
SACM Working Group                                               S. Li
Internet Draft                                                  M. Wei
Intended status: Standards Track                               H. Wang
Expires: August 27, 2017                                      Q. Huang
                                                               P. Wang
                                                               J. Liao
                                               Chongqing University of
                                          Posts and Telecommunications
                                                     February 23, 2017


  Anomaly Detection of Industrial Control System based on Modbus/TCP
                    draft-li-sacm-anomaly-detection-00


Abstract

   To address the vulnerabilities and security threats of Industrial
   Control Systems, this document proposes an anomaly detection model
   based on the characteristics of the Modbus/TCP protocol.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on August 27, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.



Li, et al.             Expires August 27, 2017                [Page 1]

 Internet-Draft          Anomaly Detection of ICS         February 2017


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents


   1. Introduction ................................................ 2
      1.1. Requirements Notation .................................. 3
      1.2. Terms Used ............................................. 3
   2. Overview of the detection scheme ............................ 3
   3. A detection model based on Modbus protocol features.......... 4
   4. Security Considerations ..................................... 7
   5. IANA Considerations ......................................... 7
   6. References .................................................. 7
      6.1. Normative References ................................... 7
      6.2. Informative References ................................. 7

1. Introduction

   With the progress of industrialization and informatization,
   information technology is increasingly applied in the industrial
   field.  Because the hardware and software widely used in Industrial
   Control Systems come from different vendors, and because an ICS
   must exchange information with external networks, Industrial
   Control Systems are becoming more and more open and face more
   security threats.

   Existing research on anomaly detection for ICS can be summarized as
   follows.  Anomaly detection based on the datagram format of the
   communication protocol presupposes access to the specification of a
   particular proprietary protocol; a detection method based on the
   message format tends to have a lower detection rate and is not easy
   to extend.  Another anomaly detection mechanism is the configuration
   of blacklists and whitelists; to realize this mechanism, engineers
   need to run the system and set the blacklist and whitelist
   according to the observed ICS state.

   In addition, most research work focuses on the intrusion detection
   algorithm, whereas the key to improving the detection rate is to
   extract efficient features for anomaly detection.  Research on
   intrusion detection algorithms shows that the basic principle of
   the neural network method is to use a learning algorithm to study
   the relationship between input and output vectors and to generalize
   it to new input-output pairs.  The neural network algorithm has
   rather high computational complexity and a very large demand for
   samples, while it is difficult to collect many samples from an
   Industrial Control System.  The genetic algorithm is a search
   algorithm based on natural selection of the best candidates, but it
   has higher coding complexity and a longer training time.

   In contrast, the Support Vector Machine (SVM) algorithm is a data
   classification method based on statistical learning theory.  It has
   many advantages, such as working with few samples, good
   generalization and global optimization.  Therefore, an SVM
   algorithm based on clustering is suitable for the anomaly detection
   of ICS.

1.1. Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "MAY" in this document are to be interpreted
   as described in [RFC2119].

1.2. Terms Used

   ICS: Industrial Control System.

   SVM: Support Vector Machines. SVM is specified in [CoVa1995].

   Security: the specific security mechanism or security algorithm in
   use.

2. Overview of the detection scheme

   In this document, the system anomaly detection model is built on
   the periodic characteristics of the Industrial Control System and
   on the message characteristics of the Modbus/TCP communication
   protocol.  The industrial control network equipment involved in the
   anomaly detection process includes the security gateway, the
   programmable logic controller, the security management platform and
   the controlled devices.  The security gateway contains an anomaly
   detection subsystem and a packet depth analysis system.  The packet
   depth analysis system performs depth analysis and feature extraction
   on Modbus/TCP packets; the anomaly detection subsystem inspects the
   underlying network data and generates an alarm response to abnormal
   data.  Depending on the specific technological process, the
   programmable logic controller issues control commands to the
   controlled devices for orderly production.  The security management
   platform is responsible for configuring the security mechanism and
   for handling the abnormal alarms raised by the security gateway.
   The controlled equipment, including level gauges, pressure gauges,
   temperature sensors and so on, is responsible for collecting the
   physical quantities of the industrial production process.  The
   detection process is as follows.

   (1) Capture the communication data between master and slave devices
   at the security gateway, and then analyze the data.

   (2) According to the packet format of the Modbus/TCP protocol, the
   packet depth analysis system identifies the feature fields that
   should exist in the packet and the expected values of those fields,
   analyzes the packet in depth layer by layer, and removes the
   surplus attributes, leaving only the characteristics related to the
   behavior patterns of the system.

   (3) From the eigenvectors extracted by the packet depth analysis
   system, the anomaly detection subsystem constructs the classifier
   used for measurement, statistics and anomaly detection, and sends
   an alarm to the security management platform for abnormal results.

3. A detection model based on Modbus protocol features

   Modbus/TCP is an application layer protocol that embeds a Modbus
   frame in a TCP segment; its message transmission service provides
   communication between a client and a server connected over an
   Ethernet TCP/IP network.  The Modbus/TCP protocol is specified in
   [RFC793] and [RFC791].  A Modbus/TCP packet has two parts, the
   Modbus Application Protocol (MBAP) header and the Protocol Data
   Unit (PDU).  The MBAP header contains the transaction ID, protocol
   ID, length, and unit ID.  The PDU contains the function code and
   the data.  The transaction ID identifies the packet within a Modbus
   request/response transaction.  The function code represents the
   control command sent by the master device to the slave device; each
   function code represents a different operation.  The direction of
   transmission of a data packet is derived from its source address
   and destination address.

   The transaction identifier, slave function code, slave
   communication address, packet transfer direction and port number
   are extracted as the elements of the eigenvector, and a number of
   different categories of eigenvalues are constructed within it.
   This makes the description of the behavior pattern of the system
   more accurate and reasonable, and also improves the detection
   accuracy of the detection model.
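   The following Python program is added here as an example; it is not
   part of this draft and not the authors' implementation.  It parses a
   Modbus/TCP ADU into the MBAP header and PDU fields named above,
   checks the fixed-value fields (protocol identifier, length) before
   any field is trusted, and derives the per-packet eigenvector
   (transaction identifier, unit identifier, function code, transfer
   direction, port).  The sample request/response pair, the port
   numbers and the helper names (parse_adu, extract_features,
   is_valid_adu) are constructed for illustration.

```python
# Added example, not part of the draft: parse a Modbus/TCP ADU into the MBAP
# header and PDU fields of Section 3 and derive the per-packet feature vector.
# The packets, ports and helper names below are constructed for illustration.
import struct
from typing import NamedTuple

MODBUS_TCP_PORT = 502   # registered Modbus/TCP server port
MBAP_LEN = 7            # transaction id(2) protocol id(2) length(2) unit id(1)


class ModbusADU(NamedTuple):
    transaction_id: int
    protocol_id: int
    length: int          # bytes following the length field: unit id + PDU
    unit_id: int
    function_code: int
    data: bytes


class Features(NamedTuple):
    transaction_id: int
    unit_id: int         # the slave communication address
    function_code: int
    is_exception: bool   # function code had the 0x80 exception bit set
    direction: str       # "request" (master -> slave) or "response"
    server_port: int


def parse_adu(payload: bytes) -> ModbusADU:
    """Split one Modbus/TCP ADU into MBAP header and PDU, validating the
    fields with known expected values before anything else is read."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("ADU too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:       # length counts unit id + PDU
        raise ValueError("length field does not match the bytes present")
    return ModbusADU(tid, pid, length, uid, payload[7], payload[8:])


def extract_features(src_port: int, dst_port: int, payload: bytes) -> Features:
    """Build the Section 3 eigenvector.  Direction is inferred from which
    endpoint holds the Modbus/TCP server port."""
    adu = parse_adu(payload)
    if dst_port == MODBUS_TCP_PORT:
        direction = "request"
    elif src_port == MODBUS_TCP_PORT:
        direction = "response"
    else:
        raise ValueError("neither endpoint uses the Modbus/TCP port")
    return Features(adu.transaction_id, adu.unit_id, adu.function_code & 0x7F,
                    bool(adu.function_code & 0x80), direction, MODBUS_TCP_PORT)


def is_valid_adu(payload: bytes) -> bool:
    """True when the ADU passes the structural checks in parse_adu."""
    try:
        parse_adu(payload)
        return True
    except ValueError:
        return False


# Constructed sample exchange: a Read Holding Registers (function 3) request
# for 10 registers of unit 1, a response carrying two registers with the same
# transaction id, and a truncated ADU whose length field promises 6 bytes.
REQUEST = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")
RESPONSE = bytes.fromhex("0001" "0000" "0007" "01" "03" "04" "000b" "0016")
TRUNCATED = bytes.fromhex("0001" "0000" "0006" "01" "03" "00")

if __name__ == "__main__":
    print(extract_features(49152, MODBUS_TCP_PORT, REQUEST))
    print(extract_features(MODBUS_TCP_PORT, 49152, RESPONSE))
    print("truncated ADU accepted:", is_valid_adu(TRUNCATED))
```

   The length check is the one that matters for a gateway: a packet
   whose MBAP length disagrees with the bytes actually carried is
   rejected before its function code or data can influence the feature
   vector.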

   An SVM anomaly detection model based on k-means clustering is
   constructed from the acquired eigenvectors, which describe the
   communication behaviors.  This process is shown in Figure 1.

   (1) The k-means clustering algorithm is used to preprocess the
   protocol feature vectors.  It randomly selects k objects as the
   initial cluster centers and then computes the mean of the data in
   each cluster.  The standard criterion function is used to determine
   whether the cluster centers have become stable.

   (2) The clustered data is used as the input data from which the SVM
   classifier is constructed.

   (3) The SVM algorithm involves three main steps.  First, construct
   the classification hyperplanes.  Second, select the appropriate
   training parameters, which include the penalty factor and the
   radial basis function.  Finally, obtain the SVM decision function.

             +------------+
             | Receive    |
             |data packets|
             +------------+
                     |
                     V
             +---------------+     +-------------------------+
             |    Select the |     |Construct a sample       |
             |kernel function|     |vector based on the      |
             +---------------+     |protocol characteristics |
                                   +-------------------------+
                     |                          |
                     V                          V
             +-------------------+       +----------------+
             |     Set the       |       |The samples are |
             |training parameters|       |divided into    |
             +-------------------+       |k subclasses    |
                                         +----------------+
                     |                            |
                     V   <------------------------
             +---------------------+
             | The clustering      |
             | result is obtained  |
             +---------------------+
                     |
                     V
             +------------------+
             | SVM classifier   |
             | is constructed   |
             +------------------+
                     |
                     V
             +--------------------+         +----------------+
             | Data classification|-------> |Data is abnormal|
             +--------------------+         +----------------+
                      |                            |
                      V                            V
            +--------------------+         +---------------+
            |  Industrial Control|         |Security alerts|
            |  System is normal  |         +---------------+
            +--------------------+

          Figure 1 SVM anomaly detection model based on clustering
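   The following Python program is added here as an example; it is not
   part of this draft and not the authors' implementation.  It carries
   steps (1) to (3) of the model through on a constructed training
   table: k-means with the squared-error criterion as the stopping
   test, then an SVM with a radial basis function kernel.  The SVM is
   trained with the kernelized Pegasos algorithm, chosen for this
   example because the draft names no solver.  Representing each
   subclass by its center with the majority label of its members is one
   reading of "clustered data as the SVM input"; that reading, the two
   features used (function code and register count), the parameter
   values and the helper names (kmeans, train_svm, build_detector,
   classify) are all assumptions.

```python
# Added example, not part of the draft: the Section 3 pipeline with k-means
# preprocessing followed by an RBF-kernel SVM.  The SVM is trained with the
# kernelized Pegasos algorithm (the draft names no solver); the training
# table, the two features (function code, register count), the parameter
# values and all helper names are constructed for illustration.
import math
import random
from typing import Callable, List, Optional, Sequence, Tuple

Point = Tuple[float, ...]


def sq_dist(a: Point, b: Point) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def mean(points: Sequence[Point]) -> Point:
    return tuple(sum(c) / len(points) for c in zip(*points))


def kmeans(points: List[Point], k: int, init: Optional[Sequence[Point]] = None,
           seed: int = 0, max_iter: int = 100, tol: float = 1e-9):
    """Step (1): partition the feature vectors into k subclasses.  Centers
    start as k randomly chosen objects (or a caller-supplied init); the
    criterion function is the sum of squared distances to the assigned
    center, and iteration stops once it no longer changes.  Returns
    (centers, cluster index per point, criterion value)."""
    centers = list(init) if init is not None else random.Random(seed).sample(points, k)
    prev = None
    for _ in range(max_iter):
        assign = [min(range(k), key=lambda c: sq_dist(p, centers[c])) for p in points]
        members = [[p for p, a in zip(points, assign) if a == c] for c in range(k)]
        centers = [mean(m) if m else centers[c] for c, m in enumerate(members)]
        sse = sum(sq_dist(p, centers[a]) for p, a in zip(points, assign))
        if prev is not None and abs(prev - sse) <= tol:
            break
        prev = sse
    return centers, assign, sse


def rbf(gamma: float) -> Callable[[Point, Point], float]:
    """Radial basis function kernel; gamma is one of the training parameters."""
    return lambda a, b: math.exp(-gamma * sq_dist(a, b))


def train_svm(xs: Sequence[Point], ys: Sequence[int], kernel, lam: float = 0.01,
              epochs: int = 20, seed: int = 0) -> Callable[[Point], float]:
    """Steps (2)-(3): kernelized Pegasos.  lam weights the regularizer (the
    draft's penalty factor C corresponds to 1/(lam*n)); alpha[j] counts how
    often sample j violated the margin, and the returned decision function
    is the kernel expansion over those samples."""
    rng = random.Random(seed)
    n, alpha, t = len(xs), [0] * len(xs), 0
    for _ in range(epochs):
        for i in rng.sample(range(n), n):            # one pass in random order
            t += 1
            score = sum(alpha[j] * ys[j] * kernel(xs[j], xs[i])
                        for j in range(n) if alpha[j]) / (lam * t)
            if ys[i] * score < 1:                    # margin violation
                alpha[i] += 1
    scale = 1.0 / (lam * t)

    def decide(x: Point) -> float:
        return scale * sum(alpha[j] * ys[j] * kernel(xs[j], x)
                           for j in range(n) if alpha[j])
    return decide


def build_detector(points, labels, k, init=None):
    """Cluster the labelled training vectors, represent each subclass by its
    center carrying the majority label of its members (an assumed reading of
    "clustered data as the SVM input"), and train the SVM on those."""
    centers, assign, _ = kmeans(points, k, init)
    reps, rep_labels = [], []
    for c, center in enumerate(centers):
        votes = [labels[i] for i, a in enumerate(assign) if a == c]
        if votes:
            reps.append(center)
            rep_labels.append(1 if sum(votes) >= 0 else -1)
    return train_svm(reps, rep_labels, rbf(0.1))


def classify(decide: Callable[[Point], float], x: Point) -> str:
    return "normal" if decide(x) > 0 else "abnormal"


# Constructed training table: (function code, register count) per packet;
# +1 = seen in the commissioning baseline, -1 = outside it.
TRAIN = [((3, 10), 1), ((3, 12), 1), ((3, 11), 1), ((3, 10), 1), ((3, 13), 1),
         ((16, 2), 1), ((16, 3), 1), ((16, 2), 1), ((16, 4), 1), ((16, 3), 1),
         ((3, 120), -1), ((3, 115), -1), ((3, 125), -1),
         ((5, 1), -1), ((5, 1), -1), ((5, 1), -1)]
POINTS = [p for p, _ in TRAIN]
LABELS = [y for _, y in TRAIN]

if __name__ == "__main__":
    best = min((kmeans(POINTS, 4, seed=s) for s in range(10)), key=lambda r: r[2])
    print("criterion value of best of 10 random starts:", round(best[2], 3))
    detect = build_detector(POINTS, LABELS, 4, init=best[0])
    for x in [(3, 11), (16, 3), (3, 118), (5, 1)]:
        print(x, "->", classify(detect, x))
```

   Because k-means starts from randomly chosen objects, a single run
   can settle in a poor partition; the stand-alone run above therefore
   keeps the best criterion value over several starts before the
   centers are handed to the SVM.  The decision function returns a
   signed margin, so the alarm threshold of step (3) in Section 2 can
   be raised above zero if the security management platform prefers
   fewer alerts.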

4. Security Considerations

   TBD.

5. IANA Considerations

   This memo includes no request to IANA.

6. References

6.1. Normative References

6.2. Informative References

[RFC2119]
           Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC791]
           Postel, J., "Internet Protocol", STD 5, RFC 791, September
           1981.

[RFC793]
           Postel, J., "Transmission Control Protocol", STD 7, RFC 793,
           September 1981.

[CoVa1995]
           Cortes, C. and V. Vapnik, "Support-vector networks", Machine
           Learning, vol. 20, no. 3, pp. 273-297, 1995.

Authors' Addresses

   Shuaiyong Li
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: lishuaiyong@cqupt.edu.cn

   Min Wei
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: weimin@cqupt.edu.cn

   Hao Wang
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: wanghao@cqupt.edu.cn

   Qingqing Huang
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: huangqq@cqupt.edu.cn

   Ping Wang
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Phone: (86)-23-6246-1061
   Email: wangping@cqupt.edu.cn

   Jie Liao
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: 928053580@qq.com