Conference Papers Year : 2017

Network forensic analysis of electrical substation automation traffic

Julian Rrushi

Abstract

The computations and input/output values of intelligent electronic devices that monitor and operate an electrical substation depend strongly on the state of the power system. This chapter presents an approach that correlates the physical parameters of an electrical substation with the network traffic that intelligent electronic devices send over a substation automation network. Normal network traffic in a substation automation network is modeled as a directed, weighted graph, yielding what is referred to as a model graph. Similar graph modeling is performed on unknown network traffic. The research problem of determining whether or not unknown network traffic is normal involves a subgraph isomorphism search algorithm. Normal network packets in unknown network traffic form a graph that is a subgraph of the model graph. In contrast, malware-generated network packets present in unknown network traffic produce a graph that is not a subgraph of the model graph. Time series analysis of network traffic is performed to estimate the weights of the edges in the graphs. This analysis enables the subgraph isomorphism search algorithm to find structural matches with portions of the model graph as well as matches with the timing characteristics of normal network traffic. The approach is validated using samples drawn from recent industrial control system malware campaigns.
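A small Python illustration of the approach the abstract describes, added here and not taken from the paper: packets are reduced to directed edges (source device, destination device, message type) whose weight is the mean inter-arrival time estimated from the packet timestamps, and unknown traffic is accepted only if every edge exists in the model graph with a compatible weight. With nodes labelled by device identity the subgraph check reduces to edge containment plus a timing tolerance, which is the simplification used below; the device names, message types, timestamps and the 25% tolerance are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet records: (timestamp_s, src_device, dst_device, msg_type).
# In practice these would be parsed from a capture of the substation network.
NORMAL_TRAFFIC = [
    (0.0, "IED-A", "IED-B", "GOOSE"), (1.0, "IED-A", "IED-B", "GOOSE"), (2.0, "IED-A", "IED-B", "GOOSE"),
    (0.0, "IED-B", "IED-C", "GOOSE"), (1.0, "IED-B", "IED-C", "GOOSE"), (2.0, "IED-B", "IED-C", "GOOSE"),
    (0.5, "HMI", "IED-A", "MMS-read"), (2.5, "HMI", "IED-A", "MMS-read"), (4.5, "HMI", "IED-A", "MMS-read"),
]
UNKNOWN_TRAFFIC = [
    (0.0, "IED-A", "IED-B", "GOOSE"), (1.1, "IED-A", "IED-B", "GOOSE"), (2.1, "IED-A", "IED-B", "GOOSE"),
    # Same edge as the model, but a burst far faster than the learned period.
    (0.0, "IED-B", "IED-C", "GOOSE"), (0.2, "IED-B", "IED-C", "GOOSE"),
    (0.4, "IED-B", "IED-C", "GOOSE"), (0.6, "IED-B", "IED-C", "GOOSE"),
    (0.4, "HMI", "IED-A", "MMS-read"), (2.3, "HMI", "IED-A", "MMS-read"),
    (3.0, "HMI", "IED-A", "MMS-write"),  # edge that never appears in normal traffic
]


def build_graph(packets):
    """Directed weighted graph: edge (src, dst, msg_type) -> mean inter-arrival time in seconds.

    An edge seen only once has no period estimate and gets weight None."""
    timestamps = defaultdict(list)
    for ts, src, dst, msg_type in packets:
        timestamps[(src, dst, msg_type)].append(ts)
    graph = {}
    for edge, ts_list in timestamps.items():
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        graph[edge] = mean(gaps) if gaps else None
    return graph


def find_anomalies(model, unknown, tolerance=0.25):
    """Return (edge, reason) for every edge of the unknown graph that is not
    contained in the model graph, structurally or in its timing weight."""
    anomalies = []
    for edge, weight in unknown.items():
        if edge not in model:
            anomalies.append((edge, "edge not in model graph"))
        elif weight is not None and model[edge] is not None \
                and abs(weight - model[edge]) > tolerance * model[edge]:
            anomalies.append((edge, f"period {weight:.2f}s vs model {model[edge]:.2f}s"))
    return anomalies


def analyse():
    return find_anomalies(build_graph(NORMAL_TRAFFIC), build_graph(UNKNOWN_TRAFFIC))


if __name__ == "__main__":
    for edge, reason in analyse():
        print(edge, "->", reason)
```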
Main file: 460140_1_En_4_Chapter.pdf (239.64 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-01819141, version 1 (20-06-2018)

Licence

Attribution

Cite

Megan Leierzapf, Julian Rrushi. Network forensic analysis of electrical substation automation traffic. 11th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2017, Arlington, VA, United States. pp.63-78, ⟨10.1007/978-3-319-70395-4_4⟩. ⟨hal-01819141⟩