
Field intrusion detection system for SCADA networks


Abstract

This dissertation presents a new approach for detecting electronic intrusions in the SCADA networks used to control chemical plants. The approach combines network intrusion detection and field intrusion detection systems in a way that significantly enhances system performance and greatly reduces false positives and false negatives. The major contribution of this dissertation, however, is the development, implementation, testing and evaluation of a novel field intrusion detection unit.

The network intrusion detection system (NIDS) is applied to data transmitted using the distributed network protocol (DNP3) over TCP/IP. Rule-based security is used to implement NIDS for incoming and outgoing data transmissions from a master terminal unit (MTU) to a remote terminal unit (RTU). The field intrusion detection system (FIDS) presented here is based on PCA and hierarchical principal component analysis (HPCA). HPCA is a fast data reduction technique designed to avoid the problem of evaluating eigenvectors for high-dimensional data. Reliance on the outputs of these methods depends on a decision tree, which is constructed to give FID the ability to detect intruded variables. A mathematical model for the group assignment algorithm of HPCA is also presented to improve the intrusion detection rate.

For testing purposes, network traffic from an actual SCADA system in the Chemical Engineering Department at the University of Louisville, which controls a chemical distillation process, was used for offline analysis. To perform real-time evaluation, a mathematical model of the process was utilized. Detailed analysis of the FIDS unit is discussed in this dissertation, including the ROC curve, scalability considerations, clustering input parameters, implementation of a low-pass filter for reducing high noise, and the sensitivity of hierarchical principal component analysis (HPCA) versus PCA. The experimental results are found to provide acceptable detection for real-time systems, and the projected scalability of the detection system to larger installations is also acceptable.

Bibliographic record

  • Author: Ashikhmin, Aleksey
  • Author affiliation: University of Louisville
  • Degree-granting institution: University of Louisville
  • Subject: Computer science
  • Degree: Ph.D.
  • Year: 2009
  • Pages: 129 p.
  • Total pages: 129
  • Original format: PDF
  • Text language: eng
