Industrial Control Communication Research Articles

Development of a neural network structure for recognition of attacks in computer systems

The integration of industrial control communication networks and the Internet into the Industrial Control System (ICS) increases their vulnerability to cyber-attacks, leading to devastating consequences. Traditional intrusion detection systems (IDS) mostly rely on predefined models and are trained mostly on specific cyber attacks, which means that traditional IDS cannot deal with unknown attacks In addition, most IDSs do not take into account the imbalance of ICS datasets, and therefore suffer from low accuracy and high false positives when used. In the article, we propose an NCO-double-layer DIFF_RF-OPFYTHON intrusion detection method for ICS, which consists of NCO modules, two-layer DIFF_RF modules, and OPFYTHON modules. Detected traffic will be divided into three categories by the two-layer DIFF_RF module: known attacks, unknown attacks, and normal traffic. Next, the known attacks will be classified by the OPFYTHON module into specific attacks according to the characteristics of the attack traffic. We use the NCO module to improve model inputs and improve model accuracy. The results show that the proposed method outperforms traditional intrusion detection methods such as XGboost and SVM. Detecting unknown attacks is also significant. The accuracy of the data set used in this article reaches 98.13%. The detection rate of unknown and known attacks reaches 98.21% and 95.1%, respectively. In this article, the basic modules of the classifier are shallow machine learning algorithms. This can be improved by using a more powerful neural network architecture. In the article, all detected unknown attacks are marked as one category. In further studies, the unknown attacks can be clustered and analyzed to further classify the detected unknown attacks. It is worth noting that the number of unknown attacks is only a small part, so it is difficult to classify unknown attacks using cluster analysis. Since training a more powerful neural network requires a lot of data, it is important to investigate how to train a new model when the number of samples belonging to that class is limited.

ICPFuzzer: proprietary communication protocol fuzzing by using machine learning and feedback strategies

The fuzzing test is able to discover various vulnerabilities and has more chances to hit the zero-day targets. And ICS(Industrial control system) is currently facing huge security threats and requires security standards, like ISO 62443, to ensure the quality of the device. However, some industrial proprietary communication protocols can be customized and have complicated structures, the fuzzing system cannot quickly generate test data that adapt to various protocols. It also struggles to define the mutation field without having prior knowledge of the protocols. Therefore, we propose a fuzzing system named ICPFuzzer that uses LSTM(Long short-term memory) to learn the features of a protocol and generates mutated test data automatically. We also use the responses of testing and adjust the weight strategies to further test the device under testing (DUT) to find more data that cause unusual connection status. We verified the effectiveness of the approach by comparing with the open-source and commercial fuzzers. Furthermore, in a real case, we experimented with the DLMS/COSEM for a smart meter and found that the test data can cause a unusual response. In summary, ICPFuzzer is a black-box fuzzing system that can automatically execute the testing process and reveal vulnerabilities that interrupt and crash industrial control communication. Not only improves the quality of ICS but also improves safety.

Anomaly detection for industrial control operations with optimized ABC–SVM and weighted function code correlation analysis

Under the tendency of interconnection and interoperability in Industrial Internet, anomaly detection, which has been widely recognized, has won significant accomplishments in industrial cyber security. However, a crucial issue is how to effectively extract industrial communication features which can accurately and comprehensively describe industrial control operations. Aiming at the function code field in industrial Modbus/TCP communication protocol, this paper proposes a novel feature extraction algorithm based on weighted function code correlation, which not only indicates the contribution of single function code in the whole function code sequence, but also analyzes the correlation of different function codes. In order to design a serviceable detection engine, a dynamic adjusting ABC–SVM (Artificial Bee Colony–Support Vector Machine) anomaly detection model based on double mutations is also developed to identify abnormal behaviors in industrial control communications. The experimental results show that the proposed feature extraction algorithm can effectively reflect the changes of function control behavior in industrial control communications, and the improved ABC–SVM anomaly detection model can strengthen the detection performance by comparing with other anomaly detection engines.

Simulation analysis of communication performance of PROFIBUS in single and multiple master mode

With the application of digital information technology and communication technology, industrial intelligence and integration also began to develop rapidly, and the importance of the research on bus communication in industrial control communication also increased. As the first international bus standard, PROFIBUS has been widely used in the field of industrial control; in recent years, it was mainly used to connect devices to the control layer and convert data through token transmission. Based on the understanding of the transmission mechanism of PROFIBUS fieldbus protocol, this article carries out a simulation study on its communication performance. Through analysis of the data link layer, changing the target token cycle time (high and low priority) and random setting each site message number, as well as the number of master station and slave station, how the main token latency and packet loss rate and efficiency of bus affect the change of performance parameters was observed. For multiple communication systems, the relationship between the address value on the main token ring and transport performance is found by experiments on the site address value on the main token ring and the target token cycle time value. Finally, the scheduling algorithm is applied to the communication scheduling of PROFIBUS fieldbus. The results confirm that the scheduling algorithm has better transmission efficiency than the traditional MAC media access protocol under the condition that the load rate does not exceed 100%, which makes up for the shortcomings of the original PROFIBUS bus system and makes the communication performance better.

Research and Implementation of Modbus TCP Security Enhancement Protocol

Considering the security problem of Modbus TCP protocol, such as the lack of authentication mechanism, the protection mechanism of data transmission and abuse of function code, a secure industrial control communication protocol(Modbus-S protocol) is designed based on the original Modbus TCP protocol, which uses symmetric key algorithm to ensure the confidentiality of data; the uniqueness of data is guaranteed by the synchronization mechanism based on hash algorithm; digital signature algorithm is used to ensure the verifiability and integrity of data; finally, “White List” filtering mechanism is used to manage function codes based on roles to effectively prevent abuse of function codes. Through the verification and analysis of experiment, Modbus-S can fully compensate for the design defects of Modbus TCP protocol. Compared with the existing methods, this method has higher security and can comprehensively improve the communication security of Modbus TCP protocol.

An Implementation of Convergence Security Solution for Overcoming of Security Vulnerabilities in Industrial Control Communication Network

As ICT has been introduced into the traditional industrial field and the convergence industry environment has been developed, the industrial devices operated as closed networks are exposed to external networks, resulting in increased security vulnerability. If ICT networks with open and bi-directional features control industrial devices using unprotected industrial protocols, the physical and economic damage will increase rapidly. General Internet security equipment can be applied, but it is impossible to completely block security threats. In this paper, we analyze security flaws in ICT convergence industry control network and propose security technology to overcome these vulnerabilities. In addition, the convergence industry security gateway system has been developed by applying DPI Filtering Technology, Self-Similarity Technology, OPC-UA Protocol Gateway Technology and Unidirectional Communication Technology proposed in this paper. This system can be applied to the ICT convergence industry to improve the overall security level, and it is expected that the stability of ICT convergence products and services, which cover a wide range of household devices including automobiles and TVs. Future research will develop an industrial standard protocol conversion technology such as MQTT in addition to OPC-UA, and improve the processing performance and bandwidth of the system.

Function-Aware Anomaly Detection Based on Wavelet Neural Network for Industrial Control Communication

Function control, which is an essential link in industrial automation, is undergoing a growing integration with ICTs (Information Communication Technologies) because of the flexible manufacturing and convenient interoperability in CPSs (Cyber-Physical Systems). However, it has also brought the increasing dangers of cyberattacks caused by malicious or intentional industrial process control exploitations. In order to effectively detect these cyber intrusions and anomalies, this paper proposes a function-aware anomaly detection approach based on WNN (Wavelet Neural Network), which perceives the abnormal function control changes in industrial control communication. By appropriately extracting the time-related function control characteristics from industrial communication packets, this approach builds an optimized wavelet neural network to model the normal function control behaviors and calculates the detection threshold to differentiate the aberrant industrial process control activities. Additionally, a real-world control system, whose communication protocol is Modbus/TCP, is simulated to furnish the analyzed function control data. According to the experimental results, we fully demonstrate this approach has the fine detection accuracy and adequate real-time capability.