Combined Intrusion Detection System to Deal with Cyber-Attacks in Industrial Control Systems with a Dedicated Network
Subject Areas: Industry - Automation
Mohammad Safari (1), Elham Parvinnia (2), Alireza Keshavarz Haddad (3)
1 - Department of Computer Engineering, Shiraz Branch, Islamic Azad University, Shiraz, Iran
2 - Department of Computer Engineering, Shiraz Branch, Islamic Azad University, Shiraz, Iran
3 - School of Electrical and Computer Engineering, Shiraz University, Shiraz, Iran
Received: 2021-06-28
Accepted: 2021-09-08
Published: 2021-08-23
Keywords: industrial control system, semantic and stealthy attacks, industrial intrusion detection system, behavioral intrusion detection system
Abstract:
Most industrial control systems use a dedicated communication network with vendor-specific protocols. Intrusion detection systems developed from network traffic carrying standard protocols, or from existing public datasets, cannot detect the significant threats to these control systems. New, sophisticated malicious code typically attacks such systems by sending known, well-formed commands to the controllers and ultimately sabotaging the physical process. Because these attacks do not alter the network traffic pattern, standard network-based intrusion detection systems cannot detect them. In this paper we propose a combined method for identifying different types of attacks on control systems with a dedicated network: one component detects semantic (stealthy) attacks, and another identifies attacks that do change the control-system network traffic. For the first time in practice, the effect of common attack types on a control system with a specific network has been investigated, and rules for detecting these attacks have been derived. Experimental results show that the extracted rules identify 100% of the already known attacks. The proposed approach, which recovers control-system commands from the extracted network records, also detects semantic attacks thoroughly. The process-data behavioral method used in this study detects about 99% of semantic attacks using classification algorithms on a dataset created in this study.
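To make the distinction between the two components concrete, the following is an added example, not the paper's own code, dataset or rules: a two-stage check over constructed control-network records. Stage one applies traffic rules (unknown host, unknown function code, message flood) that catch attacks visible on the wire; stage two takes commands already decoded from the records and checks each write against a process envelope and an interlock, which is what catches a semantic attack whose frames are perfectly valid. All host names, tag names, limits, the interlock and the sample records are assumptions made for the illustration.

```python
"""Two-stage detector over constructed control-network records (illustrative).

Stage 1 (traffic rules) flags what changes on the wire: unknown hosts,
unknown function codes, message floods.
Stage 2 (process-aware rules) flags semantic attacks: well-formed WRITE
commands from an authorised host whose effect is unsafe for the current
process state. Every host, tag, limit and record here is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    t: float                 # seconds since capture start
    src: str                 # source host (assumed naming)
    func: str                # command decoded from the record
    tag: Optional[str]       # process tag addressed, if any
    value: Optional[float]   # written value, if any


ALLOWED_HOSTS = {"hmi-01", "eng-ws-01"}     # assumed authorised sources
KNOWN_FUNCS = {"READ", "WRITE"}             # assumed command set
MAX_MSGS_PER_SEC = 20                       # assumed rate ceiling for the link

# Assumed process envelope: safe write range per setpoint tag.
SETPOINT_LIMITS = {"TIC101.SP": (50.0, 120.0), "LIC201.SP": (20.0, 80.0)}


def interlock_ok(tag, value, state):
    """Assumed interlock: outlet valve XV301 may only be opened while the
    measured tank level LI201.PV is below 90."""
    if tag == "XV301.CMD" and value == 1.0:
        return state.get("LI201.PV", 0.0) < 90.0
    return True


def traffic_rules(records):
    """Stage 1: anomalies visible in the traffic itself."""
    alerts = []
    for r in records:
        if r.src not in ALLOWED_HOSTS:
            alerts.append((r.t, "unknown-host", r.src))
        if r.func not in KNOWN_FUNCS:
            alerts.append((r.t, "unknown-function", r.func))
    per_second = Counter(int(r.t) for r in records)
    for sec in sorted(per_second):
        if per_second[sec] > MAX_MSGS_PER_SEC:
            alerts.append((float(sec), "flood", per_second[sec]))
    return alerts


def semantic_rules(records, state):
    """Stage 2: each WRITE checked against envelope and interlock.
    `state` is a snapshot of measured values (tag -> value)."""
    alerts = []
    for r in records:
        if r.func != "WRITE" or r.tag is None:
            continue
        lim = SETPOINT_LIMITS.get(r.tag)
        if lim and not (lim[0] <= r.value <= lim[1]):
            alerts.append((r.t, "out-of-envelope", r.tag, r.value))
        if not interlock_ok(r.tag, r.value, state):
            alerts.append((r.t, "interlock-violation", r.tag, r.value))
    return alerts


def detect(records, state):
    """Run both stages and return their alerts separately."""
    return {"traffic": traffic_rules(records),
            "semantic": semantic_rules(records, state)}


# Constructed sample: routine reads, one benign write, two stealthy writes
# that are valid frames from an authorised host, one foreign host, one flood.
SAMPLE = [
    Record(0.1, "hmi-01", "READ", "TIC101.PV", None),
    Record(0.5, "hmi-01", "WRITE", "TIC101.SP", 95.0),      # benign
    Record(1.2, "hmi-01", "WRITE", "TIC101.SP", 180.0),     # semantic: unsafe value
    Record(1.8, "hmi-01", "WRITE", "XV301.CMD", 1.0),       # semantic: against interlock
    Record(2.0, "10.0.9.77", "READ", "LI201.PV", None),     # traffic: unknown host
] + [Record(3.0 + i / 100, "hmi-01", "READ", "TIC101.PV", None) for i in range(25)]
SAMPLE_STATE = {"LI201.PV": 95.0}   # constructed snapshot: tank nearly full

if __name__ == "__main__":
    for stage, alerts in detect(SAMPLE, SAMPLE_STATE).items():
        for a in alerts:
            print(stage, a)
```

The two writes at t=1.2 and t=1.8 pass stage one untouched (authorised host, known function code, normal rate), which is exactly the gap the abstract describes; only the process-aware stage, working on the decoded command and the measured state, raises them. In a real deployment the envelope and interlock table would come from the plant's own configuration rather than be hard-coded as here.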