Network Traffic Analysis and SCADA Security

Abstract

The problem of monitoring and characterizing network traffic arises in the context of a variety of network management functions. For example, consider the five functions defined in the OSI Network Management Framework [20.1], i.e., configuration management, performance management, fault management, accounting management and security management. Traffic monitoring is used in configuration management for tasks such as estimating the traffic demands between different points in the network, so that network capacity can be allocated to these demands. In performance management, traffic monitoring can be used to determine whether the measured traffic levels exceed the allocated network capacity, thus causing congestion or delays. When a fault occurs in the network, traffic monitoring is used in fault management to help locate the source of the fault, based on changes in the traffic levels through the surrounding network elements. In accounting management, traffic monitoring is needed to measure the network usage by each customer, so that costs can be charged accordingly in terms of the volume and type of traffic generated. Finally, network traffic monitoring can be used in security management to identify unusual traffic flows, which may be caused by a denial-of-service attack or other forms of misuse.