Issue | MATEC Web Conf., Volume 173, 2018: 2018 International Conference on Smart Materials, Intelligent Manufacturing and Automation (SMIMA 2018)
---|---
Article Number | 03039
Number of page(s) | 9
Section | Digital Signal and Image Processing
DOI | https://doi.org/10.1051/matecconf/201817303039
Published online | 19 June 2018
Inside the Closed World: User and Device Profile Analytics for SCADA Security
1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, 100195 E-park C1 Norh, No. 80 Xingshikou Road, Haidian District, Beijing, China
2 School of Cyber Security, University of Chinese Academy of Sciences, 100049 No.19(A) Yuquan Road, Shijingshan District, Beijing, P.R.China
* Corresponding author: author@e-mail.org
Attacks that use sophisticated and complex methods have increased recently, aiming to infiltrate Supervisory Control and Data Acquisition (SCADA) systems and stay undetected. Therefore, attackers often obtain authorized permissions in SCADA and cause catastrophic damage by sending ‘legitimate’ control commands. Furthermore, insiders may misuse or abuse their permissions to damage the SCADA system, which is difficult to predict and protect against. Most existing security systems employ standard signature-based or anomaly-based approaches, which are not able to identify this type of malicious activity. In this paper, we use machine learning algorithms based on Singular Value Decomposition (SVD) to create profiles of users and devices. The major contribution of this paper is a general process for detecting anomalies, independent of specific use cases. Suspicious actions are alerted to analysts with relevant contextual information for further investigation and action. We provide a detailed description of the algorithms, the methodology, and the profiling and anomaly detection process. Profiles of different users and devices give us a baseline of normal behavior against which unusual behaviors can be compared. To demonstrate the proposed method, attack scenarios were simulated on a Compressed Natural Gas (CNG) system in our lab. Experimental results illustrate that the proposed method is effective at detecting abnormal behaviors in SCADA systems.
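The baseline-profile idea in the abstract can be sketched as follows. This is an added example, not the paper's algorithm or code: it assumes each user is described by per-window counts of control commands, builds a rank-k SVD profile by power iteration, and scores a window by the share of its activity the profile does not explain. The command names, the threshold rule and all sample counts are constructed for illustration.

```python
import math

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def profile(windows, k=1, iters=200):
    """Top-k right singular vectors of the baseline matrix (rows = time windows,
    columns = command counts), via power iteration on A^T A with deflation."""
    n = len(windows[0])
    basis = []
    for _ in range(k):
        v = [float(j + 1) for j in range(n)]        # deterministic start vector
        for _ in range(iters):
            av = [dot(r, v) for r in windows]       # A v
            w = [sum(r[j] * s for r, s in zip(windows, av)) for j in range(n)]
            for b in basis:                         # stay orthogonal to found vectors
                d = dot(w, b)
                w = [x - d * y for x, y in zip(w, b)]
            norm = math.sqrt(dot(w, w))
            if norm < 1e-9:                         # baseline rank exhausted
                return basis
            v = [x / norm for x in w]
        basis.append(v)
    return basis

def score(window, basis):
    """Share of a window's activity outside the profile (0 = fits, 1 = unrelated)."""
    resid = [float(x) for x in window]
    for b in basis:
        d = dot(resid, b)
        resid = [x - d * y for x, y in zip(resid, b)]
    total = math.sqrt(dot(window, window))
    return math.sqrt(dot(resid, resid)) / total if total else 0.0

def threshold(windows, basis, margin=3.0):
    """Assumed alert rule: a margin above the worst score seen in the baseline."""
    return margin * max(score(w, basis) for w in windows)

# Constructed sample data for one operator account. Columns (hypothetical names):
# read_status, read_pressure, write_setpoint, start_compressor, stop_compressor
BASELINE = [[40, 38, 2, 0, 0], [42, 40, 1, 0, 0], [39, 37, 3, 0, 0],
            [41, 39, 2, 0, 0], [20, 19, 1, 0, 0], [43, 41, 2, 0, 0]]
NORMAL = [41, 39, 2, 0, 0]     # typical monitoring shift
SUSPECT = [5, 4, 30, 6, 6]     # valid commands, unusual mix for this account

if __name__ == "__main__":
    basis = profile(BASELINE)
    limit = threshold(BASELINE, basis)
    for name, win in (("normal", NORMAL), ("suspect", SUSPECT)):
        s = score(win, basis)
        print(f"{name}: score={s:.3f} alert={s > limit}")
```

Every command in the suspect window is individually permitted, so a signature on single commands would not fire; only the deviation from the account's own baseline raises the score.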
© The Authors, published by EDP Sciences, 2018
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.