Mobile Networks and Management. 9th International Conference, MONAMI 2017, Melbourne, Australia, December 13-15, 2017, Proceedings

Research Article

Probability Risk Identification Based Intrusion Detection System for SCADA Systems

Download74 downloads
  • @INPROCEEDINGS{10.1007/978-3-319-90775-8_28,
        author={Thomas Marsden and Nour Moustafa and Elena Sitnikova and Gideon Creech},
        title={Probability Risk Identification Based Intrusion Detection System for SCADA Systems},
        proceedings={Mobile Networks and Management. 9th International Conference, MONAMI 2017, Melbourne, Australia, December 13-15, 2017, Proceedings},
        proceedings_a={MONAMI},
        year={2018},
        month={5},
        keywords={SCADA Security Network intrusion detection MODBUS TCP Probability risk identification},
        doi={10.1007/978-3-319-90775-8_28}
    }
    
  • Thomas Marsden
    Nour Moustafa
    Elena Sitnikova
    Gideon Creech
    Year: 2018
    Probability Risk Identification Based Intrusion Detection System for SCADA Systems
    MONAMI
    Springer
    DOI: 10.1007/978-3-319-90775-8_28
Thomas Marsden1,*, Nour Moustafa1,*, Elena Sitnikova1,*, Gideon Creech1,*
  • 1: UNSW Canberra
*Contact email: thomas.marsden@defence.gov.au, nour.moustafa@unsw.edu.au, e.sitnikova@adfa.edu.au, g.creech@adfa.edu.au

Abstract

As Supervisory Control and Data Acquisition (SCADA) systems control several critical infrastructures, they have connected to the internet. Consequently, SCADA systems face different sophisticated types of cyber adversaries. This paper suggests a Probability Risk Identification based Intrusion Detection System (PRI-IDS) technique based on analysing network traffic of Modbus TCP/IP for identifying replay attacks. It is acknowledged that Modbus TCP is usually vulnerable due to its unauthenticated and unencrypted nature. Our technique is evaluated using a simulation environment by configuring a testbed, which is a custom SCADA network that is cheap, accurate and scalable. The testbed is exploited when testing the IDS by sending individual packets from an attacker located on the same LAN as the Modbus master and slave. The experimental results demonstrated that the proposed technique can effectively and efficiently recognise replay attacks.