Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Jiahan Dong,Tong Jin,Bowen Li,Yinan Zhong,Guangxin Guo,Xiaohu Wang,Yanjiao Chen

DOI: https://doi.org/10.1109/cyberc62439.2024.00016

2024-01-01

Abstract:The Internet of Things (IoT) has significantly expanded the scope of the Internet by enabling seamless communication between devices and the cloud. However, the rapid proliferation of IoT devices has led to a surge in cyber-attacks, such as Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MITM) attacks, and privacy data theft. These threats underscore the urgent need for robust device identification (DI) methods. However, current DI approaches often struggle with issues related to accuracy, generalizability across different network environments, privacy concerns, and real-time performance. To address these issues, we introduce DIFORMER, a novel method that leverages network packet data and advanced deep learning techniques, specifically the attention mechanism and residual networks. DIFORMER outperforms existing methods, even in privacy-limited scenarios, and is more generalizable as it does not strictly rely on features like MAC and IP addresses. Rigorous experiments confirm DIFORMER’s effectiveness and robustness, making it a promising solution for securing IoT environments.

Xuan Feng,Qiang Li,Qi Han,Hongsong Zhu,Yan Liu,Jie Cui,Limin Sun

DOI: https://doi.org/10.1109/ICCCN.2016.7568486

2016-01-01

Abstract:Nowadays, more and more physical devices embed computing and networking capabilities and are visible on the Internet. These devices include webcams, net-printers, and industrial control equipments, etc. Collecting information about these devices is crucial to preserve cyber-security and facilitate security auditing for system administrators. In this paper, we propose a scalable framework for physical device profiling. It leverages banner grabbing to identify device types and running services, and uses clock skew to determine a device ID. Our framework scales well. We implement a prototype system and use it to profile Webcams and industrial control device. The results show that our system can effectively profile and identify Webcams in real time. We deploy it on the cloud server and use it to detect 4 billion IP addresses to profile 1.2 million Webcams and more than 60 thousand industrial control devices in 20 hours.

Guannan Guo,Jianwei Zhuge,Mengmeng Yang,Gengqian Zhou,Yixiong Wu

DOI: https://doi.org/10.1109/IINTEC.2018.8695276

2018-01-01

Abstract:Industrial control systems (ICS) have become ubiquitous as cyber-physical systems are widely distributed in critical infrastructures. Yet as the ICS environment evolves and becomes ever more connected, an increasing number of devices are now exposed on the Internet, and the attacking surface and risk increase as well, an attacker who finds an ICS device can cause severe damage to real world easily. In this paper, we deploy high-interaction honeypots using real devices on the Internet to find who is searching the exposed ICS devices and study the discrepancies between different scanners. To gain a more accurate and bigger landscape, instead of performing our own large scale scanning world wide, we provide a survey of ICS devices on the Internet based on historical data collected from multiple data sources. By aggregating and analyzing, we are able to find an even greater number of both ICS devices and honeypots on the Internet compared with any single search engine. We hope to raise the issue of ICS security and inform work on exploring and securing ICS devices on the Internet.

Pengfei Liu,Yang Liu,Xiangming Wang,Yuanyi Bao,Dong Yang,Wenqing Wang,Tong Wu,Zhuo Lv,Ting Liu

DOI: https://doi.org/10.1109/tii.2022.3198676

IF: 12.3

2023-03-29

IEEE Transactions on Industrial Informatics

Abstract:It is hard to conduct cyberattacks in industrial control systems (ICSs) because most underlying networks of ICS like the field bus network are isolated from the internet. However, attackers can physically connect the intrusive device into the target network to launch various attacks, which bypasses the security protection mechanisms between the ICS and the internet. Currently, no effective measures could defend against such unauthorized physical access attacks. In this article, a reflection-based channel fingerprint is proposed to detect and locate these physically intrusive devices in the field bus network. We theoretically analyze the signal reflection characteristics and utilize inevitable changes in the channel fingerprint to detect the intrusive device. Besides, the detected anomaly features could be used to accurately estimate the intrusive device's location. In the end, the proposed method's effectiveness is validated through extensive simulation experiments.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Wei Yang,Yushan Fang,Xiaoming Zhou,Yijia Shen,Wenjie Zhang,Yu Yao

DOI: https://doi.org/10.1007/s10922-024-09805-z

2024-03-06

Journal of Network and Systems Management

Abstract:Industrial control device asset identification is essential to the active defense and situational awareness system for industrial control network security. However, industrial control device asset information is challenging to obtain, and efficient asset detection models and identification methods are urgently needed. Existing active detection techniques send many packets to the system, affecting device operation, while passive identification can only analyze publicly available industrial control data. Based on this problem, we propose an asset identification method including networked industrial control device asset detection, fingerprint feature extraction and classification. The proposed method use TCP SYN semi-networked probing in the asset detection phase to reduce the number of packets sent and remove honeypot device data. The fingerprint feature extraction phase considers the periodicity and long-term stability characteristics of industrial control device and proposes a set of asset fingerprint feature combinations. The classification phase uses an improved decision tree algorithm based on feature weight correction and uses AdaBoost ensemble learning algorithm to strengthen the classification model. The experimental results show that the detection technique proposed by our method has the advantages of high efficiency, low frequency and noise immunity.

computer science, information systems,telecommunications

Yixiong Wu,Jianwei Zhuge,Tingting Yin,Tianyi Li,Junmin Zhu,Guannan Guo,Yue Liu,Jianju Hu

DOI: https://doi.org/10.5220/0010327902370248

2021-01-01

Abstract:The number of Internet-facing industrial control system(ICS) devices has risen rapidly due to remote control demand. Going beyond benefits in maintenance, this also exposes the fragile ICS devices to cyber-attackers. To characterize the security status of Internet-facing ICS devices, we analyze the exposed ICS devices and their vulnerabilities. Considering the ethic, we design and implement ICScope, a passive vulnerability assessment system based on device search engines. Firstly, ICScope extracts the ICS device information from the banners returned by multiple search engines. Then, ICScope filters out the possible ICS honeypots to guarantee accuracy. Finally, ICScope associates ICS vulnerabilities with each ICS device. Over the past year, our measurements cover more than 466,000 IPs. We first perform a comprehensive measurement of Internet-facing ICS devices from Dec 2019 to Jan 2020. We find that there are about 49.58% of Internet-facing ICS devices that can be identified are affected by one or more vulnerabilities. We also conduct three times experiments from Jun 2020 to Dec 2020 to monitor the security status of Internet-facing ICS devices. We observe a slowly decreasing trend in the number of vulnerable ICS devices during our experiment period.

Yiying Yu,Haixiang Wang,Dahua Zhang,Xiaojuan Zhang

DOI: https://doi.org/10.1109/ISAS61044.2024.10552505

2024-05-07

Abstract:In the realm of Industrial IoT, devices are characterized by their diversity and complexity. Upon connection, these devices are exposed to a myriad of security threats. Nevertheless, the adoption of unique device fingerprints facilitates the secure identification and authentication of these devices during access. In this study, we propose DevPF, a novel framework for IoT device identification based on passive traffic analysis. Unlike traditional active detection methods, DevPF analyzes network traffic characteristics without interacting with devices, ensuring minimal network load and no interference with device operations. The framework utilizes machine learning algorithms to classify devices based on extracted traffic features. Experimental results on a public IoT dataset demonstrate that DevPF achieves high classification accuracy, making it a promising solution for enhancing the security of IoT networks.

Computer Science,Engineering

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Xiaobo Ma,Jian Qu,Jianfeng Li,John C. S. Lui,Zhenhua Li,Wenmao Liu,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2021.3112480

2020-01-01

Abstract:With the popularization of Internet of Things (IoT) devices in smart home and industry fields, a huge number of IoT devices are connected to the Internet. However, what devices are connected to a network may not be known by the Internet Service Provider (ISP), since many IoT devices are placed within small networks (e.g., home networks) and are hidden behind network address translation (NAT). Without pinpointing IoT devices in a network, it is unlikely for the ISP to appropriately configure security policies and effectively manage the network. In this paper, we design an efficient and scalable system via spatial-temporal traffic fingerprinting. Our system can accurately identify typical IoT devices in a network, with the additional capability of identifying what devices are hidden behind NAT and how many they are. Through extensive evaluation, we demonstrate that the system can generally identify IoT devices with an F-Score above 0.999, and estimate the number of the same type of IoT device behind NAT with an average error below 5%. We also perform small-scale (labor-intensive) experiments to show that our system is promising in detecting user-IoT interactions.

Libing Qiao,Enhuan Dong,Huanpu Yin,Haisheng Li,Jiahai Yang

DOI: https://doi.org/10.1109/mnet.2024.3374080

IF: 10.294

2024-01-01

IEEE Network

Abstract:With the continuous development of network devices, there are increasingly types and quantities of network devices. Accurate identification of device types helps proactively protect potentially vulnerable devices exposed on the Internet. Among the network device identification methods, the TCP/IP stack active detection method is an important kind since it does not require many open ports of target devices. However, its performance is limited by the rule/fingerprint database quality. Maintaining such a database requires a lot of expert effort, making the method difficult to scale up. To solve the scalability problem, our insight in this paper is to use machine learning methods to generate network device classifiers without needing expert effort. However, generating labeled datasets, extracting features, and selecting features without expert effort is non-trivial. We propose IntelliNDI, an intelligent and active network device identification method. IntelliNDI collects network device type information from multiple cyberspace search engines and filter out the network devices with different types on different search engines. We regard the approximately consistent network device types as the ground truth network device types. As for feature extraction, we use the same attributes employed in the well-known Nmap protocol stack detection to avoid the requirements for constructing features. Finally, we select features with basic ML methods. We implement IntelliNDI for several kinds of typical network devices. The trained classifiers in our experiments can achieve 90 percent accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Marcin Nawrocki,Thomas C. Schmidt,Matthias Wählisch,Matthias Wahlisch

DOI: https://doi.org/10.1109/noms47738.2020.9110256

2020-04-01

Abstract:Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure, but also the Internet ecosystem (e.g., DRDoS attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used (i) to create precise filters for potentially harmful non-industrial ICS traffic, and (ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks.

Said Jawad Saidi,Anna Maria Mandalari,Roman Kolcun,Hamed Haddadi,Daniel J. Dubois,David Choffnes,Georgios Smaragdakis,Anja Feldmann

DOI: https://doi.org/10.48550/arXiv.2009.01880

2020-09-30

Abstract:Consumer Internet of Things (IoT) devices are extremely popular, providing users with rich and diverse functionalities, from voice assistants to home appliances. These functionalities often come with significant privacy and security risks, with notable recent large scale coordinated global attacks disrupting large service providers. Thus, an important first step to address these risks is to know what IoT devices are where in a network. While some limited solutions exist, a key question is whether device discovery can be done by Internet service providers that only see sampled flow statistics. In particular, it is challenging for an ISP to efficiently and effectively track and trace activity from IoT devices deployed by its millions of subscribers --all with sampled network data. In this paper, we develop and evaluate a scalable methodology to accurately detect and monitor IoT devices at subscriber lines with limited, highly sampled data in-the-wild. Our findings indicate that millions of IoT devices are detectable and identifiable within hours, both at a major ISP as well as an IXP, using passive, sparsely sampled network flow headers. Our methodology is able to detect devices from more than 77% of the studied IoT manufacturers, including popular devices such as smart speakers. While our methodology is effective for providing network analytics, it also highlights significant privacy consequences.

Networking and Internet Architecture

Yixiong Wu,Shangru Song,Jianwei Zhuge,Tingting Yin,Tianyi Li,Junmin Zhu,Guannan Guo,Yue Liu,Jianju Hu

DOI: https://doi.org/10.1007/978-3-031-37807-2_1

2022-01-01

Abstract:Industrial Control Systems (ICS) play an important role in modern Industrial manufacturing and city life, as well as an critical attack surface. However, many ICS devices are deployed without proper security consideration, such as being exposed to the public Internet without protection. Furthermore, the ICS devices are hardly updated or patched due to the stability requirements. Therefore, the Internet-accessible ICS devices generally have publicly known vulnerabilities, which makes them fragile victims. In this work, we propose a method to measure the security status of Internet-facing ICS devices in a passive way and develop a prototype ICScope. With ICScope, we can find vulnerable devices without actively scanning the ICS device, which may have negative effects on their normal operation. ICScope collects device information from multiple public search engines like Shodan, gets vulnerability information from vulnerability databases like NVD, and matches them according to the vendors, products, and versions. ICScope can deal with the incomplete device data collected from the search engines and has taken the honeypots into consideration. We use ICScope to launch a comprehensive evaluation of the ICS devices exposed to the Internet between Dec 2019 and Jan 2020, including 466K IPs. The result shows that 49.58% of Internet-facing ICS devices have at least one publicly known vulnerability. We also observed a downward trend in the number of ICS devices and their vulnerable percentage during our measurement spanning 1.5 years.

Yixin Jiang,Yunan Zhang,Xiaoyun Kuang,Aidong Xu,Xuzhu Dong,Shiyong Dai,Jinhua Huang

DOI: https://doi.org/10.1109/ei256261.2022.10116191

2022-01-01

Abstract:Industrial control network intrusion detection system has higher requirements for detection rate, false positive rate, and real-time performance. In order to solve this problem, this paper proposed a new type of feature extractor abstracting mapping from the original low-level feature set to the high-level feature set. This feature extractor is composed of 3 heterogeneous sub-feature extractors 1D CNN, LSTM, and SAE. Secondly, the integrated feature set passes through a random forest (RF) classifier. Thirdly, combined with the regularity and stability of the industrial control network, a suspected host inspection method is designed based on the sequential hypothesis testing of real-time network traffic. This method uses the individual learner results of the above 3 feature extractors. Combining the above, two-stage fusion (SHT-RF) is carried out to realize real-time industrial control network intrusion detection, and achieve the purpose of improving the detection rate and enhancing the robustness of the system. Finally, it is verified on the CICIDS2017 data set. The detection rate of the proposed method is 99.59%, and the false positive rate is 0.09%. Compared with other machine learning methods, it has achieved a good improvement effect.

Pengfei Liu,Yang Liu,Xiangming Wang,Chao Fang,Xiaohong Guan,Ting Liu

DOI: https://doi.org/10.1109/jiot.2021.3126461

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The development of Industrial Internet of Things has made industrial control systems more vulnerable to cyber attacks. Many defense measures have been proposed to prevent attacks in upper IP-based networks. However, the security of underlying field bus networks has not received enough attention. Adversaries could tap intrusive devices into the field bus network via unauthorized physical access. As adversaries' behaviors could be highly concealed when they are eavesdropping or camouflaging, it is challenging and costly to identify these inactive intrusive devices through the network traffic. However, inevitable changes in channel state caused by intrusive devices could be leveraged to detect unauthorized physical access. This article theoretically proves that the transmitted signal's voltage amplitude would vary after tapping intrusive devices into the field bus network. Leveraging the signal's variation, we propose an unauthorized physical access detection method via fingerprinting the channel state. Specifically, we adopt weak signal processing technologies to recover the signal's weak variation and extract its features for detection. The effectiveness of the proposed detection method is validated based on a real testbed. Moreover, simulation experiments with diverse settings demonstrate that the proposed detection method could successfully detect intrusive devices under different scenarios.

Linfeng Wu,Wei Ruan,Keda Sun,Liang Chen,Liu Yang,Tingting Ye

DOI: https://doi.org/10.1109/ICNSC52481.2021.9702185

2021-01-01

Abstract:At present, the security situation in the industrial internet is becoming more and more serious. Various threats such as network attacks, malicious code and vulnerability utilization are gradually increasing. Consequently, it is urgent to study industrial threat detection methods. In order to tackle typical network attacks, system vulnerabilities and malicious operations, a real-time intelligent industrial threat detection method is proposed by analyzing the network data in the industrial control system. Particularly, artificial intelligence technique, adversarial sample generation technique and deep learning model are used in the method. Besides, the proposed method is achieved in the real network, and the corresponding industrial threat detection platform is developed. The results show that the developed threat detection platform can detect a variety of typical network attacks, system vulnerabilities, malicious code, etc. At the same time, the platform has good throughput and compatibility and is suitable for the actual industrial environment.

Li, Shuai

DOI: https://doi.org/10.1007/s11276-024-03736-y

IF: 2.701

2024-04-24

Wireless Networks

Abstract:Nowadays, the Internet of Things is booming and more and more IoT devices are connected to the Internet. However, due to design and configuration vulnerabilities, as well as the pursuit of cheap IoT devices, these IoT devices are often vulnerable. Therefore, effective identification of IoT devices is essential to maintain security. In this paper, in order to better classify and accurately identify IoT devices of the same type, a combination of traffic-based and machine-learning methods are used to identify IoT devices and hierarchize the model. In the first layer, the IoT devices are classified according to their types or features. In the second layer, feature extraction is performed based on TCP/UDP flows to perform specific device identification under each type of iot device. The final experimental results show that we reduced the data volume by 35%, compared to the benchmark experiment,and achieved an overall recognition accuracy of 99.9% after classification of iot devices.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sharad Agarwal,Pascal Oser,Stefan Lueders

DOI: https://doi.org/10.3390/s19194107

IF: 3.9

2019-09-23

Sensors

Abstract:The introduction of the Internet of Things (IoT), i.e., the interconnection of embedded devices over the Internet, has changed the world we live in from the way we measure, make calls, print information and even the way we get energy in our offices or homes. The convenience of IoT products, like closed circuit television (CCTV) cameras, internet protocol (IP) phones, and oscilloscopes, is overwhelming for end users. In parallel, however, security issues have emerged and it is essential for infrastructure providers to assess the associated security risks. In this paper, we propose a novel method to detect IoT devices and identify the manufacturer, device model, and the firmware version currently running on the device using the page source from the web user interface. We performed automatic scans of the large-scale network at the European Organization for Nuclear Research (CERN) to evaluate our approach. Our tools identified 233 IoT devices that fell into eleven distinct device categories and included 49 device models manufactured by 26 vendors from across the world.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Fangfang Dang,Lijing Yan,Ying Yang,Shuai Li,Dingding Li,Dong Niu

DOI: https://doi.org/10.1088/1742-6596/2781/1/012024

2024-06-16

Journal of Physics Conference Series

Abstract:With the rapid development of Electric Power Internet of Things (IoT) technology, a large number of devices are being networked and exposed to cyberspace. Due to the disparity in security design levels and lax management during usage, electric power terminals are susceptible targets for network attackers. This not only causes losses to device owners but also poses a threat to the overall cybersecurity of the network, as compromised devices can serve as nodes for botnets. The importance of addressing this issue cannot be underestimated. Asset identification is a prerequisite for the secure management of IoT devices. This paper analyzes and studies existing asset identification technologies. Existing device identification methods based on message content features have problems such as reliance on textual features of message content and difficulties in labeling large-scale data. To overcome these limitations, a machine learning-based classification method for IoT devices is proposed. This method extracts features from the web homepage of devices and generates feature vector fingerprints. By leveraging the random forest algorithm, the accuracy of IoT device classification is improved. This approach is suitable for asset identification of IoT devices and provides support for the precise implementation of vulnerability scanning for IoT devices.