نوع مقاله : پژوهشی

نویسندگان

1 دانشکده مهندسی کامپیوتر- واحد شیراز، دانشگاه آزاد اسلامی، شیراز، فارس، ایران

2 دانشکده مهندسی برق و کامپیوتر- دانشگاه شیراز، شیراز، فارس، ایران

چکیده

اغلب سیستم­های کنترل، دارای شبکه ارتباطی با پروتکل­های خاص هستند. سیستم­های تشخیص نفوذی که بر پایه روش­های کنترل ترافیک شبکه با پروتکل­های معمول توسعه داده شده­اند و یا از مجموعه داده­های موجود استفاده کرده­اند، برای سیستم­های کنترل کارایی لازم را ندارند. همچنین کدهای مخرب جدید و پیچیده برای حمله به سیستم­های کنترل و در نهایت خراب­کاری در فرایند فیزیکی از دستورات شناخته شده و قابل درک سیستم­های کنترل استفاده می­کنند. این حملات تغییری در ترافیک شبکه ایجاد نمی­کنند، بنابراین به­وسیله سیستم­های تشخیص نفوذ مبتنی بر شبکه قابل تشخیص نیستند. در این مقاله روشی ابتکاری و ترکیبی برای شناسایی انواع حملات به سیستم­های کنترل با شبکه اختصاصی پیشنهاد شده است. به­منظور شناسایی کامل حملات به سیستم­های کنترل ترکیبی از روش­های شناسایی حملات معنایی یا دزدکی و شناسایی حملات با تاثیر بر ترافیک شبکه سیستم کنترل ارائه شده است. برای اولین بار به­ صورت عملی تاثیر انواع حملات معمول بر روی یک سیستم کنترل با شبکه خاص بررسی و قوانین تشخیص این حملات به­دست آمده است. نتایج تجربی در این مطالعه نشان داده است که قوانین استخراج شده به­صورت صددرصد حملات مرتبط از قبل شناخته شده را شناسایی می­کند. روش جدید ارائه شده مبتنی بر شناسایی دستورات سیستم کنترل از روی رکوردهای استخراج شده شبکه نیز به­صورت کامل حملات معنایی را تشخیص می­دهد. روش مبتنی بر داده­های فرایندی نیز قادر به تشخیص حدود 99 درصد از حملات معنایی با استفاده از الگوریتم­های طبقه­بندی و مجموعه داده استفاده شده است.

چکیده تصویری

سیستم تشخیص نفوذ ترکیبی برای مقابله با حملات سایبری در سیستمهای کنترل صنعتی با شبکه اختصاصی

تازه های تحقیق

- جامع بودن سیستم تشخیص نفوذ پیشنهادی در تشخیص انواع حملات به سیستمهای کنترل صنعتی

- استفاده  از روش هایی بر پایه قوانین تعریف شده در تشخیص حملات تاثیرگذار بر ترافیک

- استفاده از بسته های ارسالی شبکه ناشی از دستورات قانونی برای تشخیص حملات معنایی

- عدم وابستگی روش پیشنهادی به نوع شبکه سیستمهای کنترل و عدم نیاز به جزئیات شبکه اختصاصی

- سادگی روش پیشنهادی جهت پیاده سازی و اجرا و در نتیجه امکان تجاری سازی آسان

کلیدواژه‌ها

موضوعات

عنوان مقاله [English]

Combined Intrusion Detection System to deal with Cyber- Attacks in Industrial Control Systems with a Dedicated Network

نویسندگان [English]

  • Mohammad Safari 1
  • Elham Parvinnia 1
  • Alireza Keshavarz haddad 2

1 Department of Computer Engineering- Shiraz Branch, Islamic Azad University, Shiraz, Iran

2 School of Electrical and Computer Engineering- Shiraz University, Shiraz, Iran

چکیده [English]

Most control systems use a dedicated communication network with specific protocols. Intrusion detection systems developed based on network traffic with standard protocols, or existing datasets can not detect significant threats on these control systems. New sophisticated malicious codes usually attacked these systems by sending known and understandable commands to the control systems and ultimately sabotaging the physical process. These attacks do not alter network traffic, so they are not detectable with standard network-based intrusion detection systems. In this paper, we proposed an innovative combined method for identifying different types of attacks on control systems with a dedicated network. We have provided a combination of methods for detecting semantic or stealth attacks and identifying attacks that affect the traffic of the control system network. For the first time in practice, the effect of common types of attacks on a control system with a specific network has been investigated, and the rules for detecting these attacks have been obtained. Experimental results in this study show that the extracted rules identify 100% of the already known attacks. The proposed new approach, based on identifying the control system commands from the extracted network records, also thoroughly detects semantic attacks. The process data behavioral method used in this study can detect about 99% of semantic attacks using classification algorithms base on Data set which is created in this study.

کلیدواژه‌ها [English]

  • behavioral intrusion detection system
  • industrial control system
  • industrial intrusion detection system
  • semantic and stealthy attacks

Citation: M. Safari, E. Parvinnia, A. Keshavarz Haddad, "Combined intrusion detection system to deal with cyberattacks in industrial control systems with a dedicated network", Journal of Intelligent Procedures in Electrical Technology, vol. 13, no. 51, pp. 31-51, December 2022 (in Persian).

  1. Friedberg, K. McLaughlin, P. Smith, D. Laverty, S. Sezer, "STPA-safeSec: Safety and security analysis for cyber-physical systems", Journal of Information Security and Applications, vol. 34, pp. 183-196, June 2017 (doi: 10.1016/j.jisa.2016.05.008).
  2. K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, A. Hahn, "Guide to industrial control system (ics) security”, NIST Special Publication 800-82, 2015 (doi:10.6028/NIST.SP.800-82r2).
  3. Zhang, Q. Wang, G. Feng, Y. Shi, A. Vasilakos, “A survey on attack detection, estimation and control of industrial cyber–physical systems”, ISA Transactions, vol. 116, pp. 1-16, Jan.2021 (doi: 10.1016/j.isatra.2­021­.01.036).
  4. Kravchik, A. Shabtai, “Efficient cyber attack detection in industrial control systems using lightweight neural networks and pca”, IEEE Trans. on Dependable and Secure Computing, Jan. 2021 (doi: 10.1109/T­DSC.2­021.3050101).
  5. Mokhtari, A. Abbaspour, KK. Yen, A. Sargolzaei, “A machine learning approach for anomaly detection in industrial control systems based on measurement data”, Electronics, vol. 10, no. 4, Article Number: 407, Jan. 2021 (doi: 10.3390/electronics10040407).
  6. Zhang, JW. Hines, J. Coble, “Industrial control system testbed for cybersecurity research with industrial process data”, Proceeding of the ICAPP, pp. 279-284, April 2018.
  7. Edward J.M, A. Kott, “Cyber-security of SCADA and  other industrial control systems”, Springer, 2016 (ISBN: 978-3-319-32125-7).
  8. Knapp, J. Langill, “Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other industrial control systems”, Syngress; Dec. 2014.
  9. Stouffer, J. Falco, K. Scarfone, “Guide to industrial control systems (ICS) security”, NIST special publication, 800(82), 16-16, 2011.
  10. Mitchell, I. Chen, “A survey of intrusion detection techniques for cyber-physical systems”, Computer Science, ACM Computing Surveys, vol. 46, Article Number: 55, April 2014 (doi: 10.1145/2542049).
  11. Hu, A. Yang, H. Li, Y. Sun, L. Sun, “A survey of intrusion detection on industrial controlsystems”, International Journal of Distributed Sensor Networks, vol. 14, no. 8, pp. 1-14, Aug. 2018 (doi: 10.1177/15­5­01­47718794615).
  12. Xavier, J. Moyano, G. Leon, " A real-time anomaly-based IDS for cyber-attack detection at the industrial process level of critical infrastructures", International Journal of Critical Infrastructure Protection, vol. 23, pp. 11-20, Dec. 2018 (doi: 10.1016/j.ijcip.2018.08.002).
  13. Ring, S. Wunderlich, D. Scheuring, D. Landes, A. Hotho, “A survey of network-based intrusion detection data sets”, Computers and Security, vol. 86, pp. 147-167, Sept. 2019 (doi: 10.1016/j.cose­.20­19.0­6.­005).
  14. Zhengbing, L. Zhitang, W. Junqi, "A novel network intrusion detection system (NIDS) based on signatures search of data mining", Proceeding of the IEEE/WKDD, pp. 10-16, Adelaide, SA, Australia, Jan. 2008 (doi: 10.1109/WKDD.2008.48).
  15. Javaid, Q. Niyaz, W. Sun, M. Alam, “A deep learning approach for network intrusion detection system”, Proceedings of the BIONETICS, vol. 24, pp. 21-26, 2016 (doi: 10.4108/eai.3-12-2015.2262516).
  16. Shone, T.N. Ngoc, V.D. Phai, Q. Shi, "A deep learning approach to network intrusion detection", IEEE Trans. on Emerging Topics in Computational Intelligence, vol. 2, no. 1, pp. 41-50, Feb. 2018 (doi: 10.1109/­TET­CI.2017.2772792).
  17. Momeni, S. Gharravi, F. Hourali, “Reducing the impact of SYN flood attacks by improving the accuracy of the PSO algorithm by adaptive effective filters”, Journal of Intelligent Procedures in Electrical Technology, vol. 10, np. 37, pp. 51-57, Spring 2019 (in Persian).
  18. Faghihnia, S.R.K. Tabakh Farizani, M. Kheirabadi, “Improved intrusion detection system based on distributed self-adaptive genetic algorithm to solve support vector machine in form of multi kernel learning with auto encoder”, Journal of Intelligent Procedures in Electrical Technology, vol. 12, no. 45, pp. 77-93, Spring 2021 (dor: 20.1001.1.23223871.1400.12.1.6.2) (in Persian).
  19. Moustafa, J. Hu, J. Slay, “A holistic review of network anomaly detection systems: Acomprehensive survey”, Journal of Network and Computer Application, vol. 128, pp. 33-55, 2019 (doi: 10.1016/j.jn­ca.2­01­8.1­2.006).
  20. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, A. Valdes, “Using model-based intrusion detection for SCADA networks”, Proceedings of the SCADA security scientific symposium, vol. 46, pp. 1-12, Jan. 2007.
  21. Carcano, I. Fovino, M. Masera, A. Trombetta, “State-based network intrusion detection systems for SCADA protocols: a proof of concept”, InInternational Workshop on Critical Information Infrastructures Security, pp. 138-150, Berlin, Heidelberg, Sept. 2009 (doi: 10.1007/978-3-642-14379-3_12).
  22. Yang, K. McLaughlin, T. Littler, S. Sezer, H. Wang, “Rule-based intrusion detection system for SCADA networks”, Proceeding of the IEEE/RPG, pp. 1-4, Beijing, Sept. 2013 (doi: 10.1049/cp.2013.1729).
  23. Yang, K. McLaughlin, T. Littler, S. Sezer, B. Pranggono, H.F. Wang, "Intrusion detection system for IEC 60870-5-104 based SCADA networks", Proceeding of the IEEE/PESMG, pp. 1-5, Vancouver, BC, Canada, July 2013 (doi: 10.1109/PESMG.2013.6672100).
  24. Zachry, J. Butts, J. Lopez Jr, T. Dube, "Firmware modification attacks on programmable logic controllers", International Journal of Critical Infrastructure Protection, vol. 6, pp. 76-84, 2013 (doi: 10.101­6/j.ij­cip.20­13.04.004).
  25. Carl, J. Butts, S. Dunlap, "An evaluation of modification attacks on programmable logic controllers", International Journal of Critical Infrastructure Protection, vol. 7, pp. 61-68, 2014 (doi: 10.1016/j.ijcip.201­4.0­1.0­04).
  26. Hubballi, V. Suryanarayanan, “False alarm minimization techniques in signature-based intrusion detec­tion systems: A survey”, Computer Communications, vol. 49, pp. 1-17, 2014 (doi: 10.1016/j.com­com.­20­14.04.012).
  27. Wei, M. Thomas, "On cyber attacks and signature based intrusion detection for modbus based industrial control systems", Journal of Digital Forensics, Security and Law, vol. 9, Article Number: 3, 2014 (doi: 10.15394/jdfsl.2014.1162).
  28. K. Kim, D.H. Kang, T.M. Chung, “Detecting abnormal behavior in SCADA networks using normal traffic pattern learning”, Computer Science and its Applications, Springer, Berlin, Heidelberg, pp. 121-126, 2015 (doi: 10.1007/978-3-662-45402-2_18).
  29. Yingxu, Z. Liu, Z. Song, Y. Wang, Y. Gao, "Anomaly detection in industrial autonomous decentralized system based on time series", Simulation Modelling Practice and Theory, vol. 65, pp. 57-71, June 2016 (doi: 10.1016/j.simpat.2016.01.013).
  30. Peng, J. Liang, G. Xu, "Malware detection method for the industrial control systems", Proceeding of the IEEE/CCIS, pp. 255-259, Beijing, China, Aug. 2016 (doi: 10.23919/JCC.2021.01.012).
  31. Li, L. Xie, Z. Deng, Z. Wang, “False sequential logic attack on SCADA system and its physical impact analysis”, Computers and Security, vol. 58, pp. 149-159, June 2016 (doi: 10.1016/j.cose.2016.01.001).
  32. Kleinmann, O. Amichay, A. Wool, D. Tenenbaum, O. Bar, L. Lev, “Stealthy deception attacks against SC­A­DA systems”, Computer and Security, vol. 14, pp. 93-109, Sept. 2017 (doi: 10.1007/978-3-319-72817-9_7).
  33. Chih-Yuan, S. Nadjm-Tehrani, M. Asplund, "Timing-based anomaly detection in SCADA networks", International Conference on Critical Information Infrastructures Security, pp. 48-59, Cham, 2017 (doi: 10.1­0­­0­7/978-3-319-99843-5_5).
  34. Yun, Y. Hwang, W. Lee, H. Ahn, S. Kim, “Statistical similarity of critical infrastructure network traffic based on nearest neighbor distances”, InInternational Symposium on Research in Attacks, Intrusions, and Defenses, vol. 10, pp. 577-599, Cham, Sept. 2018 (doi: 10.1007/978-3-030-00470-5_27).
  35. Robles-Durazno, N. Moradpoor, J. McWhinnie, G. Russell, I. Maneru-Marin, "PLC memory attack detection and response in a clean water supply system", International Journal of Critical Infrastructure Protection, vol. 26, Article Number: 100300, Sept. 2019 (doi: 10.1016/j.ijcip.2019.05.003).
  36. Zhang, H. A. D. E. Kodituwakku, J. W. Hines, J. Coble, "Multilayer data-driven cyber-attack detection system for industrial control systems based on network, system, and process data", IEEETrans. on Industrial Informatics, vol. 15, no. 7, pp. 4362-4369, July 2019 (doi: 10.1109/TII.2019.2891261).
  37. Kalech, “Cyber-attack detection in SCADA systems using temporal pattern recognition techniques”, Computers & Security, vol. 84, pp. 225-238, 2019 (doi: 10.1016/j.cose.2019.03.007).
  38. Vnet/IP Built In Security, Technical Information, Doc No:TI30A10A20-01E, 2011, Yokogawa Corporation.