Online, Context-aware, Intelligent Anomaly Detection and Analysis for SCADA Systems
Brief Introduction
The objective of this project is to develop an online, context-aware, intelligent framework for anomaly detection, anomalous data analysis, causal reasoning, consequence indication and response suggestion for SCADA networks. The designed framework monitors the network traffic in SCADA networks, detects anomalous events in real time, and provides context-aware information for those anomalies to guide reasoning and consequences of anomalous events, which lead to operational resilience and recovery.
Our Contribution
- This project contains two sub-projects. In the first sub-project, we develop a novel edge-based multi-level anomaly detection framework for SCADA networks named EDMAND. EDMAND monitors three levels of network traffic data and applies appropriate anomaly detection methods based on the distinct characteristics of the data. Alerts are generated, aggregated and prioritized before being sent back to control centers. A prototype of the framework is built to evaluate its detection ability and time overhead.
- The objective of the second sub-project is to develop a framework to analyze the alerts generated by EDMAND. We propose a causal-polytree-based anomaly reasoning framework for SCADA networks, named CAPTAR. CAPTAR takes the meta-alerts from our anomaly detection framework EDMAND, correlates them using a naive Bayes classifier, and matches them to predefined causal polytrees. Utilizing Bayesian inference on the causal polytrees, CAPTAR can produce a high-level view of the security state of the protected SCADA network.
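To illustrate the last step, here is an added toy example (not CAPTAR's code or model) of Bayesian inference over a tiny causal polytree: two hypothesised root causes (an intrusion and a maintenance window) explain two meta-alert types, and the posterior of the intrusion node given the observed alerts is turned into a coarse security-state label. The node names, structure and probabilities are all assumed for illustration.

```python
"""Toy Bayesian inference over a hypothetical causal polytree of SCADA meta-alerts.

Assumed structure (illustration only, not CAPTAR's actual polytrees):
  intrusion   -> scan_alert
  intrusion   -> cmd_alert
  maintenance -> cmd_alert   (a maintenance window also explains unusual commands)
"""
from itertools import product

# node -> (parents, CPT); the CPT maps a tuple of parent values to P(node=True).
# All numbers are constructed for this example.
NETWORK = {
    "intrusion":   ((), {(): 0.05}),
    "maintenance": ((), {(): 0.20}),
    "scan_alert":  (("intrusion",), {(True,): 0.80, (False,): 0.05}),
    "cmd_alert":   (("intrusion", "maintenance"),
                    {(True, True): 0.95, (True, False): 0.85,
                     (False, True): 0.60, (False, False): 0.02}),
}

def joint_probability(assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def posterior(query, evidence):
    """P(query=True | evidence) by enumerating the unobserved nodes.

    Exact and fine for a handful of binary nodes; a polytree of realistic
    size would use message passing instead of full enumeration."""
    hidden = [n for n in NETWORK if n != query and n not in evidence]
    weights = {True: 0.0, False: 0.0}
    for qval in (True, False):
        for hvals in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence, **dict(zip(hidden, hvals)))
            assignment[query] = qval
            weights[qval] += joint_probability(assignment)
    return weights[True] / (weights[True] + weights[False])

def assess(observed_alerts, context=None):
    """Map observed meta-alert names (plus optional operator-confirmed context,
    e.g. {"maintenance": True}) to the intrusion posterior and a state label."""
    evidence = {alert: True for alert in observed_alerts}
    evidence.update(context or {})
    p = posterior("intrusion", evidence)
    label = "critical" if p >= 0.75 else "elevated" if p >= 0.25 else "low"
    return p, label
```

The same unusual-command alert yields an "elevated" state on its own, "critical" once a scan alert corroborates it, and "low" when the operator confirms a maintenance window, which is the kind of context-aware reading the framework aims for.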