different ICS systems.
@article{BUT179636,
author="Vojtěch {Havlena} and Petr {Matoušek} and Ondřej {Ryšavý} and Lukáš {Holík}",
title="Accurate Automata-Based Detection of Cyber Threats in Smart Grid Communication",
journal="IEEE Transactions on Smart Grid",
year="2023",
volume="2023",
number="14",
pages="2352--2366",
doi="10.1109/TSG.2022.3216726",
issn="1949-3053",
url="https://ieeexplore.ieee.org/document/9927376"
}