Enhance the ICS Network Security Using the Whitelist-based Network Monitoring Through Protocol Analysis

Authors

  • Kyu-Seok Shim National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea https://orcid.org/0000-0002-3317-7000
  • Ilkwon Sohn National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea
  • Eunjoo Lee National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea
  • Woojin Seok National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea https://orcid.org/0000-0002-7340-9961
  • Wonhyuk Lee National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea https://orcid.org/0000-0002-1571-9638

DOI:

https://doi.org/10.13052/jwe1540-9589.2011

Keywords:

Network security, Protocol analysis, Traffic monitoring, ICS network, Clustering algorithm, Apriori algorithm

Abstract

Manual and semi-automated tasks are increasingly being automated for productivity and convenience, and industrial sites in particular are being automated rapidly. As networks become an integral part of automated industrial processes, they also bring new risks: security threats, malfunctions, and interruption of the process itself. Business networks have been hardened and their information is not easily accessible, so intruders are turning to industrial networks, whose security is comparatively weak and where an attack can lead directly to physical damage. Many studies therefore counter security threats through network traffic monitoring and minimize physical loss by detecting malfunctions. For processes such as nuclear and petroleum facilities, thorough monitoring is essential because a security incident can endanger people and damage property. Most industrial network traffic uses proprietary protocols chosen for efficient data transmission, and these protocols are kept confidential for intellectual-property and security reasons. Protocol reverse engineering is therefore a preparatory step for monitoring such traffic and analysing it more accurately. The field extraction method proposed in this study identifies the structure of the proprietary protocols used at industrial sites; from the extracted fields, the structure of the commands and protocols used in the industrial environment can be derived.
To evaluate the feasibility of the proposed concept, an experiment was conducted with the Modbus/TCP and EtherNet/IP protocols used at actual industrial sites, and an additional experiment examined the results of analysing a conventional protocol, the File Transfer Protocol (FTP).
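As an added illustration of the workflow the abstract describes (field extraction from captured frames, then deriving the commands in use and a whitelist from them), the Python below runs a simplified position-based field inference and an Apriori-style frequent-pattern pass over constructed Modbus/TCP request frames, and turns the maximal frequent patterns into allow-rules. This is example code written for this page, not the paper's implementation and not the authors' code; the helper names (`mbap`, `infer_fields`, `apriori`, `learn_whitelist`, `check`), the thresholds and the traffic itself are assumptions made for the example, and the frames are constructed, not captured from a real PLC.

```python
"""Position-based field inference, Apriori-style pattern mining and
whitelist checking over Modbus/TCP request frames.  Added example for this
page, not the paper's method; all frames below are constructed."""
from itertools import combinations
import struct


def mbap(tid, unit, pdu):
    """Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length = len(pdu) + 1 for the unit-id byte, unit id) followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_regs(tid, unit, addr, qty):   # FC 3, read holding registers
    return mbap(tid, unit, struct.pack(">BHH", 3, addr, qty))


def write_reg(tid, unit, addr, val):   # FC 6, write single register
    return mbap(tid, unit, struct.pack(">BHH", 6, addr, val))


# Constructed training capture (assumption): an HMI polling two units and,
# rarely, writing one register.  Transaction ids spread so both id bytes vary.
TRAIN = (
    [read_regs(1000 * t + 7, 1, 0x0000, 10) for t in range(0, 12)]
    + [read_regs(1000 * t + 7, 2, 0x0100, 4) for t in range(12, 20)]
    + [write_reg(1000 * t + 7, 1, 0x0005, t - 19) for t in range(20, 24)]
)


def infer_fields(msgs, enum_ratio=0.2):
    """Classify each byte offset by its number of distinct values
    (CONST / ENUM / VAR) and merge adjacent offsets into one field when they
    share a class and covary (joint cardinality == larger single one).
    Returns [(offset, length, class)] over the common message length."""
    n = min(len(m) for m in msgs)
    msgs = [m[:n] for m in msgs]
    thresh = max(2, int(enum_ratio * len(msgs)))

    def card(cols):  # distinct byte tuples seen at offsets `cols`
        return len({tuple(m[c] for c in cols) for m in msgs})

    def cls(c):
        return "CONST" if c == 1 else "ENUM" if c <= thresh else "VAR"

    fields, start = [], 0
    for off in range(1, n + 1):
        if (off == n or cls(card([off - 1])) != cls(card([off]))
                or card([off - 1, off]) > max(card([off - 1]), card([off]))):
            fields.append((start, off - start, cls(card(range(start, off)))))
            start = off
    return fields


def apriori(msgs, minsup):
    """Level-wise Apriori over (offset, value) items; returns every frequent
    itemset (support count >= minsup) as {frozenset: support}."""
    n = min(len(m) for m in msgs)
    tx = [frozenset((i, m[i]) for i in range(n)) for m in msgs]

    def count(cands):
        sup = {c: sum(c <= t for t in tx) for c in cands}
        return {c: s for c, s in sup.items() if s >= minsup}

    level = count({frozenset([it]) for t in tx for it in t})
    freq = dict(level)
    while level:
        cands = {a | b for a, b in combinations(level, 2) if len(a | b) == len(a) + 1}
        cands = {c for c in cands if all(c - {it} in level for it in c)}  # prune
        level = count(cands)
        freq.update(level)
    return freq


def maximal(freq):
    """Frequent itemsets with no frequent superset: the message templates."""
    items = {it for s in freq for it in s}
    return {s: sup for s, sup in freq.items()
            if not any(s | {it} in freq for it in items - s)}


def learn_whitelist(msgs, min_support=0.3):
    """One allow-rule {offset: byte} per template, most frequent first."""
    minsup = max(1, round(min_support * len(msgs)))
    templates = sorted(maximal(apriori(msgs, minsup)).items(), key=lambda kv: -kv[1])
    return [dict(sorted(s)) for s, _ in templates]


def check(rules, frame):
    """Index of the first rule the frame satisfies, or None (alert)."""
    for i, rule in enumerate(rules):
        if len(frame) > max(rule) and all(frame[o] == v for o, v in rule.items()):
            return i
    return None


if __name__ == "__main__":
    for off, ln, c in infer_fields(TRAIN):
        print(f"offset {off:2d} len {ln} {c}")
    rules = learn_whitelist(TRAIN)
    for r in rules:
        print("template:", {o: hex(v) for o, v in r.items()})
    for frame in (read_regs(99, 1, 0, 10), write_reg(99, 1, 5, 1),
                  mbap(99, 1, bytes([8, 0, 0, 0, 0]))):   # FC 8 diagnostics
        print(frame.hex(), "->", check(rules, frame))
```

On this constructed traffic the inference recovers the transaction id (2 bytes, VAR), the unit id and function code (1 byte each, ENUM) and separates the address bytes, but the protocol id and length fields fuse into one 4-byte CONST field because every frame has the same length, and the quantity field is split at byte granularity; more varied traffic is what sharpens those boundaries. The Apriori pass returns exactly two maximal templates, the two polling commands. The four FC 6 writes fall below the 30% support threshold, so `check` flags a legitimate write as well as the FC 8 diagnostics frame: rare but authorised commands must be added to the whitelist explicitly (or the threshold lowered) before such rules are enforced, otherwise the monitor trades missed attacks for operational false positives.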


Author Biographies

Kyu-Seok Shim, National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea

Kyu-Seok Shim is a postdoctoral researcher at the Korea Institute of Science and Technology Information (KISTI), Daejeon, Korea. He received his B.S., M.S., and Ph.D. degrees from the Department of Computer and Information Science, Korea University, Korea, in 2014, 2016, and 2020, respectively. His research interests include Internet traffic classification, network management, protocol reverse engineering, and quantum key distribution.

Ilkwon Sohn, National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea

Ilkwon Sohn is a senior researcher at the Korea Institute of Science and Technology Information (KISTI), Daejeon, Korea. He received his B.S. degree and his unified M.S. and Ph.D. degree from the School of Electrical Engineering, Korea University, Korea, in 2011 and 2018, respectively. His research interests include quantum error correction, quantum key distribution, and quantum computation.

Eunjoo Lee, National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea

Eunjoo Lee is a postdoctoral researcher at the Korea Institute of Science and Technology Information (KISTI), Daejeon, Korea. She received her B.S. degree in Physics from Hanyang University, Korea, and her Ph.D. degree in Physics from the Korea Advanced Institute of Science and Technology (KAIST). She was formerly a postdoctoral researcher in the quantum optics group at the Korea Research Institute of Standards and Science (KRISS). Her interests include fiber optics, single-photon generation in the telecom band, quantum optics experiments, and quantum communication with single photons and continuous variables.

Woojin Seok, National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea

Woojin Seok is a principal researcher at the Korea Institute of Science and Technology Information (KISTI), Daejeon, Korea. He received his B.S. from the School of Computer Engineering, Kyungpuk University, his M.S. from the School of Computer Science at UNC Chapel Hill, and his Ph.D. from the School of Computer Engineering, Chungnam University, in 1998, 2003, and 2008, respectively. His research interests include the TCP protocol, QKD networks, and wireless networks such as LoRa and private 5G.

Wonhyuk Lee, National Institute of Supercomputing and Networking Advanced KREONET Center, Korea Institute of Science and Technology Information, Daejeon, Korea

Wonhyuk Lee is a senior researcher at the Korea Institute of Science and Technology Information (KISTI), Daejeon, Korea. He received his B.S., M.S., and Ph.D. degrees from the School of Electrical, Electronic and Computer Engineering, Sungkyunkwan University, Korea, in 2001, 2003, and 2010, respectively. His research interests include quantum network management, network performance enhancement, and QKD networks.



Published

2021-02-17

Section

Data Science and Artificial Intelligence: Architecture, Use Cases, and Challenge