SlideShare una empresa de Scribd logo

Leveraging Multivariate Analysis to Detect Anomalies in Industrial Control Systems

M
Mikel Iturbe Urretxa

Guest lecture in the DAT300 graduate course of the Chalmers University of Technology in Gothenburg, Sweden.

Tecnología
1 de 43
Descargar para leer sin conexión
LEVERAGING MULTIVARIATE ANALYSIS TO DETECT ANOMALIES IN INDUSTRIAL CONTROL SYSTEMS DAT300 presentation Mikel Iturbe Electronics and Computing Department Faculty of Engineering – Mondragon University Chalmers University of Technology, Gothenburg, Sweden September 15, 2016
<Prologue>
Introduction ADSs MSPC Ongoing work Conclusions About me 3
Introduction ADSs MSPC Ongoing work Conclusions About me • Born in Bilbao, Basque Country, 1987 • BSc in Computer Engineering (Mondragon Unibertsitatea 2008-2012) • MSc in ICT Security (UOC, UAB, URV 2012-2013) • PhD in ICS Security (Mondragon Unibertsitatea 2013-2017?) 4
Introduction ADSs MSPC Ongoing work Conclusions About us: Mondragon Unibertsitatea • Small, private, non-profit university in the Basque Country • Founded in 1997 (1943) • Some data (14/15) • 4 faculties • 3513 undergrad students • 615 Master students • 112 PhD students • Cooperative university • Transfer oriented research 5
Introduction ADSs MSPC Ongoing work Conclusions About us: Telematics team at Mondragon Unibertsitatea 6
</Prologue>
Introduction ADSs MSPC Ongoing work Conclusions Agenda 1. Introduction 2. Anomaly Detection Systems 3. Multivariate Statistical Process Control 4. Ongoing work 5. Conclusions 8
Introduction
Introduction ADSs MSPC Ongoing work Conclusions Industrial control systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz 10
Introduction ADSs MSPC Ongoing work Conclusions Fieldbus Network Control Network Demilitarized Zone Corporate Network Internet PLC PLCPLC HMI Control Server Engineering Workstation HistorianData Server Field equipment Workstations Corporate Servers FieldDevicesFieldControllersSupervisoryDevices 11
Introduction ADSs MSPC Ongoing work Conclusions ICS vs. IT ICS networks IT networks Primary function Control of physical equip- ment Data processing and transfer Applicable Domain Manufacturing, processing and utility distribution Corporate and home environ- ments Hierarchy Deep, functionally separated hierarchies with many proto- cols and physical standards Shallow, integrated hierar- chies with uniform protocol and physical standard utili- sation Failure Severity High Low Reliability Required High Moderate Round Trip Times 250μs–10 ms 50+ ms Determinism High Low Data Composition Small packets of periodic and aperiodic traffic Large, aperiodic packets Temporal consistency Required Not Required Operating environment Hostile conditions, often fea- turing high levels of dust, heat and vibration Clean environments, often specifically intended for sen- sitive equipment System lifetime (years) Some tens Some Average node complexity low (simple devices, sensors, actuators) high (large servers/file sys- tems/databases) Brendan Galloway and Gerhard Hancke. Introduction to Industrial Control Networks. IEEE Communications Surveys & Tutorials, 15(2):860–880, 2012 Manuel Cheminod, Luca Durante, and Adriano Valenzano. Review of Security Issues in Industrial Networks. IEEE Transactions on Industrial Informatics, 9(1):277–293, 2013 12
Anomaly Detection Systems
Introduction ADSs MSPC Ongoing work Conclusions Intrusion Detection System • Mechanisms that monitor network and/or system activities to detect suspicious events that occur in them. • Main classification criteria in IDSs 1. Detection mechanism • Signature-based • Anomaly Detection Systems (ADS) 2. Scope • Host • Network 3. ICS Scope • Network • Process 14
Introduction ADSs MSPC Ongoing work Conclusions ADSs on ICSs • Active research topic • Data-driven methods gaining traction Bonnie Zhu and Shankar Sastry. SCADA-specific intrusion detection/prevention systems: a survey and taxonomy. In Proceedings of the 1st Workshop on Secure Control Systems (SCS), 2010 Robert Mitchell and Ingray Chen. A Survey of Intrusion Detection Techniques for Cyber Physical Systems. ACM Computing Surveys, 46(4), April 2014 15
Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature • We found a couple of relevant gaps in the literature. 1. Lack of visualizations 2. Almost no network & process level ADSs 16
Introduction ADSs MSPC Ongoing work Conclusions Visual Network Flow Monitoring (a) Forbidden flow between PLC 1 and HMI 2. (b) Detail of the forbidden flow. Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria. Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting. In Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications, volume 2, pages 99–106, Feb. 2016 17
Introduction ADSs MSPC Ongoing work Conclusions Visual Network Flow Monitoring Able to detect, based on whitelisting: • Forbidden connection • Forbidden port • Incorrect flow size (DoS) • Missing host 18
Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature • We found a couple of relevant gaps in the literature. 1. Lack of visualizations 2. Almost no network & process level ADSs 19
Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature “In order to make IDSs effective in protecting this kind of systems, it is then needed a set of multilayer aggregation features to correlate events generated from different sources (e.g. correlating events coming from the process network of a remote transmission substation with events coming from the office network of a control center) in order to detect large scale complex attacks. This probably represents the next research challenge in this field.” Ettore Bompard, Paolo Cuccia, Marcelo Masera, and Igor Nai Fovino. Cyber vulnerability in power systems operation and control. In Critical Infrastructure Protection, pages 197–234. Springer, 2012 20
Multivariate Statistical Process Control
Introduction ADSs MSPC Ongoing work Conclusions Multivariate data V1 V2 V3 … Vm O1 O2 O3 ... ... ... On • ICSs are multivariate by nature. 22
Introduction ADSs MSPC Ongoing work Conclusions Multivariate data It is not easy to monitor… • If variables are in their normal operation constraints • Correlations between different variables But, information can be expressed in a (smaller) set of non-measurable variables called Latent Variables or Principal Components 23
Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) CC-BY-SA 2.5 Charles Albert-Lehalle 24
Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) • Dimensionality Reduction Algorithm • Linear combination of variables • Maximizes variance 25
Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) CC-BY 2.0 Matthias Scholz, Approaches to analyse and interpret biological profile data. PhD Thesis. University of Potsdam, 2006 26
Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) X = TAPt A + EA           O11 . . . O1m O21 . . . O2m O31 . . . O3m ... ... ... ... On1 . . . Onm           =           O′ 11 O′ 12 O′ 21 O′ 22 O′ 31 O′ 32 ... ... ... ... O′ n1 O′ n2           [ V′ 11 . . . V’1m V′ 21 . . . V’2m ] +           e11 . . . e1m e21 . . . e2m e31 . . . e3m ... ... ... ... en1 . . . enm           27
Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) X = TAPt A + EA           O11 . . . O1m O21 . . . O2m O31 . . . O3m ... ... ... ... On1 . . . Onm           Original values =           O′ 11 O′ 12 O′ 21 O′ 22 O′ 31 O′ 32 ... ... ... ... O′ n1 O′ n2           Scores [ V′ 11 . . . V’1m V′ 21 . . . V’2m ] Loadings +           e11 . . . e1m e21 . . . e2m e31 . . . e3m ... ... ... ... en1 . . . enm           Residuals 28
Introduction ADSs MSPC Ongoing work Conclusions PCA: Residuals PD - Pearson, K. 1901. On lines and planes of closest fit to systems of points in space. Philosophical Magazine 2:559-572. 29
Introduction ADSs MSPC Ongoing work Conclusions Multivariate Statistical Process Control • Statistical Control • Process-agnostic • We monitor the scores and the residuals on control charts. • Two univariate statistics: Dn = A∑ a=1 ( tan − µta σta )2 ; Qn = A∑ a=1 (enm)2 30
Introduction ADSs MSPC Ongoing work Conclusions Control Charts Time Value 31
Introduction ADSs MSPC Ongoing work Conclusions Anomaly Detection • Monitoring of control charts • If three consecutive observations go of bounds, the event is flagged as anomalous 32
Introduction ADSs MSPC Ongoing work Conclusions Anomaly Diagnosis • Once an anomaly is flagged, we diagnose its cause • Contribution (oMEDA) plots TE variables d2 A -90 -80 -70 -60 -50 -40 -30 -20 -10 0 10 XMEAS(1) José Camacho. Observation-based missing data methods for exploratory data analysis to unveil the connection between observations and variables in latent subspace models. Journal of Chemometrics, 25(11):592–600, 2011 33
Introduction ADSs MSPC Ongoing work Conclusions Application to Network Anomaly Detection • MSPC-based techniques can be used for network anomaly detection. • Variable parametrization. • Logs José Camacho, Gabriel Maciá Fernández, Jesús Díaz Verdejo, and Pedro García Teodoro. Tackling the Big Data 4 vs for anomaly detection. In Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, pages 500–505, April 2014. doi: 10.1109/INFCOMW.2014.6849282 José Camacho, Alejandro Pérez Villegas, Pedro García Teodoro, and Gabriel Maciá Fernández. PCA-based multivariate statistical network monitoring for anomaly detection. Computers & Security, 59:118–137, 2016. ISSN 0167-4048. doi: http://dx.doi.org/10.1016/j.cose.2016.02.008 34
Introduction ADSs MSPC Ongoing work Conclusions And in ICSs? • When looking at Process Data, we might be able to distinguish intrusions from disturbances using MSPC Mikel Iturbe, José Camacho, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria. On the feasibility of distinguishing between process disturbances and intrusions in process control systems using multivariate statistical process control. In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN 2016), 2016 35
Introduction ADSs MSPC Ongoing work Conclusions Work Hypothesis Therefore, it seems natural to link both worlds, and create a unified ADS for ICSs. 36
Ongoing work
Introduction ADSs MSPC Ongoing work Conclusions Process: Tennessee-Eastman James J Downs and Ernest F Vogel. A plant-wide industrial process control problem. Computers & Chemical Engineering, 17(3):245–255, 1993 38
Introduction ADSs MSPC Ongoing work Conclusions Network 39
Introduction ADSs MSPC Ongoing work Conclusions Challenges • Timestamp synchronization • Data processing complexity 40
Conclusions
Introduction ADSs MSPC Ongoing work Conclusions Conclusions • Anomaly Detection in ICSs is an active research field • Security visualizations in the field are still in their infancy • Multivariate Analysis can help finding process-level anomalies • Network variable parametrization opens the way to a multi-level, process-agnostic, ADS for ICSs. 42
thank you. miturbe@mondragon.edu iturbe.info

Recomendados

Root cause analysis in complex cyber physical systems - Faults Classification
Root cause analysis in complex cyber physical systems - Faults ClassificationRoot cause analysis in complex cyber physical systems - Faults Classification
Root cause analysis in complex cyber physical systems - Faults Classification
Alessandro Granato
 
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
srinivasanece7
 
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUESNEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
cscpconf
 
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUESNEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
csitconf
 
Scada slide
Scada slideScada slide
Scada slide
Towfiqur Rahman
 
Thesis
ThesisThesis
Thesis
Shravan Tamaskar
 
Thesis
ThesisThesis
Thesis
Shravan Tamaskar
 
sensors-20-01011-v2 (1).pdf
sensors-20-01011-v2 (1).pdfsensors-20-01011-v2 (1).pdf
sensors-20-01011-v2 (1).pdf
Shishir Ahmed
 

Recomendados

Root cause analysis in complex cyber physical systems - Faults Classification
Root cause analysis in complex cyber physical systems - Faults ClassificationRoot cause analysis in complex cyber physical systems - Faults Classification
Root cause analysis in complex cyber physical systems - Faults Classification
Alessandro Granato
 
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
srinivasanece7
 
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUESNEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
cscpconf
 
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUESNEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
NEURAL NETWORKS WITH DECISION TREES FOR DIAGNOSIS ISSUES
csitconf
 
Scada slide
Scada slideScada slide
Scada slide
Towfiqur Rahman
 
Thesis
ThesisThesis
Thesis
Shravan Tamaskar
 
Thesis
ThesisThesis
Thesis
Shravan Tamaskar
 
sensors-20-01011-v2 (1).pdf
sensors-20-01011-v2 (1).pdfsensors-20-01011-v2 (1).pdf
sensors-20-01011-v2 (1).pdf
Shishir Ahmed
 
M3AT: Monitoring Agents Assignment Model for the Data-Intensive Applications
M3AT: Monitoring Agents Assignment Model for the Data-Intensive ApplicationsM3AT: Monitoring Agents Assignment Model for the Data-Intensive Applications
M3AT: Monitoring Agents Assignment Model for the Data-Intensive Applications
VladislavKashansky
 
Data aggregation in wireless sensor networks
Data aggregation in wireless sensor networksData aggregation in wireless sensor networks
Data aggregation in wireless sensor networks
Jasleen Kaur (Chandigarh University)
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
bhavuksharma10
 
Education set for collecting and visualizing data using sensor system based ...
Education set for collecting and visualizing data using sensor system based ...Education set for collecting and visualizing data using sensor system based ...
Education set for collecting and visualizing data using sensor system based ...
IJMER
 
Impact of the temperature and humidity variations on link quality of xm1000 m...
Impact of the temperature and humidity variations on link quality of xm1000 m...Impact of the temperature and humidity variations on link quality of xm1000 m...
Impact of the temperature and humidity variations on link quality of xm1000 m...
ijasuc
 
Reliable and Efficient Data Acquisition in Wireless Sensor Network
Reliable and Efficient Data Acquisition in Wireless Sensor NetworkReliable and Efficient Data Acquisition in Wireless Sensor Network
Reliable and Efficient Data Acquisition in Wireless Sensor Network
IJMTST Journal
 
Scada system for real time data monitoring and controlling in industries
Scada system for real time data monitoring and controlling in industriesScada system for real time data monitoring and controlling in industries
Scada system for real time data monitoring and controlling in industries
vishnu081
 
Education set for collecting and visualizing data using sensor system based o...
Education set for collecting and visualizing data using sensor system based o...Education set for collecting and visualizing data using sensor system based o...
Education set for collecting and visualizing data using sensor system based o...
IJMER
 
Jprofessionals co create the future of your city
Jprofessionals co create the future of your cityJprofessionals co create the future of your city
Jprofessionals co create the future of your city
Pance Cavkovski
 
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Onyebuchi nosiri
 
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Onyebuchi nosiri
 
FAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFIS
FAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFISFAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFIS
FAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFIS
IRJET Journal
 
Intrusion Detection System using K-Means Clustering and SMOTE
Intrusion Detection System using K-Means Clustering and SMOTEIntrusion Detection System using K-Means Clustering and SMOTE
Intrusion Detection System using K-Means Clustering and SMOTE
IRJET Journal
 
Semantics in Sensor Networks
Semantics in Sensor NetworksSemantics in Sensor Networks
Semantics in Sensor Networks
Oscar Corcho
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)
shanshicn
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
MahendraShukla27
 
Efficient Data Gathering with Compressive Sensing in Wireless Sensor Networks
Efficient Data Gathering with Compressive Sensing in Wireless Sensor NetworksEfficient Data Gathering with Compressive Sensing in Wireless Sensor Networks
Efficient Data Gathering with Compressive Sensing in Wireless Sensor Networks
IRJET Journal
 
Clustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow DetectionClustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow Detection
APNIC
 
Secure data dissemination protocol in wireless sensor networks using xor netw...
Secure data dissemination protocol in wireless sensor networks using xor netw...Secure data dissemination protocol in wireless sensor networks using xor netw...
Secure data dissemination protocol in wireless sensor networks using xor netw...
eSAT Publishing House
 
Detecting Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale SystemsDetecting Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale Systems
haroonmalik786
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
 

Más contenido relacionado

Similar a Leveraging Multivariate Analysis to Detect Anomalies in Industrial Control Systems

Education set for collecting and visualizing data using sensor system based ...
Education set for collecting and visualizing data using sensor system based ...Education set for collecting and visualizing data using sensor system based ...
Education set for collecting and visualizing data using sensor system based ...
IJMER
 
Impact of the temperature and humidity variations on link quality of xm1000 m...
Impact of the temperature and humidity variations on link quality of xm1000 m...Impact of the temperature and humidity variations on link quality of xm1000 m...
Impact of the temperature and humidity variations on link quality of xm1000 m...
ijasuc
 
Reliable and Efficient Data Acquisition in Wireless Sensor Network
Reliable and Efficient Data Acquisition in Wireless Sensor NetworkReliable and Efficient Data Acquisition in Wireless Sensor Network
Reliable and Efficient Data Acquisition in Wireless Sensor Network
IJMTST Journal
 
Education set for collecting and visualizing data using sensor system based o...
Education set for collecting and visualizing data using sensor system based o...Education set for collecting and visualizing data using sensor system based o...
Education set for collecting and visualizing data using sensor system based o...
IJMER
 
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Onyebuchi nosiri
 
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Onyebuchi nosiri
 
Secure data dissemination protocol in wireless sensor networks using xor netw...
Secure data dissemination protocol in wireless sensor networks using xor netw...Secure data dissemination protocol in wireless sensor networks using xor netw...
Secure data dissemination protocol in wireless sensor networks using xor netw...
eSAT Publishing House
 
Detecting Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale SystemsDetecting Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale Systems
haroonmalik786
 

Similar a Leveraging Multivariate Analysis to Detect Anomalies in Industrial Control Systems (20)

M3AT: Monitoring Agents Assignment Model for the Data-Intensive Applications
M3AT: Monitoring Agents Assignment Model for the Data-Intensive ApplicationsM3AT: Monitoring Agents Assignment Model for the Data-Intensive Applications
M3AT: Monitoring Agents Assignment Model for the Data-Intensive Applications
 
Data aggregation in wireless sensor networks
Data aggregation in wireless sensor networksData aggregation in wireless sensor networks
Data aggregation in wireless sensor networks
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
 
Education set for collecting and visualizing data using sensor system based ...
Education set for collecting and visualizing data using sensor system based ...Education set for collecting and visualizing data using sensor system based ...
Education set for collecting and visualizing data using sensor system based ...
 
Impact of the temperature and humidity variations on link quality of xm1000 m...
Impact of the temperature and humidity variations on link quality of xm1000 m...Impact of the temperature and humidity variations on link quality of xm1000 m...
Impact of the temperature and humidity variations on link quality of xm1000 m...
 
Reliable and Efficient Data Acquisition in Wireless Sensor Network
Reliable and Efficient Data Acquisition in Wireless Sensor NetworkReliable and Efficient Data Acquisition in Wireless Sensor Network
Reliable and Efficient Data Acquisition in Wireless Sensor Network
 
Scada system for real time data monitoring and controlling in industries
Scada system for real time data monitoring and controlling in industriesScada system for real time data monitoring and controlling in industries
Scada system for real time data monitoring and controlling in industries
 
Education set for collecting and visualizing data using sensor system based o...
Education set for collecting and visualizing data using sensor system based o...Education set for collecting and visualizing data using sensor system based o...
Education set for collecting and visualizing data using sensor system based o...
 
Jprofessionals co create the future of your city
Jprofessionals co create the future of your cityJprofessionals co create the future of your city
Jprofessionals co create the future of your city
 
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
 
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
Adaptive Monitoring and Localization of Faulty Node in a Wireless Sensor Netw...
 
FAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFIS
FAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFISFAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFIS
FAULT DETECTION SCHEME OF 5 BUS BY ANN AND ANFIS
 
Intrusion Detection System using K-Means Clustering and SMOTE
Intrusion Detection System using K-Means Clustering and SMOTEIntrusion Detection System using K-Means Clustering and SMOTE
Intrusion Detection System using K-Means Clustering and SMOTE
 
Semantics in Sensor Networks
Semantics in Sensor NetworksSemantics in Sensor Networks
Semantics in Sensor Networks
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
 
Efficient Data Gathering with Compressive Sensing in Wireless Sensor Networks
Efficient Data Gathering with Compressive Sensing in Wireless Sensor NetworksEfficient Data Gathering with Compressive Sensing in Wireless Sensor Networks
Efficient Data Gathering with Compressive Sensing in Wireless Sensor Networks
 
Clustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow DetectionClustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow Detection
 
Secure data dissemination protocol in wireless sensor networks using xor netw...
Secure data dissemination protocol in wireless sensor networks using xor netw...Secure data dissemination protocol in wireless sensor networks using xor netw...
Secure data dissemination protocol in wireless sensor networks using xor netw...
 
Detecting Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale SystemsDetecting Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale Systems
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Último (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Leveraging Multivariate Analysis to Detect Anomalies in Industrial Control Systems

  • 1. LEVERAGING MULTIVARIATE ANALYSIS TO DETECT ANOMALIES IN INDUSTRIAL CONTROL SYSTEMS DAT300 presentation Mikel Iturbe Electronics and Computing Department Faculty of Engineering – Mondragon University Chalmers University of Technology, Gothenburg, Sweden September 15, 2016
  • 3. Introduction ADSs MSPC Ongoing work Conclusions About me 3
  • 4. Introduction ADSs MSPC Ongoing work Conclusions About me • Born in Bilbao, Basque Country, 1987 • BSc in Computer Engineering (Mondragon Unibertsitatea 2008-2012) • MSc in ICT Security (UOC, UAB, URV 2012-2013) • PhD in ICS Security (Mondragon Unibertsitatea 2013-2017?) 4
  • 5. Introduction ADSs MSPC Ongoing work Conclusions About us: Mondragon Unibertsitatea • Small, private, non-profit university in the Basque Country • Founded in 1997 (1943) • Some data (14/15) • 4 faculties • 3513 undergrad students • 615 Master students • 112 PhD students • Cooperative university • Transfer oriented research 5
  • 6. Introduction ADSs MSPC Ongoing work Conclusions About us: Telematics team at Mondragon Unibertsitatea 6
  • 8. Introduction ADSs MSPC Ongoing work Conclusions Agenda 1. Introduction 2. Anomaly Detection Systems 3. Multivariate Statistical Process Control 4. Ongoing work 5. Conclusions 8
  • 10. Introduction ADSs MSPC Ongoing work Conclusions Industrial control systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz 10
  • 11. Introduction ADSs MSPC Ongoing work Conclusions Fieldbus Network Control Network Demilitarized Zone Corporate Network Internet PLC PLCPLC HMI Control Server Engineering Workstation HistorianData Server Field equipment Workstations Corporate Servers FieldDevicesFieldControllersSupervisoryDevices 11
  • 12. Introduction ADSs MSPC Ongoing work Conclusions ICS vs. IT ICS networks IT networks Primary function Control of physical equip- ment Data processing and transfer Applicable Domain Manufacturing, processing and utility distribution Corporate and home environ- ments Hierarchy Deep, functionally separated hierarchies with many proto- cols and physical standards Shallow, integrated hierar- chies with uniform protocol and physical standard utili- sation Failure Severity High Low Reliability Required High Moderate Round Trip Times 250μs–10 ms 50+ ms Determinism High Low Data Composition Small packets of periodic and aperiodic traffic Large, aperiodic packets Temporal consistency Required Not Required Operating environment Hostile conditions, often fea- turing high levels of dust, heat and vibration Clean environments, often specifically intended for sen- sitive equipment System lifetime (years) Some tens Some Average node complexity low (simple devices, sensors, actuators) high (large servers/file sys- tems/databases) Brendan Galloway and Gerhard Hancke. Introduction to Industrial Control Networks. IEEE Communications Surveys & Tutorials, 15(2):860–880, 2012 Manuel Cheminod, Luca Durante, and Adriano Valenzano. Review of Security Issues in Industrial Networks. IEEE Transactions on Industrial Informatics, 9(1):277–293, 2013 12
  • 14. Introduction ADSs MSPC Ongoing work Conclusions Intrusion Detection System • Mechanisms that monitor network and/or system activities to detect suspicious events that occur in them. • Main classification criteria in IDSs 1. Detection mechanism • Signature-based • Anomaly Detection Systems (ADS) 2. Scope • Host • Network 3. ICS Scope • Network • Process 14
  • 15. Introduction ADSs MSPC Ongoing work Conclusions ADSs on ICSs • Active research topic • Data-driven methods gaining traction Bonnie Zhu and Shankar Sastry. SCADA-specific intrusion detection/prevention systems: a survey and taxonomy. In Proceedings of the 1st Workshop on Secure Control Systems (SCS), 2010 Robert Mitchell and Ingray Chen. A Survey of Intrusion Detection Techniques for Cyber Physical Systems. ACM Computing Surveys, 46(4), April 2014 15
  • 16. Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature • We found a couple of relevant gaps in the literature. 1. Lack of visualizations 2. Almost no network & process level ADSs 16
  • 17. Introduction ADSs MSPC Ongoing work Conclusions Visual Network Flow Monitoring (a) Forbidden flow between PLC 1 and HMI 2. (b) Detail of the forbidden flow. Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria. Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting. In Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications, volume 2, pages 99–106, Feb. 2016 17
  • 18. Introduction ADSs MSPC Ongoing work Conclusions Visual Network Flow Monitoring Able to detect, based on whitelisting: • Forbidden connection • Forbidden port • Incorrect flow size (DoS) • Missing host 18
  • 19. Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature • We found a couple of relevant gaps in the literature. 1. Lack of visualizations 2. Almost no network & process level ADSs 19
  • 20. Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature “In order to make IDSs effective in protecting this kind of systems, it is then needed a set of multilayer aggregation features to correlate events generated from different sources (e.g. correlating events coming from the process network of a remote transmission substation with events coming from the office network of a control center) in order to detect large scale complex attacks. This probably represents the next research challenge in this field.” Ettore Bompard, Paolo Cuccia, Marcelo Masera, and Igor Nai Fovino. Cyber vulnerability in power systems operation and control. In Critical Infrastructure Protection, pages 197–234. Springer, 2012 20
  • 22. Introduction ADSs MSPC Ongoing work Conclusions Multivariate data V1 V2 V3 … Vm O1 O2 O3 ... ... ... On • ICSs are multivariate by nature. 22
  • 23. Introduction ADSs MSPC Ongoing work Conclusions Multivariate data It is not easy to monitor… • If variables are in their normal operation constraints • Correlations between different variables But, information can be expressed in a (smaller) set of non-measurable variables called Latent Variables or Principal Components 23
  • 24. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) CC-BY-SA 2.5 Charles Albert-Lehalle 24
  • 25. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) • Dimensionality Reduction Algorithm • Linear combination of variables • Maximizes variance 25
  • 26. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) CC-BY 2.0 Matthias Scholz, Approaches to analyse and interpret biological profile data. PhD Thesis. University of Potsdam, 2006 26
  • 27. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) X = TAPt A + EA           O11 . . . O1m O21 . . . O2m O31 . . . O3m ... ... ... ... On1 . . . Onm           =           O′ 11 O′ 12 O′ 21 O′ 22 O′ 31 O′ 32 ... ... ... ... O′ n1 O′ n2           [ V′ 11 . . . V’1m V′ 21 . . . V’2m ] +           e11 . . . e1m e21 . . . e2m e31 . . . e3m ... ... ... ... en1 . . . enm           27
  • 28. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) X = TAPt A + EA           O11 . . . O1m O21 . . . O2m O31 . . . O3m ... ... ... ... On1 . . . Onm           Original values =           O′ 11 O′ 12 O′ 21 O′ 22 O′ 31 O′ 32 ... ... ... ... O′ n1 O′ n2           Scores [ V′ 11 . . . V’1m V′ 21 . . . V’2m ] Loadings +           e11 . . . e1m e21 . . . e2m e31 . . . e3m ... ... ... ... en1 . . . enm           Residuals 28
  • 29. Introduction ADSs MSPC Ongoing work Conclusions PCA: Residuals PD - Pearson, K. 1901. On lines and planes of closest fit to systems of points in space. Philosophical Magazine 2:559-572. 29
  • 30. Introduction ADSs MSPC Ongoing work Conclusions Multivariate Statistical Process Control • Statistical Control • Process-agnostic • We monitor the scores and the residuals on control charts. • Two univariate statistics: Dn = A∑ a=1 ( tan − µta σta )2 ; Qn = A∑ a=1 (enm)2 30
  • 31. Introduction ADSs MSPC Ongoing work Conclusions Control Charts Time Value 31
  • 32. Introduction ADSs MSPC Ongoing work Conclusions Anomaly Detection • Monitoring of control charts • If three consecutive observations go of bounds, the event is flagged as anomalous 32
  • 33. Introduction ADSs MSPC Ongoing work Conclusions Anomaly Diagnosis • Once an anomaly is flagged, we diagnose its cause • Contribution (oMEDA) plots TE variables d2 A -90 -80 -70 -60 -50 -40 -30 -20 -10 0 10 XMEAS(1) José Camacho. Observation-based missing data methods for exploratory data analysis to unveil the connection between observations and variables in latent subspace models. Journal of Chemometrics, 25(11):592–600, 2011 33
  • 34. Introduction ADSs MSPC Ongoing work Conclusions Application to Network Anomaly Detection • MSPC-based techniques can be used for network anomaly detection. • Variable parametrization. • Logs José Camacho, Gabriel Maciá Fernández, Jesús Díaz Verdejo, and Pedro García Teodoro. Tackling the Big Data 4 vs for anomaly detection. In Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, pages 500–505, April 2014. doi: 10.1109/INFCOMW.2014.6849282 José Camacho, Alejandro Pérez Villegas, Pedro García Teodoro, and Gabriel Maciá Fernández. PCA-based multivariate statistical network monitoring for anomaly detection. Computers & Security, 59:118–137, 2016. ISSN 0167-4048. doi: http://dx.doi.org/10.1016/j.cose.2016.02.008 34
  • 35. Introduction ADSs MSPC Ongoing work Conclusions And in ICSs? • When looking at Process Data, we might be able to distinguish intrusions from disturbances using MSPC Mikel Iturbe, José Camacho, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria. On the feasibility of distinguishing between process disturbances and intrusions in process control systems using multivariate statistical process control. In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN 2016), 2016 35
  • 36. Introduction ADSs MSPC Ongoing work Conclusions Work Hypothesis Therefore, it seems natural to link both worlds, and create a unified ADS for ICSs. 36
  • 38. Introduction ADSs MSPC Ongoing work Conclusions Process: Tennessee-Eastman James J Downs and Ernest F Vogel. A plant-wide industrial process control problem. Computers & Chemical Engineering, 17(3):245–255, 1993 38
  • 39. Introduction ADSs MSPC Ongoing work Conclusions Network 39
  • 40. Introduction ADSs MSPC Ongoing work Conclusions Challenges • Timestamp synchronization • Data processing complexity 40
  • 42. Introduction ADSs MSPC Ongoing work Conclusions Conclusions • Anomaly Detection in ICSs is an active research field • Security visualizations in the field are still in their infancy • Multivariate Analysis can help finding process-level anomalies • Network variable parametrization opens the way to a multi-level, process-agnostic, ADS for ICSs. 42