
Research Of Deep Packet Analysis Platform And Methods For Typical Industrial Control Protocols

Posted on: 2020-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: F R Wang
Full Text: PDF
GTID: 2428330572469981
Subject: Control Science and Engineering
Abstract/Summary:
Recently, the security of industrial control systems (ICS) has been attracting significant research attention due to the frequent occurrence of security incidents in industrial control systems. People urgently need to monitor system security. Existing research shows that anomaly detection is an effective method to deal with various safety problems in ICS, and deep packet inspection (DPI) is one of the most comprehensive and effective methods. However, most of the existing methods are designed based on a specific system environment and attack behavior. When the system communication protocol changes, or the attack target is extended from crashing devices and tampering with the setpoint of the controlled process to stealthier attacks, such as modifying the request-response behavior, switching device mode, and tampering with control programs or parameters, the existing methods find it difficult to ensure their effectiveness. The lack of abnormal datasets and testbeds for the ICS environment also brings further difficulties. Based on the above, this paper investigates the current DPI methods and testbeds in ICS, analyzes the limitations of existing detection methods, presents a DPI method based on semantic features, and implements a testbed for typical industrial control protocols to verify the method. This paper focuses on anomaly detection methods in industrial control systems. The main contributions are as follows:

1. Due to the lack of a controlled process and multi-type abnormal behavior in the existing datasets and testbeds for the ICS environment, we generate traces containing real production process information and provide a test environment for attack behaviors based on the testbed of typical industrial control protocols, and generate four abnormal datasets affecting one or more targets in the communication process, control devices or controlled process. This paper selects five typical industrial protocols, IEC 60870-5-104, Modbus/TCP, BACnet/IP, Ethernet/IP and CC-LINK, to build the testbed based on the plant supervisory layer and the direct control layer, and generates traces with the five protocols. Then we investigate the vulnerability of the protocols and verify the semantics of messages to generate attack traces through packet mutation. We finally implement four abnormal behaviors, which are exception scenarios of control information, data unit identification, reset command and the controlled process.

2. To overcome the shortcomings of incomplete analysis of the application layer and repeated parsing of packets in multi-protocol scenarios in existing research, we propose a deep packet analysis method for hybrid protocols based on the similarity of the encapsulation process, to improve parsing efficiency, and parse each bit in the payload to mine the semantic information. Based on the encapsulation process of industrial control protocols, this paper analyzes the similarity of the underlying layers of different protocols, and then splits and parses the packet from the physical layer to the transport layer in turn to reduce repeated parsing. After that, we parse the application layer bit by bit and identify the protocol type according to the identification label. For the five typical industrial control protocols in this paper, our method shows 100% accuracy in protocol recognition.

3. Due to the poor migration of state-transition-based methods to scenarios where the anomaly occurs in the controlled process, and the bottleneck of time-series-prediction-based methods for detecting anomalies in the communication process and control devices, we propose a semantic-feature-based DPI method and address the problem of performance degradation in multiple-anomaly composite scenarios. In this paper, we combine prior knowledge of the industrial control system to analyze the semantic information of packets. The sample data is described by a feature vector with three kinds of fields: the communication function field, the control function field and the process variable field. For the applicability of the detection model in different scenarios, we merge the results of different types of Naive Bayes models, each used to deal with a different kind of field. For the above abnormal behaviors of control information, data unit identification, reset command and the controlled process, the proposed method achieves an accuracy rate and recall rate of at least 90%.
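As an added illustration of the two-stage hybrid analysis in contribution 2 and the three-field feature vector in contribution 3 (example code written for this page, not the thesis's implementation): once the shared lower layers have been parsed, the protocol is recognized from an identification label and only the matching application-layer parser runs, producing communication, control and process fields. The label values, the constructed sample payloads and the field grouping are assumptions.

```python
import struct

# Constructed sample TCP payloads (assumptions, not traces from the thesis): a
# Modbus/TCP Write Single Register request (unit 1, register 16 := 500) and an
# IEC 60870-5-104 I-format APDU carrying a C_SC_NA_1 single command (IOA 1, ON).
MODBUS_SAMPLE = bytes.fromhex("0001000000060106001001f4")
IEC104_SAMPLE = bytes.fromhex("680e020002002d010600010001000001")

def identify(p: bytes) -> str:
    """Recognize the protocol from an assumed identification label: APCI start
    byte 0x68 (IEC 104) or MBAP protocol id 0 (Modbus/TCP). Length consistency
    keeps an I-frame with N(S)=0 (control field 00 00) from looking like MBAP."""
    if len(p) >= 6 and p[0] == 0x68 and p[1] == len(p) - 2:
        return "iec104"
    if len(p) >= 8 and p[2:4] == b"\x00\x00" and int.from_bytes(p[4:6], "big") == len(p) - 6:
        return "modbus_tcp"
    return "unknown"

def parse_modbus(p: bytes) -> dict:
    """Split the MBAP header and PDU into the three feature-field kinds."""
    tid, _pid, length, unit, fc = struct.unpack(">HHHBB", p[:8])
    feats = {"comm": {"transaction_id": tid, "length": length},
             "ctrl": {"unit_id": unit, "function_code": fc}, "proc": {}}
    if fc == 6:  # Write Single Register: register address and value follow
        addr, val = struct.unpack(">HH", p[8:12])
        feats["proc"] = {"register": addr, "value": val}
    return feats

def parse_iec104(p: bytes) -> dict:
    """Split APCI control fields and (for I-format) the ASDU into feature fields."""
    cf = p[2:6]
    fmt = "I" if cf[0] & 1 == 0 else ("S" if cf[0] & 3 == 1 else "U")
    feats = {"comm": {"apdu_len": p[1], "format": fmt,
                      "send_seq": struct.unpack("<H", cf[0:2])[0] >> 1,
                      "recv_seq": struct.unpack("<H", cf[2:4])[0] >> 1},
             "ctrl": {}, "proc": {}}
    if fmt == "I":
        type_id, vsq, cot, ca = struct.unpack("<BBHH", p[6:12])
        feats["ctrl"] = {"type_id": type_id, "num_objects": vsq & 0x7F,
                         "cot": cot & 0x3F, "common_addr": ca}
        if type_id == 45:  # C_SC_NA_1: 3-byte IOA, then SCO whose bit 0 is ON/OFF
            feats["proc"] = {"ioa": int.from_bytes(p[12:15], "little"), "scs": p[15] & 1}
    return feats

PARSERS = {"modbus_tcp": parse_modbus, "iec104": parse_iec104}

def analyze(p: bytes) -> tuple:
    """Stage two of the hybrid pipeline: identify once, then dispatch to one parser."""
    proto = identify(p)
    return proto, (PARSERS[proto](p) if proto in PARSERS else {})
```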
Keywords/Search Tags:Industrial control system, Deep packet inspection, anomaly detection, Network security