Inference of network unknown protocol structure using CSP(Contiguous Sequence Pattern) algorithm based on tree structure

Shim, Kyuseok; Goo, Young-Hoon; Lee, Min-Seob; Hasanova, Huru; Kim, Myung-Sup

doi:10.1109/noms.2018.8406311

Cited by 7 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Through interactive syntax inference technology, it automatically learned to generate the protocol state machine. Shim et al [60] studied the specification extraction of unknown protocols, using the Apriori-based CSP(Contiguous Sequence Pattern) machine learning algorithm to extract the protocol common strings, and using the tree structure-based CSP algorithm to extract the static fields of the protocol. It can extract all the static fields that are not used often but are possible.…”

Section: A Vulnerabilities In Designmentioning

confidence: 99%

Machine Learning Methods for Industrial Protocol Security Analysis: Issues, Taxonomy, and Directions

Men

Lv²,

Zhou

et al. 2020

IEEE Access

View full text Add to dashboard Cite

Machine learning has been widely studied in the security analysis of Industrial Control Systems (ICSs). However, in industrial scenarios, the amount of data as well as the speed of data generation are very different from standard machine learning data sets. Using these heterogeneous data and finding meaningful insights for practical security applications in ICSs is a big challenge. In addition, ICSs have been built for quite a long time. Security has not been seriously taken into account when ICSs were built. Security assessment or attack prevention cannot always be done in real time, as an ICS requires to be online all the time, especially when it comes to systems that affect critical infrastructure. In this work, we are motivated to a provide a clear and comprehensive survey of the state-of-the-art work that employs machine learning in security applications in ICSs, including vulnerability analysis, vulnerability detection and exploitation, anomaly detection and security assessment. Based on our in-depth survey, we highlight the issues of industrial protocol analysis with machine learning methods, provide the security applications with machine learning in ICSs and indicate the future directions.

show abstract

Section: A Vulnerabilities In Designmentioning

confidence: 99%

Machine Learning Methods for Industrial Protocol Security Analysis: Issues, Taxonomy, and Directions

Men

Lv²,

Zhou

et al. 2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…The proposed method collects more than two message flows, performs pre-processing that extracts messages from the collected data, and then clusters messages of the same type using the k-means algorithm. Common fields are then extracted from the clustered messages using the Apriori algorithm [22] and messages of the same type are merged using these extracted fields.…”

Section: Introductionmentioning

confidence: 99%

Enhance the ICS Network Security Using the Whitelist-based Network Monitoring Through Protocol Analysis

Shim

Sohn

Lee

et al. 2021

JWE

Self Cite

View full text Add to dashboard Cite

In our present technological age, most manual and semi-automated tasks are being automated for efficient productivity or convenience. In particular, industrial sites are rapidly being automated to increase productivity and improve work efficiency. However, while networks are increasingly deployed as an integral part of the automation of industrial processes, there are also many resultant dangers such as security threats, malfunctions, and interruption of industrial processes. In particular, while the security of business networks is reinforced and their information is not easily accessible, intruders are now targeting industrial networks whose security is relatively poor, wherein attacks could directly lead to physical damage. Therefore, numerous studies have been conducted to counter security threats through network traffic monitoring, and to minimize physical loss through the detection of malfunctions. In the case of industrial processes, such as in nuclear facilities and petroleum facilities, thorough monitoring is required as security issues can lead to significant danger to humans and damage to property. Most network traffic in industrial facilities uses proprietary protocols for efficient data transmission, and these protocols are kept confidential because of intellectual property and security reasons. Protocol reverse engineering is a preparatory step to monitor network traffic and achieve more accurate traffic analysis. The field extraction method proposed in this study is a method for identifying the structure of proprietary protocols used in industrial sites. From the extracted fields, the structure of commands and protocols used in the industrial environment can be derived. To evaluate the feasibility of the proposed concept, an experiment was conducted using the Modbus/TCP protocol and Ethernet/IP protocol used in actual industrial sites, and an additional experiment was conducted to examine the results of the analysis of conventional protocols using the file transfer protocol.

show abstract

“…For each type, this system uses contiguous sequence pattern (CSP) algorithms to extract a common substring that defines the field. 22 The structure of the messages is analyzed after field definitions. Finally, the sequence and structure of the message types can be used to identify the types of messages used at industrial sites, the meaning of the fields, and the commands transmitted by the network traffic.…”

Section: Introductionmentioning

confidence: 99%

“…These grouped messages are defined as one type. For each type, this system uses contiguous sequence pattern (CSP) algorithms to extract a common substring that defines the field 22 . The structure of the messages is analyzed after field definitions.…”

Section: Introductionmentioning

confidence: 99%

Clustering method in protocol reverse engineering for industrial protocols

et al. 2020

View full text Add to dashboard Cite

Automation in all aspects of industrial activity is currently needed in today's industries. Networks, which are the most essential elements of automation, have been widely used in industrial sites to realize such needs. However, network security threats and malfunctions at industrial sites can cause considerable physical damage. Damage can be prevented, and threats can be detected through network traffic monitoring. However, industrial protocols use selfdeveloped protocols to ensure rapid and efficient data transfer, and most selfdeveloped protocols are private networking protocols. Efficient network traffic monitoring requires a detailed understanding of the structure of industrial protocols. Studies on existing protocol reverse engineering methods for commercial protocols have indicated that there are many limitations in applying these methods to industrial protocols. Therefore, in this paper, we propose a method of analyzing the structure of private protocols that can be employed as industrial protocols. This methodology consists of six modules: traffic collection, message extraction, message clustering by size, message clustering by similarity, field extraction, and session analysis. We collect traffic using the Schneider Modicon M580 and demonstrate the validity of the proposed methodology by comparing collected traffic with existing protocol reverse engineering methods.

show abstract

Inference of network unknown protocol structure using CSP(Contiguous Sequence Pattern) algorithm based on tree structure

Cited by 7 publications

References 10 publications

Machine Learning Methods for Industrial Protocol Security Analysis: Issues, Taxonomy, and Directions

Machine Learning Methods for Industrial Protocol Security Analysis: Issues, Taxonomy, and Directions

Enhance the ICS Network Security Using the Whitelist-based Network Monitoring Through Protocol Analysis

Clustering method in protocol reverse engineering for industrial protocols

Contact Info

Product

Resources

About