Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Mengyao Fu,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9327246

2020-01-01

Abstract:In recent years, the network security problem of industrial control systems is very severe. It is particularly important to detect abnormal situations in the industrial control system network correctly and timely to avoid disasters in the physical world. This paper proposes a compound fuzzy clustering algorithm, taking TE process as the research object, to analyze its working mechanism and distinguish security threats it may encounter. Considering the coupling relationship between the production process unit in the industrial control system, fuzzy clustering is used for each process unit, which performs detection and comprehensive decision-making to obtain the final anomaly detection result. Experimental results show that the proposed compound fuzzy clustering algorithm can realize anomaly detection in industrial control systems.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Eva Holasova,Petr Blazek,Radek Fujdiak,Jan Masek,Jiri Misurec

DOI: https://doi.org/10.1016/j.segan.2023.101269

2024-01-08

Sustainable Energy, Grids and Networks

Abstract:The main objective of this paper is to classify unencrypted and encrypted industrial protocols using deep learning, especially Convolutional Neural Networks. Protocol recognition is important for network security and network analysis. Overall knowledge of industrial protocols and networks is crucial, especially in operational technologies. Five industrial protocol standards are under investigation, namely IEC 60870-5-104, IEC 61850 (MMS, GOOSE, SV) and Modbus/TCP. It is also investigated whether the selected protocols can be recognized in their encrypted version. Furthermore, it is investigated whether this encrypted traffic is recognizable from the use of VPN technology. Three convolutional neural network models were trained to recognize industrial protocols. These networks outperform traditional machine learning in pattern recognition in several areas of classification. By converting the captured traffic into image data that convolutional neural networks work with, differences in the encrypted traffic of different industrial protocols can be recognized. Three scenarios (1D, 2D, PKT) are presented using convolutional neural network models with 1D and 2D architectures. Training, testing and validation data are used to verify each scenario. An accuracy of 96-97 % is achieved for the recognition of unencrypted and encrypted industrial protocols. According to the results, 2D convolutional neural network model is faster than 1D and PKT models. The 1D and 2D models are suitable for use in protocol specific networks. Another application of these models can be anomaly detection in these networks. The PKT model is useful in networks with multiple industry protocols because it can evaluate network traffic on a packet-by-packet basis.

energy & fuels,engineering, electrical & electronic

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Yi-Chuan Wang,Bin-Bin Bai,Xin-Hong Hei,Ju Ren,Wen-Jiang Ji

DOI: https://doi.org/10.6688/jise.202007_36(4).0005

2020-01-01

Journal of information science and engineering

Abstract:In recent years, unscrupulous hacker attacks have led to the information leakage of enterprise and individual network users, which makes the network security issue unprecedented concerned. Botnet and dark network, which use C & C channel of unknown protocol format to communicate, are the important parts. With the development of wireless mobile networks technology, this problem becomes more prominent. Classifying and identifying the unknown protocol features can help us to judge and predict the unknown attack behavior in the Internet of things environment, so as to protect the network security. Firstly, this paper compares the protocol features to be detected with the existing protocol features in the feature base through the vectorization operation of protocol features, selects the feature set with high recognition rate, and judges the similarity between protocols. The extracted composite features are digitized to generate 0-1 matrix, then Principal Component Analysis (PCA) dimension reduction is processed, and finally clustering analysis is carried out. A Clique to Protocol Feature Vectorization (CPFV) algorithm is designed to improve the efficiency of protocol clustering and finally generate a new protocol format. The experimental results show that compared with the traditional Clique and BIRCH algorithms, the proposed optimization algorithm improves the accuracy by 20% and the stability by 15%. It can cluster and identify unknown protocols accurately and quickly.

Yunping Gong,Chaoqun Li,Xiaosheng Fang

DOI: https://doi.org/10.1109/jiot.2023.3302236

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the rapid development of the industrial Internet of things (IIoT), the industrial wireless sensor network (IWSN) with strong information perception capability and strict service quality requirements has been derived. The robust operation of the network plays a crucial role in the collection and transmission of important industrial information. Therefore, it is imperative to solve the problems of short network life and low quality of service (QoS). Considering these problems, this paper comprehensively considers the energy consumption, remaining energy, packet loss rate and delay, and designs a new multi-objective clustering model to accurately and reasonably elect cluster heads. Based on the advantages of the model, a novel multi-objective high-performance clustering framework (namely MHCF-CECSO) is proposed to improve the overall performance of IWSN. Specifically, in MHCF-CECSO, a novel chaotic multi-level elite clone snake optimization method is designed to enhance the optimal clustering mechanism. To further improve the clustering efficiency of MHCF-CECSO, chaos optimization is designed to perform an initial search for the snake group to enhance the diversity of the snake group and the algorithm’s ability to escape from local optimum. In addition, a new multi-level elite cloning strategy is designed, which effectively improves the convergence speed of MHCF-CECSO. Comparing experiments with three state-of-the-art clustering schemes are conducted in four different scenarios, and the results show that the proposed MHCF-CECSO outperforms the other three comparison schemes in terms of network lifetime, energy consumption control and reliability.

Haiyang Liu,Linghang Meng,Yuantao Gu

DOI: https://doi.org/10.1109/iceict55736.2022.9909347

2022-01-01

Abstract:In recent years, with the rapid development of Internet communication and satellite communication, and other fields, the number of network protocol types has gradually increased, which contains a large number of private protocols or unknown protocols, which makes the network management and maintenance work increasingly heavy and very difficult. To address this problem, we proposed a classification method of unknown protocols. By preprocessing, feature extraction, and clustering method based on hyperparametric optimization scheme, two classes of classifiers are constructed to classify and identify the unknown protocol data to meet the actual business requirements. The experimental results show that the improved optimization method has a 4.6% increase in the mean probability of obtaining the global optimal solution compared with the traditional optimization method, and the proposed method can effectively identify and classify the protocols.

Zhi-Yang,Xiao-jun

2020-01-01

Abstract:Intrusion Detection Algorithm of Power Grid Industrial Control System Based on CNN ZHAO Zhi-Yang, XIA Xiao-Jun (University of Chinese Academy of Sciences, Beijing 100049, China) (Shenyang Institute of Computing Technology, Chinese Academy of Sciences, Shenyang 110168, China) Abstract: Traditional power grid industrial control systems are mainly isolated from external networks through tools such as firewalls, but with the application of new technologies such as cloud computing and the Internet of Things, the degree of interconnection between networks has continued to deepen, and the difficulty of security protection has greatly increased. How to effectively detect network intrusion behavior has become very important. Compared with traditional intrusion detection technology, convolutional neural networks have a better ability to extract intrusion features. This study proposes a power grid industrial control system intrusion detection algorithm based on convolutional neural networks. The KDD99 dataset is processed for model training, and a cascade convolution layer is added to optimize the network structure. Under the premise of small parameter scale, the real-time requirements of the model are guaranteed. Compared with the traditional SVM algorithm and the k-means algorithm, the intrusion detection accuracy of the proposed algorithm in this study is improved, the false detection rate is reduced, and the intrusion behavior to the power grid industrial control system can be effectively detected.

Wen Si,Jiang-Hai Li,Xiao-Jin Huang

DOI: https://doi.org/10.1007/978-981-15-1876-8_51

2020-01-01

Abstract:Anomaly detection is significant in the cyber security of industrial control systems. Unsupervised learning neural networks approach is applicable for the anomaly detection of industrial control systems. The large amount of network packets produced from systems every time are suitable source for training data acquisition. However, the packets contains many layers following different protocols. Thus, extracting effective features from packets will make sense. First the structure of a network packet is analyzed, and one packet is divided into two parts, the header part which includes layers following IT network protocols and the data part which includes layers following ICS protocols. Then IT network features are extracted from the header part. Third, the data part is processed by conversation correspondence and physical meaning reverting, so that industrial control features are extracted from this part. Finally, how to apply the extracted features in neural network approaches for ICS anomaly detection is discussed.

Weiping Wang,Chunyang Wang,Yongzhen Guo,Manman Yuan,Xiong Luo,Yang Gao

DOI: https://doi.org/10.3389/fenrg.2020.555145

IF: 3.4

2021-01-19

Frontiers in Energy Research

Abstract:Industrial control network is a direct interface between information system and physical control process. Due to the lack of authentication, encryption, and other necessary security protection designs, it has become the main target of malicious attacks under the trend of increasing openness. In order to protect the industrial control systems, we examine the detection of abnormal traffic in industrial control network and propose a method of detecting abnormal traffic in industrial control network based on autoencoder technology. What is more, a new deep autoencoder model was designed to reduce the dimensionality of traffic data in industrial control network. In this article, the Kullback–Leibler divergence was added to the loss function to improve the ability of feature extraction and the ability to recover raw data. Finally, this model was compared with the traditional data dimensionality reduction method (principal component analysis (PCA), independent component analysis, and singular value decomposition) on gas pipeline dataset. The results show that the approach designed in this article outperforms the three methods in different scenes in terms of f 1 score.

energy & fuels

Yuhuan Liu,Fengyun Zhang,Yulong Ding,Jie Jiang,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.comcom.2022.07.025

IF: 5.047

2022-10-01

Computer Communications

Abstract:The Industrial Internet of Things (IIoT) connects various industrial devices and processes for smart manufacturing purposes. The industrial devices and processes may employ standard or private communication protocols. Protocol Reverse Engineering (PRE) can infer the format of the unknown protocol by analyzing traffic traces. Existing work in the field mainly focuses on Internet protocol only, handling text messages. PRE for industrial control protocols is difficult and particularly designed for IIoT for real-time interconnection among industrial devices. Given the phenomenon that many consecutive sub-messages are often embedded in a lengthy message payload and have a similar format, a novel sub-messages extraction algorithm is proposed in this work by using template iteration as an intermediate step to form a full message format inference framework. An improved evaluation criterion is also proposed to evaluate the sub-messages extraction results. We carry out our algorithm on three standard industrial control protocols and two unknown protocols. Experiments show that adding our sub-messages extraction in PRE for IIoT can greatly improve the accuracy of the overall protocol format inference compared with the existing work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Bin Xie,Xinyu Dong,Changguang Wang

DOI: https://doi.org/10.1155/2021/9322368

2021-08-04

Wireless Communications and Mobile Computing

Abstract:The existing wireless network intrusion detection algorithms based on supervised learning confront many challenges, such as high false detection rate, difficulty in finding unknown attack behaviors, and high cost in obtaining labeled training data sets. This paper presents an improved k -means clustering algorithm for detecting intrusions on wireless networks based on Federated Learning. The proposed algorithm allows multiple participants to train a global model without sharing their private data and can expand the amount of data in the training model and protect the local data of each participant. Furthermore, the cosine distance of multiple perspectives is introduced in the algorithm to measure the similarity between network data objects in the improved k -means clustering process, making the clustering results more reasonable and the judgment of network data behavior more accurate. The AWID, an open wireless network attack data set, is selected as the experimental data set. Its dimensionality reduces by the method of principal component analysis (PCA). Experimental results show that the improved k -means clustering intrusion detection algorithm based on Federated Learning has better performance in detection rate, false detection rate, and detection of unknown attack types.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yixin Jiang,Yunan Zhang,Xiaoyun Kuang,Aidong Xu,Xuzhu Dong,Shiyong Dai,Jinhua Huang

DOI: https://doi.org/10.1109/ei256261.2022.10116191

2022-01-01

Abstract:Industrial control network intrusion detection system has higher requirements for detection rate, false positive rate, and real-time performance. In order to solve this problem, this paper proposed a new type of feature extractor abstracting mapping from the original low-level feature set to the high-level feature set. This feature extractor is composed of 3 heterogeneous sub-feature extractors 1D CNN, LSTM, and SAE. Secondly, the integrated feature set passes through a random forest (RF) classifier. Thirdly, combined with the regularity and stability of the industrial control network, a suspected host inspection method is designed based on the sequential hypothesis testing of real-time network traffic. This method uses the individual learner results of the above 3 feature extractors. Combining the above, two-stage fusion (SHT-RF) is carried out to realize real-time industrial control network intrusion detection, and achieve the purpose of improving the detection rate and enhancing the robustness of the system. Finally, it is verified on the CICIDS2017 data set. The detection rate of the proposed method is 99.59%, and the false positive rate is 0.09%. Compared with other machine learning methods, it has achieved a good improvement effect.

Zhen Qin,Zeyu Yang,Yangyang Geng,Xin Che,Tianyi Wang,Hengye Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621405

2024-01-01

Abstract:Industrial protocols are widely used in Industrial Control Systems (ICSs) to network physical devices, thus playing a crucial role in securing ICSs. However, most commercial industrial protocols are proprietary and owned by their vendors, which impedes the implementation of protections against cyber threats. In this paper, we design REInPro to Reverse Engineer Industrial Protocols. REInPro is inspired by the fact that the structure of industrial protocols can be determined by a particular field referred to control field. By applying a probabilistic model of network traffic behavior, REInPro automatically identifies the control field and groups the associated network traffic into clusters. REInPro then infers critical semantics of industrial protocols by differentiating the features of corresponding protocol fields. We have experimentally implemented and evaluated REInPro using 8 different industrial protocols across 6 Programmable Logic Controllers (PLCs) belonging to 5 original equipment manufacturers. The experimental results show REInPro to reverse-engineer the formats and semantics of industrial protocols with an average correctness/perfection of 0.70/0.58 and 0.96/0.39.

Bowei Ning,Xuejun Zong,Kan He,Lian Lian

DOI: https://doi.org/10.3390/sym15030706

2023-03-12

Symmetry

Abstract:The security of industrial control systems relies on the communication and data exchange capabilities provided by industrial control protocols, which can be complex, and may even use encryption. Reverse engineering these protocols has become an important topic in industrial security research. In this paper, we present PREIUD, a reverse engineering tool for industrial control protocols, based on unsupervised learning and deep neural network methods. The reverse process is divided into stages. First, we use the bootstrap voting expert algorithm to infer the keyword segment boundaries of the protocols, considering the symmetry properties. Then, we employ a bidirectional long short-term memory conditional random field with an attention mechanism to classify the protocols and extract their format and semantic features. We manually constructed data sample sets for six commonly used industrial protocols, and used them to train and test our model, comparing its performance to two advanced protocol reverse tools, MSERA and Discoverer. Our results showed that PREIUD achieved an average accuracy improvement of 7.4% compared to MSERA, and 15.4% compared to Discoverer, while also maintaining a balance between computational conciseness and efficiency. Our approach represents a significant advancement in the field of industrial control protocol reverse engineering, and we believe it has practical implications for securing industrial control systems.

multidisciplinary sciences

Weigang Liu

DOI: https://doi.org/10.1155/2022/4927504

2022-06-10

Wireless Communications and Mobile Computing

Abstract:Attacks on network systems are becoming more and more common, the current state of increasingly sophisticated attack methods, the emergence of intrusion prevention technology is the inevitable result of the development of computer technology and network technology, and research on intrusion prevention has become a new focus of network security technology research in recent years. In order to ensure the security of computer network confidential information, the authors propose a semisupervised clustering intrusion detection algorithm. An overview of machine learning, followed by an explanation of the theory of cluster analysis, simulation experiments were carried out using the K -means algorithm and the semisupervised clustering algorithm proposed by the author, for 10,000 records, the K -means clustering algorithm and the semisupervised clustering algorithm described in this paper are used, respectively, and intrusion detection data tests were performed. At the same time, different K values were selected, three datasets were selected from "kddcup.newtestdata_10_percent_corrected," the test data were tested separately, and their average value was taken as the test result. From the simulation results, the detection rate of the semisupervised clustering algorithm is higher than that of the K -means clustering algorithm, and the false alarm rate and K -means algorithms have also been improved. Therefore, the author's semisupervised algorithm enhances the stability of the system, and the performance of the K -means algorithm is improved to a certain extent. When the value of K gradually increases, the false alarm rate also increases; however, when K is 20, the detection rate is maximized, from this, it can be known that when K is 20, its detection rate reaches 91.76%, and the false alarm rate is 8.54%. The detection rate of the author's algorithm is significantly higher than the other two algorithms, the false positive rate is slightly higher than K -means, and the false positive rate is lower than that of the other algorithm, proving the superior performance of our algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiyang Zhang,Yongze Ma,Yanqing Zhao,Yanxin Li,Yi Hu

DOI: https://doi.org/10.1109/ICTech58362.2023.00073

2023-04-01

Abstract:Aiming at the problem that the existing application layer protocols (http, smtp, ftp) are difficult to fully meet the communication and transmission of industrial data in the network, this paper proposes an industrial Internet application layer protocol QSHQ (Quick-Security-HQ) that supports multiple underlying bearer protocols (MQTT, WebSocket) based on various factors such as security, real-time, versatility, and scalability. QSHQ (Quick-Security-HQ) unifies the format and message structure of industrial data in network transmission, avoids repeated design in industrial Internet development, and at the same time, addresses the security issues of transmission in industrial data networks. In the process of QSHQ message transmission, AES and RSA hybrid encryption technology is used to realize the encryption and decryption of data. Based on this, a set of CNC machine tool security interaction system is designed. The system shows that the protocol can avoid reading and tampering data in network transmission, avoid the network risk caused by the interconnection between CNC network and other networks, and has good real-time performance and versatility, which can provide basic support for industrial data in network transmission.

Engineering,Computer Science