Intrusion Detection Method for Industrial Control Systems Using Singular Spectrum Analysis

Asuka Terai, T. Chiba, Hideyuki Shintani, Shoya Kojima, Shingo Abe, I. Koshijima

Journal: Risk Analysis XI, volume 132 1
Publication date: 2018-06-06
Publication type: Journal Article
DOI: 10.2495/RISK180171 (https://doi.org/10.2495/RISK180171)
Citations: 2

Abstract

Because of their automated processing capabilities, industrial control systems (ICSs) currently play a crucial role in plant operations. It was not long before ICS had been completely insulated from the Internet. However, because of the improved reliability of ICS devices and systems, we could find only a few plants that did not use ICS in conjunction with the Internet. As a result, the extended accessibility of almost every ICS component makes such systems vulnerable to cyber-attacks. Because of this, intrusion detection systems, which monitor ICS network traffic and detect suspicious activities within the components themselves, are extremely important. Previous studies argued that packet intervals could ideally be regarded as indicators of the hazardous status of ICSs against hacking activities, and proposed intrusion detection methodologies relying solely on packet intervals. However, these methodologies with supervised machine-learning have inevitably been compromised by cyber-attacks whose characteristics are different than those of the training dataset. We hypothesize that packet intervals in an ICS network used for automated industrial processes, which are forced to produce a certain type of periodicity, reflect a particular type of packet interval patterns. In other words, certain anomalous behaviors never fail to interfere with this pattern. This paper proposes an intrusion detection method using a singular spectrum analysis to monitor time series packets. We evaluated our proposed method on our cybersecurity testbed using penetration tests. The results verified the validity of our system realized in the packet interval periodicity. Furthermore, we examined the optimum parameter set for the singular spectrum analysis in the proposed method. From this experiment, we successfully designated criteria for the parameter-set based on the period of the packet intervals during normal operations. 
The proposed method successfully detected all three types of attacks within 4 sec, without producing a false alert during normal operations.