Abstract

We look to build a model of expected traffic generated from flow-based statistics
within a SCADA network, and then use that to detect attacks by recognizing
anomalous network traffic that does not match the baseline model. Initially we
create a model based on network traffic captures. In addition, this model can be
edited using a graphical representation of the physical network topology,
allowing for easy manipulation of the model. Our system models are integrated
into Snort, a popular open source intrusion detection system, for the detection
phase.