An evaluation of machine learning methods to detect malicious SCADA communications

Justin M. Beaver, Raymond C. Borges-Hink, Mark A. Buckner

Research output: Contribution to conferencePaperpeer-review

147 Scopus citations

Abstract

Critical infrastructure Supervisory Control and Data Acquisition (SCADA) systems have been designed to operate on closed, proprietary networks where a malicious insider posed the greatest threat potential. The centralization of control and the movement towards open systems and standards has improved the efficiency of industrial control, but has also exposed legacy SCADA systems to security threats that they were not designed to mitigate. This work explores the viability of machine learning methods in detecting the new threat scenarios of command and data injection. Similar to network intrusion detection systems in the cyber security domain, the command and control communications in a critical infrastructure setting are monitored, and vetted against examples of benign and malicious command traffic, in order to identify potential attack events. Multiple learning methods are evaluated using a dataset of Remote Terminal Unit communications, which included both normal operations and instances of command and data injection attack scenarios.

Original languageEnglish
Pages54-59
Number of pages6
DOIs
StatePublished - 2013
Event2013 12th International Conference on Machine Learning and Applications, ICMLA 2013 - Miami, FL, United States
Duration: Dec 4 2013Dec 7 2013

Conference

Conference2013 12th International Conference on Machine Learning and Applications, ICMLA 2013
Country/TerritoryUnited States
CityMiami, FL
Period12/4/1312/7/13

Funding

FundersFunder number
Oak Ridge National Laboratory

    Keywords

    • Network
    • SCADA
    • critical infrastructure protection
    • intrusion detection
    • machine learning

    Fingerprint

    Dive into the research topics of 'An evaluation of machine learning methods to detect malicious SCADA communications'. Together they form a unique fingerprint.

    Cite this