OSCIDS: An Ontology based SCADA Intrusion Detection Framework

Abdullah Al Balushi, Kieran McLaughlin, Sakir Sezer


This paper presents the design, development, and validation of an ontology-based SCADA intrusion detection system. The proposed system analyses SCADA network communications and can derive additional information from background knowledge and ontology models to enhance the intrusion detection data. The developed intrusion model captures network communications, cyber attacks and the context within the SCADA domain. Moreover, a set of semantic rules was constructed to detect various attacks and extract logical relationships among these attacks. The presented framework was extensively evaluated and a comparison to the state of the art is provided.



Paper Citation

in Harvard Style

Al Balushi A., McLaughlin K. and Sezer S. (2016). OSCIDS: An Ontology based SCADA Intrusion Detection Framework. In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 327-335. DOI: 10.5220/0005969803270335
