A Connection Pattern-based Approach to Detect Network Traffic Anomalies in Critical Infrastructures

Béla Genge 1, Dorin Adrian Rusu 2, Piroska Haller 1
1 “Petru Maior” University of Tîrgu Mureş, Romania; 2 VU University Amsterdam, The Netherlands
bela.genge@ing.upm.ro, d.rusu@student.vu.nl, phaller@upm.ro

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
EuroSec’14, April 13-16 2014, Amsterdam, Netherlands
Copyright 2014 ACM 978-1-4503-2715-2/14/04 ...$15.00.
http://dx.doi.org/10.1145/2592791.2592792

ABSTRACT

Recent trends in Critical Infrastructures (CIs), e.g., power plants and energy smart grids, showed an increased use of commodity, off-the-shelf Information and Communication Technologies (ICT) hardware and software. Although this enabled the implementation of a broad palette of new features, the pervasive use of ICT, especially within the core of CIs, i.e., in Industrial Control Systems (ICSs), attracted a new class of attacks in which cyber disturbances propagate to the physical dimension of CIs. To ensure a more effective detection of cyber attacks against the ICS of CIs, we have developed SPEAR, a systematic approach that automatically configures anomaly detection engines to detect attacks that violate connection patterns specific to ICSs. The approach is validated by experimental scenarios including traffic traces from real industrial equipment and real malware (Stuxnet).

Categories and Subject Descriptors

J.7 [Computers In Other Systems]: Industrial control; C.2 [Computer-Communication Networks]: Security and protection

General Terms

Critical Infrastructures, Security

Keywords

Industrial Control Systems, Anomaly Detection Systems

1. INTRODUCTION

The term Critical Infrastructure (CI) underlines the significance of an infrastructure, which “if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens” [10]. Although this general definition embraces installations from several industrial domains such as power generation & transmission, oil & gas industries, water & wastewater management, a common well-recognized factor amongst today’s Critical Infrastructures is the adoption of commodity, off-the-shelf Information and Communication Technologies (ICT) hardware and software [3]. This particular trend is mainly a consequence of the advantages of pervasive ICT, which enabled the implementation of new services and features such as remote monitoring and maintenance, energy markets, and the newly emerging smart grid. Nevertheless, this technological shift from a completely isolated environment to a “system of systems” integration had a dramatic impact on the security of CIs. By leveraging attack vectors that are commonly used to attack traditional computer systems, e.g., phishing and USB key infections, malware aimed at the disruption of critical infrastructure systems has become an effective cyber weapon [6, 7]. Such attacks are usually targeted against the Industrial Control Systems (ICSs), which are part of the core of CIs.

With the continuing increase in the level of sophistication as well as in the number of yearly reported malware aimed at ICSs, the development of protective measures to secure CIs is nowadays receiving considerable attention. As such, recent advancements in the field of CI security highlighted the applicability of anomaly detection techniques to efficiently detect abnormal behavior [14, 13, 16, 18]. In fact, anomaly-based intrusion detection is well-suited for scenarios in which the encountered behavior is sufficiently narrow to allow meaningful detection of deviations from the “normal”. Therefore, in this paper we propose SPEAR, a systematic approach consisting of a tool-suite aimed at modeling the topology of ICSs and automatically generating Snort [17] detection rules. SPEAR relies on the predictable behavior of connections between different ICS hosts in order to identify abnormal packet exchanges. It builds on the assumption that the core of CIs, i.e., its ICSs, once deployed, remains fixed over long time periods, while any changes that do occur have identifiable causes, such as the replication, relocation or decommissioning of equipment [14, 5]. Moreover, the same assumption can be applied to communication flows between equipment, which exhibit long-lasting patterns, called connection patterns [15]. SPEAR operates in two phases: modeling of ICS networks and generating anomaly detection rules. In the first phase SPEAR provides a formal language based on ns-2 [1] and a graphical interface to model the architecture of ICSs as well as communication flows between equipment. The second phase processes the ICS model and generates Snort anomaly detection rules. In this paper we provide the mathematical
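The two-phase mechanism described above, a connection-pattern model in and Snort rules out, as an added example written for this page; it is not SPEAR's own tool-suite, nor its ns-2-based modeling language. It uses a constructed three-host ICS model (HMI, historian, PLC; all names, addresses and ports are assumptions), emits one Snort `pass` rule per allowed connection pattern plus a catch-all `alert`, and applies the same patterns offline to a few constructed flow records to show which flows the model would flag.

```python
"""Connection-pattern whitelist -> Snort rules, plus an offline flow checker.

Constructed example. The model format, the rule text and the hosts are this
example's own assumptions; SPEAR's actual ns-2-based language differs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    """One long-lived connection pattern between two ICS hosts."""
    src: str    # initiating host (constructed IP)
    dst: str    # responding host (constructed IP)
    proto: str  # "tcp" or "udp"
    dport: int  # destination port on dst


# Constructed ICS model: HMI polls the PLC over Modbus/TCP (502); the
# historian reaches the HMI over TCP/135 (port chosen for illustration only).
HOSTS = {"hmi": "10.10.1.10", "historian": "10.10.1.20", "plc": "10.10.2.5"}
PATTERNS = [
    Pattern(HOSTS["hmi"], HOSTS["plc"], "tcp", 502),
    Pattern(HOSTS["historian"], HOSTS["hmi"], "tcp", 135),
]


def snort_rules(patterns, base_sid=1000001, net="10.10.0.0/16"):
    """Emit a pass rule per pattern and one catch-all alert for the ICS net.

    Assumes Snort's default action order (pass rules evaluated before alert
    rules), so only traffic matching no pattern reaches the final alert.
    '<>' makes each pass rule bidirectional, so replies from dst:dport back
    to the initiator are part of the allowed connection, not anomalies.
    """
    rules = []
    sid = base_sid
    for p in patterns:
        rules.append(
            f'pass {p.proto} {p.src} any <> {p.dst} {p.dport} '
            f'(msg:"Allowed ICS connection pattern"; sid:{sid}; rev:1;)'
        )
        sid += 1
    rules.append(
        f'alert ip {net} any <> {net} any '
        f'(msg:"Connection outside ICS connection-pattern model"; sid:{sid}; rev:1;)'
    )
    return rules


def parse_flows(text):
    """Parse constructed flow records: 'src dst proto sport dport' per line."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport = line.split()
        flows.append((src, dst, proto, int(sport), int(dport)))
    return flows


def matches(pattern, flow):
    """True if the flow is the pattern's forward direction or its reply."""
    src, dst, proto, sport, dport = flow
    if proto != pattern.proto:
        return False
    key = (pattern.src, pattern.dst, pattern.dport)
    return (src, dst, dport) == key or (dst, src, sport) == key


def check_flows(patterns, flows):
    """Return the flows that match no connection pattern (the anomalies)."""
    return [f for f in flows if not any(matches(p, f) for p in patterns)]


# Constructed flow log: two halves of an allowed Modbus poll, an allowed
# historian->HMI connection, then an unmodeled host reaching the PLC and a
# UDP flow to a port the model only allows over TCP.
SAMPLE_FLOWS = """
10.10.1.10 10.10.2.5 tcp 49152 502
10.10.2.5 10.10.1.10 tcp 502 49152
10.10.1.20 10.10.1.10 tcp 50001 135
10.10.1.20 10.10.2.5 tcp 50002 502
10.10.1.10 10.10.2.5 udp 40000 502
"""

if __name__ == "__main__":
    for rule in snort_rules(PATTERNS):
        print(rule)
    for flow in check_flows(PATTERNS, parse_flows(SAMPLE_FLOWS)):
        print("anomaly:", flow)
```

The checker and the rule generator encode the same whitelist, which is the point of the connection-pattern approach: once the model is fixed, any flow between ICS hosts that is not in it is reported, including a legitimate host using an unexpected protocol or reaching a device it never talked to before. In a real deployment the catch-all would be bound to the sensor's `$HOME_NET` variable and the model would be regenerated whenever equipment is replicated, relocated or decommissioned, as the paper notes such changes are the expected source of pattern drift.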