KR101860395B1 - Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol - Google Patents


Info

Publication number: KR101860395B1
Application number: KR1020170079947A
Authority: KR (South Korea)
Prior art keywords: packet, payload, module, rule, control system
Other languages: Korean (ko)
Inventors: 문덕력, 오미룡, 강형구
Original assignee: 한국남동발전 주식회사, 온시큐리티 주식회사
Priority: KR1020170079947A
Status: granted

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design > H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/22 Parsing or analysis of headers

Abstract

A whitelist-based method for detecting abnormal behavior in an industrial control system, built from empirical data, is disclosed. A packet collection module collects a predetermined set of packets by mirroring the network switch located at the contact point between the control-system network section and the business network section of the industrial control system; a packet analysis module analyzes the header information and payload information of the collected packets and generates regular expressions; a whitelist module turns the generated regular expressions into whitelist rules and verifies them; and an abnormal behavior detection module uses the verified whitelist rules as detection rules to detect abnormal behavior in the industrial control system.

Description

TECHNICAL FIELD [0001] The present invention relates to a whitelist-based method and apparatus for detecting abnormal behavior in an industrial control system that uses non-standard protocols.

More specifically, embodiments of the inventive concept relate to a technique for detecting abnormal behavior in an industrial control system, and in particular to a method and apparatus that can detect abnormal behavior in an industrial control system that includes non-standard protocols by using a whitelist generated from empirical data.

Industrial control systems (ICS) are essential for the remote monitoring and control of geographically distributed assets in national critical infrastructure and industrial sectors such as power, gas, water, and transportation. In the past, an industrial control system was installed and operated in an environment where only a limited number of users could reach it and there was no connection to external networks. Recently, however, the adoption of information and communication technology has made remote and automatic control over a network common. This development has many advantages in efficiency, but it brings security weaknesses that the older, isolated systems did not have. In particular, protocols such as Modbus, which were designed without any authentication or encryption mechanism and without secure coding practices, are now exposed to serious security threats. Furthermore, cyber attacks that exploit control system vulnerabilities are becoming more sophisticated and targeted, and previously unknown threats such as Stuxnet and ransomware have emerged. Because industrial control systems underpin national infrastructure and the consequences of an incident are so wide-ranging, interest in developing technology to counter security threats to industrial control systems is growing worldwide.

Conventional blacklist-based security products are not only vulnerable to zero-day attacks but also cannot respond quickly to advanced persistent threat (APT) attacks. Furthermore, they require a connection to an external network such as the Internet in order to update their malicious-code detection patterns and antivirus signatures periodically, and frequent security updates through such a connection point seriously threaten the cyber stability of an industrial control system, which has a closed network structure. The need to introduce whitelist-based security products that avoid these weaknesses of blacklist-based products has therefore been raised. However, existing whitelist-based products focus on application control on the host, and detailed detection at the network level, verified against empirical data, has not been performed. In addition, existing whitelist-based products are designed around specific protocols, using the protocol specification and its control messages, so they are of limited use in a power-generation control network that is closed and built on non-standard protocols. In that context, a whitelist-based fault detection scheme for control system security has been proposed (pp. 641-652, 2013.08).

Technical Solution: An aspect of the present invention provides a method and apparatus for detecting abnormal behavior in an industrial control system that includes proprietary protocols, based on a whitelist built from empirical data of the industrial control system environment.

To achieve this object, the whitelist-based method for detecting abnormal behavior of an industrial control system using a non-standard protocol according to the present invention includes: collecting, by a packet collection module, packets by mirroring a network switch located at the contact point between the control-system network section and the business network section of the industrial control system; analyzing, by a packet analysis module, the header information and payload information of the packets collected by the packet collection module to generate regular expressions; generating and verifying, by a whitelist module, the regular expressions generated by the packet analysis module as whitelist rules; and detecting, by an abnormal behavior detection module, abnormal behavior in the industrial control system using the whitelist rules generated by the whitelist module as detection rules.

According to an embodiment, generating the regular expression in the packet analysis module may include: a header analysis unit selecting the packets to be analyzed through a predetermined statistical analysis of the header information of the packets collected by the packet collection module; and a payload analysis unit identifying the payload characteristics of the packets selected by the header analysis unit to generate the regular expression.

In addition, selecting the packets to be analyzed in the header analysis unit may include: a transmission/reception IP statistical analysis step that identifies the IP band with the highest traffic among the collected packets; a packet protocol statistical analysis step that analyzes the protocol statistics within that IP band to identify the most-used protocol; a session statistical analysis step that identifies the main session information or port information for that protocol; and a packet analysis target range selection step that selects the packets to be analyzed according to the identified IP band, protocol, and session or port information.

Generating the regular expression in the payload analysis unit may include: extracting the payloads of the packets in the analysis target range selected by the header analysis unit; sorting the extracted payloads; generating an identifier composed of the payload size and the number of identical payloads in order to identify duplicate payloads; removing the duplicate payloads; sorting the deduplicated payloads in descending order by the identifier; dividing the payloads into separate files by payload size; and generating as many regular expressions as there are separated files.

In addition, generating and verifying the regular expression as a whitelist rule may include: a whitelist generation unit in the whitelist module generating a whitelist rule from the regular expression produced by the packet analysis module; a whitelist verification unit in the whitelist module performing normal-behavior detection verification by applying the generated whitelist rule to the full set of predetermined packets collected by the packet collection module; and the whitelist verification unit performing abnormal-behavior detection verification by applying the whitelist rule to packets in which part of the payload of a packet used in the normal-behavior verification has been changed.

According to an exemplary embodiment, performing the normal-behavior detection verification in the whitelist verification unit may include: setting the whitelist rule generated by the whitelist generation unit as the verification rule; retransmitting the predetermined packets collected by the packet collection module; and checking the detection log produced under the verification rule to confirm that normal behavior is recognized as such.

According to an embodiment, performing the abnormal-behavior detection verification in the whitelist verification unit may include: generating abnormal payload data by changing part of the payload of a packet that was verified as normal during the normal-behavior detection verification; and verifying abnormal-behavior detection by retransmitting the packet with the generated abnormal payload and checking the detection log.

The whitelist-based apparatus for detecting abnormal behavior of an industrial control system using a non-standard protocol according to the present invention includes: a packet collection module that mirrors the network switch located at the contact point between the control-system network section and the business network section of the industrial control system and collects packets in full by defining, among all packets passing through the switch, the packets to be collected, their range, and the collection period; a packet analysis module that selects the packets to be analyzed based on the header information of the packets collected by the packet collection module, analyzes the payload information of the selected packets to identify its pattern characteristics, and generates regular expressions; a whitelist module that generates whitelist rules from the regular expressions produced by the packet analysis module and verifies the generated rules, first for normal-behavior detection and then for abnormal-behavior detection; and an abnormal behavior detection module that uses the whitelist rules verified by the whitelist module as detection rules and detects abnormal behavior in the industrial control system according to those rules.

According to an embodiment, the packet analysis module includes a header analysis unit that selects the packets to be analyzed through statistical analysis of transmission/reception IP addresses, protocols, and sessions based on the header information of the packets collected by the packet collection module, and a payload analysis unit that generates a regular expression by identifying the payload characteristics of the packets selected by the header analysis unit.

According to an embodiment, the whitelist module may include a whitelist generation unit that generates whitelist rules from the regular expressions produced by the packet analysis module, and a whitelist verification unit that performs normal-behavior detection verification by applying the whitelist rules to the full set of packets collected by the packet collection module, and abnormal-behavior detection verification by applying the rules to packets in which part of the payload of a packet used in the normal-behavior verification has been changed.

The whitelist-based method and apparatus for detecting abnormal behavior of an industrial control system using a non-standard protocol according to an exemplary embodiment of the present invention use a whitelist built from empirical data of the industrial control system, and can therefore detect abnormal behavior in a control system whose protocols are non-standard.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings referred to in the detailed description of the present invention, a brief description of each drawing is provided.
FIG. 1 illustrates an example of a whitelist-based apparatus for detecting abnormal behavior of an industrial control system using a non-standard protocol according to an exemplary embodiment of the present invention, applied to an industrial control system.
FIG. 2 is an internal configuration diagram of the abnormal behavior detection apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart of the whitelist-based method for detecting abnormal behavior of an industrial control system using a non-standard protocol according to an exemplary embodiment of the present invention.
FIG. 4 is a flowchart of the method by which the header analysis unit shown in FIG. 2 selects the packets to be analyzed.
FIG. 5 is a flowchart of the method by which the payload analysis unit shown in FIG. 2 derives pattern characteristics and generates regular expressions.
FIG. 6 is a flowchart of the rule generation and verification method of the whitelist module shown in FIG. 2.

The specific structural or functional descriptions of the embodiments disclosed herein are provided only to illustrate embodiments of the inventive concept; the inventive concept may be embodied in many different forms and is not limited to the embodiments set forth herein.

Since embodiments according to the inventive concept can be modified in various ways and take various forms, specific embodiments are illustrated in the drawings and described in detail herein. This is not intended to limit the invention to the particular forms disclosed; on the contrary, the invention covers all modifications, equivalents, and alternatives falling within its spirit and scope.

The terms first, second, and so on may be used to describe various elements, but the elements are not limited by these terms. The terms serve only to distinguish one element from another; for example, without departing from the scope of the inventive concept, a first element may be termed a second element, and a second element may likewise be termed a first element.

When an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. When an element is referred to as being "directly connected" or "directly coupled" to another element, there are no intervening elements. Other expressions describing the relationship between elements, such as "between" versus "directly between" or "adjacent to" versus "directly adjacent to", should be interpreted in the same way.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. Singular forms include plural forms unless the context clearly indicates otherwise.

As used herein, the terms "comprise", "have", and the like specify the presence of the stated features, integers, steps, operations, elements, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, parts, or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.

Terms defined in commonly used dictionaries should be interpreted as having meanings consistent with their meaning in the context of the relevant art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined herein.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 illustrates an example in which a whitelist-based apparatus for detecting abnormal behavior of an industrial control system using a non-standard protocol (hereinafter, 'abnormal behavior detection apparatus') according to an embodiment of the present invention is applied to an industrial control system, and FIG. 2 is an internal configuration diagram of the abnormal behavior detection apparatus 10 according to an embodiment of the present invention.

An industrial control system 1 encompasses all the systems used for remote monitoring and control of geographically distributed assets in national critical infrastructure and industrial sectors such as power, gas, water, and transportation. In it, data acquired by field devices such as measurement and control devices, remote terminal units (RTU), or intelligent electronic devices (IED) is passed to the upper layer through a front-end processor (FEP), and control commands are communicated back along the same path.

Referring to FIGS. 1 and 2, the abnormal behavior detection apparatus 10 according to an embodiment of the present invention attaches to a network switch SW located between the control system network 30 and the business network 70 of the industrial control system 1, and includes a packet collection module 100, a packet analysis module 200, a whitelist module 300, and an abnormal behavior detection module 400.

As used herein, a module refers to a functional or structural combination of hardware and the software that drives it to carry out the technical idea of an embodiment of the present invention. For example, a module may be a logical or functional unit consisting of predetermined program code and the hardware resources on which that code executes; it does not necessarily mean physically connected program code or a particular kind of hardware.

The packet collection module 100 of the abnormal behavior detection apparatus 10 defines, among all packets generated in the industrial control system 1, which packets to collect, over what range, and for what collection period, and collects the packets accordingly.

To increase the accuracy of the whitelist, the packet collection module 100 is connected to the contact section between the control system network 30 and the business network 70 (for example, the network switch SW) so that it can collect all packets generated inside the industrial control system 1.

The packet collection module 100 mirrors the packets entering the network switch SW and collects them as packet captures (PCAP), so that the industrial control system 1 in operation is affected as little as possible.

That is, the packet collection module 100 collects the complete packet set (PCAP) by mirroring the network switch SW located at the contact point between the control system network 30 and the business network 70.

Accordingly, the packet collection module 100 can collect the full set of packets (PCAP) for a given protocol of the industrial control system 1 by mirroring the network switch SW.

According to the embodiment, the packet collection module 100 can classify the packets to be collected by layer; the layers are a Statistics layer, a Protocol layer, a Service layer, a Communication layer, and a Device layer.

The Device layer identifies device information such as IP addresses and MAC addresses. The Communication layer identifies data-flow information such as source IP and destination IP.

The Service layer identifies the application service in use from the source IP, destination IP, and port number. The Protocol layer identifies the protocols used in the industrial control system 1 and how each protocol type is used; the information here can include standard protocol details, maximum packet length, offsets, and protocol signatures.

The Statistics layer identifies, from a statistical viewpoint, the packet sizes occurring in the industrial control network environment, such as the maximum total packet size and the maximum and minimum sizes of packets exchanged between two nodes.

According to the embodiment, the packet collection module 100 can set the collection period to various lengths (for example, 30 days) according to the user's setting.

Referring again to FIG. 2, the packet analysis module 200 includes a header analysis unit 230 and a payload analysis unit 270.

The packet analysis module 200 selects the packets to be analyzed based on the header information of the collected packets (PCAP), analyzes the payload values of the selected packets, and generates regular expressions to be applied in whitelist rules.

The header analysis unit 230 of the packet analysis module 200 selects the range of packets to analyze based on the header information of the packet data (PCAP) collected by the packet collection module 100.

To do so, the header analysis unit 230 analyzes the header information of the collected packets (PCAP) to determine IP and port information, protocol statistics, and session statistics, measures the size and number of collected packets precisely, and selects the packets to be analyzed using statistics on IP addresses, ports, and protocols.

The reason for selecting a subset of packets in this way is that the packet capture (PCAP) gathered by the packet collection module 100 can exceed several tens of terabytes (TB), and analyzing all of it could take an impractically long time.

The payload analysis unit 270 extracts the payloads from the packets selected by the header analysis unit 230, separates the extracted payloads into groups of the same size, identifies the pattern characteristics of each group, and generates a regular expression to be applied in the whitelist rule.

Hereinafter, the analysis method performed by the header analysis unit 230 and the payload analysis unit 270 will be described in more detail.

First, the header analysis unit 230 selects the range of packets to be analyzed through a predetermined statistical analysis method.

The header analysis unit 230 identifies the main network flow information of the industrial control system 1 environment by analyzing transmission/reception IP statistics to find the most important network flow interval in the target environment (for example, the IP band with the highest traffic).

That is, the header analysis unit 230 generates statistical information on transmission/reception IP addresses and, from that information, finds the IP band with the highest traffic.

To analyze the large volume of packet data efficiently, the header analysis unit 230 next analyzes the statistics of all protocols within that IP band and identifies the most-used protocol (for example, by number of frames or by total volume).

That is, the header analysis unit 230 generates packet protocol statistics and analyzes them to find the main protocol (for example, TCP) in the previously identified IP band.

Subsequently, the header analysis unit 230 generates session statistics for the main protocol of the main IP band in order to identify a meaningful range of data packets among the large number of packets, and extracts the main session information or port information.

Here, the term "session" means a logical connection for communication between users or between computers in a network environment, and the term "session period" refers to the lifetime of such a connection.

That is, the header analysis unit 230 identifies the session information or port information for the main protocol of the main IP band.

Finally, the header analysis unit 230 selects the final range of packets to be analyzed based on the results of the statistical analyses described above.

That is, the header analysis unit 230 can select, as the analysis target range, the packets of the session interval that uses the identified protocol within the identified IP band.
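The four statistical steps above (busiest IP band, dominant protocol in that band, dominant session or port for that protocol, final target range), also summarized earlier in the solution section, as an added example in Python that is not code from the patent. The flow records are constructed; the /24 band granularity, ranking by bytes or frames, and the "lower port number is the service port" session heuristic are assumptions the patent does not specify.

```python
"""Header-side selection of the packet range to analyze: busiest IP band,
dominant protocol in that band, dominant session/port for that protocol, and
the resulting analysis-target range.

Added example; not code from the patent. Flow records are constructed, and the
/24 band size, ranking metric, and service-port heuristic are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

BAND_PREFIX = 24  # assumption: an "IP band" is a /24


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    frames: int
    nbytes: int


# Constructed sample: RTU/FEP traffic on a proprietary TCP/20000 protocol
# dominates the control band, with SNMP and business-network HTTP/HTTPS noise.
SAMPLE_FLOWS = [
    Flow("10.10.1.11", "10.10.1.5", "TCP", 50001, 20000, 9000, 1_800_000),
    Flow("10.10.1.12", "10.10.1.5", "TCP", 50002, 20000, 8500, 1_700_000),
    Flow("10.10.1.5", "10.10.1.11", "TCP", 20000, 50001, 9000, 400_000),
    Flow("10.10.1.11", "10.10.1.5", "UDP", 161, 40000, 300, 24_000),
    Flow("10.10.1.13", "10.10.1.5", "TCP", 50010, 20001, 200, 40_000),
    Flow("192.168.50.7", "10.10.1.5", "TCP", 33000, 80, 1200, 600_000),
    Flow("192.168.50.8", "192.168.50.9", "TCP", 33001, 443, 2000, 900_000),
]


def band_of(ip):
    return str(ipaddress.ip_network(f"{ip}/{BAND_PREFIX}", strict=False))


def touches_band(flow, band):
    return band in (band_of(flow.src), band_of(flow.dst))


def service_port(flow):
    # Assumed heuristic: the lower-numbered side is the listening service.
    return min(flow.sport, flow.dport)


def busiest_band(flows, metric="nbytes"):
    """Step 1: IP band with the most traffic (a flow counts once per band it touches)."""
    c = Counter()
    for f in flows:
        for b in {band_of(f.src), band_of(f.dst)}:
            c[b] += getattr(f, metric)
    return c.most_common(1)[0][0]


def dominant_protocol(flows, band, metric="nbytes"):
    """Step 2: most-used protocol within that band."""
    c = Counter()
    for f in flows:
        if touches_band(f, band):
            c[f.proto] += getattr(f, metric)
    return c.most_common(1)[0][0]


def dominant_port(flows, band, proto, metric="nbytes"):
    """Step 3: main session (service port) for that protocol in that band."""
    c = Counter()
    for f in flows:
        if touches_band(f, band) and f.proto == proto:
            c[service_port(f)] += getattr(f, metric)
    return c.most_common(1)[0][0]


def select_target_range(flows, metric="nbytes"):
    """Step 4: the analysis-target range and the flows that fall inside it."""
    band = busiest_band(flows, metric)
    proto = dominant_protocol(flows, band, metric)
    port = dominant_port(flows, band, proto, metric)
    selected = [f for f in flows
                if touches_band(f, band) and f.proto == proto and service_port(f) == port]
    return {"band": band, "proto": proto, "port": port, "flows": selected}


if __name__ == "__main__":
    r = select_target_range(SAMPLE_FLOWS)
    print(r["band"], r["proto"], r["port"], len(r["flows"]))
```

One caveat when applying this to a real mirror-port capture: a SPAN/mirror session that is oversubscribed drops frames silently, so the byte and frame counters should be compared against the switch's own interface counters before the ranking is trusted.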

The payload analysis unit 270 identifies payload pattern characteristics, using a predetermined analysis method, over the packet analysis target range selected by the header analysis unit 230, and generates regular expressions to be applied in whitelist rules.

First, the payload analysis unit 270 extracts the payloads of the packets in the analysis target range selected by the header analysis unit 230.

According to an embodiment, the payload analysis unit 270 can extract the payloads using an extraction program written in a programming language such as C or Perl (Practical Extraction and Reporting Language).

Because the payload data in the extracted payload file is stored in arbitrary order and payloads of the same type are scattered through the file, the payload analysis unit 270 must remove duplicate payloads of the same type before it can determine the payload characteristics.

Accordingly, the payload analysis unit 270 sorts the extracted payloads so that duplicate payload data can be removed efficiently.

The payload analysis unit 270 can sort the extracted payload data by specifying a predetermined delimiter for the extracted data file, running a sort command that uses that delimiter, and writing the result to a sorted file (payload.sort).

In the sorted file (payload.sort) produced this way, the payload data is grouped by payload type, so duplicate payload data sit next to each other.

The payload analysis unit 270 therefore generates a predetermined identifier (for example, "payload size | duplicate payload count") in order to remove the duplicate payload data from the sorted data.

The payload analysis unit 270 can then remove the duplicate payload data with a command that produces this identifier (for example, "payload size | number of duplicate payloads").

The identifier consists of the payload size and the number of duplicate payloads. A large duplicate count means that the corresponding payload type occurs frequently, and a large payload size means that reflecting that payload in the whitelist rule has a large effect.

Using this, the payload analysis unit 270 arranges the deduplicated payload data in descending order of the identifier (that is, by duplicate count and payload size).

Next, the payload analysis unit 270 separates the payload results ordered in this way into groups by payload size.

Each separated group can be turned into a single whitelist rule through a normalization process; separating the payload file by payload size is thus the step that defines the target range to which each rule applies.

In other words, when the payload analysis unit 270 has analyzed the payload characteristics and distributed the payloads across a plurality of files as described above, it needs to generate as many regular expressions as there are separated files.
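The extract, sort, identifier, deduplicate, order, split-by-size, one-regex-per-file procedure described in the preceding paragraphs (and summarized in the solution section), as an added example in Python that is not code from the patent. The payloads are constructed. The patent does not say how a size group is turned into a regular expression; the byte-column method used here (constant columns become literal bytes, varying columns become a class of the observed values, widely varying columns become any byte) is an assumption.

```python
"""Payload-analysis pipeline: extract payloads, sort, build the
"payload size | duplicate count" identifier, drop duplicates, order by the
identifier descending, split into one group per payload size, and emit one
regular expression per group.

Added example; not code from the patent. Payloads are constructed; the
byte-column regex derivation is an assumption.
"""
from collections import Counter, defaultdict
import re

# Constructed sample of a fixed-layout proprietary protocol (hex for readability):
# 8-byte frames = magic 5A5A, device id, function, 16-bit value, 2 trailer bytes;
# plus a 7-byte variant with a different layout.
SAMPLE_PAYLOADS = [bytes.fromhex(h) for h in (
    "5a5a01100000abcd",
    "5a5a01100001abce",
    "5a5a01100000abcd",
    "5a5a02100007ab11",
    "5a5a01100000abcd",
    "5a5a0120000100",
    "5a5a0120000100",
)]


def sort_payloads(payloads):
    """Equivalent of `sort payload.txt > payload.sort`: identical payloads become adjacent."""
    return sorted(payloads)


def dedup_with_identifier(sorted_payloads):
    """Equivalent of `uniq -c`: one entry per distinct payload, keyed by the
    identifier (payload size, duplicate count)."""
    counts = Counter(sorted_payloads)
    return [((len(p), n), p) for p, n in counts.items()]


def order_by_identifier(entries):
    """Descending by duplicate count, then payload size (the text's ordering)."""
    return sorted(entries, key=lambda e: (e[0][1], e[0][0]), reverse=True)


def split_by_size(entries):
    """One group (the text's 'separate file') per payload size."""
    groups = defaultdict(list)
    for (size, _count), payload in entries:
        groups[size].append(payload)
    return dict(groups)


def group_to_regex(payloads, wildcard_threshold=8):
    """Assumed derivation: per byte column, a single observed value becomes a
    literal \\xHH; several values become a class; more than wildcard_threshold
    distinct values (a counter, a measurement) becomes any byte."""
    size = len(payloads[0])
    if any(len(p) != size for p in payloads):
        raise ValueError("group must contain payloads of one size")
    parts = []
    for i in range(size):
        seen = sorted({p[i] for p in payloads})
        if len(seen) == 1:
            parts.append(f"\\x{seen[0]:02x}")
        elif len(seen) > wildcard_threshold:
            parts.append("[\\x00-\\xff]")
        else:
            parts.append("[" + "".join(f"\\x{b:02x}" for b in seen) + "]")
    # `$` tolerates a trailing newline in both Python and PCRE; a Snort rule
    # should pin the exact length with `dsize:` as well.
    return "^" + "".join(parts) + "$"


def build_whitelist_regexes(payloads, wildcard_threshold=8):
    """Run the whole pipeline; returns {payload size: regex}, one regex per group."""
    entries = order_by_identifier(dedup_with_identifier(sort_payloads(payloads)))
    groups = split_by_size(entries)
    return {size: group_to_regex(ps, wildcard_threshold) for size, ps in groups.items()}


def matches(regex, payload):
    """Apply a generated regex to a raw payload (bytes)."""
    return re.match(regex.encode("ascii"), payload) is not None


if __name__ == "__main__":
    for size, rx in build_whitelist_regexes(SAMPLE_PAYLOADS).items():
        print(size, rx)
```

Note the trade-off the column approach makes: values that appeared in any frame are accepted in any combination, so a rule learned from a 30-day capture will pass a command that recombines observed device ids and function codes but was never actually seen together. The `wildcard_threshold` parameter controls the other failure mode, where a measurement or counter field would otherwise produce a class so narrow that the next legitimate value triggers an alert.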

In summary, the header analysis unit 230 of the packet analysis module 200 selects the packet analysis target range based on the header information of the packet data (PCAP) collected by the packet collection module 100, and the payload analysis unit 270 identifies the pattern characteristics of the payloads extracted from the selected packets and generates regular expressions to be applied in whitelist rules.

Referring back to FIG. 2, the whitelist module 300 in the abnormal behavior detection apparatus 10 includes a whitelist generation unit 330 and a whitelist verification unit 350.

The whitelist generating unit 330 generates a whitelist rule, that is, a Snort rule, using the regular expression generated from the payload analyzing unit 270.

The whitelist verification unit 350 verifies whether normal behavior detection and abnormal behavior detection are normally performed through the whitelist rule generated by the whitelist generation unit 330.

That is, the whitelist verification unit 350 verifies whether the white list rule is normally operated on a large number of packets collected by the packet collection module 100 according to the whitelist rule generated by the whitelist generation unit 330 .

At this time, the whitelist verification unit 350 may be implemented as a separate network intrusion detection system (NIDS) such as Snort, and the whitelist rule generated by the whitelist generation unit 330 may be referred to as a verification rule .

According to the embodiment, the whitelist verification unit 350 may verify whether the white list rule is normally operated on a specific packet collected separately by the packet collection module 100. [

In order to verify normal behavior detection, the whitelist verification unit 350 sets the whitelist rule generated by the whitelist generation unit 330 as the verification rule, retransmits the packets collected by the packet collection module 100, and checks the detection log.

In order to verify abnormal behavior detection, the whitelist verification unit 350 generates abnormal payload data in which part of the payload data of the packet used in the normal behavior detection verification is changed, retransmits the packet carrying the abnormal payload data, and checks the detection log to verify that abnormal behavior detection is performed properly.

That is, the whitelist verification unit 350 changes the normal payload 11 into the abnormal payload 10, retransmits the entire packet including the changed abnormal payload data, and checks the detection log to confirm that the abnormal payload is detected.

On the other hand, the abnormal behavior detection module 400 defines the whitelist rule verified by the whitelist verification unit 350 as its detection rule, and detects abnormal behavior in the control system 1 according to that detection rule.

Although the whitelist verification unit 350 and the abnormal behavior detection module 400 are described as separate components in this specification, they need not be separate physical structures, as shown in FIG.

As a result, in the industrial control system 1, in which non-standard protocols are mainly used, the abnormal behavior detection apparatus 10 according to the embodiment of the present invention generates a whitelist based on empirical data and can thereby detect abnormal behavior.

FIG. 3 is a flowchart illustrating a white list-based industrial control system abnormal behavior detection method (hereinafter, referred to as 'abnormal behavior detection method') for a non-standard protocol according to an embodiment of the present invention.

Referring to FIGS. 1 to 3, an abnormal behavior detection method according to an exemplary embodiment of the present invention includes a step (S100) of collecting all packets by the packet collection module 100, a step (S300) of analyzing the collected packets and generating a regular expression by the packet analysis module 200, steps (S400 to S500) of generating and verifying a whitelist by the whitelist module 300, and a step (S600) of detecting an abnormal behavior in the industrial control system.

The step S100 of collecting all packets (PCAP) by the packet collecting module 100 may be performed through mirroring on a network switch SW located at the point of contact between the control system network 30 and the business network 70, in order to increase the accuracy of the whitelist.

In step S300, the packet analysis module 200 analyzes the collected packets to generate a regular expression. Step S300 includes selecting the target packets to be analyzed based on the header information of the packets (PCAP), analyzing the payload values, and generating a regular expression to be applied to the whitelist rule.

Hereinafter, the method by which the packet analysis module 200 analyzes the collected packets and generates a regular expression will be described in detail with reference to FIGS. 4 and 5.

FIG. 4 is a flowchart illustrating a method of selecting the packets to be analyzed by the header analyzer 230 shown in FIG.

Referring to FIGS. 1 to 4, the header analyzing unit 230 selects a target packet range to be analyzed through a predetermined statistical analysis step (S110 to S200).

First, the header analyzing unit 230 performs a packet transmission/reception IP statistical analysis step S110 for identifying the main network flow information in the industrial control system environment; in step S110, the main network flow section of the target environment (for example, the IP band with the highest traffic) is identified through statistical analysis of the transmitting and receiving IP addresses.

For example, the header analyzing unit 230 can find the IP band having the highest traffic through the statistical analysis on the transmission / reception IP.

In order to analyze a large amount of packet data efficiently, the header analyzing unit 230 performs a packet protocol statistical analysis step (S130) for identifying the main protocol information; in step S130, the statistics of all protocols in the identified IP band are analyzed to determine the main protocol information.

For example, the header analyzing unit 230 finds the main protocol (for example, TCP) in the IP band previously found in step S110 through the packet protocol statistical analysis step (S130).

Next, the header analyzing unit 230 performs a packet session statistical analysis step S150 for identifying a meaningful range of data packets among the large number of packets; in step S150, information such as session information and port information is identified for the main protocol (e.g., TCP).

That is, the header analyzer 230 identifies the session information or the port information for the main protocol of the main IP band (S150).

For example, the header analyzer 230 can identify port information or session information for a main protocol of the main IP band.

Finally, the header analysis unit 230 performs a packet analysis target range selection step S200 for selecting the target range of the packet analysis, and selects the final packet target range based on the results of the statistical analysis steps S100 to S150 described above (S200).

FIG. 5 is a flowchart explaining the step (S300) in which the payload analyzing unit 270 shown in FIG. derives the pattern characteristics and generates the regular expression.

Referring to FIGS. 1 to 5, the payload analyzing unit 270 identifies the payload pattern characteristics through predetermined steps S210 to S300 for the previously selected packet analysis target range, and generates a regular expression (S300).

A series of processes (S210 to S300) for the payload analyzing unit 270 to identify the payload pattern characteristic and generate a regular expression are as follows.

First, the payload analyzing unit 270 performs a payload extracting step (S210), in which the payloads of the packet analysis target range selected by the header analyzing unit 230 are extracted.

In this case, the payload files extracted in the payload extracting step (S210) contain the payload data in an arbitrary order, and since payload data of the same type are scattered throughout the file, the payload analyzing unit 270 must remove duplicate payload data of the same type in order to analyze the characteristics of the non-standard protocol.

The payload analyzing unit 270 performs a payload sorting step S230, in which the payloads are sorted in advance so that the removal of duplicate payload data can be performed effectively.

At this time, the payload analyzer 270 sorts the extracted payload data by designating a predetermined delimiter for the extracted data file (S230).

Next, the payload analyzing unit 270 performs a payload deduplication step (S250), which removes redundant payload data from among the sorted payloads.

In order to remove the duplicate payload data and identify the payload type, the payload analyzer 270 first generates a predetermined identifier (e.g., "payload size | redundant payload count") (S240).

According to the embodiment, the payload analyzing unit 270 removes redundant data using an instruction composed of the identifier (e.g., "payload size | number of payloads") (S250).

The payload analyzer 270 then performs a descending-order sorting step S270, in which the deduplicated payload data are sorted in descending order by the identifier (the same-payload count and the payload size).

Thereafter, the payload analyzing unit 270 performs a payload separating step S280, in which the payload results generated in the descending sorting step S270 are separated into files by payload size.

Since each file separated in the payload separating step (S280) can be turned into a single whitelist rule through a normalization process, this step (S280) defines the target range for generating whitelist rules.

Finally, the payload analyzing unit 270 performs the regular expression generating step S300, in which the payload characteristics of each file distributed in the payload separating step S280 are derived and a regular expression is generated.

Referring again to FIG. 3, the steps (S400 to S500) in which the whitelist module 300 creates and verifies the whitelist are as follows. The whitelist module 300 generates a whitelist rule using the regular expression generated by the payload analysis unit 270, and verifies whether normal behavior detection and abnormal behavior detection are performed properly through the generated whitelist rule.

Hereinafter, a method of generating and verifying a white list by the white list module 300 will be described in detail with reference to FIG.

FIG. 6 is a flowchart illustrating a method of generating and verifying a whitelist by the whitelist module shown in FIG.

Referring to FIGS. 1 to 6, the whitelist generating unit 330 generates a whitelist rule (S400). The whitelist rule generating step S400 is a preliminary task for applying a whitelist-based rule, and generates the whitelist rule using the regular expression generated by the payload analysis unit 270.

The whitelist verification unit 350 performs a whitelist verification step S500, which verifies whether the whitelist rule operates correctly on the large number of packets collected by the packet collection module 100.

The whitelist verification step (S500) will now be described in more detail. First, in order to verify normal behavior detection, the whitelist verification unit 350 sets the whitelist rule generated in the whitelist rule generation step (S400) as the basic rule (S410).

Thereafter, the packets collected by the packet collecting module 100 are retransmitted and the detection log is checked against the set basic rule to verify normal behavior detection (S430).

In order to verify abnormal behavior detection, the whitelist verification unit 350 generates abnormal payload data in which part of the payload data of the packet used in the normal behavior detection verification is changed (S450).

Thereafter, the abnormal behavior detection is verified through the retransmission of the packet for the generated abnormal payload data and the detection log check (S470).

Finally, the whitelist verification unit 350 compares the detection event and the detection log obtained through steps S400 to S470 to verify whether the whitelist rule is operating properly (S500).
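The payload analysis steps (S210 to S300) and the whitelist generation and verification steps (S400 to S500) described above, as an added Python example that is not part of the patent: it runs on constructed sample payloads of a hypothetical protocol (2-byte magic, function code, sequence number, data), keeps the per-size files in memory, and uses placeholder addresses, ports and sid values in the Snort rules it emits; the count-then-size ordering of the identifier sort is also an assumption.

```python
import re
from collections import Counter

# Constructed payloads of a hypothetical non-standard ICS protocol (not from
# the patent): 2-byte magic AA55, 1-byte function code, 1-byte sequence
# number, then a data field whose length depends on the function code.
SAMPLE_PAYLOADS = [
    bytes.fromhex("aa55" "01" "10" "0000"),
    bytes.fromhex("aa55" "01" "11" "0000"),
    bytes.fromhex("aa55" "01" "12" "0001"),
    bytes.fromhex("aa55" "01" "10" "0000"),      # duplicate of the first
    bytes.fromhex("aa55" "02" "20" "00000000"),
    bytes.fromhex("aa55" "02" "21" "00000001"),
    bytes.fromhex("aa55" "02" "21" "00000001"),  # duplicate
    bytes.fromhex("aa55" "03" "30"),
]


def deduplicate(payloads):
    """S230-S270: sort the payloads, count identical ones, attach the
    'payload size | same payload count' identifier and order the unique
    payloads by count and then size, both descending (the tie-break is an
    assumption; the patent only says 'descending by identifier')."""
    counts = Counter(sorted(payloads))                        # S230 + S250
    rows = [(p, f"{len(p)}|{n}") for p, n in counts.items()]  # S240 identifier
    rows.sort(key=lambda r: (counts[r[0]], len(r[0])), reverse=True)  # S270
    return rows


def split_by_size(rows):
    """S280: one group per payload size (the patent writes each group to
    its own file; here the groups stay in memory)."""
    groups = {}
    for payload, _ident in rows:
        groups.setdefault(len(payload), []).append(payload)
    return groups


def derive_regex(group, max_variants=4):
    """S300: one regular expression for a group of equal-length payloads.
    A byte position that is constant across the group becomes a literal, a
    position with at most max_variants distinct values becomes a character
    class, and a freely varying position becomes a full-byte wildcard."""
    parts = []
    for i in range(len(group[0])):
        values = sorted({p[i] for p in group})
        if len(values) == 1:
            parts.append(f"\\x{values[0]:02x}")
        elif len(values) <= max_variants:
            parts.append("[" + "".join(f"\\x{v:02x}" for v in values) + "]")
        else:
            parts.append("[\\x00-\\xff]")
    return "".join(parts)


def build_whitelist_rules(payloads, base_sid=1000000):
    """S400: one Snort rule per payload size that alerts when a payload of
    that size does NOT match the learned expression (negated pcre).
    Addresses, ports and sid values are placeholders."""
    groups = split_by_size(deduplicate(payloads))
    rules = []
    for n, (size, group) in enumerate(sorted(groups.items())):
        body = derive_regex(group)
        rules.append({
            "size": size,
            "pcre": body,
            "text": (f'alert tcp any any -> any any (msg:"ICS whitelist '
                     f'violation, size {size}"; dsize:{size}; '
                     f'pcre:"!/^{body}$/"; sid:{base_sid + n}; rev:1;)'),
        })
    return rules


def rule_alerts(rules, payload):
    """S430/S470: replay one payload against the rule set and report whether
    a detection-log entry would result. A size that no rule whitelists is
    reported as a violation too."""
    for rule in rules:
        if rule["size"] == len(payload):
            return re.fullmatch(rule["pcre"].encode(), payload) is None
    return True


def verify(rules, payloads):
    """S410-S500: the original payloads must produce no alert, and a copy
    of each with one byte of the constant magic changed (S450) must alert.
    Returns (normal_detection_ok, abnormal_detection_ok)."""
    normal_ok = not any(rule_alerts(rules, p) for p in payloads)   # S430
    mutated = [bytes([p[0] ^ 0xFF]) + p[1:] for p in payloads]     # S450
    abnormal_ok = all(rule_alerts(rules, p) for p in mutated)      # S470
    return normal_ok, abnormal_ok
```

A byte position that varies beyond max_variants becomes a full-byte wildcard, so a changed byte there raises no alert; that blind spot is exactly what the abnormal behavior verification step (S450 to S470) is meant to expose before the rule is handed to the detection module.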

Referring again to FIG. 3, the abnormal behavior detection module 400 performs a step S600 of detecting abnormal behavior in the industrial control system 1; in the abnormal behavior detection step S600, the abnormal behavior detection module 400 adopts the whitelist rule validated by the whitelist verification unit 350 as its own rule and detects abnormal behavior in the control system 1.

As a result, the abnormal behavior detection method according to an embodiment of the present invention uses a whitelist based on the empirical data of the industrial control system to detect abnormal behavior in the industrial control system even for non-standard protocols for which no standard exists.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention.

Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

1: industrial control system
10: abnormal behavior detection device
30: control system network
70: business network
100: packet collection module
200: packet analysis module
230: header analyzer
270: payload analyzer
300: whitelist module
330: whitelist generator
350: whitelist verification unit
400: abnormal behavior detection module

Claims (10)

Collecting, by the packet collection module, predetermined target packets through mirroring on a network switch located at the contact point between the control system network section and the business network section of an industrial control system;
Selecting a packet to be analyzed through a predetermined statistical analysis according to the header information of the packets collected by the packet collection module;
Extracting, by the packet analysis module, the payloads of the selected packet analysis target range;
Sorting the extracted payloads by the packet analysis module;
Generating, by the packet analysis module, an identifier including the payload size and the same-payload count in order to identify the payload type, and thereby removing duplicate payloads;
Sorting, by the packet analysis module, the deduplicated payloads in descending order based on the identifier;
Separating, by the packet analysis module, the payloads sorted in descending order into individual files based on the payload size;
Generating, by the packet analysis module, a number of regular expressions corresponding to the number of separated files;
Generating a whitelist rule using the regular expressions generated by the packet analysis module;
Setting, by the whitelist module, the generated whitelist rule as a verification rule, retransmitting the predetermined target packets collected by the packet collection module, checking the detection log according to the set verification rule, and thereby verifying normal behavior detection;
Generating, by the whitelist module, abnormal payload data in which part of the payload data of a packet verified as normal behavior in the normal behavior detection verification step is changed, retransmitting the packet with the generated abnormal payload data, and verifying abnormal behavior detection through a detection log check; and
Detecting an abnormal behavior in the industrial control system using the whitelist rule generated by the whitelist module as a detection rule, in a whitelist-based industrial control system abnormal behavior detection method for a non-standard protocol.
delete
The method of claim 1, wherein the selecting of the analysis target packet by the packet analysis module comprises:
A packet transmission/reception IP statistical analysis step of identifying the IP band having the highest traffic among all the collected packets;
A packet protocol statistical analysis step of analyzing the statistics of all protocols in the IP band identified in the IP statistical analysis step and identifying the most used protocol information;
A packet session statistical analysis step of identifying session information or port information for the IP band and protocol information identified in the packet transmission/reception IP statistical analysis step and the packet protocol statistical analysis step; and
A packet analysis target range selection step of selecting the analysis target packet according to the identified IP band and protocol information and the identified session information or port information.
delete delete delete delete
A packet collection module which is mirrored to a network switch located at the point of contact between the control system network section and the business network section of the industrial control system, and which defines, from among all the packets transmitted through the network switch, the packets to be collected and the collection period;
A packet analysis module which selects a packet to be analyzed through statistical analysis of the transmitting/receiving IP addresses, statistical analysis of the protocols, and statistical analysis of the sessions based on the header information of the packets collected by the packet collection module, extracts the payloads of the selected packets, sorts the extracted payloads, generates an identifier consisting of the payload size and the same-payload count to identify the payload type, removes duplicate payloads, sorts the deduplicated payloads in descending order based on the identifier, separates the payloads sorted in descending order into individual files based on the payload size, and generates a number of regular expressions corresponding to the number of separated files;
A whitelist module which generates a whitelist rule using the regular expression generated by the packet analysis module, performs normal behavior detection verification by applying the generated whitelist rule to all the packets collected by the packet collection module, and performs abnormal behavior detection verification by applying the whitelist rule to a packet in which part of the payload of a packet used for the normal behavior detection verification has been changed; and
An abnormal behavior detection module which defines the whitelist rule verified by the whitelist module as a detection rule and detects abnormal behavior in the industrial control system according to the detection rule, in a whitelist-based industrial control system abnormal behavior detection apparatus for a non-standard protocol.
delete delete
KR1020170079947A 2017-06-23 2017-06-23 Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol KR101860395B1 (en)


Publications (1)

Publication Number Publication Date
KR101860395B1 (en) 2018-07-02



Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant