Generation of process time series on ICS to produce regular network data packets

Papers about topic 7 Generation of process time series on ICS to produce regular network data packets
Hongyu Yan
2026-01-29 00:48:42 +08:00
parent e94d4aa91f
commit d5c8ace183
21 changed files with 9107 additions and 0 deletions


@@ -0,0 +1,10 @@
@INPROCEEDINGS{6923938,
author={Al-Dalky, Rami and Abduljaleel, Omar and Salah, Khaled and Otrok, Hadi and Al-Qutayri, Mahmoud},
booktitle={2014 9th International Symposium on Communication Systems, Networks & Digital Sign (CSNDSP)},
title={A Modbus traffic generator for evaluating the security of SCADA systems},
year={2014},
volume={},
number={},
pages={809-814},
keywords={Protocols;SCADA systems;Ports (Computers);IP networks;Payloads;Feature extraction;Receivers;SCADA System;Modbus;Snort;Scapy;Network security},
doi={10.1109/CSNDSP.2014.6923938}}
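Review bot: the booktitle on the third line of this entry is truncated: `Networks & Digital Sign (CSNDSP)` cuts the venue name short, whereas the summary file added in this same commit gives it in full as `2014 9th International Symposium on Communication Systems, Networks & Digital Signal Processing (CSNDSP)`. While fixing it, escape the ampersand as `\&` so the entry compiles under LaTeX, and consider dropping the empty `volume={}` and `number={}` fields, which add nothing.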


@@ -0,0 +1,56 @@
# Autoregressive Denoising Diffusion Models for Multivariate Probabilistic Time Series Forecasting
**第一个问题**请对论文的内容进行摘要总结包含研究背景与问题、研究目的、方法、主要结果和结论字数要求在150-300字之间使用论文中的术语和概念。
摘要总结SCADA系统随互联网集成暴露于大量网络攻击但现有研究缺乏用于评估安全方案有效性的自动化恶意流量生成工具。本文提出面向Modbus/TCP的恶意流量生成器目标是从Snort NIDS规则自动提取特征并用Scapy生成对应的Modbus数据包以在测试环境评估安全方案。方法包括解析Snort规则头与选项content、offset构造并修改MBAP与Modbus PDU/ADU头部与负载封装为TCP/IP数据包并建立会话发送提供详细算法与实验测试床发送端/接收端/Snort NIDS与镜像端口。主要结果显示该工具成功生成能触发指定Snort规则的恶意流量Wireshark验证了字段值如第9字节0x09Snort记录与规则sid/msg一致。结论该工具为SCADA安全评估提供可复现实验流量来源并可扩展至其他协议如DNP3
**第二个问题**请提取论文的摘要原文摘要一般在Abstract之后Introduction之前。
Supervisory control and data acquisition (SCADA) systems are used to monitor and control several industrial functions such as: oil & gas, electricity, water, nuclear fusion, etc. Recently, the Internet connectivity to SCADA systems introduced new vulnerabilities to these systems and made it a target for immense amount of attacks. In the literature, several solutions have been developed to secure SCADA systems; however; the literature is lacking work directed at the development of tools to evaluate the effectiveness of such solutions. An essential requirement of such tools is the generation of normal and malicious SCADA traffic. In this paper, we present an automated tool to generate a malicious SCADA traffic to be used to evaluate such systems. We consider the traffic generation of the popular SCADA Modbus protocol. The characteristics of the generated traffic are derived from Snort network intrusion detection system (NIDS) Modbus rules. The tool uses Scapy to generate packets based on the extracted traffic features. We present the testing results for our tool. The tool is used to read a Snort rule file that contains Modbus rules to extract the required traffic features.
**第三个问题**:请列出论文的全部作者,按照此格式:`作者1, 作者2, 作者3`
Rami Al-Dalky, Omar Abduljaleel, Khaled Salah, Hadi Otrok, Mahmoud Al-Qutayri
**第四个问题**:请直接告诉我这篇论文发表在哪个会议或期刊,请不要推理或提供额外信息。
2014 9th International Symposium on Communication Systems, Networks & Digital Signal Processing (CSNDSP)
**第五个问题**:请详细描述这篇论文主要解决的核心问题,并用简洁的语言概述。
核心问题缺乏自动化、基于标准检测规则的SCADA恶意流量生成工具无法有效评估防护与检测方案的实际效果。简述从Snort的Modbus规则自动提取特征用Scapy生成可触发这些规则的Modbus/TCP恶意数据包在真实/仿真实验环境中验证安全方案。
**第六个问题**:请告诉我这篇论文提出了哪些方法,请用最简洁的方式概括每个方法的核心思路。
- 基于Snort规则的特征提取解析规则头协议、端口与选项content、offset筛选Modbus相关规则TCP/502
- 头部与负载映射算法依据offset将content分配到MBAP头、Modbus头或负载必要时跨界写入并补齐payload。
- 封装与发送流程构造Modbus PDU/ADU封装至TCP/IP端口502建立会话、发送、确认、关闭。
- 实验测试床设计发送端生成流量、接收端监听502端口、镜像端口供Snort抓取Wireshark用于字段验证。
**第七个问题**:请告诉我这篇论文所使用的数据集,包括数据集的名称和来源。
本研究未使用公开数据集使用来源为Snort NIDS规则文件包含Modbus规则作为流量特征输入工具据此生成恶意Modbus/TCP数据包实验数据来自测试床抓包与Snort告警日志Wireshark与Snort输出
**第八个问题**:请列举这篇论文评估方法的所有指标,并简要说明这些指标的作用。
- 规则触发情况告警条目、sid/msg匹配验证生成流量能否触发目标Snort规则衡量有效性。
- 报文字段正确性Wireshark解析、关键字节值如第9字节0x09确认MBAP/Modbus头与payload按照规则设定生成。
- 会话与传输成功率TCP会话建立/关闭、端口502监听保障流量到达与被NIDS镜像捕获。
- 规则覆盖数量(输入规则数与触发数一致性):衡量工具对规则集的支持与完整性。
**第九个问题**:请总结这篇论文实验的表现,包含具体的数值表现和实验结论。
实验使用3条Modbus Snort规则作为输入工具逐条生成恶意Modbus/TCP数据包接收端Wireshark显示默认MBAP头并验证第9字节为0x09等关键值Snort通过网络镜像端口捕获流量并产生3条对应告警sid与msg与输入规则完全一致测试床为三台工作站、1 Gbps链路、监听端口502。结论该工具能够稳定、准确地生成可触发指定规则的恶意Modbus流量满足SCADA安全评估对“可控恶意流量”的需求。
**第十个问题**:请清晰地描述论文所作的工作,分别列举出动机和贡献点以及主要创新之处。
- 动机SCADA系统安全方案亟需在受控环境中用真实协议恶意流量进行评估而现有研究缺少自动化流量生成工具。
- 贡献点:
1. 提出并实现基于Snort规则的Modbus恶意流量生成器开源发布
2. 设计规则到报文字段的映射与封装算法MBAP/Modbus PDU/ADU到TCP/IP
3. 构建评测测试床并验证工具在触发目标规则上的有效性与一致性。
- 主要创新:
- 首次把Snort NIDS规则直接转化为可执行的Modbus/TCP恶意数据包生成流程实现从检测签名到攻击流量的自动闭环。
- 细化offset/content到协议层级字段的自动映射兼顾跨头部与payload写入的边界处理保障生成包语义与触发条件精确匹配。
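Review bot: the heading does not match the file's content: the `#` title names "Autoregressive Denoising Diffusion Models for Multivariate Probabilistic Time Series Forecasting", but every answer beneath it (the quoted abstract, the author list, the venue, the method and metric bullets) describes "A Modbus traffic generator for evaluating the security of SCADA systems" by Al-Dalky et al., the paper in the BibTeX entry added earlier in this commit. Either the heading or the body was pasted from the wrong template; the heading should carry the Modbus paper's title. Separately, the answers to questions one, two, five, seven and nine have lost their punctuation (e.g. `摘要总结SCADA系统随互联网集成暴露于大量网络攻击但现有研究缺乏` runs several sentences together), and the bold labels for questions one and two lack the colon that every later label has; restoring both makes the file read consistently.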


@@ -0,0 +1,18 @@
@Article{s23031310,
AUTHOR = {Kim, Bedeuro and Alawami, Mohsen Ali and Kim, Eunsoo and Oh, Sanghak and Park, Jeongyong and Kim, Hyoungshick},
TITLE = {A Comparative Study of Time Series Anomaly Detection Models for Industrial Control Systems},
JOURNAL = {Sensors},
VOLUME = {23},
YEAR = {2023},
NUMBER = {3},
ARTICLE-NUMBER = {1310},
URL = {https://www.mdpi.com/1424-8220/23/3/1310},
PubMedID = {36772349},
ISSN = {1424-8220},
ABSTRACT = {Anomaly detection has been known as an effective technique to detect faults or cyber-attacks in industrial control systems (ICS). Therefore, many anomaly detection models have been proposed for ICS. However, most models have been implemented and evaluated under specific circumstances, which leads to confusion about choosing the best model in a real-world situation. In other words, there still needs to be a comprehensive comparison of state-of-the-art anomaly detection models with common experimental configurations. To address this problem, we conduct a comparative study of five representative time series anomaly detection models: InterFusion, RANSynCoder, GDN, LSTM-ED, and USAD. We specifically compare the performance analysis of the models in detection accuracy, training, and testing times with two publicly available datasets: SWaT and HAI. The experimental results show that the best model results are inconsistent with the datasets. For SWaT, InterFusion achieves the highest F1-score of 90.7% while RANSynCoder achieves the highest F1-score of 82.9% for HAI. We also investigate the effects of the training set size on the performance of anomaly detection models. We found that about 40% of the entire training set would be sufficient to build a model producing a similar performance compared to using the entire training set.},
DOI = {10.3390/s23031310}
}


@@ -0,0 +1,19 @@
TY - JOUR
AU - Landauer, Max
AU - Skopik, Florian
AU - Stojanović, Branka
AU - Flatscher, Andreas
AU - Ullrich, Torsten
PY - 2024
DA - 2024/10/30
TI - A review of time-series analysis for cyber security analytics: from intrusion detection to attack prediction
JO - International Journal of Information Security
SP - 3
VL - 24
IS - 1
AB - Understanding the current threat landscape as well as timely detection of imminent attacks are primary objectives of cyber security. Through time-series modeling of security data, such as event logs, alerts, or incidents, analysts take a step towards these goals. On the one hand, extrapolating time-series to predict future occurrences of attacks and vulnerabilities is able to support decision-making and preparation against threats. On the other hand, detection of model deviations as anomalies can point to suspicious outliers and thereby disclose cyber attacks. However, since the set of available techniques for time-series analysis is just as diverse as the research domains in the area of cyber security analytics, it can be difficult for analysts to understand which approaches fit the properties of security data at hand. This paper therefore conducts a broad literature review in research domains that leverage time-series analysis for cyber security analytics, with focus on available techniques, data sets, and challenges imposed by applications or feature properties. The results of our study indicate that relevant approaches range from detective systems ingesting short-term and low-level events to models that produce long-term forecasts of high-level attack cases.
SN - 1615-5270
UR - https://doi.org/10.1007/s10207-024-00921-0
DO - 10.1007/s10207-024-00921-0
ID - Landauer2024
ER -


@@ -0,0 +1,10 @@
@ARTICLE{9781420,
author={Naveed, Muhammad Haris and Hashmi, Umair Sajid and Tajved, Nayab and Sultan, Neha and Imran, Ali},
journal={IEEE Access},
title={Assessing Deep Generative Models on Time Series Network Data},
year={2022},
volume={10},
number={},
pages={64601-64617},
keywords={Data models;Generative adversarial networks;Telecommunications;Solid modeling;Training data;Time series analysis;Predictive models;Machine learning;GAN;TimeGAN;PAR;DoppleGANger;time series;forecast analysis},
doi={10.1109/ACCESS.2022.3177906}}


@@ -0,0 +1,13 @@
@article{GKOULIS2025101500,
title = {Creating interpretable synthetic time series for enhancing the design and implementation of Internet of Things (IoT) solutions},
journal = {Internet of Things},
volume = {30},
pages = {101500},
year = {2025},
issn = {2542-6605},
doi = {https://doi.org/10.1016/j.iot.2025.101500},
url = {https://www.sciencedirect.com/science/article/pii/S2542660525000137},
author = {Dimitris Gkoulis},
keywords = {Internet of Things (IoT), Synthetic data, Synthetic time series, IoT simulation},
abstract = {This study establishes a foundation for addressing the challenge of developing Internet of Things (IoT) solutions in the absence of real-world data, a common obstacle in the early stages of IoT design, prototyping, and testing. Motivated by the need for reliable and interpretable synthetic data, this work introduces a structured approach and a dedicated library for creating realistic time series data. The methodology emphasizes flexibility and modularity, allowing for the combination of distinct componentssuch as trends, seasonality, and noiseto create synthetic data that accurately reflects real-world phenomena while maintaining interpretability. The approachs utility is demonstrated by creating synthetic air temperature time series, which are rigorously compared against real-world datasets to assess their fidelity. The results validate the proposed methodologys and librarys effectiveness in producing data that closely mirrors real-world patterns, providing a robust tool for IoT development in data-constrained environments.}
}
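Review bot: the `doi` field carries the full resolver URL (`https://doi.org/10.1016/j.iot.2025.101500`) rather than the bare identifier; most BibTeX and biblatex styles prepend `https://doi.org/` themselves, so this renders as a doubled link. Use `doi = {10.1016/j.iot.2025.101500}` and keep the landing page in `url`. The abstract also lost characters when pasted: `componentssuch as trends, seasonality, and noiseto` is missing the dashes around the parenthetical, and `approachs`, `methodologys` and `librarys` are missing their apostrophes.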


@@ -0,0 +1,17 @@
@Article{electronics13101920,
AUTHOR = {Kim, Minseo and Jeon, Seungho and Cho, Jake and Gong, Seonghyeon},
TITLE = {Data-Driven ICS Network Simulation for Synthetic Data Generation},
JOURNAL = {Electronics},
VOLUME = {13},
YEAR = {2024},
NUMBER = {10},
ARTICLE-NUMBER = {1920},
URL = {https://www.mdpi.com/2079-9292/13/10/1920},
ISSN = {2079-9292},
ABSTRACT = {Industrial control systems (ICSs) are integral to managing and optimizing processes in various industries, including manufacturing, power generation, and more. However, the scarcity of widely adopted ICS datasets hampers research efforts in areas like optimization and security. This scarcity arises due to the substantial cost and technical expertise required to create physical ICS environments. In response to these challenges, this paper presents a groundbreaking approach to generating synthetic ICS data through a data-driven ICS network simulation. We circumvent the need for expensive hardware by recreating the entire ICS environment in software. Moreover, rather than manually replicating the control logic of ICS components, we leverage existing data to autonomously generate control logic. The core of our method involves the stochastic setting of setpoints, which introduces randomness into the generated data. Setpoints serve as target values for controlling the operation of the ICS process. This approach enables us to augment existing ICS datasets and cater to the data requirements of machine learning-based ICS intrusion detection systems and other data-driven applications. Our simulated ICS environment employs virtualized containers to mimic the behavior of real-world PLCs and SCADA systems, while control logic is deduced from publicly available ICS datasets. Setpoints are generated probabilistically to ensure data diversity. Experimental results validate the fidelity of our synthetic data, emphasizing their ability to closely replicate temporal and statistical characteristics of real-world ICS networks. In conclusion, this innovative data-driven ICS network simulation offers a cost-effective and scalable solution for generating synthetic ICS data. It empowers researchers in the field of ICS optimization and security with diverse, realistic datasets, furthering advancements in this critical domain. 
Future work may involve refining the simulation model and exploring additional applications for synthetic ICS data.},
DOI = {10.3390/electronics13101920}
}
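Review bot: the `ABSTRACT` value is split across two lines, with trailing whitespace after `critical domain.` and the continuation `Future work may involve ...` on its own line. BibTeX tolerates a newline inside the braces, but this is the only multi-line field in the commit and looks like a paste accident; join it onto one line to match the other entries.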


@@ -0,0 +1,9 @@
@misc{hu2025flowtstimeseriesgeneration,
title={FlowTS: Time Series Generation via Rectified Flow},
author={Yang Hu and Xiao Wang and Zezhen Ding and Lirong Wu and Huatian Zhang and Stan Z. Li and Sheng Wang and Jiheng Zhang and Ziyun Li and Tianlong Chen},
year={2025},
eprint={2411.07506},
archivePrefix={arXiv},
primaryClass={cs.LG},
url={https://arxiv.org/abs/2411.07506},
}


@@ -0,0 +1,17 @@
@inproceedings{10.1145/3320269.3384730,
author = {Sarkar, Esha and Benkraouda, Hadjer and Maniatakos, Michail},
title = {I came, I saw, I hacked: Automated Generation of Process-independent Attacks for Industrial Control Systems},
year = {2020},
isbn = {9781450367509},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3320269.3384730},
doi = {10.1145/3320269.3384730},
abstract = {Malicious manipulations on Industrial Control Systems (ICSs) endanger critical infrastructures, causing unprecedented losses. State-of-the-art research in the discovery and exploitation of vulnerability typically assumes full visibility and control of the industrial process, which in real-world scenarios is unrealistic. In this work, we investigate the possibility of an automated end-to-end attack for an unknown control process in the constrained scenario of infecting just one industrial computer. We create databases of human-machine interface images, and Programmable Logic Controller (PLC) binaries using publicly available resources to train machine-learning models for modular and granular fingerprinting of the ICS sectors and the processes, respectively. We then explore control-theoretic attacks on the process leveraging common/ubiquitous control algorithm modules like Proportional Integral Derivative blocks using a PLC binary reverse-engineering tool, causing stable or oscillatory deviations within the operational limits of the plant. We package the automated attack and evaluate it against a benchmark chemical process, demonstrating the feasibility of advanced attacks even in constrained scenarios.},
booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and Communications Security},
pages = {744758},
numpages = {15},
keywords = {fingerprinting, industrial control systems security, machine learning, process-aware attacks},
location = {Taipei, Taiwan},
series = {ASIA CCS '20}
}
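Review bot: `pages = {744758}` has lost its range separator; with `numpages = {15}` the range is 744 to 758, so this should be `pages = {744--758}` (the double hyphen becomes an en dash in LaTeX). As written it reads as a single six-digit page number.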


@@ -0,0 +1,10 @@
@inproceedings {198143,
author = {Antoine Lemay and Jose M. Fernandez},
title = {Providing {SCADA} Network Data Sets for Intrusion Detection Research},
booktitle = {9th Workshop on Cyber Security Experimentation and Test (CSET 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/cset16/workshop-program/presentation/lemay},
publisher = {USENIX Association},
month = aug
}


@@ -0,0 +1,9 @@
@misc{nikitin2024tsgmflexibleframeworkgenerative,
title={TSGM: A Flexible Framework for Generative Modeling of Synthetic Time Series},
author={Alexander Nikitin and Letizia Iannucci and Samuel Kaski},
year={2024},
eprint={2305.11567},
archivePrefix={arXiv},
primaryClass={cs.LG},
url={https://arxiv.org/abs/2305.11567},
}