Online, Context-aware, Intelligent Anomaly Detection and Analysis for SCADA Systems



  • Fall 2017-present

Project Description

SCADA systems are widely used in energy delivery systems to gather measurement data from field devices and send control commands to them. However, the legacy end devices and industrial control protocols, used in the SCADA system, make it vulnerable to various cyberattacks. There are existing solutions to provide intrusion detection for networks. However, most of them only focus on monitoring and event detection of network state at the transport layer and perform flow-level analysis, which is not enough to detect and reason about semantic attacks hidden in the application layer. Even for those solutions which parse the application protocol, they usually can detect the event only, but fail to provide any causes and consequences of the event. Therefore, it is hard or impossible for the operator to quickly digest the event and react to it. If any of the attacks are undetected or not resolved promptly, the entire system could suffer.

In this activity, we concentrate on developing an online, context-aware, intelligent framework for anomaly detection, anomalous data analysis, causal reasoning, consequence indication and response suggestion for SCADA networks. This is a large research space since the framework requires an integration of approaches in feature selection, machine learning, predictive reasoning, context-aware analysis and alert aggregation, to name a few. Our framework analyzes the network traffic and parses not only transport-layer but also application-layer information. Features are selected, transformed and reduced and feature vectors are constructed. Three scopes of features are considered to offer different granularity of analysis: (a) flow-level information such as addresses, ports of source and destination, delays and jitters; (b) control-protocol-level information such as function codes and parameters; (c) content-level information such as values to be written and results from reads. Machine learning techniques are then used upon feature vectors to perform anomaly detection. Those three levels of anomaly detection serve as the building blocks of our framework and trigger various alarms. Beyond those building blocks, we build a causality-based analyzer to aggregate and analyze the generated alarms. Domain knowledge and causal reasoning are considered and cyber-physical models of the system are built or utilized to aid the detection, causality and consequence analysis of anomalies. Potential responses are then analyzed and provided to the operator based on the analysis results and current states of the system from the cyber-physical models.


  • Ren, Wenyu, Timothy Yardley, and Klara Nahrstedt. “EDMAND: Edge-Based Multi-Level Anomaly Detection for SCADA Networks.” 2018 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). IEEE, 2018.

Funding Agencies

This project is supported by the Department of Energy (DOE), Office of Electricity Cyber Security for Energy Delivery Systems.