Finding anomalies in SCADA logs using rare sequential pattern mining

Abstract

Pattern mining is a branch of data mining used to discover hidden patterns or correlations among data. We use rare sequential pattern mining to find anomalies in critical infrastructure control networks such as supervisory control and data acquisition (SCADA) networks. As anomalous events occur rarely in a system and SCADA systems’ topology and actions do not change often, we argue that some anomalies can be detected using rare sequential pattern mining. This anomaly detection would be useful for intrusion detection or erroneous behaviour of a system. Although research into rare itemsets mining previously exists, neither research into rare sequential pattern mining nor its applicability to SCADA system anomaly detection has previously been completed. Moreover, since there is no consideration to events order, the applicability to intrusion detection in SCADA is minimal. By ensuring the events’ order is maintained, in this paper, we propose a novel Rare Sequential Pattern Mining (RSPM) technique which is a useful anomaly detection system for SCADA. We compared our algorithm with a rare itemset mining algorithm and found anomalous events in SCADA logs.