Science and Development Network (SciDev.Net)
The Distributed Network Protocol Version 3 (DNP3) protocol is widely used in SCADA systems as a means of communicating observed sensor state information back to a control center. In general, utilities that use the DNP3 protocol repeat their own limited operations, so a whitelist-based approach is clearly suitable for network intrusion detection. In this paper, the authors propose a burst-based whitelist model for utilities using the DNP3 protocol. A burst is a group of consecutive packets with shorter inter-arriving time than packets arriving before or after the burst of packets. When utilities communicate on the DNP3 protocol, one transaction at the application-level is mapped to one burst.