{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,28]],"date-time":"2025-11-28T12:29:59Z","timestamp":1764332999041,"version":"3.40.3"},"publisher-location":"Cham","reference-count":25,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030697808"},{"type":"electronic","value":"9783030697815"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,2,18]],"date-time":"2021-02-18T00:00:00Z","timestamp":1613606400000},"content-version":"vor","delay-in-days":48,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Supervisory and Data Acquisition (SCADA) systems control and monitor modern power networks. As attacks targeting SCADA systems are increasing, significant research is conducted to defend SCADA networks including variations of anomaly detection. Due to the sensitivity of real data, many defence mechanisms have been tested only in small testbeds or emulated traffic that were designed with assumptions on how SCADA systems behave. This work provides a timing characterization of IEC-104 spontaneous traffic and compares the results from emulated traffic and real traffic to verify if the network characteristics appearing in testbeds and emulated traffic coincide with real traffic. Among three verified characteristics, two of them appear in the real dataset but in a less regular way, and one does not appear in the collected real data. The insights from these observations are discussed in terms of presumed differences between emulated and real traffic and how those differences are generated.<\/jats:p>","DOI":"10.1007\/978-3-030-69781-5_14","type":"book-chapter","created":{"date-parts":[[2021,2,19]],"date-time":"2021-02-19T11:12:22Z","timestamp":1613733142000},"page":"207-223","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["A Comparative Analysis of Emulated and Real IEC-104 Spontaneous Traffic in Power System Networks"],"prefix":"10.1007","author":[{"given":"C.-Y.","family":"Lin","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Simin","family":"Nadjm-Tehrani","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,2,18]]},"reference":[{"key":"14_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"219","DOI":"10.1007\/978-3-030-05849-4_17","volume-title":"Critical Information Infrastructures Security","author":"M Almgren","year":"2019","unstructured":"Almgren, M., et al.: RICS-el: building a national testbed for research and training on SCADA security (Short Paper). In: Luiijf, E., \u017dutautait\u0117, I., H\u00e4mmerli, B.M. (eds.) CRITIS 2018. LNCS, vol. 11260, pp. 219\u2013225. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-05849-4_17"},{"key":"14_CR2","doi-asserted-by":"crossref","unstructured":"Aoudi, W., Iturbe, M., Almgren, M.: Truth will out: departure-based process-level detection of stealthy attacks on control systems. In: Proceedings of the Conference on Computer and Communications Security. ACM (2018)","DOI":"10.1145\/3243734.3243781"},{"key":"14_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1007\/978-3-642-28537-0_13","volume-title":"Passive and Active Measurement","author":"RRR Barbosa","year":"2012","unstructured":"Barbosa, R.R.R., Sadre, R., Pras, A.: Difficulties in modeling SCADA traffic: a comparative analysis. In: Taft, N., Ricciato, F. (eds.) PAM 2012. LNCS, vol. 7192, pp. 126\u2013135. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-28537-0_13"},{"key":"14_CR4","doi-asserted-by":"crossref","unstructured":"Barbosa, R.R.R., Sadre, R., Pras, A.: A first look into SCADA network traffic. In: Proceedings of Network Operations and Management Symposium (NOMS). IEEE (2012)","DOI":"10.1109\/NOMS.2012.6211945"},{"key":"14_CR5","doi-asserted-by":"publisher","first-page":"52","DOI":"10.1016\/j.ijcip.2016.02.004","volume":"13","author":"RRR Barbosa","year":"2016","unstructured":"Barbosa, R.R.R., Sadre, R., Pras, A.: Exploiting traffic periodicity in industrial control networks. Int. J. Crit. Infrastruct. Protect. 13, 52\u201362 (2016)","journal-title":"Int. J. Crit. Infrastruct. Protect."},{"key":"14_CR6","unstructured":"Bencs\u00e1th, B., P\u00e9k, G., Butty\u00e1n, L., F\u00e9legyh\u00e1zi, M.: Duqu: a stuxnet-like malware found in the wild. Technical report Laboratory of Cryptography and System Security (CrySyS Lab), Budapest University of Technology and Economics Department of Telecommunications (2011)"},{"key":"14_CR7","doi-asserted-by":"crossref","unstructured":"Clarke, G., Reynders, D.: Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems. Newnes (2004)","DOI":"10.1016\/B978-075065799-0\/50019-X"},{"key":"14_CR8","unstructured":"Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet dossier. Technical report Symantec, Mountain View (2011)"},{"key":"14_CR9","doi-asserted-by":"crossref","unstructured":"Formby, D., Jung, S.S., Copeland, J., Beyah, R.: An empirical study of TCP vulnerabilities in critical power system devices. In: Proceedings of the 2nd Workshop on Smart Energy Grid Security (SEGS), pp. 39\u201344 (2014)","DOI":"10.1145\/2667190.2667196"},{"key":"14_CR10","doi-asserted-by":"crossref","unstructured":"Formby, D., Walid, A., Beyah, R.: A case study in power substation network dynamics. In: Proceedings of the ACM on Measurement and Analysis of Computing Systems, vol. 1, p. 19 (2017)","DOI":"10.1145\/3078505.3078525"},{"key":"14_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1007\/978-3-319-71368-7_8","volume-title":"Critical Information Infrastructures Security","author":"J Goh","year":"2017","unstructured":"Goh, J., Adepu, S., Junejo, K.N., Mathur, A.: A dataset to support research in the design of secure water treatment systems. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds.) CRITIS 2016. LNCS, vol. 10242, pp. 88\u201399. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-71368-7_8"},{"issue":"2","key":"14_CR12","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1016\/j.ijcip.2013.05.001","volume":"6","author":"N Goldenberg","year":"2013","unstructured":"Goldenberg, N., Wool, A.: Accurate modeling of Modbus\/TCP for intrusion detection in SCADA systems. Int. J. Crit. Infrastruct. Prot. 6(2), 63\u201375 (2013)","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"14_CR13","doi-asserted-by":"crossref","unstructured":"Hodo, E., Grebeniuk, S., Ruotsalainen, H., Tavolato, P.: Anomaly detection for simulated iec-60870-5-104 trafiic. In: Proceedings of the 12th International Conference on Availability, Reliability and Security (2017)","DOI":"10.1145\/3098954.3103166"},{"key":"14_CR14","doi-asserted-by":"crossref","unstructured":"Jung, S.S., Formby, D., Day, C., Beyah, R.: A first look at machine-to-machine power grid network traffic. In: Proceedings of International Conference on Smart Grid Communications (SmartGridComm). IEEE (2015)","DOI":"10.1109\/SmartGridComm.2014.7007760"},{"key":"14_CR15","doi-asserted-by":"crossref","unstructured":"Kiss, I., Genge, B., Haller, P.: A clustering-based approach to detect cyber attacks in process control systems. In: Proceedings of the 13th International Conference on Industrial Informatics (INDIN). IEEE (2015)","DOI":"10.1109\/INDIN.2015.7281725"},{"key":"14_CR16","doi-asserted-by":"crossref","unstructured":"Krotofil, M., Larson, J., Gollmann, D.: The process matters: Ensuring data veracity in cyber-physical systems. In: Proceedings of the 10th Symposium on Information, Computer and Communications Security (ASIACCS). ACM (2015)","DOI":"10.1145\/2714576.2714599"},{"issue":"1","key":"14_CR17","doi-asserted-by":"publisher","first-page":"159","DOI":"10.2307\/2529310","volume":"33","author":"R Landis","year":"1977","unstructured":"Landis, R., Koch, G.: The measurement of observer agreement for categorical data. Int. Biometric Soc. 33(1), 159\u2013174 (1977)","journal-title":"Int. Biometric Soc."},{"key":"14_CR18","unstructured":"Lee, R.M., Assante, M.J., Conway, T.: Analysis of the cyber attack on the Ukrainian power grid: Defense use case. Technical report Electricity Information Sharing and Analysis Center (E-ISAC) (2016)"},{"key":"14_CR19","doi-asserted-by":"crossref","unstructured":"Lin, C.Y., Nadjm-Tehrani, S.: Understanding IEC-60870-5-104 traffic patterns in SCADA networks. In: Proceedings of the 4th ACM Cyber-Physical System Security Workshop (CPSS). ACM (2018)","DOI":"10.1145\/3198458.3198460"},{"key":"14_CR20","unstructured":"Lin, C.Y., Nadjm-Tehrani, S.: Timing patterns and correlations in spontaneous SCADA traffic for anomaly detection. In: Proceedings of 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID). USENIX Association (2019)"},{"key":"14_CR21","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99843-5_5","volume-title":"Crit. Inf. Infrastruct. Secur.","author":"CY Lin","year":"2017","unstructured":"Lin, C.Y., Nadjm-Tehrani, S., Asplund, M.: Timing-based anomaly detection in SCADA networks. In: D\u2019Agostino, G., Scala, A. (eds.) LNCS, vol. 10707. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-99843-5_5"},{"key":"14_CR22","doi-asserted-by":"crossref","unstructured":"Mai, K., Qin, X., Silva, N.O., Cardenas, A.A.: IEC 60870-5-104 network characterization of a large-scale operational power grid. In: Proceedings of Security and Privacy Workshops (SPW) (2019)","DOI":"10.1109\/SPW.2019.00051"},{"key":"14_CR23","doi-asserted-by":"crossref","unstructured":"Sayegh, N., Elhajj, I.H., Kayssi, A., Chehab, A.: SCADA intrusion detection system based on temporal behavior of frequent patterns. In: Proceedings of the 17th Mediterranean Electrotechnical Conference (MELECON). IEEE (2014)","DOI":"10.1109\/MELCON.2014.6820573"},{"key":"14_CR24","doi-asserted-by":"crossref","unstructured":"Udd, R., Asplund, M., Nadjm-Tehrani, S., Kazemtabrizi, M., Ekstedt, M.: Exploiting bro for intrusion detection in a SCADA system. In: Proceedings of the 2nd International Workshop on Cyber-Physical System Security (CPSS). ACM (2016)","DOI":"10.1145\/2899015.2899028"},{"key":"14_CR25","doi-asserted-by":"publisher","first-page":"1068","DOI":"10.1109\/TPWRD.2016.2603339","volume":"32","author":"Y Yang","year":"2017","unstructured":"Yang, Y., Xu, H.Q., Gao, L., Yuan, Y.B., McLaughlin, K., Sezer, S.: Multidimensional intrusion detection system for IEC 61850-based SCADA networks. IEEE Trans. Power Delivery 32, 1068\u20131078 (2017)","journal-title":"IEEE Trans. Power Delivery"}],"container-title":["Lecture Notes in Computer Science","Cyber-Physical Security for Critical Infrastructures Protection"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-69781-5_14","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,2,19]],"date-time":"2021-02-19T11:18:33Z","timestamp":1613733513000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-69781-5_14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030697808","9783030697815"],"references-count":25,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-69781-5_14","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"18 February 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CPS4CIP","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Workshop on Cyber-Physical Security for Critical Infrastructures Protection","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Guildford","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Kingdom","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2020","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 September 2020","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 September 2020","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"1","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"cps4cip2020","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/sites.google.com\/fbk.eu\/cps4cip20","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"23","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"12","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"52% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"1","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"The conference was held online due to the COVID-19 pandemic.","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}