
Research On Detecting PLC Program Malicious Behaviors Based On State Verification

Posted on: 2019-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: T Y Chang
GTID: 2428330566970952
Subject: Computer Science and Technology
Abstract/Summary:
Programmable Logic Controller (PLC) programs are vulnerable to tampering attacks, which can violate the safety requirements of the controlled process and even cause severe physical destruction. At present, the security of PLC code mainly depends on the detection of code defects; there is no detection of malicious code that violates the safety requirements. To address this problem, we propose a method for detecting malicious behaviors of PLC programs based on state verification. First, the binary program is disassembled into an STL program. Second, the control flow graph of the STL program is constructed according to the characteristics of the STL language. Third, the program execution paths and the mapping between PLC program outputs and inputs are obtained from the control flow graph. Fourth, a state detection model is constructed according to the characteristics of feedback loops. Finally, the safety specifications are checked by state verification, which realizes the detection of malicious behavior in PLC programs.

The main work of this paper is summarized as follows.

To tackle the problem of state space explosion, a method is proposed that merges the output states of the current scan cycle and removes from them the output states that have already been analyzed in previous scan cycles.

Since industrial control systems generally require high real-time processing capability, the timer is a very important object of the model. Because the timer is a global variable across all scan cycles, taking time as a factor during modeling increases both the modeling difficulty and the detection time; however, time-related safety specifications cannot be detected without considering time. This paper therefore proposes a method that deduces all output states within a timer's preset time from an analysis of part of the output state transition relationships, which reduces the overhead of timer modeling.

If malicious code is found, the input sequence that violates the safety requirement is obtained by reversing the PLC program execution process.

A prototype system is designed and implemented, and the experimental results show that the proposed method detects PLC malicious code effectively and accurately. Moreover, in five test cases the proposed method takes less than 5 minutes to detect malicious code in the worst case.
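As an added illustration that is not code from the thesis, the following toy model shows the state-verification idea the abstract describes: a scan-cycle transition function, exploration of reachable output states that never re-expands a state already analyzed in an earlier cycle, a safety specification checked on every state, and reconstruction of the violating input sequence by walking the recorded predecessors backwards. The pump/heater logic, the timer-free state and the dry-heating interlock are constructed assumptions standing in for a real STL program and its specifications.

```python
from collections import deque
from itertools import product

# Constructed toy PLC logic (hypothetical stand-in for the thesis's STL program).
# Output state per scan: (pump, heater); inputs per scan: (start, stop, heat_req).
INIT = (0, 0)
INPUT_SPACE = list(product((0, 1), repeat=3))

def benign_cycle(state, inp):
    pump, heater = state
    start, stop, heat_req = inp
    pump = int((pump or start) and not stop)     # latched pump, stop wins
    heater = int(heat_req and pump)              # interlock: heater needs the pump
    return (pump, heater)

def tampered_cycle(state, inp):
    pump, heater = state
    start, stop, heat_req = inp
    pump = int((pump or start) and not stop)
    heater = int(heat_req and (pump or heater))  # hold path lost the interlock
    return (pump, heater)

def unsafe(state):
    pump, heater = state
    return heater == 1 and pump == 0             # dry heating violates the spec

def trace(parent, state):
    seq = []                                     # reverse execution back to INIT
    while parent[state] is not None:
        state, inp = parent[state]
        seq.append(inp)
    return seq[::-1]

def verify(cycle, init=INIT):
    """Breadth-first search over reachable output states, cycle by cycle; returns
    None at the fixed point if no state violates the spec, else the input sequence."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for inp in INPUT_SPACE:
            t = cycle(s, inp)
            if t in parent:
                continue                         # already analyzed: merged, not re-expanded
            parent[t] = (s, inp)
            if unsafe(t):
                return trace(parent, t)
            queue.append(t)
    return None
```

For the tampered program the search reports the two-scan sequence start+heat followed by stop+heat, while the benign program reaches its fixed point with no violation.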
Keywords/Search Tags: PLC, Industrial Control System Security, Model Detection, Program Analysis, Model Building