A Sequence-Aware Intrusion Detection System for Ethernet/IP Industrial Control Networks
Abstract
Industrial control systems (ICS) regulate and monitor critical cyber-physical systems such as the power grid and manufacturing plants. ICS networks are also vulnerable to cyber attacks, and existing defenses against these attacks are similar to those employed by traditional network intrusion detection systems (IDS). However, a typical IDS may not detect semantic attacks on the physical end devices because they follow the protocol specifications to bypass the IDS signatures. Sequence-based attacks, a subset of semantic attacks, can manipulate the ordering of valid commands to cause unsafe conditions for the physical devices. Based on a previous method of detecting sequence-based attacks by using discrete-time Markov chains (DTMC) to model normal ICS network traffic, we implemented a DTMC model for the EtherNet/IP and CIP industrial protocols and observed its effectiveness at recognizing sequence-based attacks. We developed four additional methods for DTMC model creation and compared their ability to detect attacks that the previous method failed to observe. All methods successfully identified attacks causing invalid states or invalid transitions, and only two methods could find localized anomalies. The results confirmed that a DTMC-based sequence-aware IDS could help improve the security posture of national critical infrastructure and Department of the Navy control systems.
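The abstract names three detection outcomes for a DTMC-based sequence-aware IDS: invalid states (a command never seen in normal traffic), invalid transitions (two known commands in an order never seen), and localized anomalies (known commands in known orders, but an improbable local pattern). The example below is an added illustration and is not code from the report or from the Naval Postgraduate School; it trains a first-order DTMC from constructed traces of CIP-style command tokens (the token names and traces are constructed for the example, not captured traffic) and scores a new trace against it. Flagging a localized anomaly by the summed log-probability of a sliding window of transitions is one plausible approach chosen here, not the report's own method; the window size and threshold are assumptions.

```python
"""Toy DTMC sequence model for ICS command traces (added example, not the report's code)."""
import math
from collections import Counter, defaultdict

START = "<start>"  # synthetic state marking the beginning of a trace

# Constructed "normal" traces of CIP-style service tokens for one session each.
# These are sample inputs made up for the example, not captured EtherNet/IP traffic.
NORMAL_TRACES = [
    ["forward_open", "read_tag", "write_tag", "read_tag", "forward_close"],
    ["forward_open", "read_tag", "read_tag", "write_tag", "forward_close"],
    ["forward_open", "write_tag", "read_tag", "forward_close"],
]


class DtmcSequenceModel:
    """First-order discrete-time Markov chain over command tokens.

    States are the tokens seen in training; transition probabilities are the
    maximum-likelihood estimates from bigram counts in the normal traces.
    """

    def __init__(self):
        self.states = set()
        self.counts = defaultdict(Counter)  # counts[a][b]: times a was followed by b
        self.probs = {}                     # probs[a][b]: P(b | a)

    def fit(self, traces):
        for trace in traces:
            prev = START
            for tok in trace:
                self.states.add(tok)
                self.counts[prev][tok] += 1
                prev = tok
        self.probs = {
            a: {b: n / sum(c.values()) for b, n in c.items()}
            for a, c in self.counts.items()
        }
        return self

    def transition_prob(self, a, b):
        """P(b | a); 0.0 for any transition never observed in training."""
        return self.probs.get(a, {}).get(b, 0.0)

    def analyze(self, trace, window=3, min_window_logprob=-4.5):
        """Return (index, kind, detail) alerts for a trace.

        window / min_window_logprob are assumed tuning values: a run of `window`
        valid transitions whose summed log-probability falls below the threshold
        is reported as a localized anomaly.
        """
        alerts = []
        logps = []  # per-position log P(token | previous token); None if unscorable
        prev = START
        for i, tok in enumerate(trace):
            if tok not in self.states:
                alerts.append((i, "invalid_state", tok))
                logps.append(None)
            elif prev is None:
                # Previous token was unknown, so there is no transition to score.
                logps.append(None)
            else:
                p = self.transition_prob(prev, tok)
                if p == 0.0:
                    alerts.append((i, "invalid_transition", f"{prev}->{tok}"))
                    logps.append(None)
                else:
                    logps.append(math.log(p))
            prev = tok if tok in self.states else None

        # Localized anomaly: every transition in the window is valid, but the
        # window as a whole is improbable under the normal-traffic model.
        for i in range(window - 1, len(trace)):
            w = logps[i - window + 1 : i + 1]
            if all(x is not None for x in w) and sum(w) < min_window_logprob:
                alerts.append((i, "localized_anomaly", " ".join(trace[i - window + 1 : i + 1])))
        return alerts


if __name__ == "__main__":
    model = DtmcSequenceModel().fit(NORMAL_TRACES)
    suspicious = [
        ["forward_open", "read_tag", "reset_device", "forward_close"],        # unknown command
        ["forward_open", "read_tag", "forward_close", "write_tag"],           # write after close
        ["forward_open"] + ["read_tag"] * 5 + ["forward_close"],              # valid but unusual
    ]
    for t in suspicious:
        print(t, "->", model.analyze(t))
```

The three suspicious traces exercise one detection outcome each: an unknown token is an invalid state, a known token following a known token in an order absent from training is an invalid transition, and a long run of reads is built only from transitions the model has seen, so it is caught only by the window score.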
Document Details
- Document Type: Technical Report
- Publication Date: Sep 01, 2020
- Accession Number: AD1126684
Entities
People
- Jonathan L. Wetzel
Organizations
- Naval Postgraduate School