Accurate Modeling of The Siemens S7 SCADA Protocol For Intrusion Detection And Digital Forensic
The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observati...
Main Authors: | , |
---|---|
Format: | Article |
Language: | English |
Published: |
Association of Digital Forensics, Security and Law
2014-09-01
|
Series: | Journal of Digital Forensics, Security and Law |
Online Access: | http://ojs.jdfsl.org/index.php/jdfsl/article/view/262 |
Summary: | The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate - over 99.82% of the traffic was identified as normal. |
---|---|
ISSN: | 1558-7215 1558-7223 |