Two-Phase Industrial Control System Anomaly Detection Using Communication Patterns and Deep Learning-Reference-Cited by-同舟云学术

Two-Phase Industrial Control System Anomaly Detection Using Communication Patterns and Deep Learning

Published:2024-04-17 Issue:8 Volume:13 Page:1520
ISSN:2079-9292
Container-title:Electronics
language:en
Short-container-title:Electronics

Author:

Kim Sungjin¹^ORCID,Jo Wooyeon²^ORCID,Kim Hyunjin³,Choi Seokmin⁴,Jung Da-I⁴,Choi Hyeonho⁴,Shon Taeshik³⁵

Affiliation:

1. OT Security Group, Samsung SDS, Seoul 03922, Republic of Korea

2. SAFE Lab, Virginia Commonwealth University, ERB 3339 401 W Main St, Richmond, VA 23284, USA

3. Department of Computer Engineering, Ajou University, Suwon 16499, Republic of Korea

4. Information Security Team, Korea Power Exchange, Naju 58322, Republic of Korea

5. Department of Cybersecurity, Ajou University, Suwon 16499, Republic of Korea

Abstract

Several cases of Industrial Internet of Things (IIoT) attacks with zero-day vulnerabilities have been reported. To prevent these attacks, it is necessary to apply an abnormal behavior detection method; however, there are three main problems that make it hard. First, there are various industrial communication protocols. Instead of IT environments, many unstandardized protocols, which are usually defined by vendors, are used. Second, legacy devices are commonly used, not only EOS (End-of-service), but also EoL (End-of-Life). And last, the analysis of collected data is necessary for defining normal behavior. This behavior should be separately defined in each IIoT. Therefore, it is difficult to apply abnormal behavior detection in environments where economic and human investment is difficult. To solve these problems, we propose a deep learning based abnormal behavior detection technique that utilizes IIoT communication patterns. The proposed method uses a deep learning technique to train periodic data acquisition sequences, which is one of the common characteristics of IIoT. The trained model determined the sequence of packet is normal. The proposed technique can be applied without an additional analysis. The proposed method is expected to prevent security threats by proactively detecting cyberattacks. To verify the proposed method, a dataset was collected from the Korea Electric Power Control System. The model that defines normal behavior based on the application layer exhibits an accuracy of 79.6%. The other model, defining normal behavior based on the transport layer, has an accuracy of 80.9%. In these two models, most false positives and false negatives only occur when the abnormal packet is in a sequence.

Funder

National Research Foundation of Korea

Publisher

MDPI AG

Link

https://www.mdpi.com/2079-9292/13/8/1520/pdf

Reference26 articles.

1. Kaspersky (2020, December 08). ICS Threat Predictions for 2021. Available online: https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Threat-Predictions-2021-EN.pdf.

2. Targeted ransomware: A new cyber threat to edge system of brownfield industrial Internet of Things;Hartog;IEEE Internet Things J.,2019

3. APAD: Autoencoder-based Payload Anomaly Detection for industrial IoE;Kim;Appl. Soft Comput.,2020

4. Securing IoT Space via Hardware Trojan Detection;Guo;IEEE Internet Things J.,2020

5. Correcting design flaws: An improved and cloud assisted key agreement scheme in cyber physical systems;Chaudhry;Comput. Commun.,2020

Cited by 1 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Abnormal behavior detection in industrial control systems based on CNN;Alexandria Engineering Journal;2024-11