ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA networks
April 20, 2018
SCADA systems are widely used in power systems to gather measurement data from field devices and send control commands to them. However, the legacy end devices and industrial control protocols used in SCADA systems make them vulnerable to various cyber attacks. Most existing intrusion-detection solutions focus only on monitoring network state and detecting events at the transport layer, performing flow-level analysis, which is not enough to detect and reason about semantic attacks hidden in the application layer. Even those solutions that parse the application protocol usually detect only the anomaly itself and fail to report its causes and consequences. It is therefore hard or impossible for the operator to quickly digest the event and react to it. In this work, we concentrate on developing an online, context-aware, intelligent framework for anomaly detection, anomalous data analysis, causal reasoning, consequence indication and response suggestion for SCADA networks. This is a work in progress; we are currently working on the first half of the project, the design of a multi-level anomaly detector and an alert manager.
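The gap the abstract describes, as an added illustration that is not code from the ADNA project: a two-level detector over constructed Modbus-like messages, where the flow-level check passes a well-formed, in-rate command that the application-level context check flags, and each alert carries the cause and consequence fields an operator needs. The message format, the learned context table, the function-code meanings and the thresholds are assumptions.

```python
from collections import Counter, namedtuple

# Constructed, Modbus-like application-layer message (hypothetical simplification):
# function code 3 = read holding register, 6 = write single register.
Msg = namedtuple("Msg", "t src dst fcode reg value")

# Hypothetical operating context learned from clean traffic: which function codes
# each master normally sends to each register, and the normal setpoint range.
CONTEXT = {("10.0.0.5", "10.0.0.20", 100): {"fcodes": {3, 6}, "lo": 40, "hi": 60}}
RATE_LIMIT = 5  # messages per source per second; the flow-level threshold

def flow_level(msgs):
    """Level 1: transport-style check that only counts messages per source per second."""
    counts = Counter((m.src, int(m.t)) for m in msgs)
    return [{"level": 1, "src": src, "cause": f"{n} msgs/s from {src} exceeds {RATE_LIMIT}",
             "consequence": "outstation may be flooded and miss legitimate polls"}
            for (src, sec), n in counts.items() if n > RATE_LIMIT]

def app_level(msgs):
    """Level 2: parse the application payload and judge each command against its context."""
    alerts = []
    for m in msgs:
        ctx = CONTEXT.get((m.src, m.dst, m.reg))
        if ctx is None:
            cause, cons = f"no baseline for {m.src}->{m.dst} reg {m.reg}", "unknown device or point accessed"
        elif m.fcode not in ctx["fcodes"]:
            cause, cons = f"function code {m.fcode} never seen on reg {m.reg}", "unexpected control action"
        elif m.fcode == 6 and not ctx["lo"] <= m.value <= ctx["hi"]:
            cause, cons = f"write {m.value} outside normal range [{ctx['lo']},{ctx['hi']}]", "setpoint pushed out of safe band"
        else:
            continue  # well-formed and consistent with the learned context
        alerts.append({"level": 2, "src": m.src, "t": m.t, "cause": cause, "consequence": cons})
    return alerts

def detect(msgs):
    """Alert-manager stand-in: collect alerts from both levels for the operator."""
    return flow_level(msgs) + app_level(msgs)

# Constructed sample traffic: a normal poll, a normal write, and one write that is
# well-formed and within rate limits but semantically out of range.
SAMPLE = [
    Msg(0.1, "10.0.0.5", "10.0.0.20", 3, 100, None),
    Msg(1.2, "10.0.0.5", "10.0.0.20", 6, 100, 50),
    Msg(2.3, "10.0.0.5", "10.0.0.20", 6, 100, 95),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Only the third message produces an alert, and only from level 2; a flow-level detector alone would report nothing.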