{"id":"https://openalex.org/W4385679677","doi":"https://doi.org/10.1109/sp46215.2023.10179411","title":"Scaphy: Detecting Modern ICS Attacks by Correlating Behaviors in SCADA and PHYsical","display_name":"Scaphy: Detecting Modern ICS Attacks by Correlating Behaviors in SCADA and PHYsical","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4385679677","doi":"https://doi.org/10.1109/sp46215.2023.10179411"},"language":"en","primary_location":{"id":"doi:10.1109/sp46215.2023.10179411","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179411","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://www.osti.gov/biblio/2001614","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5034721235","display_name":"Moses Ike","orcid":"https://orcid.org/0000-0002-4403-5745"},"institutions":[{"id":"https://openalex.org/I4210104735","display_name":"Sandia National Laboratories","ror":"https://ror.org/01apwpt12","country_code":"US","type":"facility","lineage":["https://openalex.org/I1330989302","https://openalex.org/I198811213","https://openalex.org/I4210104735"]},{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Moses Ike","raw_affiliation_strings":["Georgia Institute of Technology","Sandia National Laboratories"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]},{"raw_affiliation_string":"Sandia National Laboratories","institution_ids":["https://openalex.org/I4210104735"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055925581","display_name":"Kandy Phan","orcid":null},"institutions":[{"id":"https://openalex.org/I4210104735","display_name":"Sandia National Laboratories","ror":"https://ror.org/01apwpt12","country_code":"US","type":"facility","lineage":["https://openalex.org/I1330989302","https://openalex.org/I198811213","https://openalex.org/I4210104735"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kandy Phan","raw_affiliation_strings":["Sandia National Laboratories"],"affiliations":[{"raw_affiliation_string":"Sandia National Laboratories","institution_ids":["https://openalex.org/I4210104735"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050307562","display_name":"Keaton Sadoski","orcid":"https://orcid.org/0000-0002-0575-9089"},"institutions":[{"id":"https://openalex.org/I4210104735","display_name":"Sandia National Laboratories","ror":"https://ror.org/01apwpt12","country_code":"US","type":"facility","lineage":["https://openalex.org/I1330989302","https://openalex.org/I198811213","https://openalex.org/I4210104735"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Keaton Sadoski","raw_affiliation_strings":["Sandia National Laboratories"],"affiliations":[{"raw_affiliation_string":"Sandia National Laboratories","institution_ids":["https://openalex.org/I4210104735"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5081234524","display_name":"Romuald Valme","orcid":null},"institutions":[{"id":"https://openalex.org/I4210104735","display_name":"Sandia National Laboratories","ror":"https://ror.org/01apwpt12","country_code":"US","type":"facility","lineage":["https://openalex.org/I1330989302","https://openalex.org/I198811213","https://openalex.org/I4210104735"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Romuald Valme","raw_affiliation_strings":["Sandia National Laboratories"],"affiliations":[{"raw_affiliation_string":"Sandia National Laboratories","institution_ids":["https://openalex.org/I4210104735"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5047140382","display_name":"Wenke Lee","orcid":"https://orcid.org/0000-0003-2761-1277"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Wenke Lee","raw_affiliation_strings":["Georgia Institute of Technology"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5034721235"],"corresponding_institution_ids":["https://openalex.org/I130701444","https://openalex.org/I4210104735"],"apc_list":null,"apc_paid":null,"fwci":2.0009,"has_fulltext":false,"cited_by_count":10,"citation_normalized_percentile":{"value":0.87427227,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"20","last_page":"37"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9961000084877014,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9961000084877014,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9879000186920166,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9853000044822693,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/scada","display_name":"SCADA","score":0.9659663438796997},{"id":"https://openalex.org/keywords/testbed","display_name":"Testbed","score":0.8095121383666992},{"id":"https://openalex.org/keywords/cyber-physical-system","display_name":"Cyber-physical system","score":0.6544091701507568},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6334394812583923},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5733019113540649},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.5033826231956482},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.4924982488155365},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.47773024439811707},{"id":"https://openalex.org/keywords/industrial-control-system","display_name":"Industrial control system","score":0.4640433192253113},{"id":"https://openalex.org/keywords/process-control","display_name":"Process control","score":0.41706234216690063},{"id":"https://openalex.org/keywords/supervisory-control","display_name":"Supervisory control","score":0.4163743555545807},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.41452062129974365},{"id":"https://openalex.org/keywords/real-time-computing","display_name":"Real-time computing","score":0.34584516286849976},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.3360030949115753},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.27281564474105835},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.24285387992858887},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.20315289497375488},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.18175384402275085},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.13853666186332703}],"concepts":[{"id":"https://openalex.org/C113863187","wikidata":"https://www.wikidata.org/wiki/Q17498","display_name":"SCADA","level":2,"score":0.9659663438796997},{"id":"https://openalex.org/C31395832","wikidata":"https://www.wikidata.org/wiki/Q1318674","display_name":"Testbed","level":2,"score":0.8095121383666992},{"id":"https://openalex.org/C179768478","wikidata":"https://www.wikidata.org/wiki/Q1120057","display_name":"Cyber-physical system","level":2,"score":0.6544091701507568},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6334394812583923},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5733019113540649},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.5033826231956482},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.4924982488155365},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.47773024439811707},{"id":"https://openalex.org/C40071531","wikidata":"https://www.wikidata.org/wiki/Q2513962","display_name":"Industrial control system","level":3,"score":0.4640433192253113},{"id":"https://openalex.org/C155386361","wikidata":"https://www.wikidata.org/wiki/Q1649571","display_name":"Process control","level":3,"score":0.41706234216690063},{"id":"https://openalex.org/C92991967","wikidata":"https://www.wikidata.org/wiki/Q7644329","display_name":"Supervisory control","level":3,"score":0.4163743555545807},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.41452062129974365},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.34584516286849976},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.3360030949115753},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.27281564474105835},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.24285387992858887},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.20315289497375488},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.18175384402275085},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.13853666186332703},{"id":"https://openalex.org/C119599485","wikidata":"https://www.wikidata.org/wiki/Q43035","display_name":"Electrical engineering","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1109/sp46215.2023.10179411","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179411","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},{"id":"pmh:oai:osti.gov:2001614","is_oa":true,"landing_page_url":"https://www.osti.gov/biblio/2001614","pdf_url":null,"source":{"id":"https://openalex.org/S4306402487","display_name":"OSTI OAI (U.S. Department of Energy Office of Scientific and Technical Information)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I139351228","host_organization_name":"Office of Scientific and Technical Information","host_organization_lineage":["https://openalex.org/I139351228"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":null},{"id":"pmh:oai:osti.gov:2004055","is_oa":true,"landing_page_url":"https://www.osti.gov/biblio/2004055","pdf_url":null,"source":{"id":"https://openalex.org/S4306402487","display_name":"OSTI OAI (U.S. Department of Energy Office of Scientific and Technical Information)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I139351228","host_organization_name":"Office of Scientific and Technical Information","host_organization_lineage":["https://openalex.org/I139351228"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":null}],"best_oa_location":{"id":"pmh:oai:osti.gov:2001614","is_oa":true,"landing_page_url":"https://www.osti.gov/biblio/2001614","pdf_url":null,"source":{"id":"https://openalex.org/S4306402487","display_name":"OSTI OAI (U.S. Department of Energy Office of Scientific and Technical Information)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I139351228","host_organization_name":"Office of Scientific and Technical Information","host_organization_lineage":["https://openalex.org/I139351228"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":null},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320332180","display_name":"Defense Advanced Research Projects Agency","ror":"https://ror.org/02caytj08"},{"id":"https://openalex.org/F4320337345","display_name":"Office of Naval Research","ror":"https://ror.org/00rk2pe57"},{"id":"https://openalex.org/F4320338291","display_name":"Sandia National Laboratories","ror":"https://ror.org/01apwpt12"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":68,"referenced_works":["https://openalex.org/W195047088","https://openalex.org/W1546161534","https://openalex.org/W1613804959","https://openalex.org/W1974853427","https://openalex.org/W1978514793","https://openalex.org/W2022570654","https://openalex.org/W2061243822","https://openalex.org/W2087740020","https://openalex.org/W2089944128","https://openalex.org/W2094925223","https://openalex.org/W2133990480","https://openalex.org/W2141050228","https://openalex.org/W2161592722","https://openalex.org/W2167710876","https://openalex.org/W2187618570","https://openalex.org/W2188955186","https://openalex.org/W2321143867","https://openalex.org/W2321407374","https://openalex.org/W2522306212","https://openalex.org/W2533642151","https://openalex.org/W2535751405","https://openalex.org/W2539881305","https://openalex.org/W2585582797","https://openalex.org/W2613412685","https://openalex.org/W2614176030","https://openalex.org/W2625762372","https://openalex.org/W2736680659","https://openalex.org/W2739593311","https://openalex.org/W2751592946","https://openalex.org/W2752929869","https://openalex.org/W2765362015","https://openalex.org/W2768947629","https://openalex.org/W2794757687","https://openalex.org/W2806115626","https://openalex.org/W2808451969","https://openalex.org/W2810107741","https://openalex.org/W2888456894","https://openalex.org/W2889757908","https://openalex.org/W2890112720","https://openalex.org/W2890946036","https://openalex.org/W2906632784","https://openalex.org/W2912528408","https://openalex.org/W2969699559","https://openalex.org/W2972765956","https://openalex.org/W2988884990","https://openalex.org/W2997065203","https://openalex.org/W3013525724","https://openalex.org/W3096735640","https://openalex.org/W3101076092","https://openalex.org/W3107123323","https://openalex.org/W3128529271","https://openalex.org/W3186345182","https://openalex.org/W3191081123","https://openalex.org/W3200086944","https://openalex.org/W3214091108","https://openalex.org/W4205739822","https://openalex.org/W4231367092","https://openalex.org/W4233778128","https://openalex.org/W4244413641","https://openalex.org/W4292891522","https://openalex.org/W6661876895","https://openalex.org/W6679467835","https://openalex.org/W6687024083","https://openalex.org/W6744143349","https://openalex.org/W6753913213","https://openalex.org/W6782203875","https://openalex.org/W6784360436","https://openalex.org/W6800645602"],"related_works":["https://openalex.org/W3201734049","https://openalex.org/W2521068662","https://openalex.org/W2040933081","https://openalex.org/W308697330","https://openalex.org/W2619521171","https://openalex.org/W3083596355","https://openalex.org/W2764881196","https://openalex.org/W1506138463","https://openalex.org/W3117635458","https://openalex.org/W2943911154"],"abstract_inverted_index":{"Modern":[0],"Industrial":[1],"Control":[2,22],"Systems":[3],"(ICS)":[4],"attacks":[5,38,181,211],"evade":[6],"existing":[7,203],"tools":[8],"by":[9,41],"using":[10],"knowledge":[11],"of":[12,47,54,92,132,202],"ICS":[13,37,79,100,172,177,184],"processes":[14],"to":[15,35,49,57,77,102,113,122,138,144,196,209],"blend":[16],"their":[17],"activities":[18,158],"with":[19],"benign":[20],"Supervisory":[21],"and":[23,109,180,199],"Data":[24],"Acquisition":[25],"(SCADA)":[26],"operation,":[27],"causing":[28],"physical":[29,60,106,116,125,156],"world":[30,61],"damages.":[31],"We":[32,164,205],"present":[33],"Scaphy":[34,96,118,152,166,186],"detect":[36],"in":[39,62],"SCADA":[40,48,76,93,133],"leveraging":[42],"the":[43,51,59],"unique":[44,90,143],"execution":[45,94,135],"phases":[46],"identify":[50,114],"limited":[52],"set":[53],"legitimate":[55,145,161],"behaviors":[56,91,142],"control":[58],"different":[63],"phases,":[64,95],"which":[65],"differentiates":[66],"from":[67],"attacker\u2019s":[68,155],"activities.":[69],"For":[70],"example,":[71],"it":[72],"is":[73,136],"typical":[74],"for":[75],"setup":[78],"device":[80],"objects":[81],"during":[82,86],"initialization,":[83],"but":[84],"anomalous":[85],"process-control.":[87],"To":[88],"extract":[89],"first":[97],"leverages":[98],"open":[99],"conventions":[101],"generate":[103],"a":[104,124,168],"novel":[105],"process":[107],"dependency":[108],"impact":[110],"graph":[111],"(PDIG)":[112],"disruptive":[115],"states.":[117],"then":[119],"uses":[120],"PDIG":[121],"inform":[123],"process-aware":[126],"dynamic":[127],"analysis,":[128],"whereby":[129],"code":[130],"paths":[131],"process-control":[134,146,162],"induced":[137],"reveal":[139],"API":[140],"call":[141],"phases.":[147],"Using":[148,175],"this":[149],"established":[150],"behavior,":[151],"selectively":[153],"monitors":[154],"world-targeted":[157],"that":[159],"violates":[160],"behaviors.":[163],"evaluated":[165],"at":[167],"U.S.":[169],"national":[170],"lab":[171],"testbed":[173],"environment.":[174],"diverse":[176],"deployment":[178],"scenarios":[179],"across":[182],"4":[183],"industries,":[185],"achieved":[187],"95%":[188],"accuracy":[189,198],"&":[190],"3.5%":[191],"false":[192],"positives":[193],"(FP),":[194],"compared":[195],"47.5%":[197],"25%":[200],"FP":[201],"work.":[204],"analyze":[206],"Scaphy\u2019s":[207],"resilience":[208],"futuristic":[210],"where":[212],"attacker":[213],"knows":[214],"our":[215],"approach.":[216]},"counts_by_year":[{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":2}],"updated_date":"2026-03-20T23:20:44.827607","created_date":"2025-10-10T00:00:00"}