Anomaly Detection Based on Temporal Behavior Monitoring in Programmable Logic Controllers

Seungjae Han,Seongje Cho,Keonyong Lee,Moonju Park

doi:10.3390/electronics10101218

Seungjae Han, Seongje Cho + Show 2 more

Open Access

https://doi.org/10.3390/electronics10101218

Copy DOI

Journal: Electronics	Publication Date: May 20, 2021
Citations: 1	License type: CC BY 4.0

Affiliation: Dankook University, Incheon National University

Abstract

As Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the industrial Internet of things, cybersecurity threats to PLCs are also increasing. Adversaries can perform a denial of service (DoS) attack based on the transmission of a large number of network packets, and a control-logic injection attack through sophisticated packet transmission. We propose an approach to detecting and defending against attacks that exploit security vulnerabilities in a PLC system. In order to protect against indiscriminate packet transmission attacks that exploit uncontrolled resource consumption vulnerabilities, an abnormal temporal behavior detection method is proposed that monitors the CPU usage of tasks. If a temporal anomaly is detected, the proposed approach tries to detect control-flow anomalies by examining the sequences of function calls, then detects stack-based buffer overflow attacks. The proposed method is implemented in a water tank control system for evaluation purposes. The experimental results show that the proposed method can improve the security of the system by detecting anomalies in temporal behavior with little system overhead.

Highlights

Industrial Control System (ICS) may cause serious devastation in critical infrastructures, and Programmable Logic Controllers (PLCs) are very important in defending ICSs against the cyberattacks as PLCs are at the end of the control sequence, monitoring and controlling the physical system [3,4]
Temporal anomaly detection in this testbed system requires 28.75% of CPU utilization including the overhead of periodic monitoring CPU utilization, but the schedulability of the system is not affected because the execution period of the Statistic and the Monitor tasks are harmonically arranged with the PLC tasks, and the total utilization is only 66.25%
It is important to protect PLCs from malicious attacks, for PLCs are at the border between the computerized control system and the physical system

Summary

Introduction

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. A method for detecting a behavioral anomaly in task scheduling is presented to stop the DoS attacks by blocking the overrun of the misbehaving task. In case the control-flow alteration is detected, the proposed method reports that the integrity of the PLC software is compromised. Otherwise, it suspends the communication service of the PLC to protect the system from the DoS attack.

Related Works

Detecting CPU Usage Anomaly

Detecting Control-Flow Anomaly

Implementation

Experimental Results

Conclusions