• DocumentCode
    658804
  • Title
    Network Anomaly Detection for M-Connected SCADA Networks
  • Author
    Si-Jung Kim ; Bong-Han Kim ; Sang-Soo Yeo ; Do-Eun Cho

  • Author_Institution
    Coll. of Gen. Educ., Hannam Univ., Daejeon, South Korea
  • fYear
    2013
  • fDate
    28-30 Oct. 2013
  • Firstpage
    351
  • Lastpage
    354
  • Abstract
    In the current national critical infrastructures, SCADA systems and networks play very important roles. Unfortunately, most closed-network SCADA systems have been considered very secure against cyber-attacks, because they use their own operating systems and communication/network protocols, and their private networks are physically isolated from public networks and the Internet. However, once a closed SCADA system enters an m-connected status due to maintenance, updates, and patches, it is no longer perfectly secure against cyber-attacks. This paper analyzes the vulnerabilities of m-connected SCADA networks and proposes a novel security model for detecting network anomalies. The proposed model is based on an intrusion detection system using the network-based pattern reference method, which has two kinds of rule sets: a base rule set and a dynamically produced rule set. The base rule set is populated with pre-known intrusion patterns, and a new dynamically produced rule set is built by detecting network anomalies under specific threshold values. Such a new rule set is then adapted to the pattern reference model at its next execution time. Therefore, the proposed security model can identify abnormal command execution more effectively and efficiently.
  • Keywords
    Internet; SCADA systems; computer network security; critical infrastructures; cryptographic protocols; operating systems (computers); Internet; abnormal command execution identification; base rule set; communication protocol; dynamically produced rule set; intrusion detection system; m-connected SCADA network vulnerability; m-connected status; national critical infrastructure; network anomaly detection; network protocol; network-based pattern reference method; operating systems; pattern reference model; pre-known intrusion pattern; private network; public network; security model; specific threshold value; supervisory control and data acquisition; Internet; Intrusion detection; Monitoring; Protocols; SCADA systems; Servers; Anomaly Detection; IDS; SCADA; Secure Service;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Broadband and Wireless Computing, Communication and Applications (BWCCA), 2013 Eighth International Conference on
  • Conference_Location
    Compiegne
  • Type
    conf

  • DOI
    10.1109/BWCCA.2013.61
  • Filename
    6690909