Multimodel-based Detection Framework for Robust Industrial Control Systems

Abstract / Summary

As attacks such as Stuxnet and BlackEnergy targeting the control systems of critical infrastructure have occurred, the importance of enhancing the security of facilities such as Industrial Control Systems (ICS) has emerged. In this thesis, we build an effective Network Intrusion Detection System (NIDS) that reflects a common characteristic of the ICS environment: communication between network nodes is relatively regular. In order to establish more effective detection models for the ICS environment, we propose a multimodel-based detection framework that combines four anomaly detection engines: a whitelist engine, a single packet anomaly detection engine, a packet sequence pattern detection engine, and a traffic anomaly detection engine. During detection, the whitelist engine flags as anomalous any packet whose header is not identified. The whitelist engine automatically constructs the whitelist from network packets based on pre-selected features of the packet header. The single packet anomaly detection engine copes with threats such as injection attacks, integrity attacks, and malformed packets. As learning-based single packet anomaly detection models, the system uses a model constructed with the well-known One Class SVM (OCSVM) learning method and a newly proposed representative detection model invented to overcome the limitations of OCSVM. We also consider the sequence of packets. The packet sequence pattern detection engine builds its detection model as a packet sequence pattern library, learned from the packet sequences of the normal dataset for each protocol. This engine is used to detect anomalies that involve a sequencing problem, such as packets out of order, packet duplication, or packet loss. Finally, we consider traffic anomaly detection to detect traffic anomalies such as bursts of traffic, network scanning, and packet flooding from a single node.
We validate the proposed detection framework with its four detection engines on a simulated ICS environment that reflects real-world traffic on the Korean power grid.
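As an added illustration (not the thesis's own code), the following Python sketch shows how two of the engines described above could be built from constructed Modbus-like packet records: the whitelist is learned from pre-selected header features of the normal traffic, and the sequence library stores per-protocol bigrams of function codes so that duplicated, lost or reordered packets surface as unseen patterns. The host addresses and function-code names are constructed sample values.

```python
"""Toy whitelist engine and packet-sequence pattern engine on constructed data."""
from collections import namedtuple

# Constructed packet records: header features used by the whitelist
# (source, destination, protocol) plus the protocol-level function code.
Pkt = namedtuple("Pkt", "src dst proto func")

# Constructed "normal" capture: one polling cycle repeated twice.
NORMAL = [
    Pkt("10.0.0.1", "10.0.0.10", "modbus", "read_coils"),
    Pkt("10.0.0.10", "10.0.0.1", "modbus", "read_coils_resp"),
    Pkt("10.0.0.1", "10.0.0.10", "modbus", "read_regs"),
    Pkt("10.0.0.10", "10.0.0.1", "modbus", "read_regs_resp"),
] * 2

# Constructed test capture: a duplicated response and an unknown host.
SUSPECT = NORMAL[:2] + [NORMAL[1]] + NORMAL[2:4] + [
    Pkt("10.0.0.99", "10.0.0.10", "modbus", "read_coils"),
]

def learn_whitelist(packets):
    """Whitelist engine: every (src, dst, proto) header seen in normal traffic."""
    return {(p.src, p.dst, p.proto) for p in packets}

def learn_sequence_library(packets, n=2):
    """Sequence engine: per-protocol set of n-grams of consecutive function codes."""
    lib = {}
    for proto in {p.proto for p in packets}:
        funcs = [p.func for p in packets if p.proto == proto]
        lib[proto] = {tuple(funcs[i:i + n]) for i in range(len(funcs) - n + 1)}
    return lib

def detect(packets, whitelist, lib, n=2):
    """Return (packet index, engine, reason) alerts for a captured stream."""
    alerts = []
    for i, p in enumerate(packets):
        if (p.src, p.dst, p.proto) not in whitelist:
            alerts.append((i, "whitelist", "unidentified header"))
    by_proto = {}
    for i, p in enumerate(packets):
        by_proto.setdefault(p.proto, []).append((i, p.func))
    for proto, seq in by_proto.items():
        known = lib.get(proto, set())
        for j in range(len(seq) - n + 1):
            gram = tuple(f for _, f in seq[j:j + n])
            if gram not in known:  # duplication, loss or reordering shows up here
                alerts.append((seq[j + n - 1][0], "sequence", f"unseen {proto} {gram}"))
    return alerts

if __name__ == "__main__":
    wl, lib = learn_whitelist(NORMAL), learn_sequence_library(NORMAL)
    print(detect(SUSPECT, wl, lib))
```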

Table of Contents

Chapter 1 Introduction 1
1.1 Contribution to the Field 3
1.2 Overall Framework 5
1.3 Thesis Outline 8
Chapter 2 Background and Related Works 9
2.1 Security Threat of Industrial Control System 9
2.2 Anomaly Detection System for Industrial Control System 11
Chapter 3 Multimodel-based Detection Framework 15
3.1 Raw Packet Preprocessor 15
3.2 Whitelist Engine 17
3.3 Single Packet Anomaly Detection Engine 20
3.4 Packet Sequence Pattern Detection Engine 29
3.5 Entropy-based Traffic Anomaly Detection Engine 33
Chapter 4 Experimental Methods and Results 35
4.1 Simulation Environment 35
4.2 Simulated Dataset Description 41
4.3 Results with Simulated Environment 46
4.4 Detection Results of Simulation Environment 60
4.5 Detection Framework Validation with Real-world Dataset 61
Chapter 5 Conclusion 63
5.1 Summary 63
5.2 Future Work 64
5.3 Closing Remarks 64