Enhance the ICS Network Security Using the Whitelist-based Network Monitoring Through Protocol Analysis
Keywords: Network security, Protocol analysis, Traffic monitoring, ICS network, Clustering algorithm, Apriori algorithm
In the present technological age, most manual and semi-automated tasks are being automated for productivity or convenience. Industrial sites in particular are rapidly being automated to increase productivity and improve work efficiency. However, as networks become an integral part of automated industrial processes, they also bring new dangers: security threats, malfunctions, and interruption of the industrial process. In particular, as business networks have been hardened and their information is no longer easily accessible, intruders are now targeting industrial networks, whose security is relatively poor and where an attack can directly cause physical damage. Numerous studies have therefore been conducted to counter security threats through network traffic monitoring and to minimize physical loss through the detection of malfunctions. For industrial processes such as nuclear and petroleum facilities, thorough monitoring is required because security incidents can cause significant danger to people and damage to property. Most network traffic in industrial facilities uses proprietary protocols for efficient data transmission, and these protocols are kept confidential for intellectual property and security reasons. Protocol reverse engineering is therefore a preparatory step for monitoring such traffic and achieving more accurate traffic analysis. The field extraction method proposed in this study identifies the structure of the proprietary protocols used at industrial sites; from the extracted fields, the structure of the commands and protocols used in the industrial environment can be derived.
To evaluate the feasibility of the proposed concept, an experiment was conducted using the Modbus/TCP and Ethernet/IP protocols, which are used at actual industrial sites, and an additional experiment examined how the analysis performs on a conventional protocol, the file transfer protocol.
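The following Python sketch is an added example, not the paper's code (the abstract does not detail its algorithm); it illustrates the idea the abstract describes: mining frequent (offset, value) items from captured Modbus/TCP frames, which is Apriori's first pass, to separate constant and enumerated header fields from variable ones, and turning those fields into a whitelist that flags function codes never seen in the baseline. The frames, thresholds and function names are constructed for illustration.

```python
"""Added example (not the paper's code): Apriori-style support counting over
(offset, byte value) items of Modbus/TCP frames classifies header positions as
constant, enumerated or variable; the first two become a traffic whitelist."""
from collections import defaultdict

# Constructed Modbus/TCP ADUs: MBAP header (txid 2B, protocol id 2B, length 2B,
# unit id 1B) followed by the PDU (function code 1B, address 2B, quantity 2B).
BASELINE = [
    bytes.fromhex("0001 0000 0006 01 03 0000 0002"),  # read holding registers
    bytes.fromhex("0002 0000 0006 01 03 0010 0001"),
    bytes.fromhex("0003 0000 0006 01 01 0000 0008"),  # read coils
    bytes.fromhex("0004 0000 0006 01 06 0005 0001"),  # write single register
    bytes.fromhex("0005 0000 0006 01 03 0020 0002"),
    bytes.fromhex("0006 0000 0006 01 01 0008 0008"),
]

def frequent_items(frames, width, min_support):
    """Apriori's frequent 1-itemsets: (offset, value) pairs whose support,
    the fraction of frames carrying that value at that offset, is >= min_support."""
    counts = defaultdict(int)
    for f in frames:
        for off in range(min(width, len(f))):
            counts[(off, f[off])] += 1
    return {item: c / len(frames) for item, c in counts.items() if c / len(frames) >= min_support}

def infer_fields(frames, width=8, max_enum=4, min_support=0.1):
    """Classify each offset in the first `width` bytes: 'constant' (one frequent
    value, e.g. protocol id), 'enum' (<= max_enum values, e.g. function code) or
    'variable' (more values, e.g. transaction id). Returns {offset: (kind, values)}.
    Caveat: on a short capture a variable field can look constant (offset 0 here)."""
    values = defaultdict(set)
    for off, val in frequent_items(frames, width, min_support):
        values[off].add(val)
    fields = {}
    for off in range(width):
        n = len(values[off])
        kind = "constant" if n == 1 else "enum" if n <= max_enum else "variable"
        fields[off] = (kind, frozenset(values[off]))
    return fields

def build_whitelist(fields):
    """Only constant and enumerated offsets constrain traffic; variable ones are free."""
    return {off: vals for off, (kind, vals) in fields.items() if kind != "variable"}

def check_frame(frame, whitelist):
    """Return the (offset, value) pairs of `frame` that fall outside the whitelist."""
    return [(off, frame[off]) for off, vals in sorted(whitelist.items())
            if off < len(frame) and frame[off] not in vals]

if __name__ == "__main__":
    wl = build_whitelist(infer_fields(BASELINE))
    # Constructed frame with function code 0x08, never seen in the baseline.
    print(check_frame(bytes.fromhex("0007 0000 0006 01 08 0000 0000"), wl))  # [(7, 8)]
```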