Contextual Intrusion Alerts for Scada Networks

An Ontology based Approach for Intrusion Alerts Post Processing

Abdullah Al Balushi, Kieran McLaughlin and Sakir Sezer

Centre for Secure Information Technologies, Queens University Belfast, Belfast BT3 9DT, U.K.

Keywords:

Security Ontology, Intrusion Detection System, Modbus TCP, Intrusion Alert Analysis.

Abstract:

The complexity of modern SCADA networks and their associated cyber-attacks requires an expressive but

ﬂexible manner for representing both domain knowledge and collected intrusion alerts with the ability to in-

tegrate them for enhanced analytical capabilities and better understanding of attacks. This paper proposes

an ontology-based approach for contextualized intrusion alerts in SCADA networks. In this approach, three

security ontologies were developed to represent and store information on intrusion alerts, Modbus communi-

cations, and Modbus attack descriptions. This information is correlated into enriched intrusion alerts using

simple ontology logic rules written in Semantic Query-Enhanced Web Rules (SQWRL). The contextualized

alerts give analysts the means to better understand evolving attacks and to uncover the semantic relationships

between sequences of individual attack events. The proposed system is illustrated by two use case scenarios.

1 INTRODUCTION

Supervisory Control and Data Acquisition (SCADA)

systems are used for monitoring and controlling many

critical infrastructures including power grids, water

distribution, transportation systems, and even nuclear

power plants. In the past, most of these systems were

physically isolated from outside connections and op-

erated on their own proprietary hardware and com-

munication protocols. However, these systems are

moving towards the use of general ICT infrastructures

and open standard technologies. This move brought

many operational and management beneﬁts, but also

exposed the systems to an increased number of cyber

security threats. Recently, intrusion detection systems

(IDS) have been introduced to SCADA networks. An

IDS examines data collected from networks and sys-

tems to identify suspicious events and generates ap-

propriate intrusion alerts describing the attack details.

However, IDS systems usually provide elementary

and low level descriptions of the detected individual

attacks, making it a challenging task for security ana-

lysts to verify the nature and signiﬁcance of reported

attacks. Further, mapping discrete intrusion alerts to

the context of where they occurred, and understanding

their impact on the security state of a SCADA system

is a challenging task.

In this paper, we propose an ontology-based ap-

proach to integrate contextual information and exter-

nal knowledge into intrusion alerts. We developed

three security ontologies (models) for the represen-

tation and storage of knowledge on intrusion alerts

and Modbus communications context and cyber at-

tacks. Alert information and contextual information

about the Modbus network communications are corre-

lated by the use of simple ontology logic rules written

in Semantic Query-Enhanced Web Rules (SQWRL).

The proposed approach is implemented in a system

prototype using open-source tools and is illustrated

using two use case scenarios.

The rest of this paper is organized as follows. Sec-

tion 2 presents related works. Proposed approach is

introduced in Section 3. Development of ontologies

is explained in Section 4. System implementation and

use cases are presented in Section 5. Section 6 con-

cludes the paper.

2 RELATED WORK

Recently, a variety of intrusion detection approaches

have been proposed for the surveillance and mon-

itoring of industrial process control infrastructures

(Mitchell, 2014). Snort IDS (Roesch, 1999) is an ex-

ample of general IDS system that became a de facto

standard in many environments. Digital Bond Inc.

(Peterson, 2009) has developed a set of customized

Snort IDS rules for the detection of different attacks

on Modbus TCP. Their detection rules consist of 14

Balushi, A., McLaughlin, K. and Sezer, S.

Contextual Intrusion Alerts for Scada Networks - An Ontology based Approach for Intrusion Alerts Post Processing.

DOI: 10.5220/0005745504570464

In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 457-464

ISBN: 978-989-758-167-0

457

signatures and include denial of service (rebooting

Modbus servers, listen-only mode commands, and

crashing server with a large packets), reconnaissance

(e.g., unauthorized attempt to read data, gathering de-

vice information), and unauthorized write requests.

Cyber attacks on SCADA systems may require

a particular context to proceed. This context in-

cludes speciﬁc network conﬁgurations, communica-

tion protocols, system and application conﬁguration,

and hardware or system components. Thus, contex-

tual information can undoubtedly play a considerable

role in intrusion analysis and understanding the possi-

ble impacts of attacks on the systems. Unfortunately,

most of the current IDS tend to consider only a little

part of the context and generate a huge amount of iso-

lated intrusion alerts (Sadighian et al., 2013). These

alerts provide very little attack descriptions and ana-

lysts can rarely make decisions about security events

without manually analyzing their surrounding con-

text. To address these issues and to enhance the con-

text of intrusion alerts, several approaches have been

proposed in (Cuppens et al., 2009; Frye et al., 2012;

Sadighian et al., 2013).

An ontology is a semantic web technique for

knowledge representation and is used for explicit

speciﬁcation of particular domain conceptualities that

capture its context. It is a formal way of encod-

ing concepts (classes), properties (relations), axioms,

constraints and instances into a machine interpretable

language that easily allows sharing semantic informa-

tion between human and systems.

(Cuppens et al., 2009) proposed an ontology-

based approach to map alerts into the attack context.

In their approach, context is used to identify network

policies that can be used to solve the threat. The

use of ontological representation of networks and at-

tacks is presented by (Frye et al., 2012). The au-

thors used ontologies to describe network trafﬁc and

generic attacks for the purpose of identifying com-

plex attacks. In (Sadighian et al., 2013), an ontol-

ogy based approach is proposed for reducing false

alerts in multi-sensor environments by the incorpora-

tion of contextual information obtained from vulner-

ability databases and context sensors deployed in the

network.

In summary, the concept of ontology techniques

have been applied to attack modeling, knowledge rep-

resentation, and context awareness. However, most

of the works focus on general communication net-

works and do not consider SCADA network context.

The complexity of SCADA networks and their asso-

ciated cyber attacks requires an expressive, but ﬂex-

ible manner, for representing both SCADA domain

expert knowledge and collected intrusion evidences.

This should be supported by the ability to easily in-

tegrate these data for enhanced analytical capabili-

ties and better understanding of attacks. The use

of ontology approaches for contextualizing intrusion

alerts in SCADA networks can bring many advan-

tages. An ontology enables expressing the knowl-

edge with clear structure and detailed deﬁnition in a

machine-interpretable format. Moreover, semantics

(the meaning behind the data) can be added to data

and interpreted using the context deﬁnitions and re-

strictions for new data classiﬁcations. Finally, the on-

tology can help in integrating information from dif-

ferent sources in a ﬂexible way.

3 PROPOSED APPROACH

The proposed ontology-based approach is for corre-

lating and enhancing intrusion alerts with contextual

information in SCADA industrial control networks.

The essential components of the system are illustrated

in Figure 1. These components are labeled with num-

bers linked to the following main steps in our ap-

proach. Detailed information about the technical im-

plementation of each component is provided in Sec-

tion 5.1.

Step 1. Formal knowledge representation models

for trafﬁc, Modbus cyber attacks, and intrusion alerts

are developed using ontologies and stored in a knowl-

edge base. These ontologies capture the main prop-

erties of cyber-attacks on SCADA systems residing

in the communication protocols and systems. They

are used by subsequent components of the system to

transform input data to ontological format and the in-

tegration of SCADA intrusion context.

Step 2. Network trafﬁc containing Modbus pack-

ets is captured and fed into the proposed system along

with generated intrusion alerts by Snort IDS. This

data is parsed and converted to Resource Description

Framework (RDF) triples, which are used as ontolog-

ical representation format. An RDF triple represents

data in three elements pairs that are subject, predicate,

and object. This format is supported by ontologies

and the SPARQL query engine described in the sys-

tem implementation. These RDF triples are added to

the knowledge base as instances.

Step 3. The core analysis engine running on

Apache Jena API library and SPARQL queries re-

trieves correlation rules from the knowledge base and

execute them against the ontology instances to inte-

grate contextual information or extract attack relation-

ships in the alerts and packet instances.

Step 4. The output contextual intrusion alert is

added to the knowledge base and forwarded to the se-

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

458

curity analyst for their decision.

Figure 1: An overview of the System architecture.

4 DEVELOPMENT OF

ONTOLOGIES

In this paper, a total of three security ontology mod-

els have been developed. The ﬁrst constructed model

captures the main concepts in Modbus TCP com-

munications such as network and application layer

features with their semantic interrelationships. This

model caters the protocol speciﬁcations described in

ofﬁcial Modbus documentations (IDA, 2004; Mod-

bus, 2012). It provides the base for transforming net-

work trafﬁc into ontological representation for pro-

cessing and context extraction. The second model is

the cyber attacks ontology, that is used to represent

and store Modbus attacks information as well as their

interrelationships. The third and last model represents

the intrusion alerts. We emphasise that the develop-

ment of any ontology is an iterative process, and there

is no single correct way of mapping knowledge into

discrete structure.

4.1 Modbus TCP Ontology

Modbus TCP communication has a simple request-

response architecture that is well-deﬁned in the of-

ﬁcial Modbus documentations(IDA, 2004; Modbus,

2012). Modbus packet can be classiﬁed as either a

request or a response message, where a client (Mas-

ter) sends a packet to the Modbus server requesting

a function to be executed or a speciﬁc data to be re-

turned. The requested function can be reading values,

writing values, or performing some server diagnos-

tics. The server then processes this request and re-

turns a response to the client. This response can be

either a normal response with the returned data or an

exception (error) response to indicate a failure in ful-

ﬁlling the request. Figure 2 demonstrates the basic

ﬂow of Modbus transactions, while detailed packet

structure is presented in Figure 3.

Figure 2: Modbus TCP transactions ﬂow.

Figure 3: Modbus TCP packet structure.

The main application-level features of Modbus

TCP packets are described in Table 1. These features

can be exploited by adversaries to perform various at-

tacks such as disrupting process control operations,

hiding their attack traces on the system, injecting false

measurement data, or exploiting buffer overﬂow vul-

nerabilities. For example, an attacker may be able to

force a Modbus server into Listen-Mode-Only using

a single Modbus packet with function code feature

set to 08 and sub-function code of 04. This will re-

sult in placing the Modbus server in an inactive state

and will subsequently cause a complete desynchro-

nization with other systems.

Figure 4 presents the derived ontology for Modbus

TCP communication packets. Any Modbus packet

can either be classiﬁed as a request or a response mes-

sage. Thus, we consider these as two main classes in

the ontology. Both types of messages share the same

header section, so we construct a Header class. In or-

der to allow high level classiﬁcation of function codes

in Modbus TCP packets, we classify them into three

different groups; Public, System-deﬁned, and User-

deﬁned. The public functions group can be further di-

vided to subclasses, namely Diagnostics codes, Read

codes, Write codes. These subclasses are based on

the purpose of function codes. An example is that the

Contextual Intrusion Alerts for Scada Networks - An Ontology based Approach for Intrusion Alerts Post Processing

459

Figure 4: Modbus TCP communication ontology.

Table 1: Main application-level features in Modbus TCP.

Section Feature Description

Modbus

Appli-

cation

(MBAP)

Header

Trans ID A numerical identiﬁer

for the current transac-

tion for the purpose of

pairing request and re-

sponse.

Protocol

Describes the protocol

in use. Should be al-

ways set to zero for

Modbus TCP.

Length Speciﬁes the length of

the remaining part of

the packet.

Unit ID Unique device ID when

Modbus gateway is

used. If not, then it is

set to 0xFF.

Protocol

Data Unit

(PDU)

Function

Code

Speciﬁes the action to

be performed by the

slave device.

Data Contains data of vari-

able size with the data

corresponding to the re-

quest or response.

public diagnostic codes can be used for system audit

related operations such as Get Com event counter, Get

Com Event Log, Return Diagnostic Register, Clear

Counters and Diagnostic Registers.

In ontologies, classes and their subclasses are or-

ganized in a hierarchy. The main classes in the Mod-

bus TCP communication ontology are described in

Table 2. Each of the presented classes may have a

relationship with other classes. These relations are

important to deﬁne whether two classes should be dis-

joint from each other or one is parent class. For ex-

ample, IP-Header is disjoint from TCP-Header. An

ontology allows two types of properties; object and

data. Object properties are used to describe relation-

ships between classes, while data properties are used

to store data value. A partial list of these properties is

presented in Table 3.

Table 2: Main Classes in Modbus TCP ontology.

Class Description

HEADER This class represents the main

header features that exist in any

Modbus packets over TCP. Sub-

classes: IP header, TCP header,

Modbus header

MODBUS

REQUEST

This class represent a Modbus re-

quest message sent from client

to Modbus server. Subclasses:

Function-Code, Data

MODBUS

RESPONSE

This class represent a Modbus re-

sponse message sent from Mod-

bus server to client. Subclasses:

Function-Code, Data, Exception-

Code

Table 3: Object and data properties in Modbus TCP.

Object Prop-

erties

SubclassOf, hasA, isDeﬁned-

For, hasPurpose, isPartOf, Con-

tains

Data Proper-

ties

hasUnitID, hasTransactionID,

hasProtocolID, hasLength,

hasSrcIP, hasDstIP, hasFunc-

tionCode, hasExceptionCode,

hasSrcPort, hasDstPort

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

460

4.2 Modbus Attacks Ontology

This model is used to capture and maintain informa-

tion about cyber attacks on SCADA systems that are

utilizing Modbus TCP protocol as an attack vector.

Constructing an ontological representation of these

attacks enables viewing them in high-level abstraction

and extracting their shared attributes such as com-

mon impacts on SCADA system. To construct this

ontology we started by analyzing cyber-attacks cat-

egories against Modbus TCP presented in (Huitsing

et al., 2008; Zhu et al., 2011; Had

ziosmanovi

c et al.,

2014; Drias et al., 2015). The main concepts in the

proposed attacks model are Attack and Attacker. Fig-

ure 5 illustrates the relationship exist between these

main classes and their next level subclasses.

Figure 5: Ontological relationship of main classes in attacks

ontology.

We describe the main classes and their associated

properties as follows:

Attacker Class. This class represents the attacker ob-

ject and its attributes such as the source IP address of

an attacker, his previous intrusive activities obtained

from historical intrusion alerts and his goals. An at-

tacker may aim for one of the following goals, as cap-

tured by the ontology: to change data, disrupt opera-

tions, gain control, steal data, or prepare for another

objective. An ontological representation of these con-

cepts are illustrated in Figure 6.

Figure 6: Ontological view of attacker class.

Attack Class. This class is used to represent the as-

sociated attributes of an attack such as the time of

an attack instance, possible impact outcome and de-

scription of the mechanism used to conduct the at-

tack. For instance, the impact of an attack can be on

Data-Integrity, Denial-of-Service, Physical-Damage,

Process-Integrity, System-Integrity, Reconnaissance,

and Process-Reconnaissance. For example, an ad-

ministrative command (Function code 8, Sub Code

0A) that clear counters and diagnostic audit records

on the server is associated with System Integrity im-

pact. Other commands such as enforcing listen only

mode or restarting the TCP communication can result

in Denial of service impact. In addition, an attack can

be performed using different mechanisms where four

of the related mechanisms are added to the attack on-

tology model as shown in Figure 7.

Figure 7: Ontological view for the Attack Class.

4.3 Intrusion Alerts Ontology

In order to contextualize intrusion alerts, an ontolog-

ical representation (RDF triples) of these alerts is re-

quired. The conversion of alerts and semantic rela-

tionships extraction are deﬁned in the intrusion alert

model. We restrict this ontology to features that exist

in Snort IDS alerts which are Time, Source IP, Source

Port, Destination IP, Destination Port, Signature ID,

Protocol, Alert Classiﬁcation and Alert Message. We

also add some additional features derived from the se-

mantic analysis, which are necessary, but cannot be

provided by Snort. These features include the con-

text protocol in application layer (e.g., Modbus), the

impact on SCADA system, affected systems, attack

description, and recommended action. For example,

the protocol feature in raw Snort alerts is described

as TCP. However, multiple protocols can be encapsu-

lated in TCP frames including HTTP and MODBUS.

Thus,we describe the protocol more precisely by set-

ting relevant feature to Modbus-TCP.

5 IMPLEMENTATION AND USE

CASES

In order to functionally test the proposed approach,

we constructed a system prototype using the three on-

tologies developed in section 4 and open-source tools

Contextual Intrusion Alerts for Scada Networks - An Ontology based Approach for Intrusion Alerts Post Processing

461

that are described in the following sections.

5.1 Reference Implementation

The high-level system architecture was presented in

Figure 1. This system was developed using Java on

top of open-source Apache Jena API library. The pro-

posed system consists of three ontologies for Modbus

TCP communications, Modbus TCP attacks and In-

trusion alerts. In order to derive and implement these

ontologies, we used the Ontology Web Language

Description Logic (OWL-DL) language through an

open-source Protege ontology editor and knowledge

acquisition framework. The resulted ontologies are

then stored in the knowledge base which is based

on Apache Fueski v2. The main inputs are net-

work packet captures (PCAP) and Snort IDS intrusion

alerts. The input data is mapped to the ontological

representation models deﬁned in Modbus TCP com-

munication and intrusion alerts ontologies. We used

the Resource Description Framework (RDF) triples

format to store the converted input data in the knowl-

edge base as instances. This mapping process is per-

formed by the system using Java and Apache Jena

API. After having all input data stored as ontology

instances in the knowledge base, the core analysis

engine can perform queries using Semantic Query-

Enhanced Web Rule Language (SQWRL) through

Apache Jena API library. The result of these queries

are then presented to the security analyst and can be

added as new ontology instances to the knowledge

base.

5.2 Use Case Scenarios

This section presents two use case scenarios. The ﬁrst

scenario focuses on analysing individual raw intru-

sion alerts received from Snort IDS and integrating

them with contextual SCADA information. The aim

of this scenario is to show the advantages of enhanc-

ing contextual information in intrusion alerts for secu-

rity analysts. The second scenario extends the use of

contextual information for the identiﬁcation of com-

plex attack scenarios utilizing the relationship of the

enhanced individual alerts. For these scenarios, we

used Snort IDS with customised Modbus TCP detec-

tion rules that were developed by Digital Bond Quick-

Draw (Peterson, 2009).

5.2.1 Semantic Integration of Contextual

Information

In the ﬁrst scenario, we demonstrate the process of se-

mantically integrating diverse information within the

ontologies knowledge base into a rich context intru-

sion alert. The beneﬁt of this is to provide security an-

alyst with descriptive attack information considering

the context of Modbus communications. Let us con-

sider an attack scenario where the attacker performs a

series of simple attack steps to cause data desynchro-

nization between the Modbus master and clients. As-

suming the attacker has limited knowledge about the

Modbus server implementation under attack, he may

attempt sending spoofed Modbus packets to read the

device identiﬁcation or perform a function scan to de-

termine which functions are allowed. After determin-

ing the server implementation, the attacker may abuse

some of the allowed function codes to cause a denial

of service such as Force-Listen-Only-Mode (Function

code: 08, Sub code 04). Each of these attack activities

may be detected by IDS systems. However, the in-

trusion alert messages presented to security analysts

usually provide only low-level information. For ex-

ample, one attack step of forcing the Modbus server

into Listen only mode is reported by Snort IDS as fol-

low:

09/24-11:02:51.531149 [**] [1:1111001:1] SCADA_IDS:

Modbus TCP-Force Listen Only Mode [**] [Classification:

attempted-dos][Priority:1]{TCP} 192.168.3.100:49880->

192.168.3.20:502

This alert provides little description about the at-

tack step and reports the protocol feature as TCP

with general attack impact of attempted DoS. How-

ever, security analysts may require more descriptive

attack information such as what is the Force listen

only attack and how can it be mitigated. In ad-

dition, the impact of an attack on a Modbus net-

work may be described more precisely. For in-

stance, the reconnaissance attacks on Modbus TCP

can be associated with two types of impacts that are

Process-Reconnaissance or System-Reconnaissance.

The Process-Reconnaissance is where the attacker

analyses the structure of industrial process such as

speciﬁc functions implementations and process ﬂow.

While in the system reconnaissance the attacker anal-

yses the Modbus server functionality and product ver-

sion. Determining these speciﬁc attack impacts can

reveal possible attacker objectives.

To address these concerns, the following SPARQL

query is performed to extract attack description from

the Modbus TCP attacks ontology and integrate it

with the raw alert features presented in the above alert

example.

PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>

PREFIX intrusions: <http://server1/ontologies/IntrusionAl

erts.owl#>

PREFIX attacks:<http://server1/ontologies/ModbusAttacks.

owl#>

SELECT ?alerttime ?alertsrcip ?alertdstip ?protocol

?impact ?severity ?affect ?description

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

462

WHERE {

#alert information from intrusion alert ontology

?alert rdf:type intrusions:IntrusionAlert .

?alert intrusions:hasTime ?alerttime .

?alert intrusions:hasSrcIP ?alertsrcip .

?alert intrusions:hasDstIP ?alertdstip .

?alert intrusions:hasDstPort ?alertdstport .

?alert intrusions:hasAttackSid ?alertAttacksid .

#attack information from Modbus attacks ontology

?attack attacks:hasAttackSid ?attackSID .

?attack attacks:useProtocol ?protocol .

?attack attacks:hasImpact ?impact .

?attack attacks:hasSeverity ?severity .

?attack attacks:hasAffecton ?affect .

?attack attacks:hasDescription ?description .

FILTER (sameTerm(?attackSID,?alertAttacksid))

}

The result of executing the above SPARQL query

provides new contextual information as shown in Fig-

ure 8 which describes the attack in more details and

classify intrusion alert in more speciﬁc way in term

of description the exact protocol and possible impact.

This new contextual alert is then added to the ontol-

ogy knowledge base as ModbusTCPAlert.

Figure 8: The contextual intrusion alert.

As Figure 8 shows, new attack semantic features

have been added to the alert context. The security an-

alysts can understand the intrusion context in a more

descriptive way. In addition, the extended features

such as determined application layer protocol, spec-

iﬁed attack impact, and the affected system allows for

new search capabilities among intrusion alerts. For

instance, it is possible to retrieve all intrusion alert

instances of ModbusTCPAlert that share the same at-

tack impact or affect a speciﬁc target system while in

raw Snort IDS alerts, the search may be limited to IP

addresses, ports, attack signatures, generic protocols

(e.g., TCP, UDP).

5.2.2 Semantic Correlation for Complex Attack

Detection

As an example of complex attacks, we describe a dis-

tributed denial of service in SCADA networks. In

this attack scenario, we assume that the attacker suc-

cessfully introduced a malware infection in the net-

work resulting in compromising multiple engineer

host machines. The attacker now is able to instruct

these infected machines to perform individual attacks

on a Modbus server. The attacker now instructs all

infected machines to send malicious (but legitimate

looking) Modbus TCP packets to the same Mod-

bus server target with Modbus TCP communication

restart command (function code 08, sub function 01).

This command will force the Modbus server to restart

and power up self-tests. During this power up pro-

cess, the Modbus server will be unavailable for short

time. However, repeatedly sending these requests can

force the Modbus server into a restart loop making

it unavailable for a long time. These attack activi-

ties are detected by Snort IDS, but reported in iso-

lation without suspicion that they are part of a com-

plex distributed denial of service as they are originat-

ing from different machine sources. Since these indi-

vidual alerts are received by our system and added to

the ontologies knowledge base as ModbusTCPAlert

instances with shared impact of denial of service,

the system is able to retrieve all individual instances

against the same Modbus server target. To do this, the

system execute the following SPARQL query:

SELECT ?Time ?AttackerSourceIP ?ModbusServerIP

?impact ?affect

WHERE {

#Modbus-TCP alert instances information

?ModbusTCPalert rdf:type intrusions:ModbusTCPAlert .

?ModusTCPalert intrusions:hasTime ?Time .

?ModbusTCPalert intrusions:hasSrcIP ?AttackerSourceIP .

?ModbusTCPalert intrusions:hasDstIP ?ModbusServerIP .

?ModbusTCPalert intrusions:hasImpact ?impact .

?ModbusTCPalert intrusions:hasAffectOn ?affect .

FILTER regex(str(?impact), "Denial of Service")

}

The above query will search the knowledge base

for existence of Modbus TCP alert instances that

report denial of service attack and are targeting

same Modbus server which indicates a possible

distributed denial of service attack if they originate

from different machine IP sources. If this matches,

a summary of the attacker source IP addresses, the

Modbus server IP address, and the attack impact is

retrieved. The system processes the query result in

the background and provide the security analyst with

the following predeﬁned attack summary:

Possible DDoS attack detected!

87 Modbus requests with possible impact of denial of

Contextual Intrusion Alerts for Scada Networks - An Ontology based Approach for Intrusion Alerts Post Processing

463

service have been detected over the last 3 mintues.

Alerts count: 87

Impact: Denial of Service

Affected item: PLCs and other field devices

that contain MODBUS servers

Attack vectors: Modbus TCP restart(84 times),

Force-Listen-Only-Mode (3 times)

Target server: 192.168.3.20

Attack sources: 192.168.3.100, 192.168.3.102,

192.168.3.107

Start time: 09/27-09:03:23.435311

End time: 09/27-09:06:57.229114

This message provides the security analysts with

very descriptive attack information instead of ﬂood-

ing them with every single alert (total of 87 alerts).

This enables a quicker response to perform further in-

vestigation or take a corrective actions. The attack

summary provides useful information about the de-

tected attack scenario. This includes the number of

generated alerts, the impact, the affected asset, sum-

mary of the attacks vectors, the Modbus server under

attack, and more importantly the list of machine IP

addresses that are performing the suspicious activi-

ties.

6 CONCLUSION

This paper has proposed an ontology-based approach

for knowledge representation and integration for con-

textualizing intrusion alerts in SCADA networks. An

ontology enables expressing the domain knowledge

and collected intrusion alerts with clear structure and

detailed deﬁnition in a machine-interpretable format.

Moreover, the semantic meaning of Modbus control

commands are extracted and new classiﬁcations are

possible to derived. Furthermore, as all knowledge

data are represented in the same format using the de-

veloped models, it is possible to integrate them in a

ﬂexible way. The contextualized intrusion alerts pro-

duced by our approach provides better attack descrip-

tions and new classiﬁcations based on the semantic

meaning of the extracted control commands. This

provides the analysts the means to better understand

evolving attacks and to uncover the semantic relation-

ships between sequences of individual attacks. In fu-

ture work it is intended that the proposed approach

will be evaluated against a more comprehensive Mod-

bus dataset.

REFERENCES

Cuppens, N., Cuppens, F., Autrel, F., and Debar, H. (2009).

An ontology-based approach to react to network at-

tacks. IJICS, 3(3-4):280–305.

Drias, Z., Serhrouchni, A., and Vogel, O. (2015). Taxonomy

of attacks on industrial control protocols. In ICPE and

NTDS Conference, 2015, pages 1–6. IEEE.

Frye, L., Cheng, L., and Heﬂin, J. (2012). An ontology-

based system to identify complex network attacks. In

IEEE (ICC), pages 6683–6688. IEEE.

Had

ziosmanovi

c, D., Sommer, R., Zambon, E., and Hartel,

P. H. (2014). Through the eye of the plc: semantic

security monitoring for industrial processes. In 30th

ACSAC, pages 126–135. ACM.

Huitsing, P., Chandia, R., Papa, M., and Shenoi, S. (2008).

Attack taxonomies for the modbus protocols. IJCIP,

1:37–44.

IDA, M. (2004). Modbus messaging on tcp/ip implementa-

tion guide v1. 0a.

Mitchell, Robert, C. I.-R. (2014). A survey of intrusion

detection techniques for cyber-physical systems. ACM

Computing Surveys (CSUR), 46(4):55.

Modbus (2012). Modbus application protocol speciﬁcation

v1. 1b3. Modbus Organization, Inc., April, 26.

Peterson, D. (2009). Quickdraw: Generating security log

events for legacy scada and control system devices. In

CATCH’09, pages 227–229. IEEE.

Roesch, M. (1999). Snort nids.

Sadighian, A., Zargar, S. T., Fernandez, J. M., and Lemay,

A. (2013). Semantic-based context-aware alert fusion

for distributed intrusion detection systems. In (CRi-

SIS), pages 1–6. IEEE.

Zhu, B., Joseph, A., and Sastry, S. (2011). A taxonomy

of cyber attacks on scada systems. In 4th CPSCom,

pages 380–388. IEEE.

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

464