
A Comprehensive Network Anomaly Detection Framework based on Protocol Reverse Engineering for Industrial Control System

Abstract

With the advent of the Fourth Industrial Revolution, industrial control systems (ICS) are adopting Ethernet-based communication. Connectivity and interoperability have increased as a result, but new security threats are emerging as the boundaries between hierarchical levels disappear and connections to external devices multiply. Because ICS are deployed in critical infrastructure, a successful cyberattack causes enormous social and economic damage. ICS cyberattacks are in fact increasing, and they are becoming more sophisticated and advanced. Coping with such advanced attacks requires an anomaly detection system specialized for ICS, yet security incidents are expected to continue because most ICS sites still rely on security based on an isolated network environment. In this thesis, we propose an anomaly detection framework for detecting cyberattacks in Ethernet-based ICS networks. The framework is built on traffic classification and protocol reverse engineering that require no detailed knowledge of each protocol field. For traffic classification and protocol reverse engineering, we propose a series of techniques that infer structure and semantics from collected network data and thereby extract characteristics usable for anomaly detection without detailed knowledge of each site. For anomaly detection, we propose a framework that applies a defense-in-depth approach based on the deterministic nature of the extracted characteristics. We verified the effectiveness of these techniques experimentally, comparing them with expert-knowledge-based methods.
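The two stages the abstract describes, as an added illustration that is not the thesis's own code or method: a byte-level field profile is inferred from captured payloads with no protocol specification (each offset classified as constant, enumerated or variable from the values it takes), and a layered, deterministic check is then run against that profile. The 12-byte Modbus/TCP-shaped request layout, the three periodic polls used as baseline traffic, the `ENUM_MAX` threshold and the three check layers are all assumptions made for this example.

```python
"""Added example, not from the thesis: spec-free field inference over captured
ICS payloads, followed by layered deterministic anomaly detection."""

ENUM_MAX = 8   # assumption: an offset taking <= 8 distinct values is an enumerated field


def make_frame(tx_id, unit, func, addr, qty):
    """Constructed 12-byte request shaped like a Modbus/TCP read:
    [tx id 2][proto id 2][length 2][unit 1][function 1][address 2][quantity 2]."""
    return (tx_id.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x06"
            + bytes([unit, func]) + addr.to_bytes(2, "big") + qty.to_bytes(2, "big"))


# Constructed baseline capture: three periodic polls on a quiet plant network.
# Transaction ids are spread so the counter bytes look variable, not constant.
TRAINING = (
    [make_frame(i * 300, 1, 3, 0x0000, 10) for i in range(0, 40)]     # PLC1 holding regs
    + [make_frame(i * 300, 1, 1, 0x0100, 8) for i in range(40, 70)]   # PLC1 coils
    + [make_frame(i * 300, 2, 3, 0x0020, 4) for i in range(70, 100)]  # PLC2 holding regs
)


def infer_profile(frames):
    """Stage 1: protocol reverse engineering without field knowledge.
    Each byte offset is classified from the values seen across the capture:
    'const' (one value), 'enum' (few values: unit, function, address...),
    'var' (many values: a transaction counter). Non-variable offsets are also
    recorded jointly, so combinations never observed together can be caught
    even when every byte is individually known (field correlation)."""
    lengths = {len(f) for f in frames}
    width = max(lengths)
    values = [set() for _ in range(width)]
    for f in frames:
        for off, b in enumerate(f):
            values[off].add(b)
    kinds = ["const" if len(v) == 1 else "enum" if len(v) <= ENUM_MAX else "var"
             for v in values]
    fixed_offsets = [o for o, k in enumerate(kinds) if k != "var"]
    joint = {tuple(f[o] for o in fixed_offsets) for f in frames if len(f) == width}
    return {"lengths": lengths, "kinds": kinds, "values": values,
            "fixed_offsets": fixed_offsets, "joint": joint}


def detect(profile, frame):
    """Stage 2: defense-in-depth as three deterministic layers.
    Returns a list of (layer, message); an empty list means the frame matches
    the learned profile. L1 structure, L2 per-field value, L3 field correlation."""
    alerts = []
    if len(frame) not in profile["lengths"]:
        alerts.append(("L1", f"length {len(frame)} not in {sorted(profile['lengths'])}"))
        return alerts  # later layers assume the learned layout
    for off, (kind, allowed) in enumerate(zip(profile["kinds"], profile["values"])):
        if kind != "var" and frame[off] not in allowed:
            alerts.append(("L2", f"offset {off} ({kind}): 0x{frame[off]:02x} never seen"))
    combo = tuple(frame[o] for o in profile["fixed_offsets"])
    if combo not in profile["joint"]:
        alerts.append(("L3", "field values individually known but never observed together"))
    return alerts


PROFILE = infer_profile(TRAINING)

# Constructed test frames.
NORMAL = make_frame(12345, 1, 3, 0x0000, 10)     # PLC1 poll with an unseen tx id
WRITE = make_frame(12346, 1, 16, 0x0000, 10)     # function 16 never appeared on this network
CROSSED = make_frame(12347, 2, 1, 0x0100, 8)     # every byte known, combination never seen
TRUNCATED = NORMAL[:10]                          # malformed frame

if __name__ == "__main__":
    for name, frame in [("normal", NORMAL), ("write", WRITE),
                        ("crossed", CROSSED), ("truncated", TRUNCATED)]:
        print(name, detect(PROFILE, frame) or "ok")
```

The `CROSSED` frame is the case the correlation layer exists for: unit 2, function 1 and address 0x0100 each pass the per-offset whitelist, but PLC2 was never polled for coils in the baseline, so only L3 fires. The flip side is baseline coverage: had the capture been short enough that a counter's high byte never changed, that offset would be learned as constant and legitimate traffic would later trip L2, so the classification thresholds and capture window need to be validated against the site before the checks are enforced.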


Table of Contents

Chapter 1 Introduction
1.1 Overall Framework
1.2 Contribution to the Field
1.3 Thesis Outline
Chapter 2 Background
2.1 ICS Networks
2.2 ICS Communication Protocols
2.3 Related Work on Traffic Analysis for ICS Networks
2.4 Related Work on Protocol Reverse Engineering for ICS
2.5 Related Work on Anomaly Detection for ICS
Chapter 3 Protocol Reverse Engineering for ICS
3.1 Introduction
3.2 Traffic Classification
3.3 Protocol Reverse Engineering
3.4 Correlation Analysis of Payload Fields
3.5 Discussion
Chapter 4 Comprehensive Anomaly Detection for ICS
4.1 Introduction
4.2 Anomaly Detection Method
4.3 Experiment
4.4 Discussion
Chapter 5 Conclusion
5.1 Summary
5.2 Future Work
5.3 Closing Remarks
Bibliography
