Abstract

By violating semantic constraints that the control process imposes, a semantic attack leads Industrial Control Systems (ICS) into an undesirable or critical state. The spread of semantic attacks has caused huge economic losses and casualties in critical infrastructure. Detecting semantic attacks is therefore an urgent and critical task. However, few existing detection techniques achieve satisfactory results against semantic attacks on ICS, because they demand a complete description of critical state-based semantic behavior features, joint detection on state variables of multivariate types, and valid datasets of field states under semantic attacks. To address these challenges, we label device state databases with temporal characteristics and divide the impacts of semantic attacks on field device states into three categories: absent in states set, confused sequences, and irregular frequency. On this basis, we establish a behavioral model based on secondary labeling of the states-duration evolution graph (BMSLS), and then implement an adaptive, secure state-based semantic attack detection framework. Compared with the traditional Auto Regression (AR) algorithm, the newer time series correlation graph model, and five other deep learning algorithms, our proposed framework demonstrates a superior effect on the detection of semantic attacks.

Highlights

  • Also referred to as a sequence attack, a semantic attack is a kind of activity that is legal at the protocol level yet violates semantic constraints that a process imposes, including both semantically incorrect messages (e.g., conflicting commands) and operations that lead the Industrial Control System (ICS)

  • We propose a behavioral model based on secondary labeling of the States-duration Evolution Graph (SEG), named BMSLS, which automatically labels the operation mode of field devices in the control system according to various device semantic behaviors, manifested as the duration of the device state and the order relationship between different device states

  • To accurately detect semantic attacks in real time, we feed the state data stream generated by the SCADA system in real time into the established behavioral model based on secondary labeling of SEG
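
The three impact categories from the abstract and the state-duration idea from the highlights, shown as an added example that is not the paper's BMSLS implementation: a simplified detector that learns known states, per-state duration bounds and observed transitions from attack-free data, then labels deviations in a new stream. The tank process, 1 Hz sampling, the `margin` tolerance, the bin count `k` and the reading of "irregular frequency" as an out-of-bounds state duration are assumptions.

```python
from itertools import groupby

def to_state(pump, valve, level, k=4):
    # Joint state: discrete actuator values plus the level (0-100 %) cut into k bins.
    return (pump, valve, min(int(level * k / 100), k - 1))

def to_runs(samples):
    # Collapse 1 Hz samples into (state, duration_seconds) pairs.
    return [(s, len(list(g))) for s, g in groupby(to_state(*x) for x in samples)]

def learn(runs, margin=0.25):
    # From attack-free runs keep: known states, duration bounds, observed transitions.
    seen, edges = {}, set()
    for i, (s, d) in enumerate(runs):
        lo, hi = seen.get(s, (d, d))
        seen[s] = (min(lo, d), max(hi, d))
        if i:
            edges.add((runs[i - 1][0], s))
    bounds = {s: (lo * (1 - margin), hi * (1 + margin)) for s, (lo, hi) in seen.items()}
    return bounds, edges

def detect(model, runs):
    bounds, edges = model
    alerts, prev = [], None
    for i, (s, d) in enumerate(runs):
        if s not in bounds:
            alerts.append((i, "absent_in_states_set"))
        else:
            if prev in bounds and (prev, s) not in edges:
                alerts.append((i, "confused_sequence"))
            lo, hi = bounds[s]
            if not lo <= d <= hi:
                alerts.append((i, "irregular_frequency"))
        prev = s
    return alerts

def cycle(fill_s=40, drain_s=40):
    # Constructed samples (pump, valve, level): fill with the pump, then drain.
    up = [(1, 0, 100 * t / fill_s) for t in range(fill_s)]
    down = [(0, 1, 100 - 100 * t / drain_s) for t in range(drain_s)]
    return up + down

MODEL = learn(to_runs(cycle() * 3))
SLOW_FILL = to_runs(cycle(fill_s=80))  # each fill state lasts twice as long
BOTH_ON = to_runs(cycle()[:40] + [(1, 1, 100.0)] * 10 + cycle()[40:])  # never-seen state
EARLY_DRAIN = to_runs(cycle()[:20] + cycle()[61:])  # drain begins near half level

if __name__ == "__main__":
    for name, runs in [("slow fill", SLOW_FILL), ("both on", BOTH_ON), ("early drain", EARLY_DRAIN)]:
        print(name, detect(MODEL, runs))
```

Each alert is a pair of run index and category, so a single run can carry both a sequence and a duration alert when an unexpected transition also lands in a state for an abnormal time.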

Summary

INTRODUCTION

Also referred to as a sequence attack, a semantic attack is a kind of activity that is legal at the protocol level yet violates semantic constraints that a process imposes, including both semantically incorrect messages (e.g., conflicting commands) and operations that lead the Industrial Control System (ICS). Methods that add semantic descriptions to network traffic characteristics, such as parameters related to control commands or trusted sensor measurements, have been proposed to satisfy the new detection requirements. This research has achieved periodic results, such as constructing description languages and secure state-rules, improving attack detection accuracy, and so on. In real ICS, the definition of critical state-based semantic behavior features is not comprehensive. Requirements for validity and credibility of field states datasets under semantic attacks. A state-based semantic attack detection scheme requires a more realistic and effective state dataset. Compared to existing secure state-rule construction and model-based methods, BMSLS has the following advantages.

Semantic attack
Detection methodologies of semantic attack
THE EFFECT OF SEMANTIC ATTACK ON DEVICE STATES
PROPOSED APPROACH
Constructing SEG
Behavioral model based on secondary labeling of SEG
Detection algorithm
EXPERIMENTS AND ANALYSIS
Impacts of discretional parameter k of continuous variables
Efficiency analysis and comparison
Findings
CONCLUSION AND FUTURE WORK