Content-based deep communication control for networked control system

IEEE Trans.Inform.Forensic Secur.

Shang

Zeng

2017

Self Cite

Abstract-Due to the growing dependencies of information network technology, networked control systems are undergoing a severe blow of cyberattacks, and simply modeling cyberattacks is inadequate and impractical for the detection requirements, because of various vulnerabilities in these systems and the diversities of cyberattacks. Actually, a feasible viewpoint is to identify misbehaviors by constructing a normal model of industrial communication behaviors. However, one of the chief difficulties is how to completely and appropriately summarize industrial communication behaviors according to the specific communication characteristics. In view of process control and data acquisition, this paper associates industrial communication characteristics with the time sequence, and further extracts two distinct behaviors: function control behavior and process data behavior. Based on these double behavior characteristics, we introduce one-class classification to detect the corresponding anomalies, respectively. Besides, we also present the weighted mixed Kernel function and parameter optimization method to improve classification performance. Experimental results clearly demonstrate that the proposed approach has significant advantages of classification accuracy and detection efficiency.Index Terms-Function control behavior, process data behavior, one-class classification, networked control systems.

Section: Experimental Results and Analysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Double Behavior Characteristics for One-Class Classification Anomaly Detection in Networked Control Systems

IEEE Trans.Inform.Forensic Secur.

Shang

Zeng

2017

Self Cite

“…In the device-oriented cases, trusted computing for industrial embedded devices [16] is a burgeoning security technology to provide system integrity check and data confidentiality protection. In the network-oriented cases, industrial firewall [11,17] and intrusion detection [15,18,19] are the typical applications in industrial control networks to improve the communication security. However, because we have not understood the boundary conditions between the availability and security of industrial control systems, the cases on trusted computing and industrial firewall may result in the processing delay or transmission delay in industrial process automation.…”

Section: Security and Communication Networkmentioning

confidence: 99%

“…Moreover, we suppose that these malicious Modus/TCP packets cannot contain other function codes which are different with the four categories of function codes used in the simulation control system, and these packets only change the function control process. The major reason of such assumption is that the malicious packets containing other function codes can be easily filtered by the applied industrial firewall [11,32]. Besides, we generate 60 malicious function code sequences in each experiment.…”

Section: Detection Performance Evaluationmentioning

confidence: 99%

“…According to the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) statistics [7], the ICS-CERT incident response team generalized and analyzed 290 industrial security incidents in 2016, and more and more sophisticated attacks against industrial control systems are developed by the adversaries. Actually, three comprehensible causes in such a situation can be recognized as follows: (1) multifarious vulnerabilities of industrial control systems have been exposed gradually in recent years, for example, system architecture vulnerability [8,9], embedded control device vulnerability [9][10][11], and industrial communication vulnerability [11,12]; (2) the types of cyberattacks are distinctive and diversified, and targeted attacks and APTs (Advanced Persistent Threats) have permeated to face reality [13]; (3) industrial-oriented defense technologies are in an underway and exploring stage, and the regular Internet security methods are unable to satisfy the special industrial control requirements [14].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Function-Aware Anomaly Detection Based on Wavelet Neural Network for Industrial Control Communication

Security and Communication Networks

Song

Yuan

et al. 2018

Self Cite

Function control, which is an essential link in industrial automation, is undergoing a growing integration with ICTs (Information Communication Technologies) because of the flexible manufacturing and convenient interoperability in CPSs (Cyber-Physical Systems). However, it has also brought the increasing dangers of cyberattacks caused by malicious or intentional industrial process control exploitations. In order to effectively detect these cyber intrusions and anomalies, this paper proposes a function-aware anomaly detection approach based on WNN (Wavelet Neural Network), which perceives the abnormal function control changes in industrial control communication. By appropriately extracting the time-related function control characteristics from industrial communication packets, this approach builds an optimized wavelet neural network to model the normal function control behaviors and calculates the detection threshold to differentiate the aberrant industrial process control activities. Additionally, a real-world control system, whose communication protocol is Modbus/TCP, is simulated to furnish the analyzed function control data. According to the experimental results, we fully demonstrate this approach has the fine detection accuracy and adequate real-time capability.

Software-Defined Data Flow Detection and Control Approach for Industrial Modbus/TCP Communication

Advances in Intelligent, Interactive Systems and Applications

Song

Yuan

et al. 2019

Self Cite

There is an increasing consensus that software-defined networking may become a successful case to provide fine scalability and availability for industrial Internet, and it also brings new opportunities for the development of industrial cyber security. Aligning with the defense in depth strategy, this paper proposes a software-defined data flow detection and control approach for industrial Modbus/TCP communication. Furthermore, this approach designs a novel security strategy configuration service in SDN controllers to publish the flow control rules, and SDN switches match Modbus/TCP data flows with these flow control rules to detect and control abnormal communication behaviors. Specifically, a flow control rule database which stores all flow control rules of the entire control system is managed by SDN controllers, and a security flow table is maintained by each SDN switch according to different requirements of industrial communication. By using the DPI (Deep Packet Inspection) technology, this approach can run a deep analysis of Modbus/TCP packets according to the protocol specification, and block the improper control commands or undesired technology parameters. The qualitative analysis shows that the proposed approach possesses certain advantages and feasibilities.