KR101860395B1 - Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol - Google Patents
- Publication number
- KR101860395B1 (application KR1020170079947A)
- Authority
- KR
- South Korea
- Prior art keywords
- packet
- payload
- module
- rule
- control system
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Algebra (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A whitelist-based method for detecting abnormal behavior of an industrial control system using empirical data is disclosed. The method includes collecting a predetermined set of target packets by mirroring a network switch located at the contact point between the control system network section and the business network section of the industrial control system; generating regular expressions in a packet analysis module by analyzing the header information and payload information of the collected packets; generating and verifying whitelist rules from those regular expressions in a whitelist module; and detecting abnormal behavior in the industrial control system by using the whitelist rules generated by the whitelist module as detection rules.
Description
An embodiment according to the concept of the present invention relates to a technology for detecting anomalous behavior of an industrial control system, and more particularly to a method and apparatus for detecting anomalous behavior of an industrial control system that includes a non-standard protocol by using a whitelist.
An Industrial Control System (ICS) is essential for the effective remote monitoring and control of geographically distributed systems in major national infrastructure and industrial sectors such as power, gas, water, and traffic. In the past, industrial control systems were installed and operated in environments where only a limited number of users could access the external network. Recently, however, remote control and automatic control over a network have become common as information and communication technology has been incorporated. This development has many advantages in terms of efficiency, but it introduces many weaknesses from a security point of view compared with the past. In particular, systems that use protocols such as Modbus, which was designed without authentication, encryption, or secure coding in mind, currently face serious security threats. Furthermore, recent cyber attacks exploiting control system vulnerabilities are becoming increasingly sophisticated and intelligent, and previously unknown security threats such as Stuxnet and ransomware are emerging. Because industrial control systems underpin national infrastructure industries and the ripple effects of an incident are so great, interest in developing technology to counter security threats to industrial control systems is growing around the world.
Conventional blacklist-based security facilities are not only vulnerable to attacks such as zero-day attacks, but also cannot respond quickly to intelligent and malicious Advanced Persistent Threat (APT) attacks. Furthermore, they require a link to an external network such as the Internet in order to periodically update malicious code detection patterns and antivirus signatures, yet frequent security updates through such a connection point seriously threaten the cyber stability of an industrial control system, which has a closed network structure. Therefore, the need to introduce whitelist-based security facilities to remedy the weaknesses of blacklist-based security facilities has been raised. However, since existing whitelist-based products focus on application control in the host environment, detailed detection at the network level and verification based on empirical data have not been performed. In addition, whitelist-based products are built around specific protocols that have a protocol specification and defined control messages, so there is a limit to applying them to a generation control network with a closed structure based on a non-standard protocol. An example of such conventional whitelist-based technology is a proposed whitelist-based fault detection scheme for control system security (pp. 641-652, 2013.08).
Technical Solution
An object of the present invention is to provide a method and apparatus for detecting abnormal behavior of an industrial control system that includes a proprietary protocol, based on a whitelist using empirical data of the industrial control system environment.
To achieve this object, the whitelist-based industrial control system abnormal behavior detection method for a non-standard protocol according to the present invention is characterized by: collecting packets, by a packet collection module, through a mirroring function of a network switch located at the contact point between the control system network section and the business network section of the industrial control system; analyzing, by a packet analysis module, the header information and payload information of the packets collected by the packet collection module to generate a regular expression; generating and verifying, by a whitelist module, the regular expression generated by the packet analysis module as a whitelist rule; and detecting abnormal behavior in the industrial control system by using the whitelist rule generated by the whitelist module as a detection rule.
According to an embodiment, the step in which the packet analysis module generates the regular expression may include a header analysis unit of the packet analysis module selecting a packet to be analyzed through a predetermined statistical analysis of the header information of the packets collected by the packet collection module, and a payload analysis unit of the packet analysis module identifying the payload characteristics of the analysis target packet selected by the header analysis unit to generate the regular expression.
In addition, the step in which the header analysis unit selects the packet to be analyzed may include: a packet transmission/reception IP statistical analysis step of identifying the IP band with the highest traffic among the collected packets; a packet protocol statistical analysis step of analyzing the overall protocol statistics to identify the most used protocol information; a packet session statistical analysis step of identifying the session information or port information for the identified IP band and protocol; and a packet analysis target range selection step of selecting the analysis target packet according to the identified IP band, protocol information, and session or port information.
The generation of the regular expression by the payload analysis unit may include: extracting the payload of the packet analysis target range selected by the header analysis unit; sorting the extracted payloads; generating an identifier composed of the payload size and the count of identical payloads in order to identify duplicate payloads; removing the duplicate payloads; sorting the deduplicated payloads in descending order based on the identifier; separating the payloads into individual files based on payload size; and generating as many regular expressions as there are separated files.
In addition, the step of generating and verifying the regular expression as a whitelist rule may include: a whitelist generation unit of the whitelist module generating a whitelist rule using the regular expression generated by the packet analysis module; a whitelist verification unit of the whitelist module performing normal behavior detection verification by applying the generated whitelist rule to the full set of predetermined target packets collected by the packet collection module; and the whitelist verification unit performing abnormal behavior detection verification by applying the whitelist rule to packets in which part of the payload of the packets used for the normal behavior detection verification has been changed.
According to an exemplary embodiment of the present invention, the step in which the whitelist verification unit performs the normal behavior detection verification may include: setting the whitelist rule generated by the whitelist generation unit as a verification rule; retransmitting the predetermined target packets collected by the packet collection module; and checking the detection log produced under the set verification rule to verify normal behavior detection.
According to an embodiment of the present invention, the step in which the whitelist verification unit performs the abnormal behavior detection verification may include generating abnormal payload data in which part of the payload data of a packet verified as normal behavior during the normal behavior detection verification is changed, and verifying abnormal behavior detection by retransmitting the packet carrying the generated abnormal payload data and checking the detection log.
The whitelist-based industrial control system abnormal behavior detection apparatus for a non-standard protocol according to the present invention as described above includes: a packet collection module that is mirrored to a network switch located at the contact point between the control system network section and the business network section of the industrial control system and collects packets in full by defining, among all packets passing through the switch, the packet targets to be collected, their range, and the collection period; a packet analysis module that selects the packets to be analyzed based on the header information of the packets collected by the packet collection module and analyzes the payload information of the selected analysis target packets to identify the pattern characteristics of the payload and generate a regular expression; a whitelist module that generates a whitelist rule using the regular expression generated by the packet analysis module and verifies the generated whitelist rule, in order, for normal behavior detection and abnormal behavior detection; and an abnormal behavior detection module that defines the whitelist rule verified by the whitelist module as a detection rule and detects abnormal behavior in the industrial control system according to that detection rule.
According to an embodiment, the packet analysis module may include a header analysis unit that selects the packets to be analyzed through statistical analysis of transmission/reception IPs, statistical analysis of protocols, and statistical analysis of sessions based on the header information of the packets collected by the packet collection module, and a payload analysis unit that generates a regular expression by identifying the payload characteristics of the packets to be analyzed selected by the header analysis unit.
According to an embodiment, the whitelist module may include a whitelist generation unit that generates a whitelist rule using the regular expression generated by the packet analysis module, and a whitelist verification unit that performs normal behavior detection verification by applying the generated whitelist rule to the full set of packets collected by the packet collection module and then performs abnormal behavior detection verification by applying the whitelist rule to packets in which part of the payload of a packet used for the normal behavior detection verification has been changed.
The whitelist-based industrial control system abnormal behavior detection method and apparatus for a non-standard protocol according to an exemplary embodiment of the present invention use a whitelist based on empirical data of the industrial control system, and thus have the effect that abnormal behavior in the control system can be detected.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
In order to more fully understand the drawings recited in the detailed description of the present invention, a brief description of each drawing is provided.
FIG. 1 is a diagram illustrating an example of a whitelist-based industrial control system abnormal behavior detection apparatus for a non-standard protocol according to an exemplary embodiment of the present invention applied to an industrial control system.
FIG. 2 is an internal configuration diagram of an abnormal behavior detection apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a whitelist-based industrial control system abnormal behavior detection method for a non-standard protocol according to an exemplary embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method of selecting a packet to be analyzed by the header analysis unit shown in FIG.
FIG. 5 is a flowchart illustrating a method of generating a regular expression by deriving a pattern characteristic in the payload analysis unit shown in FIG.
FIG. 6 is a flowchart illustrating a method of generating and verifying a whitelist by the whitelist module shown in FIG.
It is to be understood that the specific structural or functional descriptions of the embodiments of the present invention disclosed herein are provided only for the purpose of illustrating embodiments of the inventive concept, which may be embodied in many different forms and is not limited to the embodiments set forth herein.
Embodiments in accordance with the concepts of the present invention are capable of various modifications and may take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It is not intended to be exhaustive or to limit the invention to the particular forms disclosed, but on the contrary, is intended to cover all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.
The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by these terms. The terms are intended only to distinguish one element from another; for example, without departing from the scope of the invention in accordance with the concepts of the present invention, a first element may be termed a second element, and a second element may likewise be termed a first element.
It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "directly between" or "neighboring to" and "directly adjacent to", should be interpreted in the same way.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise.
As used herein, the terms "comprise", "having", and the like are intended to specify the presence of the described features, integers, steps, operations, elements, parts, or combinations thereof, and do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
Terms such as those defined in commonly used dictionaries should be construed as having meanings consistent with their meaning in the context of the relevant art and, unless expressly defined herein, are not to be construed in an idealized or overly formal sense.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a diagram illustrating an example in which a whitelist-based industrial control system anomaly detection apparatus (hereinafter referred to as 'anomaly detection apparatus') for a non-standard protocol according to an embodiment of the present invention is applied to an industrial control system, and FIG. 2 is an internal configuration diagram of an abnormal
An industrial control system (1) can include all of the systems used for effective remote monitoring and control of widely distributed systems in key national infrastructure and industrial sectors such as power, gas, water, and transportation; data acquired by terminal devices such as measurement and control devices, remote terminal units (RTU), or intelligent electronic devices (IED) are transferred to the upper layer through a Front-End Processor (FEP), and commands are communicated through it.
Referring to FIGS. 1 and 2, an abnormal
As used herein, a module may refer to a functional or structural combination of hardware for performing the technical idea and software for driving the hardware according to an embodiment of the present invention. For example, the module may be a logical or functional unit of a predetermined program code and a hardware resource to be executed by the program code, and does not necessarily mean only a physically connected program code or a kind of hardware.
The
The
Also, the
That is, the
Accordingly, the
According to the embodiment, the
The Device layer is an area for identifying device information, and may be an IP address, a MAC address, and the like. The communication layer is an area for identifying data flow information, and may be a source IP, a destination IP, and the like.
The service layer may be a source IP, a destination IP, a port number, and the like for identifying an application service being used. The protocol layer is an area for identifying a protocol used in the
On the other hand, the Statistics layer is an area for identifying a packet size occurring in an industrial control network environment from a statistical viewpoint, and may be a maximum total packet size, a maximum communication packet size between two nodes, and a minimum communication packet size between two nodes.
According to the embodiment, the
Referring again to FIG. 2, the
The
The
At this time, the
The reason why the packet to be analyzed is selected as described above is that the size of the packet (PCAP) collected through the
On the other hand, the payload analyzing unit 270 extracts the payload from the selected packet to be analyzed through the
Hereinafter, the analysis method performed by the
First, the
The
That is, the
In order to efficiently perform analysis of a large amount of packet data, the
That is, the
Subsequently, the
Herein, the term "session" means a logical connection for communication between users or between computers in a network environment, and the term "session period" do.
That is, the
Finally, the
That is, the
Meanwhile, the payload analyzing unit 270 generates a regular expression for applying to the white list rule by identifying the payload pattern characteristic using a predetermined analysis method for the packet analysis target range selected by the
First, the payload analyzing unit 270 extracts a payload for a packet analysis target range selected by the
According to an embodiment, the payload analyzing unit 270 may extract the payload using a payload extraction program written in a programming language such as C or Perl (Practical Extraction and Reporting Language).
At this time, since the payload data in the extracted payload file are stored in arbitrary order and payload data of the same type are scattered throughout the file, the payload analyzer 270 must remove duplicate payload data of the same type in order to determine the characteristics of the non-standard protocol.
Accordingly, the payload analyzing unit 270 sorts the extracted payloads in order to remove duplicate payload data efficiently.
At this time, the payload analyzer 270 can sort the extracted payload data by designating a predetermined delimiter for the extracted data file, run a sort command configured with that delimiter over the extracted payload data, and generate a result file (payload.sort) containing the sorted output.
The sort file (payload.sort) generated by sorting the payload data in this way is in a state where data of the same payload type are grouped together but duplicate payload data still remain.
Therefore, the payload analyzing unit 270 generates a predetermined identifier (e.g., "payload size | duplicate payload count") in order to remove the duplicate payload data from the sorted payload data.
Thereafter, the payload analysis unit 270 may remove the duplicate payload data through a command composed of the identifier (e.g., "payload size | number of duplicate payloads").
The identifier consists of the payload size and the number of duplicate payloads. A large number of duplicates means that the corresponding payload type occurs frequently, and a large payload size means that the payload has a large effect when reflected in the whitelist rule.
Using this, the payload analyzer 270 arranges the deduplicated payload data in descending order based on the identifier (that is, by the count of identical payloads and then by payload size).
Next, the payload analyzer 270 separates the payload results generated in descending order of the identifier into individual files based on payload size.
Each separated payload file can be turned into a single whitelist rule through a normalization process; separating the payload file by payload size in this way is therefore the process of defining the target range from which a whitelist rule is generated.
That is, when the payload analyzing unit 270 analyzes the payload characteristics as described above and distributes the payloads into a plurality of files, this can be interpreted to mean that as many regular expressions as there are separated files must be generated.
The
Referring back to FIG. 2, the
The
The
That is, the
At this time, the
According to the embodiment, the
In order to verify the normal behavior detection, the
In order to verify the abnormal behavior detection, the
That is, the
On the other hand, the abnormal
Although the white
As a result, in the
FIG. 3 is a flowchart illustrating a white list-based industrial control system abnormal behavior detection method (hereinafter, referred to as 'abnormal behavior detection method') for a non-standard protocol according to an embodiment of the present invention.
Referring to FIGS. 1 to 3, an abnormal behavior detection method according to an exemplary embodiment of the present invention includes a step S100 of collecting a total number of packets by the
The step S100 of collecting the total packet PCAP by the
In step S300, the
Hereinafter, a method for generating a regular expression by analyzing the collected total packets by the
4 is a flowchart illustrating a method of selecting a packet to be analyzed by the
Referring to FIGS. 1 to 4, the
First, the
For example, the
In order to efficiently perform a large amount of packet data analysis, the
For example, the
In succession, the
That is, the
For example, the
Finally, the
FIG. 5 is a flowchart for explaining the step (S300) of generating the regular expression by deriving the pattern characteristic from the payload analyzing unit 270 shown in FIG.
Referring to FIGS. 1 to 5, the payload analyzing unit 270 identifies the payload pattern characteristics through the predetermined steps S210 to S300 for the previously selected packet analysis target range and generates a regular expression (S300).
A series of processes (S210 to S300) for the payload analyzing unit 270 to identify the payload pattern characteristic and generate a regular expression are as follows.
First, the payload analyzing unit 270 performs a payload extracting step (S210), and the payload extracting step (S210) extracts a payload for a packet analysis target range selected by the
In this case, the payload files extracted in the payload extracting step (S210) are in a state in which the payload data are loaded in arbitrary order, and since payload data of the same type are scattered throughout the file, the payload analyzer 270 must remove duplicate payload data of the same type in order to analyze the characteristics of the non-standard protocol.
The payload analyzing unit 270 then performs a payload sorting step (S230), in which the payloads are sorted in advance so that the removal of duplicate payload data can be performed effectively.
At this time, the payload analyzer 270 arranges the extracted payload data by designating a predetermined delimiter for sorting the extracted data file (S230).
In succession, the payload analyzing unit 270 performs a payload deduplication step (S250), and the payload deduplication step (S250) is a step for removing redundant payload data among the aligned payloads.
In order to remove the duplicate payload data and identify the payload type, the payload analyzer 270 first generates a predetermined identifier (e.g., "payload size | duplicate payload count") (S240).
According to the embodiment, the payload analyzing unit 270 removes the redundant data using a command composed of the identifier (e.g., "payload size | number of payloads") (S250).
The payload analyzer 270 then performs a descending sort step (S270), in which the deduplicated payload data are sorted in descending order by the identifier (that is, by the count of identical payloads and then by payload size).
Thereafter, the payload analyzing unit 270 performs the payload separating step (S280), which separates the payload results generated in the descending sort step (S270) into individual files based on payload size.
Since each file separated in the payload separating step (S280) can be turned into a single whitelist rule through a normalization process, this step (S280) amounts to defining the target range for generating a whitelist rule.
Finally, the payload analyzing unit 270 performs the regular expression generating step (S300), in which the payload characteristics of each file distributed in the payload separating step (S280) are derived and a regular expression is generated.
Referring again to FIG. 3, the steps (S400 through S500) of the
Hereinafter, a method of generating and verifying a white list by the
6 is a flowchart illustrating a method of generating and verifying a whitelist module shown in FIG.
Referring to FIGS. 1 to 6, the
The white
The whitelist verification step (S500) will be described in more detail. First, in order to verify normal behavior detection, the whitelist verification unit (350) sets the whitelist rule generated in the whitelist rule generation step (S400) as the verification rule (S410).
Thereafter, the packet collected from the
In order to verify the abnormal behavior detection, the
Thereafter, abnormal behavior detection is verified by retransmitting the packet carrying the generated abnormal payload data and checking the detection log (S470).
Finally, the
Referring again to FIG. 3, the abnormal
As a result, the abnormal behavior detection method according to an embodiment of the present invention uses a whitelist based on the empirical data of the industrial control system, and can therefore detect abnormal behavior in the industrial control system even for a non-standard protocol that has no specification.
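As an added illustration (not code from the patent or its applicant) of the payload analysis steps S210 to S300 and the verification steps S410 to S470 described above, the following Python script runs the sort, "payload size | count" identifier, deduplication, descending sort, per-size split and regular expression generation over constructed sample payloads, then performs the normal and abnormal verification. The sample payloads and the byte-wise way of deriving a regular expression from a separated file are assumptions made here; the page does not fix how the expression is derived.

```python
import re
from collections import Counter

# Constructed sample payloads (not real traffic) from a hypothetical proprietary
# poll/response protocol: 1-byte function code, 2-byte address, then data.
SAMPLE_PAYLOADS = [
    b"\x01\x03\x00\x10\x00\x02", b"\x01\x03\x00\x10\x00\x02",
    b"\x01\x03\x00\x12\x00\x02", b"\x01\x03\x00\x14\x00\x02",
    b"\x01\x03\x00\x10\x00\x02",
    b"\x01\x83\x00\x10\x04\x00\x2a\x00\x2b",
    b"\x01\x83\x00\x12\x04\x00\x1f\x00\x20",
    b"\x01\x83\x00\x10\x04\x00\x2a\x00\x2b",
    b"\x01\x06\x00\x20\x01",
]


def deduplicate(payloads):
    """S230-S270: sort the payloads, tag each distinct one with the identifier
    'size|count', drop the duplicates and order by (count, size) descending.
    Returns a list of (identifier, payload)."""
    counts = Counter(sorted(payloads))                       # S230 sort, then count
    tagged = [("%d|%d" % (len(p), n), p) for p, n in counts.items()]  # S240/S250
    return sorted(tagged, key=lambda t: (counts[t[1]], len(t[1])), reverse=True)


def split_by_size(tagged):
    """S280: separate the deduplicated payloads into one group per payload size
    (the per-size 'files' of the description). Returns {size: [payload, ...]}."""
    groups = {}
    for _, p in tagged:
        groups.setdefault(len(p), []).append(p)
    return groups


def regex_for_group(payloads):
    """S300: derive a byte-wise regular expression for one size group.
    Assumption: a position whose byte is constant across the group becomes a
    literal; otherwise it becomes a class of the byte values actually observed.
    The rule is meant to be applied with fullmatch (whole payload)."""
    parts = []
    for i in range(len(payloads[0])):
        seen = sorted({p[i] for p in payloads})
        escaped = b"".join(b"\\x%02x" % b for b in seen)
        parts.append(escaped if len(seen) == 1 else b"[" + escaped + b"]")
    return re.compile(b"".join(parts))


def generate_rules(payloads):
    """S210-S300 end to end: one compiled whitelist rule per separated file."""
    return [regex_for_group(g) for g in split_by_size(deduplicate(payloads)).values()]


def matches_whitelist(rules, payload):
    """A payload is 'normal' when some rule matches it in full."""
    return any(r.fullmatch(payload) for r in rules)


def verify_normal(rules, payloads):
    """S410-S430: every collected payload must be accepted by the whitelist."""
    return all(matches_whitelist(rules, p) for p in payloads)


def mutate(payload, position, same_size_payloads):
    """S450: build an 'abnormal payload' by changing one byte to a value never
    observed at that position among payloads of the same size."""
    seen = {p[position] for p in same_size_payloads}
    new_byte = next(v for v in range(256) if v not in seen)
    return payload[:position] + bytes([new_byte]) + payload[position + 1:]


def verify_abnormal(rules, payloads, position=3):
    """S450-S470: each mutated payload must be rejected by every rule."""
    by_size = split_by_size([("", p) for p in payloads])
    abnormal = [mutate(p, position, by_size[len(p)]) for p in payloads]
    return not any(matches_whitelist(rules, a) for a in abnormal)


if __name__ == "__main__":
    rules = generate_rules(SAMPLE_PAYLOADS)
    for ident, p in deduplicate(SAMPLE_PAYLOADS):
        print(ident, p.hex())                    # identifier and payload, descending
    for r in rules:
        print("rule:", r.pattern.decode())       # one rule per payload size
    print("normal verification :", verify_normal(rules, SAMPLE_PAYLOADS))
    print("abnormal verification:", verify_abnormal(rules, SAMPLE_PAYLOADS))
```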
The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention.
Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.
1: industrial control system 10: abnormal behavior detection device
30: control system network 70: business network
100: Packet collection module 200: Packet analysis module
230: Header analyzer 270: Payload analyzer
300: Whitelist module 330: Whitelist generator
350: Whitelist verification unit 400: abnormal behavior detection module
Claims (10)
Selecting a packet to be analyzed through a predetermined statistical analysis according to header information of a packet collected from the packet collection module;
The packet analysis module extracting a payload for the selected packet analysis target range;
Performing the sorting on the extracted payload by the packet analysis module;
The packet analysis module generating an identifier configured to include the payload size and the count of identical payloads in order to identify the payload type, and thereby removing duplicate payloads;
The packet analysis module arranging the deduplicated payloads in descending order based on the identifier;
The packet analysis module separating the descending sorted payload into individual files based on the payload size;
The packet analysis module generating a number of regular expressions corresponding to the number of the separated files;
Generating a whitelisting rule using a regular expression generated from the packet analysis module;
The whitelist module setting the generated whitelist rule as a verification rule, retransmitting the predetermined target packets collected from the packet collection module, checking the detection log according to the set verification rule, and verifying normal behavior detection;
The whitelist module generating abnormal payload data in which part of the payload data of a packet verified as normal behavior in the step of performing the normal behavior detection verification is changed, and performing verification of abnormal behavior detection through retransmission of the packet carrying the generated abnormal payload data and a detection log check; and
Detecting abnormal behavior in the industrial control system by using the whitelist rule generated by the whitelist module as a detection rule, the abnormal behavior in the industrial control system thereby being detected based on the whitelist rule.
A packet transmission/reception IP statistical analysis step of identifying the IP band with the highest traffic among all collected packets;
a packet protocol statistical analysis step of analyzing the overall protocol statistics within the IP band identified in the IP statistical analysis step and identifying the most used protocol;
a packet session statistical analysis step of identifying session information or port information for the IP band and protocol identified in the packet transmission/reception IP statistical analysis step and the packet protocol statistical analysis step; and
a packet analysis target range selection step of selecting the analysis target packets according to the identified IP band and protocol information and the identified session information or port information.
A packet analysis module that selects a packet to be analyzed through statistical analysis of transmission/reception IPs, statistical analysis of protocols, and statistical analysis of sessions based on header information of the packets collected by the packet collection module; extracts the payloads; sorts the extracted payloads; generates an identifier consisting of the payload size and the number of identical payloads in order to identify the payload type; removes duplicate payloads; sorts the deduplicated payloads in descending order based on the identifier; separates the payloads sorted in descending order into individual files based on payload size; and generates a number of regular expressions corresponding to the number of separated files;
a whitelist module that generates a whitelist rule using the regular expressions generated by the packet analysis module, performs normal behavior detection verification by applying the generated whitelist rule to all packets collected by the packet collection module, and performs abnormal behavior detection verification by applying the whitelist rule to a packet in which part of the payload of a packet used for the normal behavior detection verification has been changed; and
an abnormal behavior detection module that defines the whitelist rule verified by the whitelist module as a detection rule and detects abnormal behavior in the industrial control system according to the detection rule; the modules together constituting a whitelist-based industrial control system abnormal behavior detection device.
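The claimed pipeline end to end, as an added Python example that is not the patent's own implementation: header-statistics scoping, deduplication via the (size, count) identifier, descending sort, per-size grouping, one regular expression per group, and both verification passes (normal replay must not alert, a partially changed payload must). The sample capture, the IP band, the protocol and port, and the per-offset byte-class form of the regular expressions are constructed assumptions; the patent does not specify how its regular expressions are derived.

```python
import re
from collections import Counter, defaultdict
# Constructed sample capture (not from the patent): (src_ip, proto, dst_port, payload).
# 10.1.1.0/24 carries a made-up nonstandard control protocol on TCP/2404; the rest is noise.
PACKETS = [
    ("10.1.1.5", "tcp", 2404, b"\x68\x04\x07\x00\x00\x00"),
    ("10.1.1.5", "tcp", 2404, b"\x68\x04\x07\x00\x00\x00"),
    ("10.1.1.6", "tcp", 2404, b"\x68\x04\x0b\x00\x00\x00"),
    ("10.1.1.6", "tcp", 2404, b"\x68\x04\x07\x00\x00\x00"),
    ("10.1.1.7", "tcp", 2404, b"\x68\x08\x02\x00\x04\x00\x01\x01\x06\x00"),
    ("192.168.50.9", "udp", 161, b"\x30\x26\x02\x01\x01"),
    ("192.168.50.9", "udp", 161, b"\x30\x26\x02\x01\x01"),
]

def select_scope(packets):
    """Header statistics: busiest /24 band, then its top protocol, then its top port."""
    band = Counter(p[0].rsplit(".", 1)[0] for p in packets).most_common(1)[0][0]
    in_band = [p for p in packets if p[0].startswith(band + ".")]
    proto = Counter(p[1] for p in in_band).most_common(1)[0][0]
    port = Counter(p[2] for p in in_band if p[1] == proto).most_common(1)[0][0]
    return band, proto, port

def build_rules(payloads):
    """Dedup via the (size, count) identifier, sort descending, split by size, one regex per group.
    Assumption: each regex is a per-offset byte class built from the bytes seen at that offset."""
    ident = sorted(((len(p), n, p) for p, n in Counter(payloads).items()), reverse=True)
    groups = defaultdict(list)
    for size, _, payload in ident:
        groups[size].append(payload)
    rules = {}
    for size, group in groups.items():
        cols = [b"[" + b"".join(b"\\x%02x" % b for b in sorted({p[i] for p in group})) + b"]"
                for i in range(size)]
        rules[size] = re.compile(b"".join(cols))
    return rules

def is_whitelisted(rules, payload):
    """Detection rule: normal only if a rule exists for this size and it matches the whole payload."""
    rule = rules.get(len(payload))
    return rule is not None and rule.fullmatch(payload) is not None

def verify(packets):
    """Both verification passes: normal replay raises no alert, a tampered copy must. Returns (rules, normal_ok, abnormal_ok)."""
    band, proto, port = select_scope(packets)
    scope = [p[3] for p in packets if p[0].startswith(band + ".") and p[1] == proto and p[2] == port]
    rules = build_rules(scope)
    normal_ok = all(is_whitelisted(rules, p) for p in scope)
    mutated = bytes([scope[0][0] ^ 0xFF]) + scope[0][1:]  # change one byte of a known-good payload
    abnormal_ok = not is_whitelisted(rules, mutated)
    return rules, normal_ok, abnormal_ok
```

A payload whose size has no rule, or whose bytes fall outside the classes observed for that size, is the whitelist miss that the detection module reports.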
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020170079947A KR101860395B1 (en) | 2017-06-23 | 2017-06-23 | Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101860395B1 true KR101860395B1 (en) | 2018-07-02 |
Family
ID=62914308
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020170079947A KR101860395B1 (en) | 2017-06-23 | 2017-06-23 | Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101860395B1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100694248B1 (en) * | 2006-04-25 | 2007-03-27 | 충남대학교산학협력단 | Apparatus for testing security policies in network security system and its method |
KR101538709B1 (en) * | 2014-06-25 | 2015-07-29 | 아주대학교산학협력단 | Anomaly detection system and method for industrial control network |
KR101548378B1 (en) * | 2014-08-14 | 2015-08-31 | 고려대학교 산학협력단 | Behavior signature generation system and method, and network traffic analyzation system and method with the same |
2017-06-23 | KR | KR1020170079947A | patent KR101860395B1 (en) | active IP Right Grant
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102001812B1 (en) * | 2018-12-10 | 2019-10-01 | 한국남동발전 주식회사 | Apparatus and method of making whitelist for communication among devices using k-means algorithm |
KR102001813B1 (en) * | 2018-12-10 | 2019-07-18 | 한국남동발전 주식회사 | Apparatus and method for detecting abnormal behavior of nonstandard protocol payload using deep neural network algorithm |
WO2021107259A1 (en) * | 2019-11-29 | 2021-06-03 | (주) 앤앤에스피 | Method and system for iacs packet flow security monitoring in association with network packet whitelist |
KR102249993B1 (en) * | 2019-12-26 | 2021-05-07 | 연세대학교 산학협력단 | Apparatus and method for controlling resource reselection in vehicle communication system |
KR102139140B1 (en) | 2020-04-27 | 2020-07-30 | (주) 앤앤에스피 | A tag data profiling system for private Industrial Control System protocol |
KR102139138B1 (en) | 2020-04-27 | 2020-07-30 | (주) 앤앤에스피 | An ICS header profiling system for private Industrial Control System protocol |
CN112217885A (en) * | 2020-09-27 | 2021-01-12 | 普联国际有限公司 | Dynamic management method, device, equipment and storage medium for components |
CN112217885B (en) * | 2020-09-27 | 2024-06-04 | 普联国际有限公司 | Dynamic management method, device, equipment and storage medium for components |
KR102332727B1 (en) * | 2020-12-04 | 2021-12-01 | 한국서부발전 주식회사 | Anomaly detection system using distrubuted storage of traffic of power plant contrl netwrok assets |
KR102345152B1 (en) * | 2020-12-04 | 2022-01-04 | 한국서부발전 주식회사 | Anomaly detection system using reliability evaluation of power plant contro network asset |
CN113645065A (en) * | 2021-07-21 | 2021-11-12 | 武汉虹旭信息技术有限责任公司 | Industrial control safety audit system and method based on industrial internet |
CN113645065B (en) * | 2021-07-21 | 2024-03-15 | 武汉虹旭信息技术有限责任公司 | Industrial control security audit system and method based on industrial Internet |
CN113595781A (en) * | 2021-07-26 | 2021-11-02 | 陕西中科启元信息技术有限公司 | Internet of things communication protocol configuration method and device |
CN113595781B (en) * | 2021-07-26 | 2024-03-29 | 北京创程科技有限公司 | Internet of things communication protocol configuration method and device |
CN114938300A (en) * | 2022-05-17 | 2022-08-23 | 浙江木链物联网科技有限公司 | Industrial control system situation perception method and system based on equipment behavior analysis |
Similar Documents
Publication | Title |
---|---|
KR101860395B1 (en) | Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol |
CN109005157B (en) | DDoS attack detection and defense method and system in software defined network |
Udd et al. | Exploiting bro for intrusion detection in a SCADA system |
US10015188B2 (en) | Method for mitigation of cyber attacks on industrial control systems |
US9860278B2 (en) | Log analyzing device, information processing method, and program |
KR101070614B1 (en) | Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation |
KR101391781B1 (en) | Apparatus and Method for Detecting HTTP Botnet based on the Density of Web Transaction |
CN108289088A (en) | Abnormal traffic detection system and method based on business model |
KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation |
CN111935170A (en) | Network abnormal flow detection method, device and equipment |
CN105554016A (en) | Network attack processing method and device |
GB2382261A (en) | Inserting an intrusion prevention system into a network stack |
KR20140088340A (en) | APPARATUS AND METHOD FOR PROCESSING DDoS IN A OPENFLOW SWITCH |
KR102001813B1 (en) | Apparatus and method for detecting abnormal behavior of nonstandard protocol payload using deep neural network algorithm |
KR102001812B1 (en) | Apparatus and method of making whitelist for communication among devices using k-means algorithm |
CN107209834B (en) | Malicious communication pattern extraction device, system and method thereof, and recording medium |
CN112910918A (en) | Industrial control network DDoS attack traffic detection method and device based on random forest |
KR102500033B1 (en) | Method and apparatus for detecting anomalies in industrial control system |
CN106911665B (en) | Method and system for identifying malicious code weak password intrusion behavior |
Aminanto et al. | Automated threat-alert screening for battling alert fatigue with temporal isolation forest |
Fenil et al. | Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches |
KR20110028106A (en) | Apparatus for controlling distribute denial of service attack traffic based on source ip history and method thereof |
KR101488271B1 (en) | Apparatus and method for ids false positive detection |
JP6592196B2 (en) | Malignant event detection apparatus, malignant event detection method, and malignant event detection program |
KR20020072618A (en) | Network based intrusion detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| E701 | Decision to grant or registration of patent right | |
| GRNT | Written decision to grant | |