Detecting intrusions in encrypted control traffic

Maarten Hoeve
DOI: 10.1145/2516930.2516945 (https://doi.org/10.1145/2516930.2516945)
Published in: ACM workshop on Smart Energy Grid Security, 2013-11-08
Citations: 8

Abstract

Because of a lack of attack signatures and the varied forms attacks take, signature-based network intrusion detection systems currently provide insufficient protection for industrial control traffic. A combination of two anomaly detection approaches found in the literature, one based on network flows and the other on protocol-specific deep-packet inspection, seems able to detect many expected threats. Deep-packet inspection cannot be used, however, when payloads cannot be read because they are encrypted or the protocol is unfamiliar. This paper proposes an intrusion detection approach that does not need to inspect the payload and can still perform much the same function as the deep-packet approach. It consists of three steps: separate the insertions caused by commands from the background of polling-cycle traffic, recognize and react to known insertions, and alert on unknown insertions. The approach is implemented as searches for series of packets based on the edit distance from approximate string matching. Tests show that this implementation can perform the steps necessary for the approach.
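The three steps in the abstract, worked through on a constructed packet stream. This is an added illustration written for this page, not the paper's implementation: the token format (flow direction plus a size bucket, which needs no payload access), the polling cycle, the table of known command series and the error threshold are all assumptions chosen to show the mechanism.

```python
"""Payload-free detection of inserted command traffic in a polling-cycle stream.

Added illustration, not the paper's code.  Each packet is reduced to a token that
can be read from encrypted traffic, e.g. "direction:size-bucket".  Step 1 strips
the periodic polling background, step 2 matches the remaining runs against known
command series by edit distance, step 3 alerts on runs that match nothing.
"""
from collections import namedtuple

Insertion = namedtuple("Insertion", "start tokens")
Finding = namedtuple("Finding", "start kind name distance tokens")

# Constructed sample data (assumptions): a master polling two outstations.
CYCLE = ["m->o1:64", "o1->m:128", "m->o2:64", "o2->m:128"]
KNOWN = {
    "setpoint_write": ["m->o1:80", "o1->m:40"],
    "select_operate": ["m->o1:72", "o1->m:72", "m->o1:72", "o1->m:72"],
}
OBSERVED = (
    CYCLE * 2
    + ["m->o1:80", "o1->m:40"]                                     # known, exact
    + CYCLE
    + ["m->o1:72", "m->o1:72", "o1->m:72", "m->o1:72", "o1->m:72"]  # known, one retransmit
    + CYCLE
    + ["m->o2:500", "o2->m:40", "o2->m:40"]                         # unknown series
    + CYCLE
)


def edit_distance(a, b):
    """Levenshtein distance between two token sequences (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ta in enumerate(a, 1):
        cur = [i]
        for j, tb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ta != tb)))
        prev = cur
    return prev[-1]


def strip_background(observed, cycle):
    """Step 1: separate packets of the expected polling cycle from inserted packets.

    A pointer walks the periodic cycle.  A token equal to the expected cycle token is
    background; a token equal to a later position within one cycle is taken as the
    cycle resuming after dropped packets.  Anything else is an insertion, and
    consecutive insertion tokens form one run.  Returns (background_count, runs).
    """
    n = len(cycle)
    idx, background, runs, current = 0, 0, [], None
    for pos, tok in enumerate(observed):
        ahead = next((k for k in range(n) if cycle[(idx + k) % n] == tok), None)
        if ahead is not None:
            idx = (idx + ahead + 1) % n
            background += 1
            current = None
        else:
            if current is None:
                current = Insertion(pos, [])
                runs.append(current)
            current.tokens.append(tok)
    return background, runs


def classify(run, known, max_errors):
    """Steps 2 and 3: label a run 'known' if some command series is within max_errors
    edits of it (tolerating retransmissions or drops), otherwise 'unknown'."""
    best_name, best_dist = None, None
    for name, pattern in known.items():
        d = edit_distance(run.tokens, pattern)
        if best_dist is None or d < best_dist:
            best_name, best_dist = name, d
    if best_dist is not None and best_dist <= max_errors:
        return Finding(run.start, "known", best_name, best_dist, run.tokens)
    return Finding(run.start, "unknown", None, best_dist, run.tokens)


def detect(observed, cycle, known, max_errors=1):
    """Run all three steps; returns (background_packet_count, list of Finding)."""
    background, runs = strip_background(observed, cycle)
    return background, [classify(r, known, max_errors) for r in runs]


if __name__ == "__main__":
    bg, findings = detect(OBSERVED, CYCLE, KNOWN)
    print(f"{bg} background packets out of {len(OBSERVED)}")
    for f in findings:
        label = f.name if f.kind == "known" else "ALERT: unknown insertion"
        print(f"offset {f.start:3d} dist {f.distance} {label}: {f.tokens}")
```

Two caveats worth keeping in mind when reading the output. A run is compared as a whole, so two known commands issued back to back would surface as one unknown run unless the run is first split by an approximate substring search; and an inserted packet whose token happens to equal a cycle token is absorbed into the background, which is why the token alphabet (size buckets, flow identifiers) has to be chosen so that command traffic is distinguishable from polls. The threshold `max_errors` trades tolerance of retransmissions against the chance of a foreign series being accepted as a known one.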