Accurate Modeling of The Siemens S7 SCADA Protocol For Intrusion Detection And Digital Forensic
The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection System (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate: over 99.82% of the traffic was identified as normal.

Main Authors: | Amit Kleinmann, Avishai Wool (Tel-Aviv University) |
---|---|
Format: | Article |
Language: | English |
Published: | Association of Digital Forensics, Security and Law, 2014-09-01 |
Series: | Journal of Digital Forensics, Security and Law |
ISSN: | 1558-7215, 1558-7223 |
Online Access: | http://ojs.jdfsl.org/index.php/jdfsl/article/view/262 |