IFinger: Intrusion Detection in Industrial Control Systems via Register-Based Fingerprinting

Abstract

Nowadays, the industrial control system (ICS) plays a vital role in critical infrastructures like the power grid. However, there is an increasing security concern that ICS devices are being vulnerable to malicious users/attackers, where any subtle changing or tampering attack would cause significant damage to industrial manufacturing. In this paper, we propose the iFinger , a novel detection approach designed to mitigate ICS attacks adapting to various industrial scenes. We take advantage of an important insight that industrial protocol packets include register status values that are used to reflect the physical characteristics of ICS controllers. The iFinger utilizes register states to generate ICS fingerprints to detect malicious attacks on industrial networks. Specifically, the boolean logic represents every register state sequence of the ICS controller, and the deterministic finite automaton (DFA) generates a device fingerprint. To discover the ICS attacks, we propose two detection approaches based on device fingerprints, including passive and active detection. We present a prototype of the iFinger and conduct real-world experiments to validate its performance. Results show that our approach achieves 97.1% F1 score in ICS device identification. Furthermore, we simulate two typical ICS attacks (replacement and code modification) to validate the effectiveness of our iFinger in industrial networks. Our device fingerprints would detect those malicious attacks within 2s latency at 98.0% recall.