Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Kai Yang,Qiang Li,Xiaodong Lin,Xin Chen,Limin Sun

DOI: https://doi.org/10.1109/jsac.2020.2980921

IF: 16.4

2020-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Nowadays, the industrial control system (ICS) plays a vital role in critical infrastructures like the power grid. However, there is an increasing security concern that ICS devices are being vulnerable to malicious users/attackers, where any subtle changing or tampering attack would cause significant damage to industrial manufacturing. In this paper, we propose the iFinger, a novel detection approach designed to mitigate ICS attacks adapting to various industrial scenes. We take advantage of an important insight that industrial protocol packets include register status values that are used to reflect the physical characteristics of ICS controllers. The iFinger utilizes register states to generate ICS fingerprints to detect malicious attacks on industrial networks. Specifically, the boolean logic represents every register state sequence of the ICS controller, and the deterministic finite automaton (DFA) generates a device fingerprint. To discover the ICS attacks, we propose two detection approaches based on device fingerprints, including passive and active detection. We present a prototype of the iFinger and conduct real-world experiments to validate its performance. Results show that our approach achieves 97.1% F1 score in ICS device identification. Furthermore, we simulate two typical ICS attacks (replacement and code modification) to validate the effectiveness of our iFinger in industrial networks. Our device fingerprints would detect those malicious attacks within 2s latency at 98.0% recall.

Dinghua Wang,Dongqin Feng

DOI: https://doi.org/10.1109/iaeac.2018.8577543

2018-01-01

Abstract:Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Chuan Sheng,Yu Yao,Wei Yang,Ying Liu,Qiang Fu

DOI: https://doi.org/10.1109/iciai.2019.8850807

2019-01-01

Abstract:Fingerprinting techniques have been widely used in the security field. However, due to the complexity and heterogeneousness of the Industrial Control System (ICS) network, there is hardly any method to fingerprint attack traffic against it. In this paper, we propose a method to fingerprint attack traffic against ICS networks. The proposed method can not only identify different kinds of attack traffic against ICS network, but also evaluate their potentially malicious intents. In addition, the proposed method is able to discover new kinds of attack traffic from ICS network traffic. Specifically, the attack traffic is characterized as the communication pattern, which is used to evaluate the intent level and further resolved as the communication pattern fingerprint (CPF). The CPF is used to distinguish different kinds of attack traffic and discover new attack traffic. Our experimental results show that the proposed method can effectively and accurately achieve the above functions.

Pengfei Liu,Yang Liu,Xiangming Wang,Yuanyi Bao,Dong Yang,Wenqing Wang,Tong Wu,Zhuo Lv,Ting Liu

DOI: https://doi.org/10.1109/tii.2022.3198676

IF: 12.3

2023-03-29

IEEE Transactions on Industrial Informatics

Abstract:It is hard to conduct cyberattacks in industrial control systems (ICSs) because most underlying networks of ICS like the field bus network are isolated from the internet. However, attackers can physically connect the intrusive device into the target network to launch various attacks, which bypasses the security protection mechanisms between the ICS and the internet. Currently, no effective measures could defend against such unauthorized physical access attacks. In this article, a reflection-based channel fingerprint is proposed to detect and locate these physically intrusive devices in the field bus network. We theoretically analyze the signal reflection characteristics and utilize inevitable changes in the channel fingerprint to detect the intrusive device. Besides, the detected anomaly features could be used to accurately estimate the intrusive device's location. In the end, the proposed method's effectiveness is validated through extensive simulation experiments.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Xuan Feng,Qiang Li,Haining Wang,Limin Sun

DOI: https://doi.org/10.1109/icnp.2016.7784407

2016-01-01

Abstract:Industrial control system (ICS) devices with IP addresses are accessible on the Internet and play a crucial role for critical infrastructures like power grid. However, there is a lack of deep understanding of these devices' characteristics in the cyberspace. In this paper, we take a first step in this direction by investigating these accessible industrial devices on the Internet. Because of critical nature of industrial control systems, the detection of online ICS devices should be done in a real-time and non-intrusive manner. Thus, we first analyze 17 industrial protocols widely used in industrial control systems, and train a probability model through the learning algorithm to improve detection accuracy. Then, we discover online ICS devices in the IPv4 space while reducing the noise of industrial honeypots. To observe the dynamics of ICS devices in a relatively long run, we have deployed our discovery system on Amazon EC2 and detected online ICS devices in the whole IPv4 space for eight times from August 2015 to March 2016. Based on the ICS device data collection, we conduct a comprehensive data analysis to characterize the usage of ICS devices, especially in the answer to the following three questions: (1) what are the distribution features of ICS devices, (2) who use these ICS devices, and (3) what are the functions of these ICS devices.

Pieter Van Vliet,M-T. Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1611.01754

2016-11-06

Abstract:Industrial Control Systems (ICS) are used worldwide in critical infrastructures. An ICS system can be a single embedded system working stand-alone for controlling a simple process or ICS can also be a very complex Distributed Control System (DCS) connected to Supervisory Control And Data Acquisition (SCADA) system(s) in a nuclear power plant. Although ICS are widely used to-day, there are very little research on the forensic acquisition and analyze ICS artefacts. In this paper we present a case study of forensics in ICS where we de-scribe a method of safeguarding important volatile artefacts from an embedded industrial control system and several other sources

Cryptography and Security

Chao Shen,Chang Liu,Haoliang Tan,Zhao Wang,Dezhi Xu,Xiaojie Su

DOI: https://doi.org/10.1109/MWC.2017.1800132

IF: 12.777

2018-01-01

IEEE Wireless Communications

Abstract:An increasing number of wireless intelligent equipment is applied to ICS networks. However, it is virtually impossible to use regular encryption methods and security patches to enhance the security level of legacy equipment in ICS networks due to weak computing and storage capabilities of the equipment. To address these concerns, a hybrid-augmented device fingerprinting approach is developed to en...

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jianfeng Zou,Xueqi Jin,Lei Zhang,Yueqiang Wang,Bo Li

DOI: https://doi.org/10.1109/cse/euc.2019.00063

2019-01-01

Abstract:Industrial Control Security (ICS) plays an important role in protecting Industrial assets and processed from being tampered by attackers. Recent years witness the fast development of ICS technology. However there are still few real case study to verify the effectiveness of ICS approaches when dealing with ICS threats. In this paper, we provide a real case study in industrial environments. The case study demonstrates the attacking process of virus spread and worm propagation in industrial environments. The case study also shows how the anomaly detection techniques could be used to identify the bad behaviors of virus and help security administrators to enhance the security of industrial environments.

Zhan-wei SONG,Rui-kang ZHOU,Ying-xu LAI,Ke-feng FAN,Xiang-zhen YAO,Lin LI,Wei LI

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.01.041

2018-01-01

Abstract:At present,the ICS network security has become a key problem in the field of information security.Detecting attacks,such as behavior data tampering attack and control program tampering attack,is a difficult problem of ICS network security.Therefore,this paper proposed an anomaly detection method based on behavior model.This method extracts the behavior data sequence from the industrial control network traffic.Then it constructs the normal behavior model according to the control process and the controlled process of ICS.At last,it determines whether an exception occurs by comparing and analyzing the behavior data extracted in real time and the behavior data predicted by the model.The experimental analysis shows that it can effectively detect behavior data tampering attack,control program tampering attack and so on.

Yan Hu,Yuyan Sun,Youcheng Wang,Zhiliang Wang

DOI: https://doi.org/10.1109/access.2019.2949645

IF: 3.9

2019-01-01

IEEE Access

Abstract:Industrial Control Systems (ICS) play a very important role in national critical infrastructures. However, the growing interaction between the modern ICS and the Internet has made ICS more vulnerable to cyber attacks. In order to protect ICS from malicious attacks, intrusion detection technology emerges. By analyzing the network meta data or the industrial process data, Intrusion Detection Systems (IDS) can identify attacks that violate communication protocols or system specifications. However, the existing intrusion detection technology is not omnipotent, which opens up a back door for some more advanced attacks. In this work, we design an enhanced multi-stage semantic attack against ICS, which is undetectable by existing IDS. By hijacking the communication channels between the Human Machine Interface (HMI) and the remote Programmable Logic Controllers (PLCs), the attacker can manipulate the measurement data and control instructions simultaneously. The fake measurement data deceives the human operator into making wrong decisions. Furthermore, the attacker can strategically manipulate the semantic meaning of control instructions according to system state transition rules. In the meanwhile, a fake view of measurement data is presented to the HMI to conceal the on-going malicious attack. This attack is totally stealthy since the message sizes and timing, the command sequences, and the system state values are all legitimate. Consequently, this attack can secretly bring the system into critical states. Experimental results have verified the strong attack ability of the proposed attack.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Pengfei Liu,Ting Liu

DOI: https://doi.org/10.1109/cns.2018.8433194

2018-01-01

Abstract:It is difficult to prevent attackers from intruding into the industrial control system(ICS) physically, who can connect external devices to the system to steal information or inject false data. In this paper, a physical intrusion detection method is proposed for ICS, by analyzing the communication signal at physical layer. RS485, one of the most important and widely-used serial bus, is selected to investigate how the intruded devices influence the voltage signal in ICS network. The model of voltage signal in RS485 communication lines is built to represent the difference caused by the variation of devices and detect the intruded devices. In the simulation, we demonstrate how to detect an intruded device in a two-device RS485 system.

Shen Wang,An Huang,Zhongchuan Fu

DOI: https://doi.org/10.1007/978-981-10-6571-2_237

2018-01-01

Abstract:While the Industrial control system(ICS) is making great progress for the society, it is facing a huge security risk at the same time. There are some methods like upgrading system and updating patches to protect the ICS, but they are inevitable lagging behind anyway. Byte-level is useful for network intrusion detection and does not need knowledge of the device to be detected. Based on the network data in the industrial control system, we propose an adaptive DBSCAN clustering method for extracting the control instructions in the data packet, and then learning these instructions with the n-gram model. According to received instructions, we are able to predict the next possible instruction. Whether the system is being attacked can be recommended by comparing the instruction that we forecast with the real instruction. Experiments show that the behavior prediction has high accuracy.

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Qiang Li,Xuan Feng,Haining Wang,Limin Sun

DOI: https://doi.org/10.1109/JIOT.2018.2826558

IF: 10.6

2018-01-01

IEEE Internet of Things Journal

Abstract:Industrial control system (ICS) devices play a crucial role in critical infrastructures, such as power grid. In recent years, numerous ICS devices are accessible on the Internet, resulting in potential security issues. However, there is a lack of deep understanding of these devices&#39; characteristics in the cyberspace. In this paper, we take the first step in this direction by investigating these vi...

Shan Gao,Junjie Chen,Bingsheng Zhang,Kui Ren

DOI: https://doi.org/10.1155/2023/7010155

IF: 1.968

2023-01-01

Security and Communication Networks

Abstract:With the development of IT technologies, an increasing number of industrial control systems (ICSs) can be accessed from the public Internet (with authentication). In such an open environment, cyberattacks become a serious threat to both ICS system integrity and data privacy. As a countermeasure, anomaly detection systems are often deployed to analyze the network traffic. However, due to privacy regulation, the network packages cannot be directly processed in plaintext in many countries. In this work, we present a privacy-preserving anomaly detection platform for ICS. The platform consists of three nodes running low-latency MPC protocols to evaluate the live network packages using decision trees on the fly with privacy assurance. Our benchmark result shows that the platform can process thousands of packages every ten seconds.

Yi Yang,Hai-Qing Xu,Lei Gao,Y.B. Yuan,Kieran McLaughlin,Sakir Sezer

DOI: https://doi.org/10.1109/TPWRD.2016.2603339

IF: 4.825

2017-01-01

IEEE Transactions on Power Delivery

Abstract:Emerging cybersecurity vulnerabilities in supervisory control and data acquisition (SCADA) systems are becoming urgent engineering issues for modern substations. This paper proposes a novel intrusion detection system (IDS) tailored for cybersecurity of IEC 61850 based substations. The proposed IDS integrates physical knowledge, protocol specifications, and logical behaviors to provide a comprehens...