Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations
- We conduct a structured analysis of the GOOSE network traffic in an SCN from a simulation case study; the analysis can be further applied to network traffic from a real substation.
- We model the GOOSE communication in an IEC 61850 substation using an ARFIMA model including the parameter estimation and the model prediction. We evaluate the accuracy of the suggested model using well-established criteria from the data-driven modeling field.
- We present a structured AD method based on two different approaches to detect flooding attacks using two well-known statistical tests, while assuming an unknown change time and unknown model parameters under each hypothesis.
- We evaluate the performance of the AD method with both detectors, in terms of basic and composite detection metrics, using a simulation case study under different SNR levels.
2. Intrusion Detection Systems (IDSs) in Energy Systems
2.1. Signature-Based Approaches
2.2. Anomaly Detection (AD) Approaches
2.3. Hybrid Approaches
3. Characteristics of the Process Network Traffic
3.1. Diurnal Patterns
3.2. Distributional Considerations of the Data
3.3.1. Variance-Time Plots
3.3.2. Rescaled Adjusted Range R/S
4. ARFIMA Modeling of the Process Traffic in IEC 61850 Substations
4.1. ARFIMA Model
4.2. General Model Predictor
4.3. Maximum Likelihood Estimation
Explanatory Example: Signal Embedded in WGN
4.4. Description of the Process Network Traffic as an ARFIMA Model
5. Statistical Hypothesis Testing for the AD Method
- The algorithm starts by setting the user-defined parameters, which are the order of the ARFIMA model, i.e., n, and a threshold, which is defined empirically based on test results for FAs and DR.
- The null hypothesis is computed with data contained between and . is computed using two data subsets: the bounds of the first one are represented by and , and the second one is evaluated between and . Models for and are computed according to Equation (24) whilst .
- is computed as the ratio between the PDFs of the two hypotheses, as described in Equation (23). If holds, a change time is assigned to and an alarm is generated. The bounds of the dataset for and are also updated for further computations.
- If does not hold, is incremented and is computed in a new iteration. This procedure is repeated until , and the bounds of the datasets for the computation of the PDFs in each hypothesis are updated.
- The algorithm starts by setting the user-defined parameters, which are the order of the ARFIMA model, i.e., , and the size of the time windows, and , used for data scanning. The threshold is defined empirically based on test results for FAs and DR.
- As reported in , the model for is computed using a dataset defined by a growing time window, whereas the model for is computed with data contained in a sliding fixed-size time window . Bounds of the datasets used for the computation of the models for both hypotheses are represented by and . Models for and are computed while holds.
- The decision function is computed iteratively according to Equation (26). If holds, an alarm is generated indicating that an anomaly has been detected.
- Once an anomaly is detected, the detection time is set, the bounds and are updated, and the detection function is reset.
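The CUSUM procedure just described, written out as an added example (this is not the paper's code): the ARFIMA model of each data window is replaced here by a plain Gaussian (mean, variance) fit so that the log-likelihood ratio increment, the growing H0 window, the fixed-size sliding H1 window, the threshold h and the reset of g are all visible in a few lines. The GOOSE frame-count series, the window sizes n0 and w, and the threshold are constructed for illustration and are not values from the paper.

```python
import math

# Constructed GOOSE frame counts per 10 ms bin (not measured data): a periodic
# baseline, a flooding burst between bins 300 and 399, then a return to baseline.
CHANGE_ON, CHANGE_OFF, LENGTH = 300, 400, 560


def make_series():
    baseline = [10, 11, 10, 9]   # mean 10, variance 0.5
    flood = [40, 42, 40, 38]     # mean 40, variance 2
    return [flood[k % 4] if CHANGE_ON <= k < CHANGE_OFF else baseline[k % 4]
            for k in range(LENGTH)]


def mean_var(xs):
    """Gaussian model of a data window (stands in for the ARFIMA fit)."""
    mu = sum(xs) / len(xs)
    var = sum((v - mu) ** 2 for v in xs) / len(xs)
    return mu, max(var, 1e-9)    # floor keeps the log-pdf finite


def log_pdf(v, mu, var):
    return -0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)


def cusum_detect(x, n0, w, h):
    """Page's CUSUM on the log-likelihood ratio increment s_k.

    H0 is fitted on the growing window x[start:k-w+1] (at least n0 samples),
    H1 on the sliding window x[k-w+1:k+1] of fixed size w. Whenever g_k
    exceeds the threshold h, the detection time is recorded, g_k is reset and
    the window bounds are moved to k+1.
    """
    alarms, g, start = [], 0.0, 0
    for k in range(len(x)):
        if k - start + 1 < n0 + w:        # not enough data since the last reset
            continue
        mu0, var0 = mean_var(x[start:k - w + 1])
        mu1, var1 = mean_var(x[k - w + 1:k + 1])
        s = log_pdf(x[k], mu1, var1) - log_pdf(x[k], mu0, var0)
        g = max(0.0, g + s)               # CUSUM decision function
        if g > h:
            alarms.append(k)              # detection time
            g, start = 0.0, k + 1         # reset g and update the bounds
    return alarms


def detect_floods(n0=40, w=20, h=5.0):
    return cusum_detect(make_series(), n0, w, h)


if __name__ == "__main__":
    for t in detect_floods():
        print(f"change detected at bin {t}")
```

Both the onset and the end of the flood are reported as changes, because after the reset the H0 model is rebuilt from the flooded traffic; a deployment would tag the second alarm as a return to baseline rather than a new attack.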
6. Results and Discussion
6.1. Description of the Use Case and the Threat Model
6.2. Evaluation of the Modeling of GOOSE IEC 61850 Traffic
6.3. Performance of the Anomaly Detection (AD) Method
7. Conclusions & Outlook
Conflicts of Interest
| Abbreviation | Meaning |
|---|---|
| DoS | Denial of Service |
| DPI | Deep Packet Inspection |
| GLRT | Generalized Likelihood Ratio Test |
| GOOSE | Generic Object Oriented Substation Event |
| ICS | Industrial Control System |
| ICT | Information and Communication Technology |
| IEC | International Electrotechnical Commission |
| IED | Intelligent Electronic Device |
| MLE | Maximum Likelihood Estimator |
| MMS | Manufacturing Message Specification |
| NRMSE | Normalized Root Mean Square Error |
| PDF | Probability Density Function |
| ROC | Receiver Operating Characteristic |
| SCADA | Supervisory Control And Data Acquisition |
| SCN | Substation Communication Network |
| TNR | True Negative Rate |
| TPR | True Positive Rate |
| WGN | White Gaussian Noise |

| Symbol | Meaning |
|---|---|
| CID | The intrusion detection capability metric. |
| Cexp | The expected cost metric. |
| L | Length of the non-overlapping intervals composing a time series. |
| | Initial size of the dataset for the calculation of the CUSUM detector. |
| | Length of the fixed-size sliding window for the calculation of the CUSUM detector. |
| N | Size of a time series. |
| | The standard deviation of a subset x calculated over the interval . |
| | The partial sum of a subset x calculated over the interval . |
| | The gamma (generalized factorial) function. |
| | The covariance matrix of the measurement noise. |
| | Moving average (MA) polynomial operator of an ARFIMA model. |
| | The parameter vector. |
| | The sequence x aggregated at level m. |
| B | The base rate. |
| | The threshold for the CUSUM statistical detection. |
| | The threshold for the GLRT statistical detection. |
| | Autoregressive (AR) polynomial operator of an ARFIMA model. |
| | Variance of a white Gaussian noise process. |
| d | The difference coefficient. |
| | Value of e at k. |
| g | The CUSUM decision function. |
| k | Discrete time index. |
| | Time at which an attack occurs. |
| l | Delay order of the back-shift operator. |
| m | The level of aggregation. |
| n | ARFIMA model order defined by . |
| p | The order of the autoregressive process. |
| q | The order of the moving average process. |
| | Log-likelihood ratio increment. |
- Hoyos, J.; Dehus, M.; Brown, T.X. Exploiting the GOOSE protocol: A practical attack on cyber-infrastructure. In Proceedings of the Globecom Workshops (GC Wkshps), Anaheim, CA, USA, 3–7 December 2012; IEEE: New York, NY, USA, 2012; pp. 1508–1513.
- Elbez, G.; Keller, H.B.; Hagenmeyer, V. A New Classification of Attacks against the Cyber-Physical Security of Smart Grids. In Proceedings of the ARES 2018: International Conference on Availability, Reliability and Security, Hamburg, Germany, 27–30 August 2018.
- Yoo, H.; Shon, T. Challenges and research directions for heterogeneous cyber–physical system based on IEC 61850: Vulnerabilities, security requirements, and security architecture. Future Gener. Comput. Syst. 2016, 61, 128–136.
- Keller, H.B.; Schneider, O.; Matthes, J.; Hagenmeyer, V. Reliable, safe and secure software of connected future control systems-challenges and solutions. at-Automatisierungstechnik 2016, 64, 930–947.
- Cherepanov, A.; Lipovsky, R. Industroyer: Biggest Threat to Industrial Control Systems Since Stuxnet. WeLiveSecurity by ESET. 2017. Available online: https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threatindustrial-control-systems-since-stuxnet/ (accessed on 24 October 2018).
- Elbez, G.; Keller, H.B.; Hagenmeyer, V. Authentication of GOOSE Messages under Timing Constraints in IEC 61850 Substations. In Proceedings of the 6th International Symposium for ICS & SCADA Cyber Security Research, Athens, Greece, 10–12 September 2019; pp. 137–143.
- Ustun, T.S.; Aftab, M.A.; Ali, I.; Hussain, S.S. A Novel Scheme for Performance Evaluation of an IEC 61850-Based Active Distribution System Substation. IEEE Access 2019, 7, 123893–123902.
- Pal, A.; Jolfaei, A.; Kant, K.; Chi, H. A Fast Prekeying Based Integrity Protection for Smart Grid Communications. Available online: https://cis.temple.edu/~apal/SmartGrid_security.pdf (accessed on 29 June 2020).
- Nguyen, H.; Pongthawornkamol, T.; Nahrstedt, K. Alibi framework for identifying reactive jamming nodes in wireless LAN. In Proceedings of the 2011 IEEE Global Telecommunications Conference-GLOBECOM, Houston, TX, USA, 5–9 December 2011; IEEE: Houston, TX, USA, 2011; pp. 1–6.
- Castaño, F.; Strzelczak, S.; Villalonga, A.; Haber, R.E.; Kossakowska, J. Sensor reliability in cyber-physical systems using internet-of-things data: A review and case study. Remote Sens. 2019, 11, 2252.
- Basseville, M. Detecting changes in signals and systems—A survey. Automatica 1988, 24, 309–326.
- Cheung, S.; Dutertre, B.; Fong, M.; Lindqvist, U.; Skinner, K.; Valdes, A. Using Model-Based Intrusion Detection for SCADA Networks. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.141.2076&rep=rep1&type=pdf (accessed on 24 September 2020).
- Premaratne, U.K.; Samarabandu, J.; Sidhu, T.S.; Beresh, R.; Tan, J.C. An intrusion detection system for IEC61850 automated substations. IEEE Trans. Power Deliv. 2010, 25, 2376–2383.
- Morris, T.; Vaughn, R.; Dandass, Y. A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems. In Proceedings of the 2012 45th Hawaii International Conference on System Sciences, Maui, HI, USA, 4–7 January 2012; IEEE: Maui, HI, USA, 2012; pp. 2338–2345.
- Lin, H.; Slagell, A.; Di Martino, C.; Kalbarczyk, Z.; Iyer, R.K. Adapting Bro into SCADA: Building a specification-based intrusion detection system for the DNP3 protocol. In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop, Oak Ridge, TN, USA, 8–10 January 2013; pp. 1–4.
- Yang, Y.; Xu, H.Q.; Gao, L.; Yuan, Y.B.; McLaughlin, K.; Sezer, S. Multidimensional intrusion detection system for IEC 61850-based SCADA networks. IEEE Trans. Power Deliv. 2016, 32, 1068–1078.
- Nivethan, J.; Papa, M. Dynamic rule generation for SCADA intrusion detection. In Proceedings of the 2016 IEEE Symposium on Technologies for Homeland Security (HST), Waltham, MA, USA, 10–11 May 2016; IEEE: Waltham, MA, USA, 2016; pp. 1–5.
- Barbosa, R.R.R. Anomaly Detection in SCADA Systems: A Network Based Approach. 2014. Available online: https://research.utwente.nl/en/publications/anomaly-detection-in-scada-systems-a-network-based-approach-2 (accessed on 29 June 2020).
- Shang, W.; Zeng, P.; Wan, M.; Li, L.; An, P. Intrusion detection algorithm based on OCSVM in industrial control system. Secur. Commun. Netw. 2016, 9, 1040–1049.
- Shang, W.; Li, L.; Wan, M.; Zeng, P. Industrial communication intrusion detection algorithm based on improved one-class SVM. In Proceedings of the 2015 World Congress on Industrial Control Systems Security (WCICSS), London, UK, 14–16 December 2015; IEEE: London, UK, 2015; pp. 21–25.
- Kwon, Y.; Kim, H.K.; Lim, Y.H.; Lim, J.I. A behavior-based intrusion detection technique for smart grid infrastructure. In Proceedings of the 2015 IEEE Eindhoven PowerTech, Eindhoven, The Netherlands, 29 June–2 July 2015; IEEE: Eindhoven, The Netherlands, 2015; pp. 1–6.
- Ren, W.; Yardley, T.; Nahrstedt, K. EDMAND: Edge-Based Multi-Level Anomaly Detection for SCADA Networks. In Proceedings of the 2018 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Aalborg, Denmark, 29–31 October 2018; pp. 1–7.
- Coughlin, V.; Rubio-Medrano, C.; Zhao, Z.; Ahn, G.J. EDSGuard: Enforcing Network Security Requirements for Energy Delivery Systems. In Proceedings of the 2018 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Aalborg, Denmark, 29–31 October 2018; IEEE: Aalborg, Denmark, 2018; pp. 1–6.
- Yang, Y.; McLaughlin, K.; Gao, L.; Sezer, S.; Yuan, Y.; Gong, Y. Intrusion detection system for IEC 61850 based smart substations. In Proceedings of the 2016 IEEE Power and Energy Society General Meeting (PESGM), Boston, MA, USA, 17–21 July 2016; IEEE: Boston, MA, USA, 2016; pp. 1–5.
- Zhang, Z.; Huang, X.; Keune, B.; Cao, Y.; Li, Y. Modeling and simulation of data flow for VLAN-based communication in substations. IEEE Syst. J. 2015, 11, 2467–2478.
- Floyd, S.; Paxson, V. Difficulties in simulating the Internet. IEEE/ACM Trans. Netw. 2001, 9, 392–403.
- IEC61850. International Electrotechnical Commission (IEC) Technical Committee 57; Communication Networks and Systems in Substations—Part 5: Communication Requirements for Functions and Device Models. 2003. Available online: https://webstore.iec.ch/preview/info_iec61850-5%7Bed1.0%7Den.pdf (accessed on 29 June 2020).
- Willinger, W.; Taqqu, M.S.; Sherman, R.; Wilson, D.V. Self-similarity through high-variability: Statistical analysis of Ethernet LAN traffic at the source level. IEEE/ACM Trans. Netw. 1997, 5, 71–86.
- Yang, Q.; Hao, W.; Ge, L.; Ruan, W.; Chi, F. FARIMA model-based communication traffic anomaly detection in intelligent electric power substations. IET Cyber-Phys. Syst. Theory Appl. 2019, 4, 22–29.
- Hao, W.; Yang, Q. Data Traffic Characterization in Intelligent Electric Substations using FARIMA based Threshold Model. Energy Procedia 2018, 145, 413–420.
- Feizimirkhani, R.; Bratcu, A.I.; Besanger, Y. Time-series Modelling of IEC 61850 GOOSE Communication Traffic between IEDs in smart grids—A parametric analysis. IFAC Pap. 2018, 51, 444–449.
- Hurst, H.E. Long-term storage capacity of reservoirs. Trans. Am. Soc. Civ. Eng. 1951, 116, 770–799.
- Leland, W.E.; Taqqu, M.S.; Willinger, W.; Wilson, D.V. On the self-similar nature of Ethernet traffic (extended version). IEEE/ACM Trans. Netw. 1994, 2, 1–15.
- Mandelbrot, B. Statistical methodology for nonperiodic cycles: From the covariance to R/S analysis. In Annals of Economic and Social Measurement, Volume 1, Number 3; NBER: Cambridge, MA, USA, 1972; pp. 259–290.
- Lloyd, E.; Warren, D. The historically adjusted range and the historically rescaled adjusted range. Stoch. Hydrol. Hydraul. 1988, 2, 175–188.
- Boubaker, H. A generalized ARFIMA model with smooth transition fractional integration parameter. J. Time Ser. Econom. 2017, 10.
- Hosking, J. Fractional differencing modeling in hydrology 1. JAWRA J. Am. Water Resour. Assoc. 1985, 21, 677–682.
- Goodwin, G.C.; Payne, R.L. Dynamic System Identification. Experiment Design And Data Analysis. 1977. Available online: https://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=PASCAL7830233130 (accessed on 29 June 2020).
- Kay, S.M. Fundamentals of Statistical Signal Processing; Prentice Hall PTR: Upper Saddle River, NJ, USA, 1993.
- Söderström, T.; Stoica, P. System Identification; Prentice-Hall Inc.: London, UK, 1988.
- Haslett, J.; Raftery, A.E. Space-time modelling with long-memory dependence: Assessing Ireland’s wind power resource. J. R. Stat. Soc. Ser. C Appl. Stat. 1989, 38, 1–21.
- Fox, R.; Taqqu, M.S. Large-sample properties of parameter estimates for strongly dependent stationary Gaussian time series. Ann. Stat. 1986, 14, 517–532.
- Chan, N.H.; Palma, W. Estimation of long-memory time series models: A survey of different likelihood-based methods. Adv. Econom. 2006, 20, 89–121.
- Page, E.S. Continuous inspection schemes. Biometrika 1954, 41, 100–115.
- Basseville, M.; Nikiforov, I.V. Detection of Abrupt Changes: Theory and Application; Prentice Hall: Englewood Cliffs, NJ, USA, 1993; Volume 104.
- Biswas, P.P.; Tan, H.C.; Zhu, Q.; Li, Y.; Mashima, D.; Chen, B. A Synthesized Dataset for Cybersecurity Study of IEC 61850 based Substation. In Proceedings of the 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Beijing, China, 21–23 October 2019; IEEE: Beijing, China, 2019; pp. 1–7.
- Hong, J.; Liu, C.C.; Govindarasu, M. Integrated Anomaly Detection for Cyber Security of the Substations. IEEE Trans. Smart Grid 2014, 5, 1643–1653.
- Carcano, A.; Coletta, A.; Guglielmi, M.; Masera, M.; Fovino, I.N.; Trombetta, A. A multidimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Trans. Ind. Inform. 2011, 7, 179–186.
- Milenkoski, A.; Vieira, M.; Kounev, S.; Avritzer, A.; Payne, B.D. Evaluating computer intrusion detection systems: A survey of common practices. ACM Comput. Surv. CSUR 2015, 48, 1–41.
- Gu, G.; Fogla, P.; Dagon, D.; Lee, W.; Skorić, B. Measuring intrusion detection capability: An information-theoretic approach. In Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, Taipei, Taiwan, 21–24 March 2006; pp. 90–101.
Results table (only the column headers survive in this extract): Threshold | Detection Delay * | Basic metrics: FPR [%], FNR [%] | Composite metrics: Cexp, CID.
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Elbez, G.; Keller, H.B.; Bohara, A.; Nahrstedt, K.; Hagenmeyer, V. Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations. Energies 2020, 13, 5176. https://doi.org/10.3390/en13195176