{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T17:57:11Z","timestamp":1773511031290,"version":"3.50.1"},"reference-count":33,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2017,2,24]],"date-time":"2017-02-24T00:00:00Z","timestamp":1487894400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"10th International Conference on Critical Information Infrastructures Security"},{"name":"Interdisciplinary Cyber Research Center at TAU"},{"name":"Israeli Ministry of Science and Technology"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Intell. Syst. Technol."],"published-print":{"date-parts":[[2017,7,31]]},"abstract":"<jats:p>\n            Traffic of Industrial Control System (ICS) between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA and a high false-alarm rate. In this article, we introduce a new modeling approach that addresses this gap. Our\n            <jats:italic>Statechart DFA<\/jats:italic>\n            modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We demonstrate how to automatically construct the statechart from a captured traffic stream. Our unsupervised learning algorithms first build a Discrete-Time Markov Chain (DTMC) from the stream. 
Next, we split the symbols into sets, one per multiplexed cycle, based on symbol frequencies and node degrees in the DTMC graph. Then, we create a sub-graph for each cycle and extract Euler cycles for each sub-graph. The final statechart is comprised of one DFA per Euler cycle. The algorithms allow for non-unique symbols, which appear in more than one cycle, and also for symbols that appear more than once in a cycle.\n          <\/jats:p>\n          <jats:p>\n            We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulated multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting statechart modeled the traces with a median false-alarm rate of as low as 0.483%. In all but the most extreme scenarios, the\n            <jats:italic>Statechart<\/jats:italic>\n            model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.\n          <\/jats:p>","DOI":"10.1145\/3011018","type":"journal-article","created":{"date-parts":[[2017,2,27]],"date-time":"2017-02-27T13:06:52Z","timestamp":1488200812000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":27,"title":["Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems"],"prefix":"10.1145","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4423-1399","authenticated-orcid":false,"given":"Amit","family":"Kleinmann","sequence":"first","affiliation":[{"name":"Tel Aviv University, Ramat-Aviv Tel-Aviv, 
Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8371-4759","authenticated-orcid":false,"given":"Avishai","family":"Wool","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Ramat-Aviv Tel-Aviv, Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2017,2,24]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897855"},{"key":"e_1_2_1_2_1","unstructured":"Afcon Technologies. 2015. PULSE HMI Software. Retrieved from http:\/\/www.afcon.co.il\/product\/pulse."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-17127-2_2"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1201\/b16390-12"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2010.5593242"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the International Infrastructure Survivability Workshop.","author":"Byres Eric J.","year":"2004","unstructured":"Eric J. Byres, Matthew Franz, and Darrin Miller. 2004. The use of attack trees in assessing vulnerabilities in SCADA systems. In Proceedings of the International Infrastructure Survivability Workshop."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2732198.2732200"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CPSNA.2013.6614240"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the SCADA Security Scientific Symposium. 127--134","author":"Cheung S.","unstructured":"S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, and A. Valdes. 2007. Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA Security Scientific Symposium. 127--134."},
{"key":"e_1_2_1_10_1","volume-title":"Yao","author":"Dolev Danny","year":"1981","unstructured":"Danny Dolev and Andrew C. Yao. 1981. On the Security of Public Key Protocols. Technical Report. Stanford, CA."},{"key":"e_1_2_1_11_1","unstructured":"Electrical Engineering Blog. 2013. The top most used PLC systems around the world. Electrical installation & energy efficiency. Retrieved from http:\/\/engineering.electrical-equipment.org\/electrical-distribution\/the-top-most-used-plc-systems-around-the-world.html."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2015.05.001"},{"key":"e_1_2_1_13_1","unstructured":"N. Falliere, L. O. Murchu, and E. Chien. 2011. W32.Stuxnet dossier. White paper, Symantec Corp. Security Response (2011)."},
{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/AINA.2010.86"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2013.05.001"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/EC2ND.2011.10"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/0167-6423(87)90035-9"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF01442866"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.15394\/jdfsl.2014.1169"},{"key":"e_1_2_1_20_1","volume-title":"Pre-Proceedings of the 10th International Conference on Critical Information Infrastructures Security (CRITIS\u201915)","author":"Kleinmann Amit","year":"2015","unstructured":"Amit Kleinmann and Avishai Wool. 2015. A statechart-based anomaly detection model for multi-threaded SCADA systems. In Pre-Proceedings of the 10th International Conference on Critical Information Infrastructures Security (CRITIS\u201915). Fraunhofer IAIS, 139--150."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2011.67"},{"key":"e_1_2_1_23_1","volume-title":"Critical Foundations: Protecting America\u2019s Infrastructures - The Report of the President\u2019s Commission on Critical Infrastructure Protection. Technical Report.","author":"Marsh Robert T.","year":"1997","unstructured":"Robert T. Marsh. 1997. Critical Foundations: Protecting America\u2019s Infrastructures - The Report of the President\u2019s Commission on Critical Infrastructure Protection. Technical Report."},
{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/65.283931"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 1997 National Information Systems Security Conference.","author":"Phillip","unstructured":"Phillip A. Porras and Peter G. Neumann. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 1997 National Information Systems Security Conference."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.5555\/1039834.1039864"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"e_1_2_1_28_1","first-page":"800","article-title":"Guide to Industrial Control Systems (ICS) Security","author":"Stouffer K. A.","year":"2013","unstructured":"K. A. Stouffer, J. A. Falco, and K. A. Scarfone. 2013. Guide to Industrial Control Systems (ICS) Security. Technical Report 800-82. National Institute of Standards and Technology (NIST), Gaithersburg, MD.","journal-title":"Technical Report"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978388"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/THS.2009.5168010"},{"key":"e_1_2_1_31_1","unstructured":"T. Wiens. 2014. S7comm Wireshark dissector plugin. Retrieved from http:\/\/sourceforge.net\/projects\/s7commwireshark."},
{"key":"e_1_2_1_32_1","volume-title":"The Free Encyclopedia.","unstructured":"Wikipedia. 2015. Variable-length quantity\u2014Wikipedia, The Free Encyclopedia. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Variable-length_quantity."},{"key":"e_1_2_1_33_1","volume-title":"5th Intl. Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies. 12--16","author":"Yang D.","unstructured":"D. Yang, A. Usynin, and J. W. Hines. 2006. Anomaly-based intrusion detection for SCADA systems. In 5th Intl. Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies. 12--16."},
{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2004.823851"}],"container-title":["ACM Transactions on Intelligent Systems and Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3011018","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3011018","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:23:34Z","timestamp":1750220614000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3011018"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,2,24]]},"references-count":33,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,7,31]]}},"alternative-id":["10.1145\/3011018"],"URL":"https:\/\/doi.org\/10.1145\/3011018","relation":{},"ISSN":["2157-6904","2157-6912"],"issn-type":[{"value":"2157-6904","type":"print"},{"value":"2157-6912","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,2,24]]},"assertion":[{"value":"2015-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-10-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-02-24","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
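The abstract above describes a pipeline (DTMC from the trace, symbol sets per multiplexed cycle, one sub-graph and one Euler cycle per set, one DFA per cycle plus a DFA-selector) and claims it cuts false alarms relative to a naive single DFA. The following is an added, simplified illustration of that pipeline, written here as commentary on the record; it is not the authors' code and does not reproduce their S7 traces or their exact splitting heuristic. Assumptions: symbols are abstract request types rather than S7 messages; the symbol split uses frequency equality only (the paper also uses DTMC node degrees, so this version does not handle non-unique or repeated symbols); each sub-graph is built from the de-multiplexed sub-channel; the cycle names, schedules and the injected symbol "z" are constructed.

```python
# Added example (not code from the paper): simplified statechart construction
# for multiplexed cyclic ICS traffic, compared with a naive single-DFA model.
from collections import Counter, defaultdict

# Constructed ground truth: two cyclic HMI<->PLC request patterns.
# Assumption: symbols stand in for request types; the paper uses S7 messages.
CYCLES = [["a", "b", "c"], ["x", "y"]]

def multiplex(cycles, schedule, rounds):
    """Emit each cycle's symbols in order, interleaved by `schedule`
    (a list of cycle indices), modelling asynchronous scheduling."""
    pos = [0] * len(cycles)
    out = []
    for _ in range(rounds):
        for i in schedule:
            out.append(cycles[i][pos[i]])
            pos[i] = (pos[i] + 1) % len(cycles[i])
    return out

# Same two cycles, different (benign) interleaving in the test trace,
# so the adjacent pairs differ from those seen in training.
TRAIN = multiplex(CYCLES, [0, 1, 0, 1, 0, 1, 1], rounds=5)
TEST = multiplex(CYCLES, [0, 0, 1, 1, 0, 1, 1], rounds=4)

class SingleDFA:
    """Naive model: states are symbols, transitions are the adjacent
    pairs observed in training; any unseen pair is an alarm."""
    def __init__(self, trace):
        self.edges = set(zip(trace, trace[1:]))
    def alarms(self, trace):
        return sum(1 for e in zip(trace, trace[1:]) if e not in self.edges)

def euler_cycle(edges, start):
    """Hierholzer's algorithm over a directed edge list; returns the
    closed walk from `start` without the repeated final symbol."""
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    stack, circuit = [start], []
    while stack:
        u = stack[-1]
        if adj[u]:
            stack.append(adj[u].pop(0))
        else:
            circuit.append(stack.pop())
    circuit.reverse()
    return circuit[:-1]

class CycleDFA:
    """One DFA per Euler cycle: state = index of the next expected symbol.
    A mismatch is an alarm; the DFA then re-synchronises on the symbol."""
    def __init__(self, cycle):
        self.cycle, self.pos = cycle, 0
    def step(self, sym):
        ok = sym == self.cycle[self.pos]
        if ok:
            self.pos = (self.pos + 1) % len(self.cycle)
        elif sym in self.cycle:
            self.pos = (self.cycle.index(sym) + 1) % len(self.cycle)
        return ok

class Statechart:
    """DFA-selector: route each symbol to the DFA that owns it (de-multiplexing).
    A symbol owned by no DFA is itself an alarm."""
    def __init__(self, cycles):
        self.dfas = [CycleDFA(c) for c in cycles]
        self.selector = {s: d for d in self.dfas for s in d.cycle}
    def alarms(self, trace):
        n = 0
        for sym in trace:
            dfa = self.selector.get(sym)
            if dfa is None or not dfa.step(sym):
                n += 1
        return n

def learn_statechart(trace):
    """Unsupervised construction from a captured trace.
    Assumption/simplification: symbols are grouped by frequency alone; the paper
    also uses DTMC node degrees and allows non-unique and repeated symbols,
    which this frequency-only split cannot separate."""
    freq = Counter(trace)
    groups = defaultdict(list)
    for sym in dict.fromkeys(trace):            # first-appearance order
        groups[freq[sym]].append(sym)
    cycles = []
    for syms in groups.values():
        sub = [s for s in trace if s in syms]   # de-multiplexed sub-channel
        edges = list(dict.fromkeys(zip(sub, sub[1:])))  # sub-graph edges
        cycles.append(euler_cycle(edges, sub[0]))
    return cycles

def evaluate(test_trace):
    """Alarm counts of both models on `test_trace` after training on TRAIN."""
    return {"single_dfa": SingleDFA(TRAIN).alarms(test_trace),
            "statechart": Statechart(learn_statechart(TRAIN)).alarms(test_trace)}

# Constructed attack: a request type never seen in training, inserted after
# the first round of the benign test trace.
ANOMALY = TEST[:7] + ["z"] + TEST[7:]

if __name__ == "__main__":
    print("learned cycles:", learn_statechart(TRAIN))
    print("benign, re-interleaved:", evaluate(TEST))
    print("with injected symbol:", evaluate(ANOMALY))
```

On the benign re-interleaved trace the single DFA alarms on every adjacency the new scheduling produces, while the statechart, whose DFAs only ever see their own sub-channel, raises none; the injected symbol is caught by both, and in the statechart it is caught exactly once, by the selector, without disturbing the per-cycle DFAs. The frequency-only split is the weak point to remember in practice: two cycles with the same period, or a symbol repeated inside one cycle, collapse into one group, which is why the paper brings in node degrees.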