Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis

Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests and intrusion detection.Conventional protocol reverse engineering methods have been proposed which are considered time-consuming,tedious,and error-prone.Recently,automatical protocol reverse engineering methods have been proposed which are,however,neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations.In this paper,we present a framework called the industrial control system protocol reverse engineering framework(ICSPRF)that aims to extract ICS protocol fields with high accuracy.ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context,e.g.,basic block(BBL)group.As a result,by monitoring program execution,we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format.We evaluate our approach with six open-source ICS protocol implementations.The results show that ICSPRF can identify individual protocol fields with high accuracy(on average a 94.3%match ratio).ICSPRF also has a low coarse-grained and overly fine-grained match ratio.For the same metric,ICSPRF is more accurate than AutoFormat(88.5%for all evaluated protocols and 80.0%for binary-based protocols).

Detection and localization of cyber attacks on water treatment systems:an entropy-based approach

With the advent of Industry 4.0,water treatment systems(WTSs)are recognized as typical industrial cyber-physical systems(iCPSs)that are connected to the open Internet.Advanced information technology(IT)benefits the WTS in the aspects of reliability,efficiency,and economy.However,the vulnerabilities exposed in the communication and control infrastructure on the cyber side make WTSs prone to cyber attacks.The traditional IT system oriented defense mechanisms cannot be directly applied in safety-critical WTSs because the availability and real-time requirements are of great importance.In this paper,we propose an entropy-based intrusion detection(EBID)method to thwart cyber attacks against widely used controllers(e.g.,programmable logic controllers)in WTSs to address this issue.Because of the varied WTS operating conditions,there is a high false-positive rate with a static threshold for detection.Therefore,we propose a dynamic threshold adjustment mechanism to improve the performance of EBID.To validate the performance of the proposed approaches,we built a high-fidelity WTS testbed with more than 50 measurement points.We conducted experiments under two attack scenarios with a total of 36attacks,showing that the proposed methods achieved a detection rate of 97.22%and a false alarm rate of 1.67%.