Internet DRAFT - draft-li-sacm-anomaly-detection
draft-li-sacm-anomaly-detection
SACM Working Group S. Li
Internet Draft M. Wei
Interned status: Standards Track H. Wang
Expires: August 27, 2017 Q. Huang
P. Wang
J. Liao
Chongqing University of
Posts and Telecommunications
February 23, 2017
Anomaly Detection of Industrial Control System based on Modbus/TCP
draft-li-sacm-anomaly-detection-00
Abstract
Aiming at the vulnerability and security threat of Industrial
Control System, this document proposed a detection model based on
the characteristics of Modbus/TCP protocol.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on August 27, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
Li, et al. Expires August 27, 2017 [Page 1]
�
Internet-Draft Anomaly Detection of ICS February 2017
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction ................................................ 2
1.1. Requirements Notation .................................. 3
1.2. Terms Used ............................................. 3
2. Overview of the detection scheme ............................ 3
3. A detection model based on Modbus protocol features.......... 4
4. Security Considerations ..................................... 7
5. IANA Considerations ......................................... 7
6. References .................................................. 7
6.1. Normative References ................................... 7
6.2. Informative References ................................. 7
1. Introduction
With the development of industrialization and informatization,
increasing information technology is applied to the industrial field.
Due to the hardware and software, which are widely used in
Industrial Control Systems, come from different vendors, and the ICS
need to interact the information with the outside net, both of them
make Industrial Control Systems more and more open, and face more
security threats.
The research of anomaly detection for ICS is introduced as follows.
For example, the anomaly detection of communication protocol
datagram format has the premise of obtaining a specific proprietary
protocol specification, the detection method based on protocol
message format is liable to cause lower detection rate, and is not
easy to expand. Another anomaly detection mechanism is the
configuration of blacklist and whitelist, in order to realize this
mechanism, engineers need to run the system, and set the blacklist
and whitelist according to the ICS state.
In addition, most research work focus on intrusion detection
algorithm, the key to improve the detection rate is to extract
efficient features of anomaly detection. Research on intrusion
Li, et al. Expires August 27, 2017 [Page 2]
�
Internet-Draft Anomaly Detection of ICS February 2017
detection algorithm shows that, the basic principle of neural
network method is to use learning algorithm to study the
relationship between input and output vectors, and to sum up a new
input-output relationship. The neural network algorithm has rather
high computational complexity, and very large demand for samples,
while it is difficult for Industrial Control System to extract more
samples. Genetic algorithm is a natural selection based on the best
search algorithm, but it has higher coding complexity, and longer
training time.
However, Support Vector Machine algorithm is a kind of data
classification method based on statistical learning theory. It has
many advantages, such as few samples, good generalization and global
optimization. Therefore, the SVM algorithm based on clustering is
suitable for the anomaly detection of ICS.
1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "MAY" in this document are to be interpreted
as described in [RFC2119]
1.2. Terms Used
ICS: Industrial Control System.
SVM: Support Vector Machines. SVM is specified in [CoVa1995].
Security: It means the specific security mechanism or security
algorithm.
2. Overview of the detection scheme
In this document, the establishment of the system anomaly detection
model is based on the periodic characteristics of Industrial Control
System and communication protocol message characteristics of
Modbus/TCP. The industrial control network equipment involved in the
anomaly detection process includes security gateway, programmable
logic controller, security management platform and controlled device,
wherein the security gateway includes an anomaly detection subsystem
and a packet depth analysis system. The packet depth analysis system
executes depth analysis and feature extraction for Modbus/TCP packet,
the anomaly detection subsystem is used to detect the underlying
network data and generate an alarm response to the abnormal data.
Depending on the specific technological process, the programmable
logic controller issues control commands to the controlled device
for orderly production. Security management platform is responsible
Li, et al. Expires August 27, 2017 [Page 3]
�
Internet-Draft Anomaly Detection of ICS February 2017
for the configuration of security mechanism and the handling of
abnormal alarm in the security gateway. Controlled equipment,
including level gauge, pressure gauge, temperature sensor and so on,
is responsible for the collection of physical quantity in the
industrial production process. The detection process is as follows.
(1) Capture the communication data between master and slave devices
through the security gateway, and then analyze the data.
(2) According to the packet format of Modbus/TCP protocol, the
packet depth analysis system directs at the feature fields that
should exist in the packet and the expected values for those fields,
analyzes the packets in depth layer-by-layer, and removes the excess
attribute characteristics, only leaving the characteristics related
to the system behavior patterns.
(3) According to the eigenvectors extracted by the packet depth
analysis system, the anomaly detection subsystem constructs the
classifier for the purpose of measurement, statistics and abnormal
detection, and sends an alarm to the security management platform
for abnormal results.
3. A detection model based on Modbus protocol features
Modbus/TCP is an application layer protocol that embeds a Modbus
frame into a TCP frame, its message transmission service is to
provide communication between client and server, and these devices
are connected to an Ethernet TCP/IP network. Modbus/TCP protocol is
specified in [RFC793] and [RFC791]. Modbus/TCP packets include two
parts, Modbus Application Protocol (MBAP) and Protocol Data Unit
(PDU). For the Modbus Application Protocol packet header, it
contains the transaction ID, protocol ID, length, and unit ID. The
protocol data unit includes the function code and data. The
transaction ID represents the packet identification of the Modbus
request/response transaction processing. The function code
represents the control command, which is sent by the master device
to the slave device, each specific function code represents a
different operation. According to the source address and the
destination address of the packet, the direction of transmission of
data packets is generated.
Extract transaction identifier, slave function code, slave
communication address, and packet transfer direction eigenvector,
port number elements as the eigenvector, and construct a number of
different categories of eigenvalues in the eigenvector, which makes
the description of the behavior pattern of the system more accurate
Li, et al. Expires August 27, 2017 [Page 4]
�
Internet-Draft Anomaly Detection of ICS February 2017
and reasonable, and the detection accuracy of detection model is
also improved.
An anomaly detection model of SVM based on K-means clustering is
constructed by the acquired eigenvectors, and these eigenvectors are
based on communication behaviors. This process is shown in Figure 1.
(1) The k-means clustering algorithm is used to preprocess the
protocol feature vector, which randomly selects the k objects as the
initialization cluster, and calculates the average of the data in
each cluster. The standard criterion function is used to determine
whether the cluster center is stable or not.
(2) By using the clustered data as the input data, the SVM
classifier is constructed.
(3) There are three main steps involved in SVM algorithm. Firstly,
construct the hyperplanes of classification. Secondly, select the
appropriate training parameters, which include the penalty factor
and the radial basis function. Finally, obtain the decision function
in SVM.
Li, et al. Expires August 27, 2017 [Page 5]
�
Internet-Draft Anomaly Detection of ICS February 2017
+------------+
| Receive |
|data packets|
+------------+
|
V
+---------------+ +-------------------------+
| Select the | |Construct a sample |
|kernel function| |vector based on the |
+---------------+ |protocol characteristics |
+-------------------------+
| |
V V
+-------------------+ +----------------+
| Set the | |The samples are |
|training parameters| |divided into |
+-------------------+ |k subclasses |
+----------------+
| |
V <------------------------
+---------------------+
| The clustering |
| result is obtained |
+---------------------+
|
V
+------------------+
| SVM classifier |
| is constructed |
+------------------+
|
V
+--------------------+ +----------------+
| Data classification|-------> |Data is abnormal|
+--------------------+ +----------------+
| |
V V
+--------------------+ +---------------+
| Industrial Control| |Security alerts|
| System is normal | +---------------+
+--------------------+
Figure 1 SVM anomaly detection model based on clustering
Li, et al. Expires August 27, 2017 [Page 6]
�
Internet-Draft Anomaly Detection of ICS February 2017
4. Security Considerations
TBD.
5. IANA Considerations
This memo includes no request to IANA.
6. References
6.1. Normative References
6.2. Informative References
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC791]
Postel J. RFC 791: Internet protocol[J]. 1981.
[RFC793]
Postel J. RFC 793: Transmission control protocol, September
1981[J]. Status: Standard, 2003, 88.
[CoVa1995]
Cortes C, Vapnik V. Support-vector networks[J]. Machine
learning, 1995, 20(3): 273-297.
Li, et al. Expires August 27, 2017 [Page 7]
�
Internet-Draft Anomaly Detection of ICS February 2017
Authors' Addresses
Shuaiyong Li
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: lishuaiyong@cqupt.edu.cn
Min Wei
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: weimin@cqupt.edu.cn
Hao Wang
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: wanghao@cqupt.edu.cn
Qingqing Huang
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: huangqq@cqupt.edu.cn
Ping Wang
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Li, et al. Expires August 27, 2017 [Page 8]
�
Internet-Draft Anomaly Detection of ICS February 2017
Chongqing, 400065
China
Phone: (86)-23-6246-1061
Email: wangping@cqupt.edu.cn
Jie Liao
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: 928053580@qq.com
Li, et al. Expires August 27, 2017 [Page 9]
�
