Industrial Control System Monitoring Based on Communication Profile

Masafumi, Matta; Koike, Masato; Machii, Wataru; Aoyama, Tomomi; Naruoka, Hidemasa; Koshijima, Ichiro; Hashimoto, Y.

doi:10.1252/jcej.14we323

Cited by 5 publications

(8 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since the communication behaviors in ICSs are usually periodic [28], [34], the length of the period can be taken as the E-DFA matching length. But there are some special situations need to be considered in reality, such as: 1) Packet retransmission: a same packet is sent repeatedly at two adjacent instant, i.e.…”

Section: End If 16: End Formentioning

confidence: 99%

A Software-Defined Security Approach for Securing Field Zones in Industrial Control Systems

2019

View full text Add to dashboard Cite

Industrial control systems (ICSs) are facing increasingly severe security threats. Zone isolation, a commonly adopted idea for stopping attack propagation in general information systems, has been investigated for ICS security protection. It is usually implemented through perimeter security techniques. However, anomaly states of the physical processes in a compromised field zone may spread into other zones through the inter-zone information interaction. Due to the coupling of the physical processes between different zones, it is difficult to prevent the propagation of attack impact in ICSs. In this paper, a softwaredefined security (SDSec) approach is presented to address this problem. It consists of a hybrid anomaly detection module and a multi-level security response module, both of which work together to secure the ICS field zones. The hybrid anomaly detection module inspects anomaly behaviors from the perspectives of network communications and physical process states. The multi-level security response module helps prevent unapproved packets from communications, thus isolating any compromised zone. It also generates attack mitigation strategies to secure physical processes. Hardware-in-the-loop simulations are conducted to demonstrate the effectiveness of the presented approach.

show abstract

Section: End If 16: End Formentioning

confidence: 99%

A Software-Defined Security Approach for Securing Field Zones in Industrial Control Systems

2019

View full text Add to dashboard Cite

show abstract

“…The previous work [13] suggested that packet intervals reflect the characteristics of packets in a typical ICS network. In a typical ICS network, there are IP communications between the object linking and embedding (OLE) for process control (OPC) server and the single loop controller (SLC) (programmable logic controller (PLC)).…”

Section: Packet Intervalsmentioning

confidence: 99%

“…The proposed method was evaluated using datasets obtained from the testbed prepared for previous research [13]. Fig.…”

Section: Evaluation Environmentmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion Detection Method for Industrial Control Systems Using Singular Spectrum Analysis

Terai

Chiba

Shintani

et al. 2018

WIT Transactions on Engineering Sciences

Self Cite

View full text Add to dashboard Cite

Because of their automated processing capabilities, industrial control systems (ICSs) currently play a crucial role in plant operations. It was not long before ICS had been completely insulated from the Internet. However, because of the improved reliability of ICS devices and systems, we could find only a few plants that did not use ICS in conjunction with the Internet. As a result, the extended accessibility of almost every ICS component makes such systems vulnerable to cyber-attacks. Because of this, intrusion detection systems, which monitor ICS network traffic and detect suspicious activities within the components themselves, are extremely important. Previous studies argued that packet intervals could ideally be regarded as indicators of the hazardous status of ICSs against hacking activities, and proposed intrusion detection methodologies relying solely on packet intervals. However, these methodologies with supervised machine-learning have inevitably been compromised by cyber-attacks whose characteristics are different than those of the training dataset. We hypothesize that packet intervals in an ICS network used for automated industrial processes, which are forced to produce a certain type of periodicity, reflect a particular type of packet interval patterns. In other words, certain anomalous behaviors never fail to interfere with this pattern. This paper proposes an intrusion detection method using a singular spectrum analysis to monitor time series packets. We evaluated our proposed method on our cybersecurity testbed using penetration tests. The results verified the validity of our system realized in the packet interval periodicity. Furthermore, we examined the optimum parameter set for the singular spectrum analysis in the proposed method. From this experiment, we successfully designated criteria for the parameter-set based on the period of the packet intervals during normal operations. The proposed method successfully detected all three types of attacks within 4 sec, without producing a false alert during normal operations.

show abstract

“…When an ICS network during steady-state exhibits a particular pattern, the techniques can infer the hidden structure of the pattern and detect anomalous behavior by comparing the pattern during steady-state. Matta et al [15] demonstrated that packet intervals during steadystate have a particular pattern and cyber-attacks may disturb this pattern. Furthermore, a certain type of periodicity was observed in time-series packet intervals using a testbed, and an IDS was proposed using singular spectrum analysis (SSA) by searching for the disturbance [16].…”

Section: Introductionmentioning

confidence: 99%

Intrusion Detection Using Long Short-Term Memory Model for Industrial Control System

Terai¹,

Chiba²,

Shintani³

et al. 2020

IJSSE

Self Cite

View full text Add to dashboard Cite

Given the rapid progress of digital technology, systems are increasingly vulnerable to cyber-attacks. Intrusion detection systems (IDS), which monitor an industrial control system (ICS) network traffic and detect suspicious activities, are a necessity for the operation of ICSs. Previous studies argued that packet intervals could ideally be regarded as indicators of the cyber-attacks on ICSs and proposed an intrusion detection methodology relying on packet intervals using singular spectrum analysis (SSA). SSA is a nonparametric spectral estimation method, but it suffers from high computational cost. Thus, in this study, a long short-term memory (LSTM) model was developed based on the packet intervals during steady-state operation, and an intrusion detection method using the LSTM model was proposed. The LSTM model is a recurrent neural network model and can be used for time-series prediction problems. Furthermore, we evaluated the proposed method on a cybersecurity testbed using penetration tests. The results show that the LSTM model performs better than SSA and suggests the possibility of the application of the LSTM model to IDS for various types of plants by adjusting its complexity.

show abstract

Industrial Control System Monitoring Based on Communication Profile

Cited by 5 publications

References 2 publications

A Software-Defined Security Approach for Securing Field Zones in Industrial Control Systems

A Software-Defined Security Approach for Securing Field Zones in Industrial Control Systems

Intrusion Detection Method for Industrial Control Systems Using Singular Spectrum Analysis

Intrusion Detection Using Long Short-Term Memory Model for Industrial Control System

Contact Info

Product

Resources

About