TY - GEN
T1 - Implementation of a Stateful Network Protocol Intrusion Detection Systems
AU - Seng, S.
AU - Garcia-Alfaro, J.
AU - Laarouci, Y.
N1 - Publisher Copyright:
© 2021 by SCITEPRESS - Science and Technology Publications, Lda. All rights reserved.
PY - 2022/1/1
Y1 - 2022/1/1
N2 - The deployment of a Network Intrusion Detection System (NIDS) is one of the imperatives for the control of an information system. Today, almost all intrusion detection systems are based on a static vision of network exchanges, whether their detection engines rely on signatures or on behavioral models. However, this approach is limited: it does not allow past exchanges to be taken directly into account, and thus cannot fully model normal or abnormal behavior, such as verifying that an authentication has taken place before authorizing a privileged request, or detecting a replay attack. We propose to add a further dimension to NIDS by performing stateful monitoring of communication protocols. Unified Modeling Language (UML) statecharts have been chosen to model the protocols and to perform the stateful monitoring. An implementation of this solution is integrated within an existing NIDS and validated on two industrial protocols, IEC 60870-5-104 and Modbus TCP. The implementation dissociates the stateful monitoring from the NIDS by means of an abstraction interface, allowing easy integration of new communication protocols.
AB - The deployment of a Network Intrusion Detection System (NIDS) is one of the imperatives for the control of an information system. Today, almost all intrusion detection systems are based on a static vision of network exchanges, whether their detection engines rely on signatures or on behavioral models. However, this approach is limited: it does not allow past exchanges to be taken directly into account, and thus cannot fully model normal or abnormal behavior, such as verifying that an authentication has taken place before authorizing a privileged request, or detecting a replay attack. We propose to add a further dimension to NIDS by performing stateful monitoring of communication protocols. Unified Modeling Language (UML) statecharts have been chosen to model the protocols and to perform the stateful monitoring. An implementation of this solution is integrated within an existing NIDS and validated on two industrial protocols, IEC 60870-5-104 and Modbus TCP. The implementation dissociates the stateful monitoring from the NIDS by means of an abstraction interface, allowing easy integration of new communication protocols.
KW - Anomaly Detection
KW - Critical Infrastructures
KW - Industrial System
KW - Intrusion Detection System
KW - Protocol Modeling
KW - Statechart
UR - https://www.scopus.com/pages/publications/85178503458
U2 - 10.5220/0011327400003283
DO - 10.5220/0011327400003283
M3 - Conference contribution
AN - SCOPUS:85178503458
SN - 9789897585906
T3 - Proceedings of the International Conference on Security and Cryptography
SP - 398
EP - 405
BT - SECRYPT 2022 - Proceedings of the 19th International Conference on Security and Cryptography
A2 - De Capitani di Vimercati, Sabrina
A2 - Samarati, Pierangela
PB - Science and Technology Publications, Lda
T2 - 19th International Conference on Security and Cryptography, SECRYPT 2022
Y2 - 11 July 2022 through 13 July 2022
ER -