Modeling Behavior of Industrial Control System Protocols for Intrusion Detection
Security of Industrial Control Systems (ICSs) such as smart grids, water treatment plants, etc., is a great concern in the present world. For various reasons, such as interconnected networks, lack of security awareness, legacy devices and protocols, advanced attack tools, political competition among nations, etc., the number of cyber attacks against ICSs is increasing. To understand and secure these critical systems, we should perceive the normal behavior of the underlying protocol between two components in an ICS. In this dissertation, we study various modeling techniques, especially Discrete-time Markov Chain (DTMC) and Deterministic Finite Automata (DFA), for communication between HMI (Human Machine Interface) and PLC (Programmable Logic Controller) using various protocols such as Modbus TCP, EtherNet/IP, DNP3, etc. Once the model is built through deep packet inspection (DPI), we can use it in an intrusion detection system (IDS). From our empirical analysis over various real-world and test-bed datasets, we find that a probabilistic model like DTMC can describe the communication pattern in a more preferable and expressive way than non-probabilistic ones like DFA. Besides, the DTMC-based approach can also be used for other purposes such as channel visualization, meaningful log generation, etc. On the other hand, we discuss the limitations of the DTMC-based approach, such as state and transition explosion as we add data for building the model, large state space, etc. Such research will help current and future researchers and related stakeholders to select an effective modeling technique.

The contributions of our work are as follows:

• This is the first work comparing different modeling approaches using various real-world and test-bed datasets, while previous works mainly described their own approaches without comparing any related technique.
• We have identified the limitations of existing methods along with the challenges of modeling the normal behavior of different ICS protocols, as each protocol possesses some unique characteristics.
• Most of the previous works are based on the periodicity assumption of communication between two ICS components. However, through empirical analysis, we show that in many cases this assumption is violated. From our discussion, it becomes clear that to capture the subtleties of communication over an ICS protocol, a probabilistic model is necessary.
• We proposed a specification-based approach as a complement to anomaly-based methods to mitigate their shortcomings.
• Exploratory data analysis has been performed with datasets from various ICS domains, which allows researchers as well as relevant stakeholders to understand the pros and cons of different modeling techniques.
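As an added illustration (not part of the dissertation), the DFA and DTMC views of one HMI-to-PLC channel can be built from the same observed sequence of Modbus TCP function codes and then used to flag transitions in a new window. The function-code sequences are constructed, and the probability threshold is an assumed tuning parameter:

```python
from collections import defaultdict

# Constructed training sample: function codes of consecutive Modbus TCP requests
# from an HMI to a PLC (3 = Read Holding Registers, 16 = Write Multiple
# Registers, 6 = Write Single Register). Mostly periodic polling with one rare
# single-register write, as would be extracted by DPI on the request stream.
TRAINING = [3, 3, 16, 3, 3, 16, 3, 3, 16, 3, 3, 6, 3, 3, 16, 3, 3, 16]

# Constructed detection window: the rare write followed by an unseen transition.
WINDOW = [3, 3, 16, 3, 6, 6, 3]


def build_dfa(seq):
    """DFA view: the set of (state, next_state) pairs ever observed.
    Every observed transition is equally 'normal'; frequency is discarded."""
    return {(a, b) for a, b in zip(seq, seq[1:])}


def build_dtmc(seq):
    """DTMC view: per-state transition probabilities estimated from counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for a, b in zip(seq, seq[1:]):
        counts[a][b] += 1
    return {s: {t: c / sum(nxt.values()) for t, c in nxt.items()}
            for s, nxt in counts.items()}


def dfa_flags(dfa, seq):
    """Indices of transitions the DFA has never seen (the only thing it can flag)."""
    return [i for i, (a, b) in enumerate(zip(seq, seq[1:])) if (a, b) not in dfa]


def dtmc_flags(dtmc, seq, threshold):
    """(index, probability) of transitions whose estimated probability is below
    the threshold; an unseen transition has probability 0 and is always flagged.
    Unlike the DFA, this also surfaces rare-but-seen transitions."""
    flags = []
    for i, (a, b) in enumerate(zip(seq, seq[1:])):
        p = dtmc.get(a, {}).get(b, 0.0)
        if p < threshold:
            flags.append((i, p))
    return flags


if __name__ == "__main__":
    dtmc = build_dtmc(TRAINING)
    print("DFA flags :", dfa_flags(build_dfa(TRAINING), WINDOW))   # [4]
    print("DTMC flags:", dtmc_flags(dtmc, WINDOW, 0.1))           # [(3, 1/12), (4, 0.0)]
```

The DFA only reports the unseen 6→6 transition, whereas the DTMC additionally scores the 3→6 transition as rare, which is the kind of frequency information the abstract argues a non-probabilistic model cannot express.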