CAPTAR: Causal-polytree-based anomaly reasoning for SCADA networks

Wenyu Ren, Tuo Yu, Timothy Yardley, Klara Nahrstedt

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

The Supervisory Control and Data Acquisition (SCADA) system is the most commonly used industrial control system but is subject to a wide range of serious threats. Intrusion detection systems are deployed to promote the security of SCADA systems, but they continuously generate a tremendous number of alerts without further comprehending them. There is a need for an efficient system to correlate alerts and discover attack strategies in order to provide explainable situational awareness to SCADA operators. In this paper, we present a causal-polytree-based anomaly reasoning framework for SCADA networks, named CAPTAR. CAPTAR takes the meta-alerts from our previous anomaly detection framework EDMAND, correlates them using a naive Bayes classifier, and matches them to predefined causal polytrees. Utilizing Bayesian inference on the causal polytrees, CAPTAR produces a high-level view of the security state of the protected SCADA network. Experiments on a prototype of CAPTAR demonstrate its anomaly reasoning ability and its capability to satisfy the real-time reasoning requirement.

Original language: English (US)
Title of host publication: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781538680995
DOI: 10.1109/SmartGridComm.2019.8909766
State: Published - Oct 2019
Event: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2019 - Beijing, China
Duration: Oct 21 2019 to Oct 23 2019

Publication series

Name: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2019

Conference

Conference: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2019
Country: China
City: Beijing
Period: 10/21/19 to 10/23/19

Keywords

  • Anomaly reasoning
  • Causal analysis
  • SCADA
  • Smart Grid

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Networks and Communications
  • Energy Engineering and Power Technology
  • Electrical and Electronic Engineering
  • Safety, Risk, Reliability and Quality
  • Control and Optimization
  • Transportation

Cite this

Ren, W., Yu, T., Yardley, T., & Nahrstedt, K. (2019). CAPTAR: Causal-polytree-based anomaly reasoning for SCADA networks. In 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2019 [8909766] (2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2019). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SmartGridComm.2019.8909766

