Detection of replay attack traffic in ICS network

Abstract

The malicious codes and attacks against ICS today are becoming more advanced and intelligent. The security risk for ICS is increasing, and it’s becoming more important to secure the cyber safety of ICS from these security threats. Recent ICS not only uses serial communication protocol, but also an Ethernet-based control communication protocol. Malicious codes attacking ICS attempts to imitate the corresponding control protocol to insert malware into the payload for communication, or imitates normal control packets for malicious control or disabling of control devices. Also, multiple presentations exist on the possible scenarios of various cyber attack targeting. However, current IDS/IPS for ICS functions with technology to detect attacks based on a blacklist, and thus cannot detect attacks exhibiting new techniques. In order to solve these problems, there have been recent studies on white list based attack detection technology for practical application on ICS. However, current studies on white list based detection technology utilizes a white list based on IP address, service port number information, etc., and thus cannot be utilized to detect attacks exhibiting a replay pattern or in which only data value is changed inside a normal command. This study suggests a technology that can detect attacks exhibiting a replay pattern against ICS, using white list based detection and machine learning to educate control traffic and apply the results to actual detection. © 2019, Springer Nature Switzerland AG.