LiU > IDA > Real-Time Systems Lab

Master Thesis - Past Projects - Abstract

Anomaly Detection in SCADA Network Traffic

ID: LIU-IDA/LITH-EX-A--15/062--SE

Critical infrastructure provides us with the most important parts of modern society: electricity, water and transport. To increase efficiency and to meet new demands from the customer, remote monitoring and control of the systems is necessary. This opens new ways for an attacker to reach the Supervisory Control And Data Acquisition (SCADA) systems that control and monitor the physical processes involved. This also increases the need for security features specially designed for these settings. Anomaly-based detection is a technique suitable for the more deterministic SCADA systems. This thesis uses a combination of two techniques to detect anomalies. The first technique is an automatic whitelist that learns the behavior of the network flows. The second technique utilizes the differences in arrival times of the network packets. A prototype anomaly detector has been developed in Bro. To analyze the IEC 60870-5-104 protocol, a new parser for Bro was also developed. The resulting anomaly detector was able to achieve a high detection rate for three of the four different types of attacks evaluated. The studied methods of detection are promising when used in a highly deterministic setting, such as a SCADA system.

Keywords:

File: Click here to download/view the thesis

Author(s): Robert Udd

Contact: Simin Nadjm-Tehrani
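
The two techniques named in the abstract, a learned flow whitelist and packet inter-arrival timing, can be sketched as follows. This is an added Python example, not the thesis's Bro implementation: the flow key (source, destination, destination port), the tolerance parameters `k` and `floor`, and all sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def poll(src, dst, start, period, count, port=2404):
    """Constructed periodic polling traffic: (time_s, src, dst, dst_port)."""
    return [(start + i * period, src, dst, port) for i in range(count)]

# Constructed sample data. 2404 is the registered TCP port for IEC 60870-5-104.
TRAINING = (poll("10.0.0.1", "10.0.0.10", 0.0, 2.0, 30)
            + poll("10.0.0.1", "10.0.0.11", 0.5, 5.0, 12))
LIVE = [
    (100.0, "10.0.0.1", "10.0.0.10", 2404),   # first packet after training
    (102.0, "10.0.0.1", "10.0.0.10", 2404),   # on schedule
    (102.3, "10.0.0.1", "10.0.0.10", 2404),   # far too early for a 2 s poll
    (103.0, "10.0.0.99", "10.0.0.10", 2404),  # sender never seen in training
    (104.3, "10.0.0.1", "10.0.0.10", 2404),   # back on schedule
]

class FlowAnomalyDetector:
    def __init__(self, k=3.0, floor=0.05):
        self.k = k          # allowed deviation in standard deviations (assumed)
        self.floor = floor  # minimum tolerance in seconds (assumed)
        self.profile = {}   # flow -> (mean gap, std of gaps), or None
        self.last_seen = {}

    def learn(self, packets):
        gaps, last = defaultdict(list), {}
        for ts, *flow in sorted(packets):
            flow = tuple(flow)
            if flow in last:
                gaps[flow].append(ts - last[flow])
            last[flow] = ts
        for flow in last:  # every flow seen in training is whitelisted
            g = gaps[flow]
            self.profile[flow] = (mean(g), pstdev(g)) if g else None

    def check(self, packet):
        ts, *flow = packet
        flow = tuple(flow)
        if flow not in self.profile:
            return "unknown-flow"
        prev, self.last_seen[flow] = self.last_seen.get(flow), ts
        if prev is None or self.profile[flow] is None:
            return None  # no timing baseline to compare against yet
        mu, sigma = self.profile[flow]
        limit = max(self.k * sigma, self.floor)
        return "timing" if abs((ts - prev) - mu) > limit else None

def run(detector, packets):
    return [(p[0], a) for p in packets if (a := detector.check(p))]
```

Because the training traffic is perfectly periodic, the learned standard deviation is zero and the `floor` tolerance is what keeps normal jitter from raising alerts; on real captures both parameters would need tuning against the observed polling behaviour.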

Last modified February 2017.