TECoSA Seminar – Anomaly Detection and Causal Reasoning about Attacks in SCADA Systems
May 6, 15:00 – 16:30
We aim to bring you a TECoSA Seminar at 15:00 on the first Thursday of each month. This Spring they will be online, and all are welcome to join. Each invited speaker will talk for about 40 minutes, followed by a panel discussion coordinated by TECoSA members.
The seventh speaker in our series is Prof Klara Nahrstedt, Director of the Coordinated Science Laboratory at the University of Illinois at Urbana-Champaign. Prof Nahrstedt is also a member of TECoSA’s International Scientific Advisory Board. You can read more about Prof Nahrstedt here: https://cs.illinois.edu/about/people/faculty/klara
Please email firstname.lastname@example.org to register!
Anomaly Detection and Causal Reasoning about Attacks in SCADA Systems
ABSTRACT: SCADA (Supervisory Control and Data Acquisition) systems are widely used in critical cyber-physical systems (CPS) such as the Smart Grid, manufacturing and other mission-critical CPS. SCADA devices and networks are often subject to a wide range of attacks coming from external attackers and/or internal misconfigurations. Traditional intrusion detection systems are deployed to ensure the security of SCADA systems, but they often monitor only one or two levels of network data, such as traffic or source data, and continuously generate a large number of alerts without further analyzing them for causal reasoning.
In this talk, we present anomaly detection systems, such as ED4GAP and EDMOND, and a causal reasoning framework, CAPTAR. ED4GAP is an efficient edge-based detector for GOOSE-based source data attacks. EDMOND is an edge-based anomaly detector for MODBUS traffic, which analyzes SCADA network anomalies at all three levels of network traffic data (transport, protocol, source data), aggregates alerts to decrease the volume of alerts, and sends the aggregated alerts to the control center for causal analysis. CAPTAR is a cloud-based causal reasoning framework which correlates and matches aggregated alerts to causal polytrees. Bayesian inference is performed on the causal polytrees to produce a high-level view of the security state of the protected SCADA network. We will discuss the anomaly detection and causal reasoning analyses on attack examples, and show experimentally that, using GOOSE, MODBUS and DNP3 network traffic, we can perform anomaly detection and attack reasoning in real time.
Joint work with Dr. Wenyu Ren, Dr. Tuo Yu, Dr. Atul Bohara, Dr. Jordi Ros-Giralt, Ghada Elbez, Tim Yardley, Al Valdes and Prof. Bill Sanders of the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign.
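The abstract's pipeline, alerts from the three traffic levels aggregated per device and then fed to Bayesian inference on a causal polytree, as an added illustration that is not code from ED4GAP, EDMOND or CAPTAR. The alert records, device names, prior and likelihood values are constructed, and the polytree is simplified to one hidden cause (an attack on the device) with one observed child per level.

```python
# Constructed aggregated alerts, one per (device, level); not real detector output.
ALERTS = [
    {"device": "rtu-1", "level": "transport", "msg": "TCP retransmission spike"},
    {"device": "rtu-1", "level": "protocol", "msg": "unexpected MODBUS function code"},
    {"device": "rtu-1", "level": "source", "msg": "setpoint outside operating envelope"},
    {"device": "rtu-2", "level": "transport", "msg": "TCP retransmission spike"},
]

# Hypothetical polytree parameters: P(attack) and, per level,
# (P(alert fires | attack), P(alert fires | no attack)). Values are constructed.
PRIOR_ATTACK = 0.01
LIKELIHOOD = {
    "transport": (0.6, 0.05),
    "protocol": (0.9, 0.02),
    "source": (0.8, 0.01),
}


def aggregate(alerts):
    """Collapse raw alerts into one evidence set per device: which levels fired."""
    by_device = {}
    for alert in alerts:
        by_device.setdefault(alert["device"], set()).add(alert["level"])
    return by_device


def posterior_attack(fired_levels):
    """Exact inference on the single-cause polytree: P(attack | evidence).

    Each level's alert is conditionally independent given the cause, so the
    joint likelihood is the product over levels of fired / not-fired terms.
    """
    p_attack, p_benign = PRIOR_ATTACK, 1.0 - PRIOR_ATTACK
    for level, (p_given_attack, p_given_benign) in LIKELIHOOD.items():
        fired = level in fired_levels
        p_attack *= p_given_attack if fired else 1.0 - p_given_attack
        p_benign *= p_given_benign if fired else 1.0 - p_given_benign
    return p_attack / (p_attack + p_benign)


def security_state(alerts, threshold=0.5):
    """High-level view per device: posterior and a label for the operator."""
    view = {}
    for device, levels in aggregate(alerts).items():
        p = posterior_attack(levels)
        view[device] = {"p_attack": p, "state": "attack" if p >= threshold else "benign"}
    return view


if __name__ == "__main__":
    for device, info in security_state(ALERTS).items():
        print(device, info["state"], round(info["p_attack"], 4))
```

Alerts at all three levels on rtu-1 push its posterior above 0.99, while a lone transport alert on rtu-2 stays well below the prior-adjusted threshold, which is the volume reduction the aggregation step is meant to buy the control center.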
BIO: Klara Nahrstedt is the Grainger Distinguished Chair of Engineering Professor in the Computer Science Department, and Director of the Coordinated Science Laboratory in the College of Engineering at the University of Illinois at Urbana-Champaign. Her research interests are directed toward end-to-end Quality of Service (QoS) and resource management in large-scale multimedia distributed systems and networks, and real-time security and privacy in cyber-physical systems. She is the recipient of the IEEE Communication Society Leonard Abraham Award for Research Achievements, University Scholar, Humboldt Award, IEEE Computer Society Technical Achievement Award, ACM SIGMM Technical Achievement Award, Piloty Prize, and Drucker Award. Klara Nahrstedt received her Diploma in Mathematics from Humboldt University, Berlin, Germany in 1985. In 1995 she received her PhD from the University of Pennsylvania in the Department of Computer and Information Science. She is an ACM Fellow, IEEE Fellow, AAAS Fellow, and a Member of the German National Academy of Sciences (Leopoldina Society).