Industrial Control System Intrusion Detection Model Based on S7 Protocol

doi:10.3969/j.issn.1671-1122.2019.11.002

Abstract

Abstract:

With the proposal of “made in China 2025” strategy, the integration of industrial control network and Internet technology is getting higher and higher. At the same time, the closeness of industrial control network has been broken to a certain extent, making the problem of industrial control network security increasingly serious. S7 protocol is a private protocol of Siemens company in Germany, which is widely used in the communication process of industrial control network. This paper proposes an industrial control composite intrusion detection model based on deep analysis and white list self-learning. The model uses deep analysis algorithm to realize the analysis of S7 data packets, dynamically builds a white list through white list self-learning algorithm, and uses the composite intrusion detection method of white list detection and abnormal behavior detection to detect anomalies. The experiments show that the method can effectively detect the abnormal S7 protocol packets in the industrial control network, and the detection accuracy can reach 98.3% at 5000/s packet rate.

Key words: protocol analysis, intrusion detection, white list self-learning, S7 protocol

CLC Number:

TP309

Zheng TIAN, Shu LI, Yizhen SUN, Xi LI. Industrial Control System Intrusion Detection Model Based on S7 Protocol[J]. Netinfo Security, 2019, 19(11): 8-13.

Figures/Tables 7

References 14

[1]	XIA Chunming, LIU Tao, WANG Huazhong, et al.Current Situation and Development Trend of Information Security in Industrial Control System[J]. Information Security and Technology, 2013, 4(2): 13-18.
	夏春明,刘涛,王华忠,等. 工业控制系统信息安全现状及发展趋势[J]. 网络空间安全,2013,4(2):13-18.
[2]	SADEGHI A R, WACHSMANN C, WAIDNER M.Security and Privacy Challenges in Industrial Internet of Things[C]//ACM. 2015 52nd Annual Design Automation Conference, June 7 - 11, 2015, San Francisco, California. New York: ACM, 2015: 1-6.
[3]	DRIAS Z, SERHROUCHNI A, VOGEL O.Analysis of Cyber Security for Industrial Control Systems[C]//IEEE. 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications, August 5-7, 2015, Shanghai, China. NJ: IEEE, 2015: 1-8.
[4]	MARCO C, EMMANUELE Z, FRANK K.Sequence-aware Intrusion Detection in Industrial Control Systems[C]//ACM. The 1st ACM Workshop on Cyber-Physical System Security, March 14-April 14, 2015, Singapore. New York: ACM, 2015: 13-24.
[5]	PONOMAREV S, ATKISON T.Industrial Control System Network Intrusion Detection by Telemetry Analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 13(2): 252-260.
[6]	TRIVEDI M.Toward Autonomic Security for Industrial Control Systems[D]. Starkville: Mississippi State University, 2015.
[7]	VASILOMANOLAKIS E, SRINIVASA S, CORDERO C G, et al.Multi-stage Attack Detection and Signature Generation with ICS Honeypots[C]//IEEE. 2016 IEEE/IFIP Network Operations and Management Symposium, April 25-29, 2016, Istanbul, Turkey. NJ: IEEE, 2016: 1227-1232.
[8]	PONOMAREV S, ATKISON T.Session Duration Based Feature Extraction for Network Intrusion Detection in Control System Networks[C]//IEEE. 2016 International Conference on Computational Science and Computational Intelligence, December 15-17, 2016. Las Vegas, NV, USA. NJ: IEEE, 2016: 892-896.
[9]	DUNLAP S, BUTTS J, LOPEZ J, et al.Using Timing-based Side Channels for Anomaly Detection in Industrial Control Systems[J]. International Journal of Critical Infrastructure Protection, 2016, 15: 12-26.
[10]	MUTHA A, TUTEJA M R R. Secure and Efficient Approach for Multilayer Cyber Security Based on Intrusion Detection System[J]. International Journal of Advent Research in Computer and Electronics, 2015, 2(2): 33-37.
[11]	GAI Keke, QIU Meikang, TAO Lixin, et al.Intrusion Detection Techniques for Mobile Cloud Computing in Heterogeneous 5G[J]. Security and Communication Networks, 2016, 9(16): 3049-3058.
[12]	VINAYAKUMAR R, SOMAN K P, VELAN K K S, et al. Evaluating Shallow and Deep Networks for Ransomware Detection and Classification[C]//IEEE. Sixth International Conference on Advances in Computing, Communications and Informatics(ICACCI-2017), September 13-16, 2017, Manipal, India. NJ: IEEE, 2017: 1282-1289.
[13]	CASELLI M, ZAMBON E, AMANN J, et al.Specification Mining for Intrusion Detection in Networked Control Systems[C]//USENIX Association. Proceedings of the 25th USENIX Security Symposium, August 10-12, 2016, Austin, United States. Austin: USENIX, 2016: 791-806.
[14]	KWON Y J, KIM H K, YONG H L, et al.A Behavior-based Intrusion Detection Technique for Smart Grid Infrastructure[C]//PowerTech. 2015 IEEE Eindhoven PowerTech, June 29 - July 2, 2015, Eindhoven, Netherlands. NJ: IEEE, 2015: 1-6.

异常类型	异常描述	白名单检测结果	异常行为检测
格式异常	非法IP	告警	未检测
格式异常	非法长度	告警	未检测
格式异常	非法端口号	告警	未检测
格式异常	非法协议类型	告警	未检测
格式异常	非法函数字段	告警	未检测
格式异常	非法地址字段	告警	未检测
格式异常	非法数据字段	告警	未检测
格式异常	非法文件名字段	告警	未检测
行为异常	高频响应	未告警	告警
行为异常	PLC异常关闭时间	未告警	告警
正常	COTP 连接包	未告警	未告警
正常	S7 正常数据包	未告警	未告警

[1]	Rong WANG, Chunguang MA, Peng WU. An Intrusion Detection Method Based on Federated Learning and Convolutional Neural Network [J]. Netinfo Security, 2020, 20(4): 47-54.
[2]	Wenhua LUO, Caidian XU. Network Intrusion Detection Based on Improved MajorClust Clustering [J]. Netinfo Security, 2020, 20(2): 14-21.
[3]	KANG Jian, WANG Jie, LI Zhengxu, ZHANG Guangda. A Model for Anomaly Intrusion Detection with Different Feature Extraction Strategies in IoT [J]. Netinfo Security, 2019, 19(9): 21-25.
[4]	FENG Wenying, GUO Xiaobo, HE Yuanye, XUE Cong. Intrusion Detection Model Based on Feedforward Neural Network [J]. Netinfo Security, 2019, 19(9): 101-105.
[5]	RAO Xuli, XU Pengna, CHEN Zhide, XU Li. Network Intrusion Detection with Incomplete Information Based on Deep Learning [J]. Netinfo Security, 2019, 19(6): 53-60.
[6]	LIU Jinghao, MAO Siping, FU Xiaomei. Intrusion Detection Model Based on ICA Algorithm and Deep Neural Network [J]. 信息网络安全, 2019, 19(3): 1-10.
[7]	CHEN Hong, XIAO Yue, XIAO Chenglong, CHEN Jianhu. The Intrusion Detection Method of SMOTE Algorithm with Maximum Dissimilarity Coefficient Density [J]. 信息网络安全, 2019, 19(3): 61-71.
[8]	ZHANG Yang, YAO Yuangang. Research on Network Intrusion Detection Based on Xgboost [J]. 信息网络安全, 2018, 18(9): 102-105.
[9]	ZHANG Gelin, LI Yong. Non-negative Matrix Factorization Optimization and Its Application in Network Intrusion Detection [J]. 信息网络安全, 2018, 18(8): 73-78.
[10]	WEI Shuning, CHEN Xingru, JIAO Yong, WANG Jin. Research on the Application of AR-OSELM Algorithm in Network Intrusion Detection [J]. 信息网络安全, 2018, 18(6): 1-6.
[11]	HE Xiang, LIU Sheng, JIANG Jiguo. Comparative Study of Intrusion Detection Methods Based on Machine Learning [J]. 信息网络安全, 2018, 18(5): 1-11.
[12]	LIU Chaoling, ZHANG Yan, YANG Huiran, WU Hongjing. Design and Implementation of a DPDK-based Virtual NIPS [J]. 信息网络安全, 2018, 18(5): 41-51.
[13]	CHEN Hongsong, WANG Gang, SONG Jianlin. Research on Anomaly Behavior Classification Algorithm of Internal Network User Based on Cloud Computing Intrusion Detection Data Set [J]. 信息网络安全, 2018, 18(3): 1-7.
[14]	ZHAO Xu, HUANG Guangqiu, CUI Yanpeng, WANG Mingming. Improvement of Selection Operator in Multithreading Model for Multimedia Packets in NIDS [J]. 信息网络安全, 2018, 18(10): 45-50.
[15]	CHENG Dongmei, YAN Biao, WEN Hui, SUN Limin. The Design and Implement of Rule Matching-based Distributed Intrusion Detection Framework for Industry Control System [J]. 信息网络安全, 2017, 17(7): 45-51.