
Unknown Protocol Behavior Prediction For Industrial Control System

Posted on: 2018-10-29
Degree: Master
Type: Thesis
Country: China
Candidate: A Huang
GTID: 2348330536481903
Subject: Computer Science and Technology
Abstract/Summary:
The rapid development of the Internet has brought new life to traditional industry. Under the influence of IT and the Internet, Industrial Control Systems (ICS), which used to be physically isolated, have become distributed and Internet-accessible. The introduction of the Internet has accelerated the development of industrial control systems, but the threat from the Internet has never been absent. How to deal with attacks and ensure the safety of the industrial control system is an urgent problem. Building a library of attack code is time-consuming and strenuous, and it is difficult to collect attack code completely because it is endless. If instead we establish a model of the instructions within the industrial control system and use it to make estimates, then by comparing the estimated results with the instructions actually received we can infer whether the industrial control system is under threat. In this paper, an adaptive DBSCAN clustering method is proposed to analyze the network packets of the industrial control system. Our research differs slightly from protocol reverse engineering (PRE): the concrete meaning of each field is not necessary as long as we can identify the data segment of the protocol. First, the captured packets are processed and the protocol contents we are interested in are preserved. Then the global similarity matrix for these packets is calculated; it contains the distance information between every pair of messages. The adaptive DBSCAN estimates appropriate parameters based on the similarity matrix, and clustering is performed with those estimated parameters. The protocol information is then analyzed and the data in each cluster is obtained. The n-gram model from natural language processing is used to model the extracted instructions. The models of different orders are linearly combined to balance the reliability of the higher-order model against the statistical significance of the low-order model, which also solves the zero-probability problem. Experiments show that the adaptive DBSCAN achieves very good results, and the richer the sample, the more accurate the classification. Behavior prediction also reaches an ideal accuracy.
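The linearly combined n-gram model described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the interpolation weights, the 0.05 threshold and the single-letter instruction labels are assumptions chosen for illustration.

```python
from collections import Counter

class InterpolatedNgram:
    """Linear interpolation of 1..n-gram maximum-likelihood estimates."""

    def __init__(self, weights=(0.1, 0.3, 0.6)):  # assumed weights, low to high order
        self.weights = weights
        self.ngrams = Counter()    # (context..., token) -> count
        self.contexts = Counter()  # (context...) -> count
        self.vocab = set()

    def train(self, sequences):
        for seq in sequences:
            self.vocab.update(seq)
            for i, tok in enumerate(seq):
                for k in range(min(len(self.weights), i + 1)):  # k = context length
                    ctx = tuple(seq[i - k:i])
                    self.ngrams[ctx + (tok,)] += 1
                    self.contexts[ctx] += 1

    def prob(self, history, tok):
        total = used = 0.0
        for k, lam in enumerate(self.weights[:len(history) + 1]):
            ctx = tuple(history[len(history) - k:])
            if self.contexts[ctx]:  # skip orders whose context was never observed
                total += lam * self.ngrams[ctx + (tok,)] / self.contexts[ctx]
                used += lam
        return total / used if used else 0.0  # renormalise over the orders used

    def predict(self, history):
        """Most probable next instruction given the preceding ones."""
        return max(sorted(self.vocab), key=lambda t: self.prob(history, t))

def flag_unexpected(model, seq, threshold=0.05):
    """Indices of instructions the model rated unlikely given what preceded them."""
    return [i for i, tok in enumerate(seq) if model.prob(seq[:i], tok) < threshold]

# Constructed training traffic: each letter stands for one instruction cluster.
TRAIN = [list("ABCABCABCD"), list("ABCABCDABC")]

if __name__ == "__main__":
    model = InterpolatedNgram()
    model.train(TRAIN)
    print(model.predict(["A", "B"]))
    print(flag_unexpected(model, list("ABCADBC")))
```

The instruction D after the context C, A never occurs in the training data, so the bigram and trigram estimates are zero, yet the unigram term keeps the combined probability above zero while still leaving it below the threshold.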
Keywords/Search Tags:Industrial Control System, Protocol reverse engineering, Adaptive DBSCAN, Behavior prediction