Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

Today, the use of Ethernet-based protocols in industrial control system (ICS) communications has exposed supervisory control and data acquisition (SCADA) systems to attacks that originated in information technology (IT). In addition, the familiarity of Ethernet and TCP/IP, and the diversity and success of attacks against them, raise the security risks and cyber threats faced by ICS. The problem is compounded by the absence of encryption, authorization, and authentication mechanisms, since industrial communication protocols were designed for performance alone. Recent attacks such as Triton, Stuxnet, Havex, Dragonfly, and BlackEnergy, as well as the cyber-attack on Ukraine, were possible because of such weaknesses; they are carried over the protocols used between PLCs and I/O units, or between HMIs and engineering stations. There is a clear need for robust solutions that detect and prevent protocol-based cyber threats. In this paper, machine learning methods are evaluated for anomaly detection, specifically in EtherCAT-based ICS. To the best of the author's knowledge, no previous research has focused on machine learning algorithms for anomaly detection in EtherCAT. Before testing anomaly detection, an EtherCAT-based water level control system testbed was built. A total of 16 events in four categories were then generated and applied to the testbed, and the resulting dataset was used for anomaly detection. The results show that the k-nearest neighbors (k-NN) and support vector machine with genetic algorithm (SVM-GA) models perform best among the 18 techniques applied. In addition to detecting anomalies, these two methods flag the attack types better than the other techniques and are applicable in EtherCAT networks. The dataset and events can also be used in further studies, since ICS data is difficult to obtain because of the critical nature of the infrastructure and its continuous real-time operation.
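The abstract reports that k-NN performed best on features taken from EtherCAT traffic but does not show what such a pipeline looks like. The following is an added example, not code from the paper or its testbed: it parses raw EtherCAT frames (EtherType 0x88A4, 2-byte frame header, 10-byte datagram header, payload, 2-byte working counter, as in the EtherCAT specification), reduces each frame to a small feature vector, and classifies it with a plain k-nearest-neighbours model. The training frames, the feature set, and the two anomaly labels (`register_write`, `wkc_tamper`) are constructed for this example and are assumptions; they are not the paper's 16 events or its dataset.

```python
"""Added example: EtherCAT frame parsing + k-NN classification (not the paper's code)."""
import struct
from collections import Counter

ETHERTYPE_ECAT = 0x88A4
# EtherCAT datagram command codes (from the specification)
CMD_NAMES = {0: "NOP", 1: "APRD", 2: "APWR", 3: "APRW", 4: "FPRD", 5: "FPWR",
             6: "FPRW", 7: "BRD", 8: "BWR", 9: "BRW", 10: "LRD", 11: "LWR",
             12: "LRW", 13: "ARMW", 14: "FRMW"}
WRITE_CMDS = {2, 3, 5, 6, 8, 9, 11, 12, 13, 14}


def parse_frame(raw):
    """Return the list of datagrams carried by one raw Ethernet+EtherCAT frame."""
    if len(raw) < 16 or struct.unpack_from(">H", raw, 12)[0] != ETHERTYPE_ECAT:
        raise ValueError("not an EtherCAT frame")
    hdr = struct.unpack_from("<H", raw, 14)[0]        # bits 0-10 length, 12-15 type
    ecat_len, ecat_type = hdr & 0x07FF, hdr >> 12
    if ecat_type != 1:                                  # 1 = EtherCAT command frame
        raise ValueError("unsupported EtherCAT frame type %d" % ecat_type)
    datagrams, off, end = [], 16, 16 + ecat_len
    while True:
        cmd, idx, addr, lenflags, irq = struct.unpack_from("<BBIHH", raw, off)
        dlen = lenflags & 0x07FF                        # bit 15 = more datagrams follow
        more = bool(lenflags & 0x8000)
        payload = raw[off + 10: off + 10 + dlen]
        wkc = struct.unpack_from("<H", raw, off + 10 + dlen)[0]
        datagrams.append({"cmd": CMD_NAMES.get(cmd, cmd), "code": cmd, "idx": idx,
                          "addr": addr, "len": dlen, "payload": payload, "wkc": wkc})
        off += 12 + dlen
        if not more or off >= end:
            return datagrams


def build_frame(datagrams):
    """Build a raw frame from (cmd, idx, addr, payload, wkc) tuples (constructed input)."""
    body = b""
    for i, (cmd, idx, addr, payload, wkc) in enumerate(datagrams):
        more = 0x8000 if i < len(datagrams) - 1 else 0
        body += struct.pack("<BBIHH", cmd, idx, addr, len(payload) | more, 0)
        body += payload + struct.pack("<H", wkc)
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack(">H", ETHERTYPE_ECAT)
    return eth + struct.pack("<H", len(body) | (1 << 12)) + body


def cyclic(nbytes, wkc):
    """One LRW datagram exchanging nbytes of process data at logical address 0 (constructed)."""
    return (12, 0, 0x00000000, bytes(nbytes), wkc)


def frame_features(datagrams):
    """Assumed feature vector: datagram count, write-command count, payload bytes, WKC sum."""
    return (len(datagrams),
            sum(1 for d in datagrams if d["code"] in WRITE_CMDS),
            sum(d["len"] for d in datagrams),
            sum(d["wkc"] for d in datagrams))


def training_set():
    """Constructed, labelled training frames (assumed labels, not the paper's events)."""
    samples = []
    for n in (32, 32, 36):                 # normal cyclic process-data exchange
        samples.append((frame_features(parse_frame(build_frame([cyclic(n, 3)]))), "normal"))
    for n in (2, 4, 6):                    # extra FPWR aimed at a slave register (ADO 0x0120)
        f = [cyclic(32, 3), (5, 1, 0x01201001, bytes(n), 1)]
        samples.append((frame_features(parse_frame(build_frame(f))), "register_write"))
    for n in (32, 32, 36):                 # cyclic frame whose working counter is zero
        samples.append((frame_features(parse_frame(build_frame([cyclic(n, 0)]))), "wkc_tamper"))
    return samples


def knn_predict(train, x, k=3):
    """Majority label among the k nearest training vectors (squared Euclidean distance)."""
    ranked = sorted(train, key=lambda t: sum((a - b) ** 2 for a, b in zip(t[0], x)))
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]


def classify_frame(train, raw, k=3):
    """Parse a raw frame, extract features and return the k-NN label."""
    return knn_predict(train, frame_features(parse_frame(raw)), k)


if __name__ == "__main__":
    train = training_set()
    probes = [("cyclic ok", build_frame([cyclic(32, 3)])),
              ("cyclic, WKC 0", build_frame([cyclic(32, 0)])),
              ("cyclic + FPWR", build_frame([cyclic(32, 3), (5, 1, 0x01201001, bytes(4), 1)]))]
    for name, frame in probes:
        print("%-16s -> %s" % (name, classify_frame(train, frame)))
```

The feature vector is deliberately crude; in practice a detector would also key on datagram index, addressing mode, logical-address ranges and inter-frame timing, and the working counter check would be compared against the expected value for the configured slave chain rather than treated as a free feature.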
