A Feasibility Study on the Application of the ScriptGenE Framework as an Anomaly Detection System in Industrial Control Systems   [open pdf - 682KB]

From the Abstract: "Recent events such as Stuxnet and the Shamoon Aramco incident have brought to light how vulnerable industrial control systems (ICS) are to cyber attacks. ICS and critical infrastructure is ingrained in modern society, including the electric power grid, water treatment facilities, and nuclear energy plants. Malicious attempts to disrupt, destroy and disable such systems can have devastating effects on the way of life in a modern society, including loss of life. The need to implement security controls in the ICS environment is more vital than ever. ICSs were not originally designed with network security in mind. Today, intrusion detection systems (IDSs) are employed to detect attacks that penetrate the ICS network. This research proposes the use of a novel algorithm known as the ScriptGenE framework as an anomaly-based intrusion detection system or anomaly detection system (ADS). The ADS is implemented between an engineering workstation (EWS) and programmable logic controller (PLC)to monitor traffic and alert the operator of anomalous behavior. Two experiments are performed including an Experimental Validation in which a 'Baseline' model of normal network behavior is established. The experiments are designed to test the effectiveness of the ADS when introduced to three types of network traces: Normal, Malicious, and Combined. The Normal and Malicious network traces are compared with the 'Baseline' model to determine if the ADS will correctly classify normal network behavior with anomalous network behavior in Experiment 1. The Combined network trace is used to determine if the ADS is still able to detect anomalies when the training data also contains anomalous behavior in Experiment 2. The ADS achieves true positive rate (TPR) of 0.9011 and false positive rate (FPR) of 0.054 for Experiment 2. In Experiment 1, the ADS achieves a FPR of 0 and true negative rate (TNR) of 1 and shows that it is a perfect classifier when trained with network traffic that is free of anomalies. Based on Experiment 1 findings, this research demonstrates the viability of using the ScriptGenE framework."

Report Number:
Air Force Institute of Technology. Approved for Public Release. Distribution Unlimited.
Retrieved From:
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/
Media Type:
Help with citations