Anomaly Detection Based on Temporal Behavior Monitoring in Programmable Logic Controllers
Abstract
1. Introduction
2. Related Works
3. Anomaly Detection Method Based on Temporal Behavior
3.1. Detecting CPU Usage Anomaly
3.2. Detecting Control-Flow Anomaly
3.3. Implementation
4. Experimental Results
5. Conclusions
Author Contributions
Funding
Conflicts of Interest
References
Component | Specification |
---|---|
PLC hardware | TMDSDOCK28335; MCU: TMS320 (32-bit @ 150 MHz); Memory: 512 KB |
Operating system | uC/OS-II |
Water level sensor | FIT0212 |
UART | CP2102 (300~1 Mbps) |
Water pump | DWP-370N |
Motor driver | L298 (2 A, 5 V~35 V) |

Task | Priority | Execution Time | Period | Description |
---|---|---|---|---|
Comm | 1 | 5 ms | 40 ms | communication with EWS and devices |
Control | 2 | 10 ms | 40 ms | motor control logic |
Statistics | 3 | 8 ms | 40 ms | tracking CPU utilization |
Monitor | 4 | 7 ms | 80 ms | detecting behavioral anomaly |
CallFlow | 4 | 4 ms | - | detecting control-flow anomaly |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Han, S.; Lee, K.; Cho, S.; Park, M. Anomaly Detection Based on Temporal Behavior Monitoring in Programmable Logic Controllers. Electronics 2021, 10, 1218. https://doi.org/10.3390/electronics10101218