The University of Massachusetts Amherst
University of Massachusetts Amherst

Search Google Appliance


Dr. Klara Nahrstedt

"Anomaly Detection and Casual Reasoning about Attacks on SCADA Networks"


Friday, September 13, 2019 - 11:15am


Dr. Klara Nahrstedt, Coordinated Science Laboratory Director and Professof of Computer Science, University of Illinois at Urbana-Champaign


Marston 132


Electrical & Computer Engineering Graduate Student Seminar

Professor Klara Nahrstedt

Coordinated Science Laboratory Director

and Professor of Computer Science

University of Illinois at Urbana-Champaign


Date: Friday, September 13, 2019

Time: 11:15 A.M. – 12:05 P.M.

Location: Marston, Room 132

Faculty Host: Prof. Michael Zink



"Anomaly Detection and Casual Reasoning about Attacks on SCADA Networks"



The SCADA (Supervisory Control and Data Acquisition) systems are widely used in critical cyber-physical systems (CPS) such as Smart Grid, Manufacturing and other mission-critical CPS systems. However, SCADA devices and networks are often subject to a wide range of attacks coming from external attackers and/or internal misconfigurations.  Traditional intrusion detection systems are deployed to ensure the security of SCADA systems, but they often focus on monitoring only one or two levels of SCADA network data, such as transport or content levels, and continuously generate a large number of alerts without further analyzing them for causal reasoning.


In this talk, we present an anomaly detection system, called EDMOND, and a causal reasoning framework for attacks on Smart Grid SCADA networks, called CAPTAR. EDMOND is an edge-based anomaly detector, which analyzes SCADA network anomalies at all three levels of network traffic data (transport, protocol, content levels), aggregates alerts to decrease the volume of alerts, and sends aggregated alerts to control center for causal analysis. CAPTAR is a cloud-based causal reasoning framework which correlates and matches aggregated alerts to causal polytrees. Bayesian inference is performed on the causal polytrees to produce a high-level view of the security state of the protected SCADA network. We will discuss the anomaly detection and causal reasoning analyses on attack examples, and show experimentally that, using MODBUS and DNP3 network traffic, we can do anomaly detection and attack reasoning in real-time.


Joint work with Dr. Wenyu Ren, Tuo Yu, and Tim Yardley in the Information Trust Institute (ITI) at University of Illinois, Urbana-Champaign.



Klara Nahrstedt is the Ralph and Catherine Fisher Professor in the Computer Science Department, and Director of Coordinated Science Laboratory in the College of Engineering at the University of Illinois at Urbana-Champaign. Her research interests are directed toward end-to-end Quality of Service (QoS) and resource management in large scale multimedia distributed systems and networks, and real-time security and privacy in cyber-physical systems. She is the recipient of the IEEE Communication Society Leonard Abraham Award for Research Achievements, University Scholar, Humboldt Award, IEEE Computer Society Technical Achievement Award, ACM SIGMM Technical Achievement Award, Piloty Prize, and Drucker Award. Klara Nahrstedt received her Diploma in Mathematics from Humboldt University, Berlin, Germany in 1985. In 1995 she received her PhD from the University of Pennsylvania in the Department of Computer and Information Science. She is ACM Fellow, IEEE Fellow, and Member of the German National Academy of Sciences (Leopoldina Society).