RRCNN: Request Response-Based Convolutional Neural Network for ICS Network Traffic Anomaly Detection

Nowadays,industrial control system(ICS)has begun to integrate with the Internet.While the Internet has brought convenience to ICS,it has also brought severe security concerns.Traditional ICS network traffic anomaly detection methods rely on statistical features manually extracted using the experience of network security experts.They are not aimed at the original network data,nor can they capture the potential characteristics of network packets.Therefore,the following improvements were made in this study:(1)A dataset that can be used to evaluate anomaly detection algorithms is produced,which provides raw network data.(2)A request response-based convolutional neural network named RRCNN is proposed,which can be used for anomaly detection of ICS network traffic.Instead of using statistical features manually extracted by security experts,this method uses the byte sequences of the original network packets directly,which can extract potential features of the network packets in greater depth.It regards the request packet and response packet in a session as a Request-Response Pair(RRP).The feature of RRP is extracted using a one-dimensional convolutional neural network,and then the RRP is judged to be normal or abnormal based on the extracted feature.Experimental results demonstrate that this model is better than several other machine learning and neural network models,with F1,accuracy,precision,and recall above 99%.

Endogenous Innovation in Chinese IC Firms:A Case Study Based on the Technology Strategy Evolution of NSBIC

It is a common sense that enterprise is the principal of endogenous innovation, but why many firms do not innovate actively？ What kind of difficulty will enterprises suffer in endogenous innovation？ What can the government do for the endogenous innovation？ These questions are very crucial to realize endogenous innovation. This paper tries to answer the questions mentioned above from the perspective of technology evolution. The industrial environment of emerging technology is emphasized for analyzing the endogenous innovation in Chinese enterprises. The process of endogenous innovation in NanShanBridge Co. Ltd （NSBIC）, which is an IC design firm, is analyzed as a case. From the case study, we can answer the questions above in certain extent, give some suggestions to the enterprises as a later-comer, and present some advice to government.

Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis

Proprietary(or semi-proprietary)protocols are widely adopted in industrial control systems(ICSs).Inferring protocol format by reverse engineering is important for many network security applications,e.g.,program tests and intrusion detection.Conventional protocol reverse engineering methods have been proposed which are considered time-consuming,tedious,and error-prone.Recently,automatical protocol reverse engineering methods have been proposed which are,however,neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations.In this paper,we present a framework called the industrial control system protocol reverse engineering framework(ICSPRF)that aims to extract ICS protocol fields with high accuracy.ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context,e.g.,basic block(BBL)group.As a result,by monitoring program execution,we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format.We evaluate our approach with six open-source ICS protocol implementations.The results show that ICSPRF can identify individual protocol fields with high accuracy(on average a 94.3%match ratio).ICSPRF also has a low coarse-grained and overly fine-grained match ratio.For the same metric,ICSPRF is more accurate than AutoFormat(88.5%for all evaluated protocols and 80.0%for binary-based protocols).

ICPFuzzer:proprietary communication protocol fuzzing by using machine learning and feedback strategies

The fuzzing test is able to discover various vulnerabilities and has more chances to hit the zero-day targets.And ICS(Industrial control system)is currently facing huge security threats and requires security standards,like ISO 62443,to ensure the quality of the device.However,some industrial proprietary communication protocols can be customized and have complicated structures,the fuzzing system cannot quickly generate test data that adapt to various protocols.It also struggles to define the mutation field without having prior knowledge of the protocols.Therefore,we propose a fuzzing system named ICPFuzzer that uses LSTM(Long short-term memory)to learn the features of a protocol and generates mutated test data automatically.We also use the responses of testing and adjust the weight strategies to further test the device under testing(DUT)to find more data that cause unusual connection status.We verified the effectiveness of the approach by comparing with the open-source and commercial fuzzers.Furthermore,in a real case,we experimented with the DLMS/COSEM for a smart meter and found that the test data can cause a unusual response.In summary,ICPFuzzer is a black-box fuzzing system that can automatically execute the testing process and reveal vulnerabilities that interrupt and crash industrial control communication.Not only improves the quality of ICS but also improves safety.

Anomaly Detection of Industrial Control Systems Based on Transfer Learning

Industrial Control Systems(ICSs)are the lifeline of a country.Therefore,the anomaly detection of ICS traffic is an important endeavor.This paper proposes a model based on a deep residual Convolution Neural Network(CNN)to prevent gradient explosion or gradient disappearance and guarantee accuracy.The developed methodology addresses two limitations:most traditional machine learning methods can only detect known network attacks and deep learning algorithms require a long time to train.The utilization of transfer learning under the modification of the existing residual CNN structure guarantees the detection of unknown attacks.One-dimensional ICS flow data are converted into two-dimensional grayscale images to take full advantage of the features of CNN.Results show that the proposed method achieves a high score and solves the time problem associated with deep learning model training.The model can give reliable predictions for unknown or differently distributed abnormal data through short-term training.Thus,the proposed model ensures the safety of ICSs and verifies the feasibility of transfer learning for ICS anomaly detection.