Journal of Tsinghua University(Science and Technology)    2016, Vol. 56 Issue (1) : 14-21     DOI: 10.16511/j.cnki.qhdxxb.2016.23.013
INFORMATION SECURITY
Scenario fingerprint of an industrial control system and abnormally detection
PENG Yong1,2, XIANG Chong2, ZHANG Miao1, CHEN Dongqing2, GAO Haihui2, XIE Feng2, DAI Zhonghua2
1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China;
2. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract: Industrial control systems (ICSs) are cyber-physical systems (CPSs) that supervise and control physical processes in critical-infrastructure industries such as electric power, water treatment, oil and natural gas exploration, transportation, and the chemical industry. Based on the observation that ICS communication data flows follow stable and persistent control patterns, this paper proposes the concept and a methodology of ICS scenario fingerprinting, which analyzes industrial control protocol interaction behavior to represent the normal behavior characteristics of an ICS at the system level. An ICS scenario fingerprint can identify a unique ICS installation; more generally, it can be used to establish a behavior benchmark for an ICS and then to identify abnormal behavior of that ICS. Experiments were performed to validate the proposed viewpoint, using real equipment for the ICS cyber domain and simulation for the ICS physical domain. The experimental results demonstrate that ICS scenario fingerprinting provides a promising method for ICS security research.
Keywords: industrial control system (ICS); cyber-physical system (CPS); scenario fingerprint; abnormally detection
CLC number (ZTFLH): TP309
Issue Date: 15 January 2016
Cite this article:
PENG Yong, XIANG Chong, ZHANG Miao, et al. Scenario fingerprint of an industrial control system and abnormally detection[J]. Journal of Tsinghua University(Science and Technology), 2016, 56(1): 14-21.
URL: http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2016.23.013 or http://jst.tsinghuajournals.com/EN/Y2016/V56/I1/14