Anomaly Detection Method for Unknown Protocols in a Power Plant ICS Network with Decision Tree-Reference-Cited by-同舟云学术

Anomaly Detection Method for Unknown Protocols in a Power Plant ICS Network with Decision Tree

Published:2023-03-26 Issue:7 Volume:13 Page:4203
ISSN:2076-3417
Container-title:Applied Sciences
language:en
Short-container-title:Applied Sciences

Author:

Lee Kyoung-Mun¹²^ORCID,Cho Min-Yang³⁴^ORCID,Kim Jung-Gu⁵,Lee Kyung-Ho²^ORCID

Affiliation:

1. Korea Southern Power Co., Ltd., Andog-si 36618, Republic of Korea

2. Department of Information Security, Korea University, Seoul 02841, Republic of Korea

3. Department of Computer Science and Engineering, Korea University, Seoul 02841, Republic of Korea

4. Department of Computer Software, Dong Seoul University, Seongnam-si 13117, Republic of Korea

5. Department of AI Application Software, Dong Seoul University, Seongnam-si 13117, Republic of Korea

Abstract

This study aimed to enhance the stability and security of power plant control network systems by developing detectable models using artificial intelligence machine learning techniques. Due to the closed system operation policy of facility manufacturers, it is challenging to detect and respond to security threats using standard security systems. With the increasing digitization of control systems, the risk of external malware penetration is also on the rise. To address this, machine learning techniques were applied to extract patterns from network traffic data produced at an average of 6.5 TB per month, and fingerprinting was used to detect unregistered terminals accessing the control network. By setting a threshold between transmission amounts and attempts using one month of data, an anomaly judgment model was learned to define patterns of data communication between the origin and destination. The hypothesis was tested using machine learning techniques if a new pattern occurred and no traffic occurred. The study confirmed that this method can be applied to not only plant control systems but also closed-structured control networks, where availability is critical, and other industries that use large amounts of traffic data. Experimental results showed that the proposed model outperformed existing models in terms of detection efficiency and processing time.

Publisher

MDPI AG

Subject

Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science

Link

https://www.mdpi.com/2076-3417/13/7/4203/pdf

Reference45 articles.

1. A review on islanding operation and control for distribution network connected with small hydro power plant;Mohamad;Renew. Sustain. Energy Rev.,2011

2. Network traffic analysis and SCADA security;Stavroulakis;Handbook of Information and Communication Security,2010

3. Lippmann, R., Fried, D., Piwowarski, K., and Streilein, W. (2003, January 19–22). Passive operating system identification from TCP/IP packet headers. Proceedings of the Workshop on Data Mining for Computer Security, Melbourne, FL, USA.

4. Automatic payload signature update system for classification of recent network applications;Shim;J. Korean Inst. Commun. Inf. Sci.,2017

5. Tracking the source of cascading cyber attack traffic using network traffic analysis;Goo;Korean Inst. Commun. Inf. Sci.,2016