ADNA: Anomaly Detection aNd Analysis Tool
ADNA is an online, context-aware tool for anomaly detection, anomalous-data analysis, causal reasoning, consequence indication and response suggestion for SCADA networks. It is written mainly in Bro scripts and Python; its structure is shown in Figure 1. We use the Smart Grid as the design scenario for ADNA; however, it can be adapted to any cyber-physical system that uses SCADA (oil and gas systems, for example) by swapping in the corresponding physical model and domain knowledge.
- The first part consists of the Bro parser and the anomaly detector. Bro analyzes the network traffic and parses not only transport-layer but also application-layer information. Three scopes of statistics offer different granularities of analysis: (a) flow-level information such as source and destination addresses and ports, delays and jitter; (b) control-protocol-level information such as function codes and their parameters; (c) content-level information such as the values returned by read operations. Features are selected, transformed and reduced to construct feature vectors, and statistical and machine-learning techniques are then applied to those vectors to detect anomalies. These three levels of anomaly detection are the building blocks of the tool.
- On top of those building blocks we are building a causality-based analyzer that aggregates and analyzes the identified anomalies. It draws on domain knowledge and causal reasoning, and builds on or reuses cyber-physical models of the system to aid detection as well as causality and consequence analysis. Potential responses are then evaluated and presented to the operator, based on the analysis results and the current system state taken from the cyber-physical models.
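To make the first building block concrete, the following added example (illustration only, not ADNA's own code) shows what the three-scope feature vectors and a simple statistical detector look like in Python. It assumes application-layer records in the shape a Bro/Zeek Modbus parser would yield (timestamp, endpoints, function code, and the register values of read responses), groups them into fixed-width windows per source/destination pair, extracts flow-level, protocol-level and content-level features, and fits a per-feature z-score detector on constructed baseline polling traffic. The record shape, the window width, the feature names, the z threshold and the traffic itself are all assumptions made for this example.

```python
"""Three-scope feature extraction and z-score anomaly detection over
Bro/Zeek-style Modbus records. Added illustration, not ADNA's code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Standard Modbus function codes used by the constructed traffic.
READ_HOLDING = 3
WRITE_SINGLE = 6
WRITE_MULTIPLE = 16
WRITE_CODES = {WRITE_SINGLE, WRITE_MULTIPLE}


@dataclass(frozen=True)
class Record:
    """One application-layer record (assumed shape): the fields a Zeek
    modbus.log line carries, plus the register values of a read response."""
    ts: float
    src: str
    dst: str
    func: int
    registers: Tuple[int, ...] = ()


FeatureVec = Dict[str, float]


def extract_features(records: List[Record]) -> FeatureVec:
    """One feature vector for a (src, dst) time window, at the three scopes."""
    ts = sorted(r.ts for r in records)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    codes = Counter(r.func for r in records)
    values = [v for r in records if r.func == READ_HOLDING for v in r.registers]
    return {
        # (a) flow level: volume and timing
        "pkt_count": float(len(records)),
        "mean_gap": mean(gaps) if gaps else 0.0,
        # (b) control-protocol level: function-code mix
        "read_count": float(codes[READ_HOLDING]),
        "write_count": float(sum(codes[c] for c in WRITE_CODES)),
        # (c) content level: values carried by read responses
        "reg_mean": mean(values) if values else 0.0,
        "reg_max": float(max(values)) if values else 0.0,
    }


def windows(records: List[Record], width: float) -> Dict[tuple, List[Record]]:
    """Group records into fixed-width windows per (src, dst) pair."""
    out: Dict[tuple, List[Record]] = defaultdict(list)
    for r in records:
        out[(r.src, r.dst, int(r.ts // width))].append(r)
    return dict(out)


class ZScoreDetector:
    """Per-feature z-score detector fitted on baseline windows."""

    def __init__(self, threshold: float = 3.0, min_std: float = 0.5):
        self.threshold = threshold
        # A feature that never varies in the baseline (write_count is 0 in
        # every normal window here) has std 0, so any deviation would score
        # infinite. The floor keeps one stray write below threshold while a
        # burst of writes still trips it.
        self.min_std = min_std
        self.mu: FeatureVec = {}
        self.sigma: FeatureVec = {}

    def fit(self, vecs: List[FeatureVec]) -> "ZScoreDetector":
        for k in vecs[0]:
            col = [v[k] for v in vecs]
            self.mu[k] = mean(col)
            self.sigma[k] = max(pstdev(col), self.min_std)
        return self

    def score(self, vec: FeatureVec) -> FeatureVec:
        return {k: (vec[k] - self.mu[k]) / self.sigma[k] for k in self.mu}

    def flagged(self, vec: FeatureVec) -> List[str]:
        """Names of features whose |z| exceeds the threshold (sorted)."""
        return sorted(k for k, z in self.score(vec).items() if abs(z) > self.threshold)


def baseline_traffic(n_windows: int = 10, width: float = 10.0) -> List[Record]:
    """Constructed normal traffic: one HMI polls one RTU once per second,
    reading a holding register that hovers around 500."""
    return [Record(w * width + k, "10.0.0.5", "10.0.1.20", READ_HOLDING, (500 + k % 3,))
            for w in range(n_windows) for k in range(10)]


def anomalous_window(start: float = 100.0) -> List[Record]:
    """Constructed anomalous window: the same polls, plus a burst of writes
    from the HMI and one read response carrying an out-of-range value."""
    recs = [Record(start + k, "10.0.0.5", "10.0.1.20", READ_HOLDING, (500 + k % 3,))
            for k in range(9)]
    recs.append(Record(start + 9, "10.0.0.5", "10.0.1.20", READ_HOLDING, (4000,)))
    recs += [Record(start + k + 0.5, "10.0.0.5", "10.0.1.20", WRITE_SINGLE)
             for k in range(5)]
    return recs


def run_demo() -> Tuple[ZScoreDetector, List[str], List[str]]:
    det = ZScoreDetector().fit(
        [extract_features(w) for w in windows(baseline_traffic(), 10.0).values()])
    normal_flags = det.flagged(extract_features(baseline_traffic(1)))
    attack_flags = det.flagged(extract_features(anomalous_window()))
    return det, normal_flags, attack_flags


if __name__ == "__main__":
    _, normal, attack = run_demo()
    print("normal window flagged:", normal)  # []
    print("attack window flagged:", attack)  # ['pkt_count', 'reg_max', 'reg_mean', 'write_count']
```

Each scope contributes something the others cannot: the packet count and write burst are visible at the flow and protocol levels even if every value read is plausible, while the out-of-range register value is caught only at the content level. The `min_std` floor is the practical caveat: features that are constant in the training baseline (here, the write count) otherwise produce infinite z-scores and turn any single deviation into an alert.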
For more information about this technology or opportunities for industrial collaboration, contact Wenyu Ren. More information is also available on the Related Research Activity page.