
Electronic data

  • senami

    Rights statement: © Owner/Author, 2016. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy http://dx.doi.org/10.1145/2994487.2994496

    Accepted author manuscript, 872 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:


SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN; Conference contribution/Paper; peer-review

Published

Standard

SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection. / Jardine, William; Frey, Sylvain; Green, Benjamin et al.
CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy. New York: ACM, 2016. p. 23-34.


Harvard

Jardine, W, Frey, S, Green, B & Rashid, A 2016, SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection. in CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy. ACM, New York, pp. 23-34, 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy, Vienna, Austria, 28/10/16. https://doi.org/10.1145/2994487.2994496

APA

Jardine, W., Frey, S., Green, B., & Rashid, A. (2016). SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection. In CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy (pp. 23-34). ACM. https://doi.org/10.1145/2994487.2994496

Vancouver

Jardine W, Frey S, Green B, Rashid A. SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection. In CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy. New York: ACM. 2016. p. 23-34 doi: 10.1145/2994487.2994496

Author

Jardine, William ; Frey, Sylvain ; Green, Benjamin et al. / SENAMI : Selective Non-Invasive Active Monitoring for ICS Intrusion Detection. CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy. New York : ACM, 2016. pp. 23-34

Bibtex

@inproceedings{581764a58abc47e18df8b399d1b60bfc,
title = "SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection",
abstract = "Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low cost solution, and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail in the detection of attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading legacy devices which are commonplace in ICSs. In this paper we aim to overcome these challenges through the combination of a passive network monitoring approach, and selective active monitoring based on attack vectors specific to an ICS context. We present the implementation of our IDS, SENAMI, for use with Siemens S7 devices. We evaluate the effectiveness of SENAMI in a comprehensive testbed environment, demonstrating validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reach recall values greater than 0.96, indicating few attack scenarios generating false negatives.",
author = "William Jardine and Sylvain Frey and Benjamin Green and Awais Rashid",
note = "{\textcopyright} Owner/Author, 2016. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy http://dx.doi.org/10.1145/2994487.2994496; 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy, CPS-SPC '16 ; Conference date: 28-10-2016 Through 28-10-2016",
year = "2016",
month = oct,
day = "28",
doi = "10.1145/2994487.2994496",
language = "English",
isbn = "9781450345682",
pages = "23--34",
booktitle = "CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy",
publisher = "ACM",
url = "https://www.sigsac.org/ccs/CCS2016/",
}

RIS

TY - GEN

T1 - SENAMI

T2 - 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy

AU - Jardine, William

AU - Frey, Sylvain

AU - Green, Benjamin

AU - Rashid, Awais

N1 - Conference code: 2nd

PY - 2016/10/28

Y1 - 2016/10/28

N2 - Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low cost solution, and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail in the detection of attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading legacy devices which are commonplace in ICSs. In this paper we aim to overcome these challenges through the combination of a passive network monitoring approach, and selective active monitoring based on attack vectors specific to an ICS context. We present the implementation of our IDS, SENAMI, for use with Siemens S7 devices. We evaluate the effectiveness of SENAMI in a comprehensive testbed environment, demonstrating validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reach recall values greater than 0.96, indicating few attack scenarios generating false negatives.

AB - Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low cost solution, and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail in the detection of attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading legacy devices which are commonplace in ICSs. In this paper we aim to overcome these challenges through the combination of a passive network monitoring approach, and selective active monitoring based on attack vectors specific to an ICS context. We present the implementation of our IDS, SENAMI, for use with Siemens S7 devices. We evaluate the effectiveness of SENAMI in a comprehensive testbed environment, demonstrating validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reach recall values greater than 0.96, indicating few attack scenarios generating false negatives.

U2 - 10.1145/2994487.2994496

DO - 10.1145/2994487.2994496

M3 - Conference contribution/Paper

SN - 9781450345682

SP - 23

EP - 34

BT - CPS-SPC '16 Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy

PB - ACM

CY - New York

Y2 - 28 October 2016 through 28 October 2016

ER -