KR102139138B1 - An ICS header profiling system for private Industrial Control System protocol - Google Patents

Abstract

The present invention relates to a private ICS protocol profiling system for group- and cycle-based abnormal behavior detection. The system analyzes packets transmitted and received in a private industrial control protocol communication environment between operating and control devices in an industrial control system network. The system includes: a packet extraction and data separation unit extracting a packet between the control and operating devices and separating a network header, an ICS header, and an ICS payload; a field object property analysis unit dividing the ICS header into variable and fixed fields and detecting a packet transmission-representing object property field (hereinafter, object property field) from the fixed field; a group property analysis unit detecting a field value-grouped field (hereinafter, group field) from the variable field; a transmission cycle property analysis unit detecting a transmission pattern or cycle of packets in which the group field has a certain field value; and a packet profiling unit profiling the ICS header information and setting as a profile the object property field, the group field, and the transmission pattern or cycle. The above-described method and system performs analysis by dividing a private ICS protocol packet into a network packet header and an ICS protocol payload and dividing the ICS protocol payload into an ICS header and an ICS payload.

Description

Profiling system of private ICS protocol for group and cycle-based anomaly detection {An ICS header profiling system for private Industrial Control System protocol}

The present invention extracts a packet structure by analyzing packets by a private ICS (Industrial Control System) protocol, extracts the contents of the ICS header of the ICS packet according to the extracted packet structure, collects characteristic information of the ICS header, group, and It relates to a profiling system of a private ICS protocol for detecting period-based anomalies.

In general, the industrial control system network consists of operating devices (HMI, EWS, etc.), control devices (PLC, DCS, RTU, etc.), field devices (sensors, actuators, etc.) and communicates using industrial control protocols.

Industrial control protocols may use standard protocols such as Modbus, Distributed Network Protocol 3 (DNP3), InterControl Center Communications Protocol (ICCP), OLE for process control (OPC), but the company's own private protocol is used. There are cases.

Anomaly detection for the standard industrial control protocol is profiled by subdividing network header information (Ethernet header information, IP header information, TCP/UDP header information), ICS header information, and ICS payload data defined in the standard protocol. It consists of a white list or applies machine learning or deep learning. Through this, the detection rate of abnormal behaviors is increased, and the false positive rate is reduced, and the traceability of abnormal behaviors is increased.

In the case of the private industrial protocol, the structure of the ICS protocol cannot be analyzed, so it is classified only into network header information and network payload data [Patent Document 1]. In addition, when this is configured as a white list or when machine learning or deep learning is applied, there is a problem that an abnormal behavior detection rate decreases and a false positive rate increases. In addition, there is a problem in that the traceability of the network payload data with ICS information is poor when it occurs.

Korean Registered Patent Publication No. 10-1860395 (announced on Jul. 02, 2018)

The object of the present invention is to solve the problems as described above, and analyze the packets by the private industrial control system (ICS) protocol to extract the packet structure, and the contents of the ICS header of the ICS packet according to the extracted packet structure It is to provide a private ICS protocol profiling system for group and cycle-based anomaly detection by extracting and collecting characteristic information of an ICS header.

Particularly, an object of the present invention is to analyze field characteristic information, field group information, and transmission cycle characteristics of a private ICS header of a private ICS protocol, so that ICS abnormal behavior can be detected by data of a field group or its periodic characteristics. , Providing a system for profiling a closed ICS protocol for group and cycle-based anomaly detection.

In order to achieve the above object, the present invention analyzes packets transmitted/received in an environment communicating with a closed ICS protocol between an operating device and a control device in an industrial control system (ICS) network, and is closed for group and cycle-based abnormal behavior detection. A ICS protocol profiling system, comprising: a packet extraction and data separation unit for extracting packets between a control device and an operating device and separating a network header, an ICS header, and an ICS payload; A field object characteristic analysis unit for dividing the ICS header into a variable field and a fixed field, and detecting a field (hereinafter referred to as an object characteristic field) of an object characteristic indicating packet transmission in the fixed field; A group characteristic analysis unit that detects a field (hereinafter referred to as a group field) grouped by a field value in the variable field; A transmission period characteristic analysis unit detecting a transmission pattern or transmission period of packets in which the group field has a specific field value; And a packet profiling unit profiling the ICS header information, but setting the object characteristic field, the group field, and a transmission pattern or a transmission period as a profile.

In addition, the present invention is a profiling system of a private ICS protocol for group and cycle-based anomaly detection, wherein the object characteristic is at least one of packet length, port information, destination information, source information, and global protocol information. do.

In addition, in the present invention, in the profiling system of a private ICS protocol for group and period-based anomaly detection, the packet extraction and data separation unit separates the packet into a network header and a network payload, and separate network payload. Is classified into an ICS header and an ICS payload based on a preset size, and when a length field is detected among the object property fields, the size to separate according to the field value of the corresponding length field is adjusted.

In addition, in the present invention, in the profiling system of a private ICS protocol for group and period-based anomaly detection, the field object characteristic analysis unit does not change the field value when the packet transmission information of the network header of the packet is the same. It is characterized in that the field is divided into a fixed field, and a field in which the field value is changed is divided into a variable field.

In addition, in the present invention, in the profiling system of a private ICS protocol for group and period-based anomaly detection, the field object characteristic analysis unit samples a set of packets in which only one specific object characteristic is different among a plurality of object characteristics, The ICS header field is overlapped with respect to the set of sampled packets, and a field in which the field value is changed among the fixed fields is found and defined as a field of the corresponding object characteristic.

In addition, in the present invention, in the profiling system of the private ICS protocol for group and period-based anomaly detection, the field object characteristic analysis unit samples a packet that satisfies the condition of the object characteristic and constructs a packet set. It is characterized by checking the condition of an object property using header information.

In addition, in the present invention, in the profiling system of a private ICS protocol for group and period-based anomaly detection, the field object characteristic analysis unit selects a predefined field when searching for a field in which the field value is changed among the fixed fields. It is characterized by finding among the rest of the fixed fields.

In addition, the present invention, in the profiling system of a private ICS protocol for group and period-based anomaly detection, the field object characteristic analysis unit, when detecting a field of an object characteristic, packet length information, port information, destination information, It is characterized by detecting a field of object characteristics in the order of origin information and global protocol information.

In addition, in the present invention, in the profiling system of the private ICS protocol for group and period-based anomaly detection, the field group characteristic analysis unit samples a packet set and uses a window for a variable field of packets of the sampled packet set. While moving, the field values of the field corresponding to the window are grouped into the same group as a group, and when grouped into groups having a predetermined number of thresholds or less, the field is defined as a group field. .

In addition, the present invention is characterized in that in the profiling system of the private ICS protocol for group and cycle-based anomaly detection, the window is set to 1 byte, and after moving all the variable fields, it is repeatedly performed by incrementing by 1 byte. do.

In addition, in the present invention, in the profiling system of a private ICS protocol for detecting anomalous activity based on a group and a cycle, the field group characteristic analysis unit samples a packet set for each session and groups it by a packet set for each session, and representative values of the groups If this is different for each session, the corresponding field is classified into a session group field, and for the remaining variable fields excluding the session group field, a packet set is sampled for each operating system and grouped by a packet set for each operating system, and representative values of the groups If it is different for each operating system, the corresponding field is classified into a system group field, and for the remaining variable fields other than the session group field and the system group field, the entire packet set is sampled and grouped by the packet set to classify it into a global group field. It is characterized by.

In addition, in the present invention, in the profiling system of a private ICS protocol for detecting anomalous activity based on a group and a cycle, the transmission cycle characteristic analysis unit may include at least one of a source and a destination, a length, a port, a system group, and a global group. It is characterized by detecting the transmission pattern and period of the packet, but sampling the packet in time to detect the pattern and period according to the time sequence and the interval.

As described above, according to the profiling system of the private ICS protocol for detecting group and cycle-based abnormal behavior according to the present invention, even if the detailed structure of the ICS header by the private ICS protocol is unknown, the structure and transmission pattern are automatically An extractable effect is obtained.

In addition, according to the profiling system of the private ICS protocol for group and cycle-based anomaly detection according to the present invention, by extracting characteristic information and transmission patterns of the ICS header by the private ICS protocol, the detailed structure of the private ICS protocol is unknown. Even if it has the effect of detecting the abnormal behavior of the ICS packet is obtained.

In particular, according to the profiling system of the private ICS protocol for group and cycle-based anomaly detection according to the present invention, the effect of analyzing field object properties, field group properties, and transmission cycle properties for the private ICS header is obtained. .

In addition, according to the profiling system of the private ICS protocol for group and cycle-based anomaly detection according to the present invention, by profiling the private ICS header, an abnormal sign in the industrial control system network through whitelist configuration and flow characteristic configuration An effect that can be used for detection is obtained.

1 is a block diagram of a configuration diagram of an entire system for carrying out the present invention.
2 is a diagram illustrating a packet profiling system 100 for a private ICS protocol according to an embodiment of the present invention.
3 is a diagram showing a packet configuration by a private ICS protocol according to an embodiment of the present invention.
4 is a diagram illustrating an operation concept of analyzing characteristics of a header field object in the field object characteristic analysis unit 121 according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating an operation concept of characteristic analysis of a header field group in the field group characteristic analysis unit 122 according to an embodiment of the present invention.
6 is an exemplary diagram for a process of analyzing characteristics of a header field group by a window according to an embodiment of the present invention.
7 is a diagram illustrating a transmission pattern and a cycle according to an embodiment of the present invention.
8 is a flowchart illustrating a detailed operation process of the packet extraction and data separation unit 110 according to an embodiment of the present invention.
9 is a flowchart illustrating a detailed process of analyzing the characteristics of a field object of the field object characteristic analysis unit 121 according to an embodiment of the present invention.
10 is a flow chart showing the detailed process of the field group characteristic analysis of the field group characteristic analysis unit 122 according to an embodiment of the present invention.
11 is a flowchart illustrating a detailed process of analyzing the transmission period characteristics of the transmission period characteristic analysis unit 123 according to an embodiment of the present invention.
12 is a diagram showing ICS header information profiling by the packet profiling unit 140 according to an embodiment of the present invention.
13 is a flowchart illustrating an ICS anomaly detection process using private ICS header information profiling according to an embodiment of the present invention.

Hereinafter, specific contents for carrying out the present invention will be described in accordance with the drawings.

In describing the present invention, the same parts are denoted by the same reference numerals, and repeated explanation is omitted.

First, the configuration of the entire system for carrying out the present invention will be described with reference to FIG. 1.

As shown in FIG. 1, the entire system for carrying out the present invention includes a control device 300 for controlling a field device, an operating device 200 for transmitting a control command to the control device 300, and a control device 300 ) And the profiling system 100 for profiling packets between the operating devices 200.

First, the control device 300 is a device that controls a field device, and is preferably composed of a PLC (Programmable Logic Controller), DCS (Distributed Control System), RTU (Remote Terminal Unit), and the like. Field devices are devices that are installed at industrial facility sites such as sensors and actuators.

In addition, the control device 300 receives a control command from the operating device 200 to control the field device. In addition, the control device 300 receives the operation information from the field device and transmits it to the operating device 200 and reports it.

Next, the operating device 200 is a device that controls the control device 300, and is composed of a human machine interface (HMI), an engineering workstation (EWS), and the like. That is, the operating device 200 issues a control command to the control device 300 or collects and monitors operation information of a field device from the control device 300.

Meanwhile, the operating device 200 and the control device 300 communicate using an Industrial Control System (ICS) protocol. At this time, the standard ICS protocol is used, or the industry's own private ICS protocol is used.

Next, the profiling system 100 performs a normal packet profiling function for detecting abnormal behavior for the private ICS protocol when using the private ICS protocol between the operating device 200 and the control device 300.

Here, profiling refers to detecting a structure of a private ICS protocol (especially a header structure) and a transmission pattern of an ICS packet, and storing it as a profile (or profile information). Profiles are used to detect ICS anomalies. That is, if an unprofiled action occurs, the action can be regarded as an abnormal action.

In addition, the profiling system 100 monitors communication between the operating device 200 and the control device 300. At this time, tapping the communication line between the two with tap equipment, or using a mirroring port of the switch, monitors the corresponding communication.

In particular, the profiling system 100 monitors the communication, collects a significant amount of packets (especially, private ICS packets), and performs profiling using the collected packets.

Next, a configuration of a profiling system of a private ICS protocol for detecting abnormal behavior based on groups and cycles according to an embodiment of the present invention will be described with reference to FIG. 2. 2 is a diagram illustrating a packet profiling system 100 for a private ICS protocol.

2, the profiling system 100 according to an embodiment of the present invention includes a packet extraction and data separation unit 110, a field object characteristic analysis unit 121, a field group characteristic analysis unit 122, It may include a transmission period characteristic analysis unit 123, a packet profiling unit 140.

First, the packet extraction and data separation unit 110 extracts an ICS conversation packet from communication between the operating device 200 and the control device 300 and separates the network header and network payload data from the extracted packet. At this time, the network header is composed of headers for networking, such as an Ethernet header, a logical link control (LLC) header, an IP header, and a TCP/UDP header. That is, the network header is composed of at least one of the standard network headers.

In addition, the packet extraction and data separation unit 110 separates the ICS header and the ICS payload from the separated network payload data. That is, the network payload data is separated based on the reference header length. At this time, the reference header length is a preset value, and is set to an arbitrary n bytes (n bytes set in advance). Preferably, n is set to a normal standard header length, for example, within 20 bytes based on the TCP header.

Meanwhile, the packet extraction and data separation unit 110 may readjust n bytes according to the length information field analysis of the ICS header.

Next, the field object characteristic analysis unit 121 analyzes fields representing object characteristics such as protocol information and unit information in the packet header except for fields that are changed for each packet or maintained only during one session in the ICS header field.

That is, the field object characteristic analysis unit 121 is based on a fixed field whose field value is not changed during communication between the operating device 200 and the control device 300, a length information field, a port information field, a destination unit information field, The source unit information field, the protocol information field, and the like can be analyzed.

Next, the field group characteristic analysis unit 122 analyzes fields representing field group characteristics, such as a control command group.

That is, the field group characteristic analysis unit 122 changes information for each packet or is maintained for only one session based on a variable field in which the field value is changed during communication between the operating device 200 and the control device 300. Except, the system group property field and the global protocol group property field, which are represented as group information in one system or in the entire system, can be analyzed.

Next, the transmission period characteristic analysis unit 123 analyzes message transmission period characteristics and aperiodic characteristics, etc., which appear according to packet length, port, control command, etc. in the conversation packet between the operating device 200 and the control device 300.

Next, the profiling unit 140 profils based on the ICS header field object characteristic information, the ICS header field group characteristic information, and the ICS transmission cycle characteristic information based on the protocol header information.

Next, the structure of an ICS packet according to a private ICS protocol according to an embodiment of the present invention will be described with reference to FIG. 3. 3 is a block diagram of an ICS packet structure using a private ICS protocol according to an embodiment of the present invention.

Referring to FIG. 3, the packet structure according to the private ICS protocol may include TCP/UPD upper ICS packet 1100, Ethernet upper ICS packet 1200, and modified Ethernet upper ICS packet 1300.

First, the TCP/UDP upper ICS packet 1100 is composed of a network packet header 1100a and an ICS protocol payload 1100b. Here, the network packet header 1100a is composed of an Ethernet header 1100a-1, an IP header 1100a-2, a TCP/UPD header 1100a-3, and the like, and the ICS protocol payload 1100b is a network packet payload. It consists of ICS header 110b-1 and ICS payload 1100b-2 as data.

Second, the Ethernet upper ICS packet 1200 is composed of a network packet header 1200a and an ICS protocol payload 1200b. Here, the network packet header 1200a is composed of an Ethernet header 1200a-1 and the like, and the ICS protocol payload 1200b is network packet payload data as the ICS header 120b-1 and the ICS payload 1200b-2. It is composed.

Next, the modified Ethernet upper ICS packet 1300 is composed of a network packet header 1300a and an ICS protocol payload 1300b. Here, the network hacker header 1300a is composed of an Ethernet header 1300a-1, an LLC header 1300a-2, and the ICS protocol payload 1100b is the network packet payload data and the ICS header 110b-1. It consists of ICS payload (1100b-2).

The network packet header (or network header) means a header at a network layer, and is composed of a source for transmitting a packet, a destination for receiving a packet, and a port representing a session.

Next, a method of analyzing the object characteristics of the ICS header field by the field object characteristic analysis unit 121 according to an embodiment of the present invention will be described with reference to FIG. 4.

Previously, the ICS header and the ICS payload are previously separated from the network payload data of the ICS packet by the packet extraction and data separation unit 110. That is, the ICS header and the ICS payload are separated based on a predetermined size (an arbitrary n bytes, etc.). In addition, in the ICS header, a field object characteristic representing a constant value according to an object target may be analyzed. Hereinafter, the separated ICS header is analyzed.

Referring to FIG. 4, first, packets having the same source, destination and port of the network header (or network packet header) and the same packet size are configured as a packet set (multiple packets). Then, by overlapping the ICS header field with respect to the configured packet set, the field value is divided into a fixed field in which the field value is not changed and a variable field in which the field value is changed (2100). That is, preferably, the source and destination are the same (1:1), and the ICS header field is overlapped with the same port and the same size of the packet set object to be divided into a fixed field and a variable field (2100).

Here, the source, destination, and port refer to the address and port of the network packet header (hereinafter referred to as the network header). That is, the source, destination, and port are extracted from the network packet header of the corresponding packet.

Next, a packet set having the same source, destination, and port of the network header but having different packet sizes is configured, and the ICS header field is overlapped with respect to the configured packet set to find a field in which the field value is changed among the fixed fields and length. It is defined as an information field (2200). That is, by overlapping the ICS header field for a packet set of the same port (1:1) and the same port and different size, the field value is changed to find a field (or fixed field) that maintains the same value for each length. Defined as the length information field.

Next, configure the packet set with the same source and destination of the network header and different ports, and overlap the ICS header field with the target of the configured packet set to find the field whose field value changes among the remaining undefined fixed fields. It is defined as (2300). That is, the field value is changed by overlapping the ICS header field targeting a packet set with the same source and destination (1:1) and different ports, and the field (or fixed field) that maintains the same value for each port is searched for the port information field. define.

Next, a packet set with the same origin and a different destination is composed of a packet set, and the ICS header field is overlapped with respect to the configured packet set to find a field whose field value is changed among the remaining undefined fields and define it as a source information field. (2400). That is, the field value is changed by overlapping the ICS header field targeting a packet set having the same origin and different destination (1:N), and a field maintaining the same value for each destination is found and defined as a destination unit information field.

Finally, a packet set with a different origin of the network header is formed, and the ICS header field is overlapped with respect to the configured packet set to find a field in which the field value is changed among the remaining undefined fixed fields and define it as a source information field (2500) ). That is, the field value is changed by overlapping the ICS header field targeting a packet set having a different source and destination (M:N), and a field maintaining the same value for each source is found and defined as a source unit information field.

In addition, the entire packet set is applied to the remaining fixed fields that are not defined in the above process, thereby defining global protocol information fields and other variable fields. That is, a fixed field is defined as a global protocol information field without changing in the change comparison process (overlapping the ICS header field) for the entire packet set (all collected and sampled packet sets), and the change field missing from the field definition Is defined as other variable field.

On the other hand, as described above, the object is a property related to packet transmission, and is divided into packet length, port, source, destination, and transport protocol. That is, the objects are those that are determined to exchange messages (or packets) between the operating device and the control device. Specifically, the object refers to length information, port information, destination information, source information, global protocol information, and the like. These are for message transmission (or packet transmission) and are not related to commands/functions. Therefore, the field of the object property of the ICS header is directly related to the transmission information of the network header.

On the other hand, preferably, the order of obtaining each field object (length/size, port, destination, source) in a fixed field is sequentially defined in the order of length, port, destination, source, and the like. Preferably, such an order is determined according to whether it is easy to collect packets meeting each requirement. For example, it is difficult to collect packets having the same length, port, and destination and different sources. Therefore, the source is not first, but the last.

Next, a method of analyzing the group characteristics of the ICS header field by the field group characteristic analysis unit 122 according to an embodiment of the present invention will be described with reference to FIGS. 5 and 6.

The field group characteristic analysis unit 122 analyzes the characteristics of the fields appearing as a group in the ICS header field for the variable fields of the ICS header classified in the first step of FIG. 4 and other variable fields remaining until the last step. The variable fields of the header and the other variable fields (or other fields) are added together to be referred to as an extended variable field.

Referring to FIG. 5, these extended variable fields are composed of a group field, a sequence number field, a session information field, a checksum field (CRC), a timestamp field, and a sequence field. That is, it is not known how the extended variable field is constructed, but the ICS header is composed of all or some of these fields.

In particular, the group field is a field for a function/function code such as read variable, write variable, stop, start, or a function/function type. The number of functions/commands, etc. is fixed, and used repeatedly. Therefore, the corresponding group field forms a group in which the corresponding field values are constant and has only the field values in the group.

For example, if the measured data is transmitted every hour, a session is established every hour and a command for requesting the measured data is sent, and the measured data is transmitted in response. At this time, functions/commands for forming a session, measurement data request functions/commands, measurement data transfer functions/commands, and the like are sequentially reciprocated, and data will be transmitted.

In addition, the group field is a field that is changed whenever a session is changed because the corresponding field value is maintained only within a session (hereinafter, a session group field), a field maintained only in a specific system (hereinafter, a system group property field or a system group field), and an entire packet It is divided into fields maintained for (hereinafter referred to as global protocol group characteristic field or global group field).

However, the session group field is a field maintained for only one session and cannot be detected because it is changed for each session. In addition, since the sequence number field, session information field, checksum field, timestamp field, and sequence field are basically used fields in the ICS protocol, abnormal behavior cannot be detected through these fields.

Among the above fields, fields required for detecting abnormal behavior are a system group field and a global group field. That is, the system group field indicates a function/command such as a system code or message type, and the global group field indicates a function/command such as a function code. Therefore, it is possible to detect an abnormal behavior by detecting a pattern in which a function/command code is executed.

First, the size is set by incrementing one by one from the window size 1 (1 byte) for variable fields or extended variable fields (3100). That is, the window size is set to 1 byte, and an extended variable field is analyzed for each field characteristic by 1 byte. For example, if the total header length is 8 bytes, all 8 of 1 byte are analyzed (or sequentially). And when the 1-byte window is completed, all 7 of 2 bytes each are analyzed with the next 2-byte size. In this way, the window size is increased by 1 byte and analyzed. Preferably, the window sizes are increased to 1, 2, 3 and 4 bytes respectively. 6 shows a case where the window size is 2 bytes.

Next, characteristics of each field are analyzed by a window having a set size (3200). That is, the analyzed field can be analyzed as a group field, a sequence number field, a session information field, a checksum field, a timestamp field, a sequence field, and other variable fields.

Sequence number field, session information field, checksum field, timestamp field, sequence field, and other variable fields are values that change each time a packet changes or change every time a session changes. It can be used for and can be checked separately (3200).

In the field group characteristic analysis unit 122, whether the field value is a group formed during one session, a group formed within one system, or a group formed globally in the entire system, targets the group field formed as a group. It can be analyzed (3300).

The field group characteristic analysis unit 122 may analyze the system group characteristic field and the global protocol group characteristic field as the group characteristic of the header field, except for the session group characteristic field maintained only for one session (3300).

Here, the system group characteristic field may indicate a system code, a message type, etc., and the global protocol group characteristic field may represent a function code, an OP code, or the like.

Meanwhile, the field group characteristic analysis unit 122 samples the ICS header set (or packet set), and when the fields corresponding to a specific window in the sampled ICS header set are grouped by the same field value (especially, a specific number or less) Grouped into groups), the field is classified as a group field or a group characteristic field. That is, if the corresponding field values of each header are the same, they are grouped into one group. The field value will be referred to as the representative value of the group. If the number of groups is K, all K groups have different representative values.

Preferably, if the number of groups is equal to or less than a preset threshold number, it is determined that the grouping is performed. That is, if the number of groups generated by grouping the field values of the corresponding field is equal to or less than a predetermined threshold number, the field is classified as a group characteristic field.

In the example of FIG. 6, this is the case when the window size is 2 bytes. If the ICS header is 8 bytes and the window size is 2 bytes, grouping can be performed with all 7 windows. The third task performs grouping on the 3rd and 4th bytes. The entire packet set or ICS header set is all n cases. Let n be 100,000. At this time, the field values of the third and fourth bytes of all 100,000 ICS headers are grouped.

In general, the number of commands/functions does not exceed 100. Therefore, if the corresponding field is a command/function field, the number of groups does not exceed 100 when grouping by the same field value. Since the corresponding field is 2 bytes, the possible field value is 2 ¹⁶ = 65,536. For example, if the corresponding field is an error correction code field, the number of cases (the number of groups) will be at least several thousand to tens of thousands.

Also, the threshold number may be set differently according to the window size. That is, one byte has a total of 256 cases, but the threshold number may be less than that of 2 bytes.

In addition, the number of elements (ICS headers) belonging to one group may also be used to determine whether the group. For example, if 100 groups are grouped, two groups have a large amount of headers, and if the remaining 98 groups all have only one header as an element, the corresponding field may not be a group field.

In addition, the field group characteristic analysis unit 122 samples a packet set (ICS header set) for each session and groups it by a packet set for each session, and if the representative values of the groups are different for each session, classifies the field as a session group field. do.

For example, K ₁ groups are created by grouping the packet set of the first session, and K ₂ groups are created by grouping the packet set of the second session. At this time, if the number of K ₁ groups or their representative values differs from the number of K ₂ groups or their representative values, the field values of the corresponding field are changed for each session. That is, field values of the corresponding field are maintained only during one session.

That is, the session group field is maintained only for one session, and when the session is changed, the field values are changed to a predetermined number of different values.

In addition, the field group characteristic analysis unit 122 samples the packet set (ICS header set) for each system for the remaining extended variable fields except for the session group field, groups them by the packet set for each system, and represents the representative values of the groups. If the system is different, the field is classified as a system group field. The system group field is classified in the same way as the session group field.

Here, the system refers to software or hardware operated by the operating device 200 or the control device 300, a network system (or an operating system). If different devices run the same operating system, they are classified as the same system.

The field group characteristic analysis unit 122 stores and stores the type of the operating system in advance as operating system information. Preferably, the operating system information is information mapping the type of operating system to the address of the source or destination of the network header. Therefore, the operating system can be distinguished by the address of the source or destination of the network header.

In addition, the field group characteristic analysis unit 122 samples the entire packet set (ICS header set) for the remaining extended variable fields except for the session group field and the system group field, and groups them by the packet set. Then, when grouping is performed in a group having a predetermined number of thresholds or less, the corresponding field is classified as a global group field.

Next, a method of analyzing the periodic characteristics of the ICS header field by the transmission period characteristic analysis unit 123 according to an embodiment of the present invention will be described with reference to FIG. 7.

The transmission period characteristic analysis unit 123 detects the transmission pattern and period of the packet for the source and destination, length, port, system group, global group, and the like. To this end, all packets transmitted and received are tapped, but the packets are sampled in time to detect patterns and periods according to the time sequence and the interval.

As shown in Fig. 7(a), the period means that the same packet is repeated at regular time intervals. Also, as shown in Fig. 7(b), the pattern refers to a series of repeated packets. 7(b), it can be seen that the pattern of the packet is repeated with a periodicity.

At this time, the same packet refers to the same packet, and the same packet is regarded as the same packet according to object characteristics or field characteristics such as a source and a destination, a length, a port, a system group, and a global group. As an example, in the case of a length characteristic, packets of the same length are regarded as packets of the same type.

In addition, preferably, the characteristic determined by the same kind is determined as one characteristic. Further, two or more characteristics may be combined to determine the same type. For example, a characteristic may be selected by combining a source, a destination, and a length, and packets of the same case may be set to the same type.

Preferably, the transmission period characteristic analysis unit 123 analyzes the periodicity sequentially by determining one characteristic in order of the source and destination, length, port, system group, and global group.

Next, a detailed process of the operation of the packet extraction and data separation unit 110 according to an embodiment of the present invention will be described with reference to FIG. 8.

Referring to FIG. 8, first, when a control network packet is collected, the collected packet is dividedly stored based on a predetermined time (S101), and a communication communication packet between the operating device 200 and the control device 300 is extracted (S102). can do.

It is determined whether the conversation packet between the operating device 200 and the control device 300 is a standard ICS protocol (S103), and if it is not a standard ICS protocol, it is performed in a standard ICS protocol analysis model (S104), and if it is a private ICS protocol, the operating device 200 or The control device 300 may configure a unique flow set by classifying the packet set into the source packet (S105).

The packet set originating from the operating device and the packet set originating from the control device are separately stored (S106), and the packet set for each destination, packet size, and port can be subdivided and stored for the packet set (S107). .

Separate the network layer header (Ethernet header, LLC header, IP header, TCP/UDP header, etc.) and the ICS protocol payload for the ICS protocol packet (S108), and any n bytes (typical header length, for the ICS protocol payload). For example, you can set the TCP header 20 bytes, etc.) to the ICS header and split the rest into the ICS payload.

If it is an ICS header by determining whether it is an ICS header (S110), if header analysis is performed (S111), it may be determined whether adjustment to the ICS header length n bytes is necessary according to analysis such as ICS header length (S113).

If adjustment for the ICS header length n bytes is required, the process is performed again from step S109. If no adjustment is required, analysis can be completed.

Next, a detailed process of analyzing the field object characteristics of the field object characteristic analysis unit 121 according to an embodiment of the present invention will be described with reference to FIG. 9. 9A and 9B are flowcharts illustrating a process of analyzing field object characteristics of the field object characteristic analysis unit 121.

Referring to FIG. 9A, the field object characteristic analysis unit 121 may first analyze a field object characteristic for a packet having the same source and destination (1:1).

For the ICS header analysis, a 1:1 conversation packet set having the same source address and destination address is prepared based on the MAC or IP address (S201), and the ICS header is overlapped and the field is set for a packet set divided into the same port and the same size. It can analyze the change of (S202).

If the field value is changed by determining whether the overlapped field maintains a fixed field value (S203), it is defined as a variable field and the field group characteristics are analyzed (S204).

If the fixed field value is maintained as a result of the determination of S203, it is possible to analyze a change of fields by preparing a set of subpacked packets of the same pod and different size and overlapping the ICS header for the remaining fixed fields (S205).

If the overlapped field is changed and the changed field value maintains a constant value for each packet size (S206), if the changed field value is a fixed value for each packet size, it may be defined as a length information field (S207).

If the result of the determination of S206 is not a fixed value for each packet size, a set of subdivided packets of different ports and different sizes may be prepared and the change of fields may be analyzed by overlapping the ICS header for the remaining fixed fields (S208).

If the overlapped field is changed and the changed field value maintains a constant value for each port (S209), if the changed field value is a fixed value for each port, it may be defined as a port information field (S210).

If the result of the determination of S209 is not a fixed value for each port, the process of Figure 8b can be performed.

Referring to FIG. 9B, the field object characteristic analysis unit 121 may analyze the field object characteristics while changing the source and destination.

A set of packets (1:N) having different destinations at the same source may be prepared and the change of fields may be analyzed (S301) by overlapping the ICS header for the remaining fixed fields.

If the overlapped field is changed and the changed field value maintains a constant value for each destination (S302), if the changed field value is a fixed value for each destination, it may be defined as a destination unit information field (S303).

If the result of the determination of S302 is not a fixed value for each destination, a packet set (M:N) having a different source and destination may be prepared and the change of fields may be analyzed by overlapping the ICS header for the remaining fixed fields (S304).

If the overlapped field is changed and the changed field value maintains a constant value for each source (S304), if the changed field value is a fixed value for each source, it may be defined as a source unit information field (S303).

In the entire packet analysis process, it may be determined whether the field maintains a fixed field value (S307 ), and the undefined changed fields may be defined as other variable fields and analysis of field group characteristics may be performed (S308 ).

As a result of the determination of S307, if a fixed field value is maintained in the entire packet analysis process, it may be determined whether the corresponding field is NULL (S309).

If the result of the determination of S309 is NULL, it is defined as a NULL field (S310). If not NULL, it is defined as a global protocol information field (S311), and ICS header analysis can be completed.

Next, a detailed process of analyzing the group characteristic of the ICS header field by the field group characteristic analysis unit 122 according to an embodiment of the present invention will be described with reference to FIG. 10. 10A and 9B are flowcharts showing detailed processes of the field group characteristic analysis of the field group characteristic analysis unit 122 according to an embodiment of the present invention.

Referring to FIG. 10A, the field group characteristic analysis unit 122 may first analyze a field group characteristic for a packet having the same source and destination (1:1).

A variable field may be prepared from a 1:1 conversation packet set having the same source address and destination address and iteratively performed for each variable field (S401).

In one variable field, the window size is increased by 1 by the unit change field size from window size=1 byte to analyze (S402 ).

If it is determined whether the value to be changed in the variable field forms a group (S403), and if a group is formed, it can be designated as a group field and the corresponding value can be stored as a group (S404).

As a result of the determination of S403, if the changed value of the variable field does not form a group, detailed field conditions such as a sequence number field, a session information field, a checksum field, a timestamp field, and a sequence field may be compared (S405).

According to the detailed field characteristics of each field, it is determined whether there is a designated field (S406), and if there is no designated field, an arbitrary variable field may be designated (S407).

As a result of the determination of S406, if there is a field designated according to detailed field characteristics for each field, it may be designated as a sequence number field, a session information field, a checksum field, a timestamp field, a sequence field (S408).

If the inspection is completed up to the size of the variable field (S409), if the inspection is not completed, the window size may be increased by 1 to perform again from step S402.

As a result of the determination of S409, if the inspection is completed, the defined field may be redefined (S410) including a small byte based on a large byte, and the process of Figure 8b may be performed.

Referring to FIG. 10B, the field group characteristic analysis unit 122 may analyze the group field characteristics while changing the source and destination.

In a packet set having the same origin and different destinations, group relationships may be compared for each group field (S501).

It is determined whether a group is formed in one system based on the origin (S502), and if it is changed according to a session, it may be designated as a session group field (S503).

As a result of the determination of S503, if a group is formed in one system, the group relationship may be compared for each remaining group field in a packet set having a different source and destination (S504).

If it is determined whether a group is formed over the entire system (S505) and a group is formed within only one system, the system group field may be designated and corresponding values may be stored in the group (S506).

As a result of the determination of S505, if a group is formed in the entire system, it can be designated as a global protocol field group, the corresponding values are stored in the group (S507), and change field analysis can be completed.

Next, a detailed process of the characteristic analysis of the transmission period of the transmission period characteristic analysis unit 123 according to an embodiment of the present invention will be described with reference to FIG. 11.

Referring to FIG. 11, it may be first analyzed whether periodicity occurs in all packets between a source and a destination (S601).

It is possible to analyze the packet periodicity according to the length information (S602), analyze the packet periodicity according to the port information (S603), analyze the packet periodicity according to the system group (S604), and analyze the periodicity according to the global protocol group (S605). have.

If the ICS packet has a periodicity (S606), if it does not have a periodicity, it can be classified as aperiodic traffic (S607).

As a result of the determination of S606, if there is a periodicity, a period with the smallest interval may be set as a basic period (S608) and periodicity analysis may be completed.

Next, the profiling structure of the ICS header according to an embodiment of the present invention will be described with reference to FIG. 12.

Referring to FIG. 12, the packet profiling unit 140 may profile ICS header information based on the analyzed information, and profile the ICS payload information based on the information analyzed by the payload analysis unit 130. have. That is, the packet profiling unit 140 defines the structure of the ICS header and the ICS payload and sets it as profile data.

The network packet basic information 5100 is used as index information for private ICS protocol packet profiling. The network packet basic information 5100 may include Ethernet header information 5100-1, LLC header information 5100-2, IP header information 5100-3, and TCP/UDP header information 5100-4. .

Profiling for the private ICS head information may be profiled with ICS header field object property information 5200, ICS header field group property information 5300, ICS packet cycle property information 5300, and the like.

The ICS header field object characteristic information 5200 includes a source unit field 5200-1, a destination unit field 5200-2, a global protocol information field 5200-3, a length information field 5200-4, and a port information field. (5200-5).

The ICS header field group characteristic information 5300 includes system group fields #1, 2, ..., n (5300-1), global protocol group fields #1, 2, ..., m (5300-2), and the like. Can be configured.

The ICS header field periodic characteristic information 5400 includes periodic characteristic classification (5400-1), periodic time (5400-2), number of packets per period (5400-3), and amount of packets per period (5400-4). Can be. Here, the periodic characteristic classification indicates periodic or aperiodic.

Profiling of the private ICS payload information may be configured with ICS payload tag mapping information 5500.

Next, a process of detecting an ICS anomaly utilizing private ICS header information profiling according to an embodiment of the present invention will be described with reference to FIG. 13.

Referring to FIG. 13, when a whitelist is constructed by using the basic information of the network packet 5100, it is determined whether communication is allowed between the transmitted MAC and the received MAC (S801), and the transmitted IP is received. It is determined whether communication is allowed (S802), and whether it is an authorized service port (S803).

In addition, the ICS header field object property information 5200 is used to determine whether it is a permitted field object property (S804), and the ICS header field group property information 5300 is used to determine whether it is a permitted field group property (S805) and ICS. By using the packet period characteristic information 5300, it may be determined whether the message transmission time (period) is appropriate (S806). In addition, it is possible to compare the relationship between the conversation packets to determine whether the request and response relationship is appropriate (S807).

In the above, although the invention made by the present inventors has been specifically described according to embodiments, the present invention is not limited to the embodiments, and can be variously changed without departing from the gist thereof.

100: profiling system 110: packet extraction and data separation
121: field object characteristic analysis unit 122: field group characteristic analysis unit
123: transmission cycle characteristic analysis unit 140: packet profiling unit
200: operating device 300: control device

Claims (10)

In an industrial control system (ICS) network, the profiling system of a private ICS protocol for detecting group and cycle-based abnormal behavior, which analyzes packets transmitted and received in an environment communicating with a private ICS protocol between the operating device and the control device,
A packet extraction and data separation unit for extracting a packet between a control device and an operating device and separating a network header, an ICS header, and an ICS payload;
A field object characteristic analysis unit for dividing the ICS header into a variable field and a fixed field, and detecting a field (hereinafter referred to as an object characteristic field) of an object characteristic indicating packet transmission in the fixed field;
A field group characteristic analysis unit for detecting a field (hereinafter, a group field) grouped by a field value in the variable field;
A transmission period characteristic analysis unit detecting a transmission pattern or transmission period of packets in which the group field has a specific field value; And,
Private profile for group and period-based anomaly detection, comprising: a packet profiling unit profiling the ICS header, and setting the object characteristic field, the group field, and a transmission pattern or a transmission period as a profile. Profiling system for the ICS protocol. According to claim 1,
The object characteristic is at least one of packet length, port information, destination information, source information, and global protocol information. A profiling system of a private ICS protocol for group and period-based anomaly detection. According to claim 1,
The packet extraction and data separation unit divides the packet into a network header and a network payload, and classifies the separated network payload into an ICS header and an ICS payload based on a preset size, but the length of the object characteristic field Profiling system of a private ICS protocol for group and period-based anomaly detection, characterized in that when a field is detected, the size to be separated is adjusted according to the field value of the corresponding length field. According to claim 1,
The field object characteristic analysis unit classifies a field in which the field value does not change into a fixed field and a field in which the field value changes into a variable field when the packet transmission information of the network header of the packet is the same. Profiling system of private ICS protocol for cycle-based anomaly detection. According to claim 2,
The field object characteristic analysis unit,
When the object characteristic is packet length, port information, destination information, or source information, a packet length of a packet, a port, destination, or a packet of a network header of a packet is sampled, but a set of different packets is sampled and the sampled packet set Overlay the ICS header field for the target, find the field whose field value is changed among the fixed fields, and define it as a field of the corresponding object property,
When the object property is a global protocol information field, if an object property field of packet length, port information, destination information, and source information is defined, the entire packet set is applied to the remaining fixed fields to be fixed and unchanged. Profiling system of a private ICS protocol for group and cycle-based anomaly detection, characterized in that is defined as a global protocol information field. The method of claim 5,
The field object characteristic analysis unit detects group- and period-based anomaly, characterized by checking the condition of the object characteristic using network header information when constructing a packet set by sampling a packet that satisfies the condition of the object characteristic. Profiling system for private ICS protocols. The method of claim 5,
The field object characteristic analysis unit, when searching for a field in which the field value is changed among the fixed fields, finds among the remaining fixed fields except for the previously defined fields Profile of the private ICS protocol for detecting group and period-based anomaly Ring system. The method of claim 7,
The field object characteristic analysis unit detects a field of object characteristics in the order of packet length information, port information, destination information, source information, and global protocol information when detecting a field of object characteristics. Profiling system of private ICS protocol for behavior detection. According to claim 1,
The field group characteristic analysis unit samples a packet set and moves a variable field of packets of the sampled packet set to a window, grouping packets having the same field values in the field corresponding to the window into a group, in advance When grouped into a group having a number of thresholds or less, the profiling system of a closed ICS protocol for group and period-based anomaly detection, characterized in that the field is defined as a group field. The method of claim 9,
The field group characteristic analysis unit samples a packet set for each session and groups it by a packet set for each session. If the representative values of the groups are different for each session, the corresponding field is classified as a session group field, and the remaining variable fields except for the session group field With respect to, a packet set is sampled for each operating system and grouped by a packet set for each operating system. If the representative values of the groups are different for each operating system, the corresponding field is classified into a system group field, and a session group field and a system group field are grouped. The profiling system of a private ICS protocol for detecting group and cycle-based anomaly, characterized in that the entire packet set is sampled for the remaining extended variable fields, grouped by the packet set, and classified into a global group field.

Images