MCFM: Discover Sensitive Behavior from Encrypted Traffic in Industrial Control System
Zhishen Zhu, Junzheng Shi, Chonghua Wang, G. Xiong, Zhiqiang Hao, Gaopeng Gou
2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), December 2022
DOI: 10.1109/TrustCom56396.2022.00124 (https://doi.org/10.1109/TrustCom56396.2022.00124)
To counter advanced persistent threats against industrial control systems (ICS), Siemens has developed S7CommPlus-TLS, a new, encrypted version of the S7CommPlus protocol; because payloads are encrypted, traditional DPI-based anomaly detection methods no longer apply. However, the ICS communication mode causes periodic traffic and sensitive-behavior traffic to overlap within the same flows, so mainstream encrypted-traffic classification methods perform poorly on S7CommPlus-TLS. We therefore design MCFM, a multiple-clustering framework that automatically extracts the sensitive behaviors of S7CommPlus-TLS from network traffic. The first clustering stage serves as a pre-processing model that separates periodic traffic from the overlapping flows and removes it, using the ICS communication mode as the criterion. The second clustering stage serves as a generator that extracts fingerprints of the sensitive behaviors. Comprehensive experiments on a simulation dataset covering six sensitive behaviors show that MCFM performs well and outperforms current state-of-the-art methods. To the best of our knowledge, this is the first work to analyze industrial control systems from the perspective of encrypted traffic analysis.
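The two-stage idea in the abstract (strip the periodic traffic first, then fingerprint what remains) can be illustrated on the metadata that stays observable under TLS: arrival time, direction and record length. The Python below is an added example written for this page, not the authors' MCFM implementation. It runs on a constructed trace rather than a real S7CommPlus-TLS capture, and it stands in for the paper's two clustering stages with a coefficient-of-variation test for periodicity (stage 1) and exact-match grouping of signed record-length sequences into bursts (stage 2). The hypothetical behaviours A and B, the record lengths, the 0.5 s polling interval and the thresholds are all assumptions.

```python
"""Two-stage sketch: strip periodic ICS polling traffic, then fingerprint the
residual bursts. Illustrative example, not the MCFM code from the paper."""
from collections import Counter
from statistics import mean, pstdev

# A record as seen on an encrypted S7CommPlus-TLS session: only the arrival
# time, the direction and the TLS record length are observable.
# direction: "c" = client -> PLC, "s" = PLC -> client
# Record = (timestamp_s, direction, length)


def build_sample_trace():
    """Constructed sample trace (assumption, not real capture data).

    A 0.5 s polling loop (97-byte request, 133-byte reply) runs throughout,
    and two hypothetical sensitive behaviours, A and B, are interleaved with
    it so that their records overlap the periodic traffic in time."""
    recs = []
    for i in range(20):
        t = i * 0.5
        recs.append((t, "c", 97))
        recs.append((t + 0.01, "s", 133))
    behaviour_a = [(0.00, "c", 412), (0.01, "s", 89), (0.03, "c", 1460),
                   (0.05, "c", 1460), (0.07, "s", 89)]
    behaviour_b = [(0.00, "c", 208), (0.02, "s", 310)]
    for start, seq in ((3.2, behaviour_a), (5.7, behaviour_b), (7.2, behaviour_a)):
        recs.extend((start + dt, d, n) for dt, d, n in seq)
    return sorted(recs)


def remove_periodic(records, cv_max=0.1, min_count=5):
    """Stage 1: every (direction, length) class whose inter-arrival times are
    nearly constant (coefficient of variation <= cv_max) is treated as
    periodic polling and dropped. Returns (periodic, residual)."""
    by_class = {}
    for t, d, n in records:
        by_class.setdefault((d, n), []).append(t)
    periodic_classes = set()
    for key, times in by_class.items():
        if len(times) < min_count:
            continue  # too rare to establish a period
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= cv_max:
            periodic_classes.add(key)
    periodic = [r for r in records if (r[1], r[2]) in periodic_classes]
    residual = [r for r in records if (r[1], r[2]) not in periodic_classes]
    return periodic, residual


def split_bursts(records, max_gap=0.2):
    """Group time-sorted records into bursts separated by silence > max_gap."""
    bursts, current = [], []
    for rec in records:
        if current and rec[0] - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)
    return bursts


def fingerprint(burst):
    """Signed length sequence: client records positive, PLC records negative."""
    return tuple(n if d == "c" else -n for _, d, n in burst)


def behaviour_fingerprints(records, stage1=True):
    """Stage 2: cluster bursts by exact fingerprint; returns a Counter.
    With stage1=False the polling records stay in the trace, and bursts that
    happen to start right after a poll absorb it, which is the overlap
    problem the pre-processing stage is meant to remove."""
    if stage1:
        _, records = remove_periodic(records)
    return Counter(fingerprint(b) for b in split_bursts(records))


if __name__ == "__main__":
    trace = build_sample_trace()
    for stage1 in (False, True):
        print("stage 1 applied:", stage1)
        for fp, count in behaviour_fingerprints(trace, stage1).items():
            print(f"  {count:2d} x {fp}")
```

Without stage 1 the poll pairs dominate the clusters and the behaviour bursts that begin shortly after a poll pick up its two records, so the same behaviour can yield different fingerprints depending on its phase relative to the polling loop; after stage 1 each behaviour collapses to a single fingerprint. A real deployment would need a tolerant distance between fingerprints rather than exact matching, and per-flow rather than per-session periodicity estimates.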