Detecting cyber intrusions in SCADA networks using multi-agent collaboration

Bibliographic details
Main authors: Shosha, A. F., Gladyshev, P., Shinn-Shyan Wu, Chen-Ching Liu
Format: Conference proceedings
Language: eng
Description
Summary: Current SCADA (Supervisory Control and Data Acquisition) system architecture increases the interconnectivity to/from other distributed networks and services. In addition, within the SCADA networks there are different types of sub-networks and protocols that are used to monitor and control industrial operations. This complex expansion increases the productivity of SCADA networks; however, it also increases security risks and threats. The state-of-the-art Intrusion Detection Systems (IDSs) are not capable enough of detecting anomalies and intrusions that may be aimed to disrupt the SCADA operations. This paper proposes a Distributed Intrusion Detection System (DIDS) based on a community collaboration between multiple agents of anomaly detectors to identify anomaly behaviors in SCADA networks. The proposed architecture for DIDS incorporates the SCADA network topology and connectivity constraints. In this paper, detailed architecture, components, and functions of DIDS are described and attack scenarios are developed to validate the effectiveness of the proposed methodology.
DOI: 10.1109/ISAP.2011.6082170