
Covert Attacks Based On Two-Loop Structure And Their Detection

Posted on: 2020-06-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Z Li
GTID: 1368330575978650
Subject: Communication and Information System

Abstract/Summary:
With the deep integration of informatization and industrialization, the original security vulnerabilities of industrial control systems (ICSs) are gradually being exposed to the Internet. In recent years, real attacks on ICSs have shown that attackers can use these vulnerabilities to damage the physical world. As the sensing and control data in control networks are closely related to the physical state, the attack and detection problem has become a research hotspot. In view of the shortcomings and research trend of existing attacks, this dissertation explores potential covert attacks and evaluates their attack effects. Then, according to the characteristics of the potential attacks, corresponding detection methods are designed to make up for the deficiencies of existing detection methods.

Specifically, we focus on the problems of the sequential logic covert attack and the PID steady-state deviation covert attack. To meet the requirements of attack and concealment that the two problems share, a two-loop covert attack structure is designed, which is also called the two-loop structure. The two-loop covert attack of sequential logic and the two-loop covert attack of PID steady-state deviation are proposed respectively. Then anomaly detection methods for these two-loop covert attacks are studied. The feasibility of the attacks and detection methods is demonstrated on a security testing platform. The main contents and contributions of this dissertation are as follows.

(1) A two-loop covert attack of sequential logic is presented based on a periodic replay attack. By constructing the two-loop covert attack structure, the periodic replay attack is used to cover up the anomalies caused by the sequential logic attack. First, we propose a five-tuple model to represent the normal sequential logic of control data. Then, the sequential logic attack model is proposed, and the impact evaluation model is established. After that, the periodic replay attack model is proposed. Experimental results in a three-tank control system demonstrate the effectiveness of the proposed covert attack.

(2) A two-loop covert attack of PID steady-state deviation is presented based on the least squares support vector machine (LSSVM) method. First, we design a two-loop attack structure, which consists of a covert loop and an attack loop. Then, the PID steady-state deviation attack model and the steady-state behavior covert attack model are proposed respectively. The former causes the given statistical deviation, while the latter can simulate the normal steady-state behavior of the physical process and conceal the data anomalies caused by the former. Experiments are conducted in a continuous stirred tank heater (CSTH) simulation control system. The results show that when the deviation is set at +10%, the PID steady-state deviation attack can cause a +9.9% statistical deviation. Besides, the fluctuation range of the simulated data generated by the steady-state behavior covert attack is smaller than that of normal data, and it is difficult to detect the anomalies with the CUSUM (cumulative sum) method.

(3) An anomaly detection model of sequential logic is proposed based on four-tuple rules. The covert loop in the two-loop covert attack of sequential logic can keep the input and output data of the controller in a normal state, so it is difficult to detect anomalies using the sensing and control data in the covert loop. Therefore, we present a four-tuple rule based anomaly detection model for the attack loop. Each rule consists of the number of the rule, the current command, the next command and a duration constraint. Simulation results show that sequential logic attacks can be detected in time by checking the execution order of adjacent control commands and the time interval between commands.

(4) A steady-state anomaly detection model is proposed based on the MSD-LSSVM method. The MSD module, composed of mean, standard deviation and difference, is used to extract the fluctuation and trend features of sequence data, and these features are used to train the LSSVM model. We propose a steady-state anomaly detection model based on the MSD-LSSVM. The training set, test set and validation set are established respectively in a CSTH simulation system. Experimental results show that the classification accuracy of MSD-LSSVM is higher than that of LSSVM, KNN and LSTM when the length of the input sequence is the same. Moreover, when the length of the input sequence is 8, the classification accuracy of MSD-LSSVM is 100%.

(5) A security testing platform is designed to implement the two-loop covert attacks and detection methods. It is made up of two PCs, a SIEMENS S7-300 PLC and a router. One PC runs the Simulink program and the S7Security program, and the other PC runs the TwoLoopSecurity program. Based on the platform, the proposed two-loop covert attacks and the corresponding anomaly detection methods are implemented respectively, which demonstrates the feasibility of the proposed attack and detection methods.
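
The four-tuple rule check described in contribution (3), sketched as an added example that is not code from the dissertation. The command names, the rule values and the reading of the duration constraint as a (min, max) interval in seconds are assumptions, and both traces are constructed.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    number: int        # number of the rule
    current: str       # current command
    next_cmd: str      # next command
    duration: tuple    # duration constraint, assumed here to be (min_s, max_s)

# Constructed rule set for a hypothetical fill / heat / drain cycle.
RULES = [
    Rule(1, "OPEN_INLET", "CLOSE_INLET", (8.0, 12.0)),
    Rule(2, "CLOSE_INLET", "START_HEATER", (0.5, 2.0)),
    Rule(3, "START_HEATER", "STOP_HEATER", (25.0, 35.0)),
    Rule(4, "STOP_HEATER", "OPEN_DRAIN", (0.5, 2.0)),
    Rule(5, "OPEN_DRAIN", "CLOSE_DRAIN", (8.0, 12.0)),
    Rule(6, "CLOSE_DRAIN", "OPEN_INLET", (0.5, 5.0)),
]

def check_sequence(events, rules=RULES):
    """events: time-ordered (timestamp_s, command) pairs seen on the wire.
    Returns a list of (timestamp_s, kind, detail) alerts."""
    by_pair = {(r.current, r.next_cmd): r for r in rules}
    alerts = []
    for (t0, c0), (t1, c1) in zip(events, events[1:]):
        rule = by_pair.get((c0, c1))
        if rule is None:
            # Adjacent commands are in an order no rule allows.
            alerts.append((t1, "order", f"{c0} -> {c1} matches no rule"))
            continue
        lo, hi = rule.duration
        dt = t1 - t0
        if not lo <= dt <= hi:
            # Order is legal but the interval between commands is not.
            alerts.append((t1, "duration",
                           f"rule {rule.number}: {dt:.1f}s outside [{lo}, {hi}]"))
    return alerts

# Constructed traces: one normal cycle, one with a stretched heating
# interval followed by a skipped CLOSE_DRAIN.
NORMAL = [(0.0, "OPEN_INLET"), (10.0, "CLOSE_INLET"), (11.0, "START_HEATER"),
          (41.0, "STOP_HEATER"), (42.0, "OPEN_DRAIN"), (52.0, "CLOSE_DRAIN"),
          (54.0, "OPEN_INLET")]
TAMPERED = [(0.0, "OPEN_INLET"), (10.0, "CLOSE_INLET"), (11.0, "START_HEATER"),
            (71.0, "STOP_HEATER"), (72.0, "OPEN_DRAIN"), (73.0, "OPEN_INLET")]

if __name__ == "__main__":
    for alert in check_sequence(TAMPERED):
        print(alert)
```

Because the check depends only on command order and timing, it does not rely on the sensing data that the covert loop replays.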
Keywords/Search Tags:Industrial control systems, data integrity attack, support vector machine, programmable logic controller, covert attacks