As the main communication mediums in industrial control networks,industrial communication protocols are always vulnerable to extreme exploitations,and it is very difficult to take protective measures due to their seri...As the main communication mediums in industrial control networks,industrial communication protocols are always vulnerable to extreme exploitations,and it is very difficult to take protective measures due to their serious privacy.Based on the SDN(Software Defined Network)technology,this paper proposes a novel event-based anomaly detection approach to identify misbehaviors using non-public industrial communication protocols,and this approach can be installed in SDN switches as a security software appliance in SDN-based control systems.Furthermore,aiming at the unknown protocol specification and message format,this approach first restructures the industrial communication sessions and merges the payloads from industrial communication packets.After that,the feature selection and event sequence extraction can be carried out by using the N-gram model and K-means algorithm.Based on the obtained event sequences,this approach finally trains an event-based HMM(Hidden Markov Model)to identify aberrant industrial communication behaviors.Experimental results clearly show that the proposed approach has obvious advantages of classification accuracy and detection efficiency.展开更多
The fuzzing test is able to discover various vulnerabilities and has more chances to hit the zero-day targets.And ICS(Industrial control system)is currently facing huge security threats and requires security standards...The fuzzing test is able to discover various vulnerabilities and has more chances to hit the zero-day targets.And ICS(Industrial control system)is currently facing huge security threats and requires security standards,like ISO 62443,to ensure the quality of the device.However,some industrial proprietary communication protocols can be customized and have complicated structures,the fuzzing system cannot quickly generate test data that adapt to various protocols.It also struggles to define the mutation field without having prior knowledge of the protocols.Therefore,we propose a fuzzing system named ICPFuzzer that uses LSTM(Long short-term memory)to learn the features of a protocol and generates mutated test data automatically.We also use the responses of testing and adjust the weight strategies to further test the device under testing(DUT)to find more data that cause unusual connection status.We verified the effectiveness of the approach by comparing with the open-source and commercial fuzzers.Furthermore,in a real case,we experimented with the DLMS/COSEM for a smart meter and found that the test data can cause a unusual response.In summary,ICPFuzzer is a black-box fuzzing system that can automatically execute the testing process and reveal vulnerabilities that interrupt and crash industrial control communication.Not only improves the quality of ICS but also improves safety.展开更多
基金This work is supported by the Hainan Provincial Natural Science Foundation of China(618QN219)the National Natural Science Foundation of China(Grant No.61501447)the General Project of Scientific Research of Liaoning Provincial Department of Education(LYB201616).
文摘As the main communication mediums in industrial control networks,industrial communication protocols are always vulnerable to extreme exploitations,and it is very difficult to take protective measures due to their serious privacy.Based on the SDN(Software Defined Network)technology,this paper proposes a novel event-based anomaly detection approach to identify misbehaviors using non-public industrial communication protocols,and this approach can be installed in SDN switches as a security software appliance in SDN-based control systems.Furthermore,aiming at the unknown protocol specification and message format,this approach first restructures the industrial communication sessions and merges the payloads from industrial communication packets.After that,the feature selection and event sequence extraction can be carried out by using the N-gram model and K-means algorithm.Based on the obtained event sequences,this approach finally trains an event-based HMM(Hidden Markov Model)to identify aberrant industrial communication behaviors.Experimental results clearly show that the proposed approach has obvious advantages of classification accuracy and detection efficiency.
文摘The fuzzing test is able to discover various vulnerabilities and has more chances to hit the zero-day targets.And ICS(Industrial control system)is currently facing huge security threats and requires security standards,like ISO 62443,to ensure the quality of the device.However,some industrial proprietary communication protocols can be customized and have complicated structures,the fuzzing system cannot quickly generate test data that adapt to various protocols.It also struggles to define the mutation field without having prior knowledge of the protocols.Therefore,we propose a fuzzing system named ICPFuzzer that uses LSTM(Long short-term memory)to learn the features of a protocol and generates mutated test data automatically.We also use the responses of testing and adjust the weight strategies to further test the device under testing(DUT)to find more data that cause unusual connection status.We verified the effectiveness of the approach by comparing with the open-source and commercial fuzzers.Furthermore,in a real case,we experimented with the DLMS/COSEM for a smart meter and found that the test data can cause a unusual response.In summary,ICPFuzzer is a black-box fuzzing system that can automatically execute the testing process and reveal vulnerabilities that interrupt and crash industrial control communication.Not only improves the quality of ICS but also improves safety.
