NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers
Yu-jun XIAO, Wen-yuan XU, Zhen-hua JIA, Zhuo-ran MA, Dong-lian QI
Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks intended to cause catastrophic physical damage. As one of the most critical components in an ICS, the programmable logic controller (PLC) controls the actuators directly, so a PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeting PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software, so an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive power-based anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC by analyzing its power consumption, which is measured by inserting a shunt resistor in series with the PLC's CPU while it executes instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace and then train a long short-term memory (LSTM) neural network on the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified by comparing the predicted sample with the actual sample. The advantages of our method are that it requires no software modification on the original system and that it detects unknown attacks effectively. The method is evaluated on a lab testbed; for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.
Industrial control system / Programmable logic controller / Side-channel / Anomaly detection / Long short-term memory neural networks
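As an added example (not code from the paper; its LSTM and testbed data are not reproduced here), the detection pipeline the abstract describes, in pure Python: per-cycle features from a constructed power trace, a model fitted on normal cycles only, a threshold calibrated from normal prediction error, and flagging by predicted-versus-actual comparison. A per-feature AR(1) least-squares predictor stands in for the LSTM; the scan-cycle length, instruction power levels, noise level and trojan modification are all constructed assumptions.

```python
import math
import random
CYCLE = 16  # constructed scan cycle: one power sample per instruction slot (illustrative levels)
NORMAL_PROGRAM = [1.0, 1.2, 0.9, 1.5, 1.1, 1.0, 0.8, 1.3, 1.0, 1.4, 0.9, 1.1, 1.2, 1.0, 0.8, 0.7]
TROJAN_PROGRAM = NORMAL_PROGRAM[:15] + [1.9]  # hypothetical trojan: extra work in the idle slot

def simulate_trace(program, cycles, noise, rng):  # voltage over the shunt: level + ADC noise
    return [lvl + rng.gauss(0.0, noise) for _ in range(cycles) for lvl in program]

def window_features(w):
    """Feature set for one scan cycle: mean, RMS, peak and mean absolute slope."""
    rms = math.sqrt(sum(x * x for x in w) / len(w))
    slope = sum(abs(b - a) for a, b in zip(w, w[1:])) / (len(w) - 1)
    return (sum(w) / len(w), rms, max(w), slope)

def extract(trace):  # one feature vector per scan cycle
    return [window_features(trace[i:i + CYCLE]) for i in range(0, len(trace) - CYCLE + 1, CYCLE)]

def fit_predictor(normal):
    """Stand-in for the paper's LSTM: per-feature AR(1) x[t+1] = a*x[t] + b, least-squares fit on normal cycles only."""
    params = []
    for j in range(len(normal[0])):
        xs, ys = [f[j] for f in normal[:-1]], [f[j] for f in normal[1:]]
        mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
        var = sum((x - mx) ** 2 for x in xs)
        a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var if var > 1e-12 else 0.0
        params.append((a, my - a * mx))
    return params

def prediction_errors(params, feats):
    """Distance between the prediction made from the previous cycle and the actual feature vector."""
    return [math.dist([a * x + b for (a, b), x in zip(params, feats[i - 1])], feats[i])
            for i in range(1, len(feats))]

def calibrate(params, normal, k=5.0):
    """Threshold = mean + k*std of the prediction error on normal data; no attack samples needed."""
    errs = prediction_errors(params, normal)
    mu = sum(errs) / len(errs)
    return mu + k * math.sqrt(sum((e - mu) ** 2 for e in errs) / len(errs))

def detect(params, threshold, feats):  # cycle indices whose measured features deviate from the prediction
    return [i + 1 for i, e in enumerate(prediction_errors(params, feats)) if e > threshold]

def run_demo(seed=1, noise=0.02):  # fit and calibrate on normal cycles, then score normal and trojan traces
    rng = random.Random(seed)
    train = extract(simulate_trace(NORMAL_PROGRAM, 200, noise, rng))
    params = fit_predictor(train)
    threshold = calibrate(params, train)
    score = lambda program: detect(params, threshold, extract(simulate_trace(program, 100, noise, rng)))
    return threshold, score(NORMAL_PROGRAM), score(TROJAN_PROGRAM)
```

Because the threshold comes from normal data alone, the same calibration flags any program whose per-cycle power signature departs from the trained one, not only the constructed trojan.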