Detecting control system misbehavior by fingerprinting programmable logic controller functionality

Authors: Stockman, M; Dwivedi, D; Gentz, R; Peisert, S

Abstract: © 2019 Elsevier B.V. In recent years, attacks such as the Stuxnet malware have demonstrated that cyberattacks against control systems can cause extensive damage, including physical damage to the networked systems under their control. In this paper, we discuss our approach for detecting such attacks by distinguishing between programs running on a programmable logic controller (PLC) without having to monitor communications. Using power signatures generated by an attached, high-frequency power measurement device, we can identify what a PLC is doing and when an attack may have altered what the PLC should be doing. To accomplish this, we generated labeled data for testing our methods and applied feature engineering techniques and machine learning models. The results demonstrate that Random Forests and Convolutional Neural Networks classify programs with up to 98% accuracy for major program differences and 84% accuracy for minor differences. Our results can be used for both online and offline applications.
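As an added illustration of the approach the abstract describes (example code written for this page, not the authors' implementation, their data or their classifiers): fingerprint constructed PLC power traces with a few hand-engineered features, learn one centroid per known program, and raise an alert when a trace falls outside the spread seen for any known program. The scan-cycle profiles, program names, sample count, noise level and the 4x rejection threshold are all assumptions, and the paper's Random Forest and CNN classifiers are replaced by a nearest-centroid model so the example runs on the standard library alone. The physical intuition it demonstrates is that the dominant frequency of the power trace recovers the PLC scan-cycle period, while mean draw and swing per scan change when an attacker adds work to the program.

```python
import cmath
import math
import random

# Constructed scan-cycle power profiles (assumed, not the paper's data):
# (scan period in samples, [(samples, watts), ...]) describing one PLC scan cycle.
PROGRAMS = {
    "pump_ctl": (16, [(8, 1.0), (8, 1.6)]),      # short scan, heavier logic block
    "valve_ctl": (32, [(16, 1.0), (16, 1.4)]),   # long scan, lighter logic block
}
# Attacker-modified pump_ctl: same scan period, extra I/O work appended to each cycle.
TAMPERED_PUMP = (16, [(8, 1.0), (4, 1.6), (4, 2.2)])

SAMPLES = 256        # samples per trace (assumed high-frequency meter window)
NOISE_SIGMA = 0.05   # additive Gaussian measurement noise, in watts (assumed)


def make_trace(profile, seed):
    """Synthesize one power trace: the cycle pattern repeated, plus Gaussian noise."""
    period, segments = profile
    cycle = [watts for count, watts in segments for _ in range(count)]
    assert len(cycle) == period
    rng = random.Random(seed)
    return [cycle[i % period] + rng.gauss(0.0, NOISE_SIGMA) for i in range(SAMPLES)]


def extract_features(trace):
    """Hand-engineered features: mean draw, std, dominant DFT bin and its magnitude.

    The dominant bin of the mean-removed trace recovers the scan-cycle period
    (bin k <=> period len(trace)/k); its magnitude tracks the power swing per scan.
    """
    n = len(trace)
    mean = sum(trace) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in trace) / n)
    centred = [x - mean for x in trace]
    mags = []
    for k in range(1, n // 2 + 1):   # direct DFT, O(n^2); fine for n = 256
        acc = sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        mags.append(abs(acc))
    dom = max(range(len(mags)), key=mags.__getitem__)
    return [mean, std, float(dom + 1), mags[dom]]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(labeled_traces):
    """Nearest-centroid model over z-scored features (stand-in for the paper's RF/CNN).

    labeled_traces: iterable of (program_name, trace). The rejection threshold is
    4x the largest distance any training trace has from its own centroid
    (a design choice for this example, not a value from the paper).
    """
    feats = [(label, extract_features(t)) for label, t in labeled_traces]
    dims = len(feats[0][1])
    mu = [sum(f[d] for _, f in feats) / len(feats) for d in range(dims)]
    # 'or 1.0' guards a feature that is constant across the training set
    sd = [math.sqrt(sum((f[d] - mu[d]) ** 2 for _, f in feats) / len(feats)) or 1.0
          for d in range(dims)]

    def zscore(f):
        return [(f[d] - mu[d]) / sd[d] for d in range(dims)]

    centroids = {}
    for label in sorted({l for l, _ in feats}):
        members = [zscore(f) for l, f in feats if l == label]
        centroids[label] = [sum(m[d] for m in members) / len(members) for d in range(dims)]
    spread = max(_dist(zscore(f), centroids[l]) for l, f in feats)
    return {"mu": mu, "sd": sd, "centroids": centroids, "threshold": 4.0 * spread}


def classify(model, trace):
    """Return (program_name, distance). program_name is None when no known program
    fits, i.e. the PLC is doing something it was never fingerprinted doing."""
    f = extract_features(trace)
    zf = [(f[d] - model["mu"][d]) / model["sd"][d] for d in range(len(f))]
    label, dist = min(((l, _dist(zf, c)) for l, c in model["centroids"].items()),
                      key=lambda pair: pair[1])
    return (None if dist > model["threshold"] else label), dist


if __name__ == "__main__":
    training = [(name, make_trace(PROGRAMS[name], 10 * i + j))
                for i, name in enumerate(PROGRAMS) for j in range(5)]
    model = train(training)
    for desc, profile in [("pump_ctl", PROGRAMS["pump_ctl"]),
                          ("valve_ctl", PROGRAMS["valve_ctl"]),
                          ("tampered pump_ctl", TAMPERED_PUMP)]:
        label, dist = classify(model, make_trace(profile, 99))
        print(f"{desc:18s} -> {label or 'UNKNOWN (alert)'}  distance={dist:.2f}")
```

The tampered variant keeps the same scan period (so the dominant bin still says "pump_ctl") but its mean draw, variance and per-scan swing all move several standard deviations away from the training spread, which is what trips the rejection. A real deployment would train on traces captured from the actual PLC under each approved program, and the margin between "minor difference" and measurement noise is exactly where the paper's harder 84% case lives.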
