KR102265134B1 - A Security Monitoring System using Packet Flow for automation control system - Google Patents

Abstract

It relates to a packet flow-based security monitoring system of an automation control system that performs security monitoring by linking packet flows for each IACS protocol to a network protocol in an Industrial Automation and Control System (IACS) environment. a traffic information collecting unit that collects the communication amount for each unit, and collects a series of communication amounts by measuring the communication amount per unit time in chronological order; a protocol classification unit for obtaining skewness and kurtosis of a corresponding protocol with respect to a series of packets for a predetermined reference time of each protocol, and classifying the corresponding protocol using the obtained skewness and kurtosis; a flow policy setting unit for obtaining a statistical value of the corresponding communication amount for a series of communication amounts for the reference time of each protocol, obtaining a reference range including a threshold range by using the statistics, and setting the reference range as a security policy; a flow statistics unit for extracting a series of communication amounts of the generated protocol and statistics of the corresponding communication amounts; And, when the communication amount of the generated protocol or the statistical value of the corresponding communication amount is out of the reference range, a configuration including a flow security analysis unit for detecting an abnormality is provided.
By constructing a comparison protocol list including traffic information such as the number of packets for each protocol, the amount of packets, and the number of simultaneous sessions by the system as described above, the comparison with the reference whitelist is facilitated to improve the processing speed for detecting anomalies can do it

Description

{ A Security Monitoring System using Packet Flow for automation control system }

The present invention relates to a packet flow-based security monitoring system of an automated control system that performs security monitoring by linking a packet flow for each IACS protocol to a network protocol in an Industrial Automation and Control System (IACS) environment. .

A general Industrial Automation and Control System (IACS) network consists of operating devices (HMI, EWS, etc.), control devices (PLC, DCS, RTU, etc.), field devices (sensors, actuators, etc.), and industrial control protocols (EtherNet/IP, EtherCat, Modbus, Profinet, S7 Comm, etc.) to communicate.

The IACS operating device automatically controls and operates the control device using the industrial control protocol according to the environment setting unless the administrator intervenes.

Whitelist configuration for industrial control protocols often includes cycle information (transmission time) for control commands along with MAC/LLC information, IP information, and PORT information [Patent Documents 1 and 2].

In some cases, the control command appears periodically with a certain request and response, but in some cases, the next request is determined according to the response characteristics of the request, and in some cases it is requested and responded only when necessary, so the number of transmitted packets or the amount of transmitted packets according to the control command It is difficult to clearly define the criteria for

In the prior art, traffic statistics information is extracted in a comparison unit time between the server and the client, and the amount of packets transmitted, the number of packets transmitted, and the number of simultaneous sessions within the comparison unit time are applied to the whitelist as a whole, but abnormal symptoms are recognized according to the characteristics of the control command There is a problem that the standard cannot be clearly presented.

Republic of Korea Patent Registration 10-1360591 (February 03, 2014) Korean Patent Laid-Open Patent No. 10-2044181 (November 07, 2019)

SUMMARY OF THE INVENTION An object of the present invention is to solve the above problems, and to provide a packet flow-based security monitoring system for an automated control system that efficiently configures a reference whitelist and a comparison protocol list.

In addition, an object of the present invention is to classify according to the characteristics of the IACS protocol into a Periodic protocol, a Normal protocol, a Normal-like protocol, and a Non-Normal protocol, and according to the classification, different It is to provide a packet flow-based security monitoring system of an automated control system that detects protocol anomalies as a standard.

In order to achieve the above object, the present invention relates to a packet flow-based security monitoring system of an automated control system that is interlocked with an operating device in an automated control network environment, and collects the communication amount for each protocol, but measures the communication amount per unit time in chronological order a traffic information collection unit that collects a series of communication volumes; a protocol classification unit for obtaining skewness and kurtosis of a corresponding protocol with respect to a series of packets for a predetermined reference time of each protocol, and classifying the corresponding protocol using the obtained skewness and kurtosis; a flow policy setting unit for obtaining a statistical value of the corresponding communication amount for a series of communication amounts for the reference time of each protocol, obtaining a reference range including a threshold range by using the statistics, and setting the reference range as a security policy; a flow statistics unit for extracting a series of communication amounts of the generated protocol and statistics of the corresponding communication amounts; And, it is characterized in that it comprises a flow security analysis unit for detecting the communication amount of the generated protocol or a statistical value of the corresponding communication amount out of the reference range as an abnormal symptom.

In addition, the present invention is characterized in that in the packet flow-based security monitoring system of the automated control system, the communication amount is the number of packets or the amount of packets.

In addition, in the present invention, in the packet flow-based security monitoring system of the automated control system, the protocol classification unit has skewness γ > 0 and γ > γ _base (γ _base is a preset reference skewness rate), or γ < 0 and γ < -γ _base , classify it as a non-normality protocol, and classify the remaining protocols that are not non-normality protocols into periodicity protocols, normality protocols, and pseudonormality protocols according to kurtosis, with kurtosis β being β < 0 and β < -β _{If the base} (β _base is the preset reference kurtosis rate), it is classified as a pseudonormality protocol, if β > 0 and β > β _base, it is classified as a periodicity protocol, and -β _base ≤ β ≤ β _base is characterized by classification with a normality protocol.

In addition, the present invention is characterized in that in the packet flow-based security monitoring system of the automated control system, the skewness γ and the kurtosis β are obtained by [Equation 1].

[Formula 1]

However, x is the communication amount, μ and σ are the average and standard deviation of the communication amount x, respectively, and E() represents the expected value.

In addition, in the present invention, in the packet flow-based security monitoring system of the automated control system, the flow policy setting unit extracts the minimum and maximum values of the communication amount for a reference time, and sets the standard scores of the extracted minimum and maximum values to the minimum standard, respectively. It is set as a score and a maximum standard score, and the flow security analysis unit uses the corresponding communication amount for security analysis only when the standard score of the communication amount of the generated protocol falls within the range within the minimum standard score and the maximum standard score. .

In addition, in the present invention, in the packet flow-based security monitoring system of the automated control system, the flow policy setting unit obtains the minimum and maximum thresholds of the communication amount for a reference time, and the minimum and maximum thresholds depend on the type of the classified protocol. It is set differently, and the flow security analysis unit is characterized in that when the communication amount of the protocol to be executed is out of the range within the minimum threshold and the maximum threshold, it is determined as an abnormality.

In addition, the present invention is characterized in that in the packet flow-based security monitoring system of the automated control system, the minimum threshold P _min and the maximum threshold P _max are obtained by [Equation 2].

[Formula 2]

However, μ ₀ is the mean, σ ₀ is the standard deviation, r ₁ and r ₂ are correlation coefficients, and correlation coefficients r ₁ and r ₂ are preset values for each classified protocol.

In addition, in the present invention, in the packet flow-based security monitoring system of the automated control system, the correlation coefficient of the periodicity protocol is set smaller than the correlation coefficient of the normality protocol, and the correlation coefficient of the similarity protocol is set larger than the correlation coefficient of the normality protocol, In the case of pseudonormality protocol, the correlation coefficient r ₁ is set smaller than the correlation coefficient r _{2 for} negative skewness, and the correlation coefficient r ₁ is set to be larger than the correlation coefficient r _{2 for positive skewness.} It is characterized in that it is set larger than the correlation coefficient of the periodicity protocol and smaller than the correlation coefficient of the normality protocol, and the large correlation coefficient is set larger than that of the normality protocol and smaller than the correlation coefficient of the pseudonormality protocol.

In addition, the present invention provides a packet flow-based security monitoring system of an automated control system, wherein the flow policy setting unit obtains a minimum traffic trend change and a maximum traffic trend change of the communication amount during a reference time, and the flow security analysis unit determines the generated protocol. A traffic trend change of the traffic is calculated, and when the calculated traffic trend change is out of a range between the minimum traffic trend change and the maximum traffic trend change, it is determined as an abnormality.

In addition, the present invention is characterized in that in the packet flow-based security monitoring system of the automated control system, the minimum performance change Trend _min and the maximum performance change Trend _max are calculated by applying [Equation 3].

[Equation 3]

However, S _b is the communication amount of the corresponding protocol during the reference time (learning section), T _b is the total communication amount of all protocols during the reference time, and () _min , () _max are the minimum and maximum values of the values in (). indicates.

As described above, according to the packet flow-based security monitoring system of the automated control system according to the present invention, a comparison protocol list including traffic information such as the number of packets for each protocol, the amount of packets, and the number of simultaneous sessions is configured, thereby providing a reference whitelist The effect of improving the processing speed for detecting anomalies is obtained by making comparison with .

In addition, according to the packet flow-based security monitoring system of the automated control system according to the present invention, the protocols based on the kurtosis ratio and the skewness ratio for the reference whitelist are divided into a Periodic protocol, a Normal protocol, and a Normal protocol. -like) protocol and non-normal protocol to monitor anomalies, thereby increasing the analysis power of protocols between the IACS operating device and the control device and between the control device and the field device to increase the detection rate of anomalies is obtained

In addition, according to the packet flow-based security monitoring system of the automated control system according to the present invention, the determination standard for each protocol characteristic information, the determination standard for the periodicity protocol, the determination standard for the regularity protocol, the determination standard for the similar normality protocol, By providing the judgment criteria for non-normal protocol and the judgment criteria for protocol trend conversion, it is possible to reduce the false positive rate and increase the accuracy of the detection of anomalies in the packet flow for each protocol between the IACS operating device and the control device or between the control device and the field device. effect is obtained.

1 is a block diagram of a configuration of an entire system for implementing the present invention.
Figure 2 is a block diagram of the configuration of the packet flow-based security monitoring system of the automated control system according to an embodiment of the present invention.
3 is a flowchart illustrating a method of collecting communication information for each protocol according to an embodiment of the present invention.
4 is a flowchart illustrating a method of setting a flow policy for each protocol according to an embodiment of the present invention.
5 is a flowchart illustrating a method for security monitoring a protocol according to an embodiment of the present invention.
6 is a graph showing protocol classification according to distribution characteristics according to an embodiment of the present invention.
7 is a graph showing the distribution for each protocol classification according to an embodiment of the present invention.
8 is a table showing correlation coefficients for each protocol classification according to an embodiment of the present invention.

Hereinafter, specific contents for carrying out the present invention will be described with reference to the drawings.

In addition, in demonstrating this invention, the same part is attached|subjected with the same code|symbol, and the repetition description is abbreviate|omitted.

First, the configuration of the entire system for implementing the present invention will be described with reference to FIG. 1 .

As shown in FIG. 1 , the entire system for implementing the present invention includes a control device 300 for controlling the field device 400 , an operating device 200 for controlling the control device 300 , and an operating device 200 . ) and a control device 300 or a security monitoring system 100 for detecting abnormal signs by monitoring the network between the control device 300 and the field device 400 .

First, the field device 400 is a device installed in an industrial facility site, such as a sensor or an actuator, and is used to measure/collect or control state data.

Next, the control device 300 is a device for controlling the field device 400, preferably, it is composed of a PLC (Programmable Logic Controller), DCS (Distributed Control System), RTU (Remote Terminal Unit), and the like. In addition, the control device 300 receives a control command from the operating device 200 to control the field device 400 , receives operating information from the field device 400 , and transmits and reports the operation information to the operating device 200 . do.

Next, the operating device 200 is a device for controlling the control device 300 , and includes a Human Machine Interface (HMI), an Engineering Workstation (EWS), and the like. That is, the operating device 200 issues a control command to the control device 300 or collects and monitors operation information of the field device 400 from the control device 300 . Meanwhile, the operating device 200 and the control device 300 or the control device 300 and the field device 400 communicate using an Industrial Control System (ICS) protocol.

Next, the security monitoring system 100 collects the traffic information of the protocol between the operating device 200 and the control device 300 or the Zea device 300 and the field device 400, and analyzes the collected traffic information. detect the signs At this time, the security monitoring system 100 collects protocol traffic information by tapping the network connected between the operating device 200 and the control device 300 or the control device 300 and the field device 400 or mirroring the switch.

Next, the configuration of the packet flow-based security monitoring system 100 according to an embodiment of the present invention will be described with reference to FIG. 2 .

As shown in FIG. 2 , the security monitoring system 100 according to an embodiment of the present invention provides traffic for a protocol between the operating device 200 and the control device 300 or the control device 300 and the field device 400 . Traffic information collection unit 110 for collecting information, protocol classification unit 121 for classifying protocols, flow policy setting unit 122 for setting policies for flows of each protocol, and extracting statistics on the executed protocol flows It is composed of a flow statistic unit 131 and a flow security analysis unit 132 that detects abnormal symptoms using statistics.

First, the traffic information collection unit 110 monitors network traffic between the operating device 200 and the control device 300 or the control device 300 and the field device 400, selects a monitoring target protocol, and Collect traffic information for

That is, the traffic information collection unit 110 selects a monitoring target protocol. Preferably, when controlled by the white list, only the protocol registered in the white list is monitored. That is, the monitoring target protocol is pre-registered and set in the whitelist. More preferably, a protocol authorized by a command or input of an administrator or the like is registered in the whitelist. The security monitoring system 100 allows communication only with protocols registered in the white list.

In addition, the traffic information collection unit 110 collects traffic information by tapping or switch mirroring in order to monitor the network between the operating device 200 and the control device 300 or the control device 300 and the field device 400 . do.

Traffic information is collected for each protocol and consists of the number of packets and the amount of packets. In addition, the traffic information includes protocol characteristic information, such as the number of simultaneous sessions.

The traffic information of a protocol is the amount that the corresponding protocol transmits and receives packets, and it means that the communication amount per unit time is collected in chronological order. In particular, since the traffic volume is listed in chronological order, the collected traffic information can be viewed as a flow.

That is, the traffic information collecting unit 110 measures the communication amount per unit time in time order, and collects a series of communication amounts. For example, at time t ₁ , t ₂ , t ₃ , ... at unit time intervals, each of x ₁ , x ₂ , x ₃ , ... is measured, and a series of traffic is collected.

Accordingly, the number of packets is collected as the number of packets transmitted/received per unit time, and the packet amount represents the sum of the sizes of packets transmitted/received per unit time. The number of packets or the amount of packets is referred to as a communication volume.

On the other hand, the number of simultaneous sessions indicates the number of sessions simultaneously established in the corresponding protocol. The number of concurrent sessions is maintained within a predetermined range, and when the number of concurrent sessions is out of the range, it may be regarded as an abnormality. Therefore, the number of simultaneous sessions is not collected as a series of communication volumes, but is used as characteristic information (or attribute information) of the corresponding protocol.

In addition, traffic information is collected for each protocol. In particular, preferably, traffic information is collected for each protocol registered in the whitelist.

Next, the protocol classification unit 121 classifies the protocol by using the statistical value of the number of packets. In particular, statistics are calculated using the communication amount of the number of packets collected during the reference time range, and classification is performed using this.

The reference time range (or learning time interval) represents the time required to acquire statistics when the protocol operates normally. In other words, when the protocol operates normally, the traffic volume or characteristics (attributes) are collected for a certain period of time, the protocol is classified, the statistics of the corresponding protocol are obtained, and the monitoring standard of the security policy is set using the obtained statistics.

Specifically, each protocol (preferably, each protocol registered in the white list) is classified according to the skewness and kurtosis ratio of the number of packets in a certain reference time range (or learning interval). The skewness and kurtosis ratios are calculated using the average and standard deviation of the number of protocol packets.

Protocols can be divided into protocols operating in the IP layer and protocols operating in the Ethernet layer, but all protocols that can be monitored are targeted. Alternatively, an administrator may select a monitoring protocol target. In addition, when controlled by the white list, classification is performed only on protocols registered in the white list.

Also, all protocols are classified into Periodic protocol, Normal protocol, Normal-like protocol, and Non-Normal protocol.

Specifically, the protocol classification unit 121 calculates the average and standard deviation of the number of packets for each protocol (protocol belonging to the whitelist) in a preset reference time range to obtain skewness and kurtosis, and skewness and kurtosis. According to the rate, it is classified into Periodic protocol, Normal protocol, Normal-like protocol, and Non-Normal protocol.

For the number of packets x per protocol per unit time, the mean μ and standard deviation σ are calculated as in Equations 1 and 2.

[Equation 1]

[Equation 2]

Here, x _i represents a communication amount (or the number of packets) per i-th unit time in the reference time range. N represents the reference time by unit time. That is, when the reference time range is divided into unit times, all are divided into N unit time intervals.

That is, in the reference time range, the number of packets per unit time (communication amount) x ₁ , x ₂ , ..., x _N is obtained, and the average and standard deviation are obtained from these. That is, the number of packets per unit time x _i can be said to be the number of packets transmitted and received in the i-th unit time.

Skewness γ can be calculated as follows.

[Equation 3]

Here, E( ) represents the expected value.

On the other hand, skewness is regarded as positive skewness when γ > 0 with respect to 0, and negative skewness when γ < 0.

If Positive Skew. (left-skewed distribution) and γ > γ _base, or Negative Skew. (right-skewed distribution) and γ < -γ _base , interpret as normal distribution Because it is difficult, it is classified as a Non-Normal protocol.

Here, γ _base is a reference skewness, and is a preset value.

Next, if it is not classified as a Non-Normal protocol, it can be interpreted as a normal distribution. That is, the remaining protocols are classified into a periodic protocol, a normal protocol, and a normal-like protocol using the kurtosis rate.

Kurtosis β can be calculated as

[Equation 4]

With respect to a normal distribution of 0, kurtosis is considered leptokutic when β > 0 (positive kurtosis), and platykutic when β < 0 (negative kurtosis).

If it is platykutic and β < -β _base, it is classified as a Normal-like protocol, and _{if it is leptokutic and β > β base,} it is classified as a Periodic protocol. In addition, the remaining -β _base ≤ β ≤ β _base is classified according to the Normal protocol.

β _base is a reference kurtosis ratio, and is a value set in advance.

In addition, the protocol classification unit 121 stores statistical values such as the average μ of each protocol, the standard deviation σ, the maximum value max x, and the minimum value min x.

As described above, protocols are classified into four categories: periodicity, normality, pseudonormality, and nonnormality (negative distortion, positive distortion). When an abnormal symptom is detected, it depends on the correlation coefficients r ₁ and r ₂ of [Equation 8] below according to the classified type of each protocol. For all protocols, correlation coefficients r ₁ and r ₂ of [Equation 8] can be defined for each protocol, but too many policy settings are required and it is difficult to set each protocol. To solve this problem, by classifying protocols into periodicity, normality, pseudonormality, and nonnormality (negative distortion, positive distortion), etc., and applying a representative correlation coefficient, policy setting can be made conveniently.

Next, the flow policy setting unit 122 sets a security policy according to each protocol. The content of the security policy of each protocol may vary according to the classification of the corresponding protocol.

The flow policy setting unit 122 calculates statistics such as standard deviation and average using the communication volume collected in the reference time range (or learning section), and uses the calculated statistics to determine the detection standard (or reference range) of the security policy set In particular, the security policy of each protocol is calculated and stored for each communication amount such as the number of packets and the amount of packets.

That is, the detection criteria ranges such as the standard score range for filtering measurement errors, the threshold range for detecting a security risk state, and the traffic trend range are set as the security policy. That is, it sets a threshold for each communication amount for each protocol and stores statistics. In particular, according to the Periodic protocol, the Normal protocol, and the Normal-like protocol, a threshold value for each communication volume is set and statistical values are stored.

_{Specifically, statistical values such as the average and standard deviation μ V} , σ _V , min/max min _V , and max _V of the packet volume in the reference time range for each protocol are obtained and stored.

At this time, in the same way as previously obtained the average and standard deviation of the number of packets, the communication amount per unit time is calculated for each protocol amount (packet amount, etc.) in the reference time range, and the average and standard deviation are obtained therefrom.

Preferably, the related statistical values are the average and standard deviation for each communication volume, and are stored in the security policy to calculate the standard score. These statistics will be referred to as learned statistics.

That is, the flow policy setting unit 122 extracts the minimum value (min) and the maximum value (max) of each communication amount, and converts the extracted minimum value x _min and maximum value x _max into standard scores using Equation 5 below. . Set the minimum and minimum values converted into standard scores as the minimum standard score Z _min and the maximum standard score Z _max , respectively, and use them as a standard filter.

_{Thresholds Z min} , Z _max for communication amount x such as CPU clock ticks per unit time can be calculated as follows.

[Equation 5]

The mean μ ₀ and standard deviation σ ₀ are the values measured in the reference time interval of learning and are already learned data, and x is the value measured per unit time in the learning interval. μ, σ, and x are calculated for each protocol.

In addition, the flow policy setting unit 122 _{calculates the thresholds P min} , P _max and stores it as a security policy. _{That is, the minimum threshold P min} and the maximum threshold P _max are obtained as standard deviations for the average value of the reference time (learning section), and are calculated as follows.

[Equation 6]

Here, μ ₀ and σ ₀ represent the average and standard deviation of the communication volume for each protocol. r represents the correlation coefficient. In particular, r ₁ and r ₂ represent a correlation coefficient of the minimum threshold and a correlation coefficient of the maximum threshold, respectively. The correlation coefficient r is a preset value for each protocol.

The correlation coefficient r is set differently for each protocol. For example, r=1 for the Periodic protocol, r=3 for the Normal protocol, and r=4 for the Normal-like protocol. That is, it may be set differently according to the protocol type (classified type). Also, why the negative case of Fig of non sex (Non-normal) protocol for P _min of r = 1.5, P _max of r = 3.5, an amount skewness of non sex (Non-normal) protocol for P _min r =3.5, r=1.5 of _{P max, etc.} That is, in the case of a non-normal protocol, the correlation coefficient r may be differently set according to the negative/positive of skewness and also according to the minimum/maximum threshold.

In addition, the flow policy setting unit 122 also calculates the range of the traffic trend change, that is, the minimum and maximum values of the traffic trend change, and stores it as a security policy.

The standard range of the trend for each protocol is calculated by the following formula. That is, the minimum traffic trend change trend _min and maximum traffic trend change trend _max for each protocol for overall performance are obtained.

[Equation 7]

Here, S _b is the communication amount for each protocol during the reference time (learning section), and T _b is the total communication amount of all protocols during the reference time. () _min , () _max represents the minimum and maximum values of the values in (). Learning to set the monitoring reference range may be performed multiple times, _{and S b} and T _b are calculated in each learning.

For example, if the learning time is 1 hour and the reference time is 5 minutes, (S _b /T _b ) ₁ , (S _b /T _b ) ₁ , ..., (S _b /T _{b ) per unit time during the learning time} ) ₁₂ to 12 are observed. Find the minimum trend (S _b /T _b ) _min and the maximum trend (S _b /T _b ) _{max out} of 12.

Also, preferably, the flow policy setting unit 122 collects traffic attribute information (traffic characteristic information) of each protocol, that is, the number of simultaneous sessions, and the like, and the maximum number of min and the maximum of the corresponding attribute (the number of simultaneous sessions, etc.) Save the number max as a security policy.

In addition, the flow policy setting unit 122 performs a function of updating the security policy in a reference time unit. That is, the flow policy setting unit 122 updates information on the number of packets, the amount of packets, and the number of simultaneous sessions in the security policy, and then ends.

Next, the flow statistics unit 131 calculates a statistical value (or characteristic value) for the communication amount of the protocol in the comparison time range. In particular, the characteristic value is calculated using the collected traffic information during the comparison time range. The comparison time range is a time interval for monitoring a protocol, and indicates a comparison interval or a monitoring interval.

In other words, the traffic information collected in the comparison time range is subjected to periodicity (Normal) protocol characteristics, normality (Normal) protocol characteristics, pseudo-normality (Normal-like) protocol characteristics, and non-normality according to the change of characteristic information for each protocol. Calculate protocol characteristics, etc.

Specifically, the flow statistic unit 131 calculates a standard score and a trend for the communication amount per unit time within the comparison time range. Preferably, the flow statistics unit 131 may compare whether the corresponding protocol is in the reference whitelist.

First, the flow statistic unit 131 calculates a standard score z for the amount of communication x per unit time as follows.

[Equation 8]

Average μ ₀ , standard deviation σ ₀ is the value measured in the reference time interval of learning and is the already learned data, and x is the value (communication amount) measured per unit time in the current comparison time interval. μ ₀ , σ ₀ , and x are calculated for each protocol and used.

Next, the flow statistics unit 131 calculates a trend for each protocol.

[Equation 9]

Here, S _c is the communication _{amount for each protocol during the comparison time, and T c} is the total communication amount of all protocols during the comparison time.

Next, the flow security analysis unit 132 detects anomalies by comparing the communication amount and statistics for the analysis target protocol with the detection standard (or detection standard range) of the security policy. In this case, the classification of the protocol to be analyzed is first checked, and a comparison method is applied differently according to the protocol classification. This is because the detection criteria may differ depending on the protocol classification (type).

First, the flow security analysis unit 132 filters each communication amount x in the standard score range. Protocols are divided into Periodic protocol, Normal protocol, Normal-like protocol, and Non-normal protocol. For each protocol, filtering rules are applied as follows.

[Equation 10]

Here, Z is the standard score of x obtained by the flow statistic unit 131 above. In addition, Z _min and Z _max are the minimum standard score and the maximum standard score of the corresponding protocol, respectively.

That is, based on the min and max values for each protocol displayed during the learning period, the values out of the minimum standard score Z _min and the maximum standard score Z _max are determined. Only the communication amount x satisfying Equation 10 is used for analysis, and the communication amount x outside the corresponding range is excluded.

In addition, the flow security analysis unit 132 detects anomalies by comparing the communication amount x of the analysis target protocol with a threshold for each type of communication amount (the number of packets, the amount of packets, etc.).

The current threshold P is the measurement x in comparison units (per unit time of comparison time). The current communication amount x or the current threshold P must satisfy the following equation.

[Equation 13]

However, when P=x, it is a comparative unit measurement.

That is, when the communication amount x (or the current threshold P) is less than the _{minimum threshold P min for each protocol or greater than the maximum threshold P max} , it is determined as an abnormal symptom and a warning is generated.

Also, the flow security analysis unit 132 determines whether a trend for each protocol is within a trend range.

A trend for each protocol must satisfy the following equation.

[Equation 14]

Here, _{Trend min} and _{Trend max} are the minimum traffic trend change and the maximum traffic trend change for each protocol, respectively.

That is, when the current trend change Trend _{is smaller than the minimum trend change Trend min} or greater than the maximum trend change Trend _max , it is determined as an abnormality and a warning is generated.

Next, a method of collecting traffic information according to an embodiment of the present invention will be described with reference to FIG. 3 . The method of collecting traffic information according to the present invention is performed by the traffic information collecting unit 110 .

As shown in FIG. 3 , protocol resource information between the operating device 200 and the control device 300 or the control device 300 and the field device 400 is collected by tapping or mirroring ( S101 ). In this case, traffic information is collected during the reference time range or the comparison time range.

Next, the source MAC for each protocol. Configure protocol list information based on the destination MAC (S102).

Next, it is checked whether the collected protocol packet is an IP protocol (S103). If it is an IP protocol, the protocol list information is subdivided based on the source IP/PORT and the destination IP/PORT for each protocol (S104). If it is not an IP protocol, Ethernet Length (Type) and LLC/Length-based protocol list information for each protocol are subdivided.

Next, it is checked whether the collected protocol packet is a control protocol (S106). If it is a control protocol, the control command group-based protocol list information is subdivided (S107). If it is not a control protocol, step S108 is performed.

Next, for each final classified protocol list, packet number information is collected as primary traffic information, packet amount information is collected as secondary traffic information, and simultaneous session number information is collected as tertiary traffic information (S108).

The configured traffic information is transmitted to the protocol classification unit 121 or the flow statistics unit 131 . At this time, the traffic information transmitted to the protocol classification unit 121 is collected and configured based on a reference time, and the traffic information transmitted to the flow statistics unit 131 is collected and configured based on the comparison time.

Next, a method for setting a protocol flow policy according to an embodiment of the present invention will be described with reference to FIG. 4 . The protocol flow policy setting method according to the present invention is performed by the protocol classifying unit 121 and the flow policy setting unit 122 .

As shown in FIG. 4 , when a protocol receives traffic information from the traffic information collection unit 110 , the protocol classification unit 121 checks whether the protocol is in the reference whitelist ( S201 ). If the protocol is not in the standard whitelist, the administrator re-examines whether the protocol is an authorized protocol or an unauthorized protocol (S202).

If it is in the whitelist, see if there is any unobserved performance (traffic) per reference time (203). If the unobserved performance (the number of packets, the amount of packets) is 0, and it is not executed like the non-resident protocol, it is excluded from the statistics (S204) and only the observed portion is applied to the statistics.

If traffic per reference time is observed, the average μ, standard deviation σ, minimum value min, and maximum value max for the communication amount x in the reference time range for each protocol are calculated (S205).

Next, calculate the skewness γ and kurtosis β for each protocol, and if the skewness _{is outside the -γ base} ≤ γ ≤ γ _base , it is classified as a non-normal protocol, and the kurtosis is β > β while the skewness is within the allowable range. If the _base periodicity (Period) protocol, -β _base ≤ β ≤ β _base is normality (Normal) protocol, β> -β _base is similar to normality (Normal-like) to be classified as the protocol (S206).

_{Next, a minimum standard score Z min} and a maximum standard score Z _max are calculated based on the classified minimum value min and maximum value max for each protocol ( S207 ).

_{Next, a minimum threshold P min} and a maximum threshold P _max are calculated based on the standard deviation correlation coefficient r for each classified protocol ( S208 ).

_{Next, the minimum traffic trend change Trend min} and the maximum traffic trend change Trend _max for each classified protocol compared to the overall performance are calculated (S209).

Next, it is checked whether there is secondary traffic information to be processed (S210). If there is traffic information to be processed secondary, the average and standard deviation μ _V , σ _V of the packet volume (Packer Volume) in the standard time range for each protocol, and the maximum/minimum communication volume (packet volume) min _V , max _V are calculated (211) .

Next, processes S207, S208, and S209 are repeated for the amount of packets for the secondary traffic information.

If there is no secondary traffic information to be processed, it is checked whether there is tertiary traffic information to be processed (S212). If there is tertiary traffic information, a minimum/maximum value of the number of simultaneous sessions is obtained (S213). The maximum and minimum values indicate the monitoring reference range (or acceptable range).

If there is no tertiary traffic information to be processed, the process of the protocol classifying unit 121 and the flow policy setting unit 122 is terminated.

Next, a method for security monitoring a protocol according to an embodiment of the present invention will be described with reference to FIG. 5 . The security monitoring method according to the present invention is performed by the flow statistics unit 131 or the flow security analysis unit 132 .

First, when the flow statistics unit 131 receives traffic information of a protocol (protocol to be inspected) from the traffic information collection unit 110, it checks whether the corresponding protocol is in the reference whitelist (S301).

If the corresponding protocol is not in the reference whitelist, a warning about the occurrence of an unauthorized protocol is generated (S302) and the process is terminated.

If the corresponding protocol is a protocol in the reference whitelist, it is checked whether the characteristics of each protocol are within an allowable range (minimum/maximum value range) (S303). That is, it is checked whether the number of simultaneous sessions is within the minimum/maximum value range (S303). If it is out of the allowable range, it is determined that the protocol integrity has been changed, and a warning is issued (S304) and the process is terminated.

Next, if there is no change in the properties of each protocol (ie, the number of allowed simultaneous sessions), a standard score and a protocol trend of the corresponding protocol are calculated (S305). _{In particular, the standard score Z score} for the communication amount x per comparison time is calculated and the protocol trend trend is calculated.

Preferably, in addition to the number of packets, a standard score and a protocol packet trend for each type of communication amount such as a packet amount may be calculated.

Next, it is checked whether the standard score Z for the protocol is within the allowable range (Z _min ≤ Z ≤ Z _{max ) between the minimum standard score Z min} and the maximum standard score Z _max ( S306 ).

If the standard score is out of the allowable range, a warning that filtering out of the standard allowable range is generated (S307) and the end.

Next, it is checked whether the protocol-specific limit value P=x (comparative unit measurement value) is _{smaller than P min} (P < P _min ) ( S308 ). If P is _{smaller than P min} , a warning according to the protocol characteristics is generated (S309) and the process is terminated.

Preferably, warnings such as increased periodicity and man-in-the-middle attack warnings for periodic protocols, changes in average characteristics of protocols, and changes in skewness for non-normality protocols may be generated for normality or pseudo-normality protocols.

Next, it is checked whether the protocol-specific limit value P=x (comparative unit measurement) is _{greater than P max} (P > P _max ) (S310). If P is _{greater than P max} , a warning according to the protocol characteristics is generated ( S311 ) and the process is terminated.

Preferably, for a periodicity protocol, a warning of reduced periodicity, a replay attack caution warning, a change in the average characteristic of the protocol, a distortion degree change for a non-normality protocol, etc. may be generated for a normality or pseudonormality protocol.

Next, it is checked whether the comparison time trend change Trand = S _C /T _C (the protocol trend during the comparison time/the overall trend of the comparison time) is _{smaller than the reference time minimum trend change Trend min} (Trand < Trand _min ) ( S312 ). If Trand is _{smaller than Trnad min} , a warning about protocol transmission rate degradation and service stop warning is generated (S309) and the process is terminated.

Next, it is checked whether the comparison time trend change Trand = S _C /T _C (comparison time protocol trend/comparison time overall trend) is _{greater than the reference time maximum trend change Trend max} (Trand > Trand _max ) (S312). If Trand is _{greater than Trnad max} , a warning about the protocol transmission rate increase and denial of service warning is generated (S309) and the process is terminated.

Next, protocol classification according to characteristics according to an embodiment of the present invention will be described with reference to FIGS. 6 and 7 .

In the present invention, it is possible to find not only the possibility of replay attack or man-in-the-middle attack possibility according to the change of period for a control protocol having periodic characteristics such as (401) periodicity protocol, but also (402) regularity protocol, (403) for other protocols. ) by analyzing protocol characteristics with pseudonormality protocol, (404) non-normality protocol with positive skewness, (405) non-normality protocol with negative skewness, etc. can be analyzed.

Meanwhile, as shown in FIG. 6 , each protocol shows different distribution characteristics according to classification. Therefore, depending on each distribution characteristic of the protocol classification, the correlation coefficient varies when setting the threshold range. Hereinafter, a method for determining a correlation coefficient according to each classification will be described.

First, the normal protocol refers to a protocol having a normal distribution characteristic. If the center of the normal distribution is the mean μ, the degree (deviation) away from the mean is called the standard deviation σ.

As shown in Figure 7a, in the normal distribution, the probability of -1σ ≤ x ≤ 1σ is 68.3%, the probability of -2σ ≤ x ≤ 2σ is 95.4%, and the probability of -3σ ≤ x ≤ 3σ is 99.7%, and most of the usage is 2σ. (95%) is observed.

If the case outside the range of ±2σ is set as an anomaly as a policy, r ₁ and r ₂ are each 2 because it is a symmetric structure on both sides of the average, and it is calculated as follows.

P _min = μ- 2σ, P _max = μ+ 2σ

In other words, if it does not come within 95%, it can be warned as an abnormal symptom.

As another embodiment, the administrator may subdivide into interest if outside ±2σ, caution if outside ±3σ, boundary if outside ±4σ, etc. as needed.

Preferably, in the case of a normality protocol, the correlation coefficient r is set between 1.5 and 3. That is, the correlation coefficient is set so that the normal distribution is determined between 90% and 99% of the normal distribution.

Likewise, in each of the following classification cases, the level of the warning stage can be divided into several by varying the correlation coefficient.

Next, the Periodic protocol is a protocol with higher kurtosis than the normal distribution, and the probability distribution is narrower. For example, in a protocol with high kurtosis, if the control system sends a command in 0.1 second, data is transmitted 60 times in 1 minute, and the protocol performs 60 operations. If it is assumed that 57 to 63 data transmissions are observed per minute in actual observation, the protocol performs 57 to 63 operations, and most of the usage is observed within ±1σ.

As shown in FIG. 7B , it can be seen that the distribution of the periodicity processor has a probability of 95% or more within the ±1σ range. At this time, if a case outside the range of ±1σ is set as an anomaly as a policy, r ₁ and r ₂ are each 1 because it is a symmetric structure on both sides of the average, and it is calculated as follows.

P _min = μ - σ, P _max = μ + σ

That is, if it has a 95% or higher probability within the ±1σ range, it can be warned as an anomaly if it does not come within 95%.

Preferably, in the case of a periodicity protocol, the correlation coefficient r is set between 0.8 and 1.5. That is, it is determined to be smaller than the correlation coefficient of the normality protocol. Preferably, it is set to be 50-70% smaller than the correlation coefficient of normality.

Next, the Normal-like protocol can be interpreted similarly to the Normal, but the probability distribution is wider. As shown in FIG. 7C , the probability within ±3σ may be 90% or more, and the probability within ±4σ may be 95% or more.

If a case outside the range of ±4σ is set as an anomaly as a policy, the correlation coefficients r ₁ and r ₂ are each 4 because it is a bilaterally symmetric structure in the mean, and it is calculated as follows.

P _min = μ- 4σ, P _max = μ+ 4σ

Assuming that it has a probability of 95% or more within the ±4σ range as shown in FIG. 7c, if it does not come within 95%, it may be warned as an abnormal symptom.

Preferably, in the case of a pseudonormality protocol, the correlation coefficient r is set between 3 and 5. That is, it is determined to be larger than the correlation coefficient of the normality protocol. Preferably, it is set to be 150-200% larger than the correlation coefficient of normality.

Next, the Non-Normal protocol is a case outside the range of skewness that can be interpreted as a normal distribution. The median value is the most frequent in skewness, but it is calculated as an average value to give the calculation consistency.

As shown in FIG. 7D , since both sides of the structure are asymmetric on the average, r ₁ and r ₂ are different and r ₁ =3.5 and r ₂ =2.5 are applied to calculate as follows.

P _min = μ- 3.5σ, P _max = μ+ 2.5σ

As shown in the figure below _{, assuming that there is a 95% or higher probability within the range of r 1} =3.5, r ₂ =2.5, if it does not come within 95%, it can be warned as an anomaly.

Preferably, in the case of a non-normality protocol, r ₁ is _{set larger than r 2 for negative skewness (right-skewed distribution), and r 1} is set smaller than _{r 2 for} positive skewness (left-skewed distribution). do.

Also, preferably, in the case of a non-normality protocol, one correlation coefficient r is set between 1 and 2.5, and the other correlation coefficient r is set between 2 and 4. That is, the small correlation coefficient is set to be larger than the correlation coefficient of the periodicity protocol and smaller than the correlation coefficient of the normality protocol. In addition, the correlation coefficient having a large magnitude is set to be larger than the correlation coefficient of the normality protocol and smaller than the correlation coefficient of the pseudonormality protocol.

Correlation coefficients for each protocol classification (for each type) are shown in FIG. 8 .

In the above, embodiments according to the present disclosure have been described with reference to the accompanying drawings, but those of ordinary skill in the art to which the present invention pertains will realize that the present invention may be implemented in other specific forms without changing the technical spirit or essential features. You will understand that you can. It should be understood that the embodiments described above are illustrative in all respects and not restrictive.

100: security monitoring system 110: traffic information collection unit
121: protocol classification unit 122: flow policy setting unit
131: flow statistics unit 132: flow security analysis unit
200: operating device 300: control device
400: field device

Claims (10)

In an automated control network environment, in a packet flow-based security monitoring system of an automated control system that is interlocked with an operating device,
a traffic information collection unit that collects the communication amount for each protocol, and collects a series of communication amounts by measuring the communication amount per unit time in chronological order;
a protocol classification unit for obtaining skewness and kurtosis of a corresponding protocol with respect to a series of packets for a predetermined reference time of each protocol, and classifying the corresponding protocol using the obtained skewness and kurtosis;
a flow policy setting unit for obtaining a statistical value of the corresponding communication amount for a series of communication amounts for the reference time of each protocol, obtaining a reference range including a threshold range by using the statistics, and setting the reference range as a security policy;
a flow statistics unit for extracting a series of communication amounts of the generated protocol and statistics of the corresponding communication amounts; and;
A flow security analysis unit that detects as an abnormal symptom when the communication amount of the generated protocol or the statistics of the corresponding communication amount is out of the reference range,
If the skewness γ is γ > 0 and γ > γ _base (γ _base is a preset reference skewness rate), or γ < 0 and γ < -γ _base , classify it as a non-normal protocol, The remaining protocols other than this are classified as periodicity protocol, normality protocol, and pseudonormality protocol according to kurtosis, but if kurtosis β is β < 0 and β < -β _base (β _base is the preset reference kurtosis rate), it is a pseudo-normality protocol, If β > 0 and β > β _base, it is classified as a periodicity protocol, and -β _base ≤ β ≤ β _base is a packet flow-based security monitoring system of an automated control system, characterized in that it is classified as a normality protocol.
According to claim 1,
The communication amount is a packet flow-based security monitoring system of an automated control system, characterized in that the number of packets or the amount of packets.
delete According to claim 1,
The skewness γ and kurtosis β are packet flow-based security monitoring system of an automated control system, characterized in that it is obtained by [Equation 1].
[Formula 1]

However, x is the communication amount, μ and σ are the average and standard deviation of the communication amount x, respectively, and E() represents the expected value.
According to claim 1,
The flow policy setting unit extracts the minimum and maximum values of the communication volume for the reference time, and sets the extracted minimum and maximum standard scores as the minimum standard score and the maximum standard score, respectively,
The flow security analysis unit uses the corresponding communication amount for security analysis only when the standard score of the communication amount of the generated protocol falls within the range of the minimum standard score and the maximum standard score. system.
According to claim 1,
The flow policy setting unit obtains the minimum and maximum thresholds of the communication volume for a reference time, and the minimum and maximum thresholds are set differently depending on the type of the classified protocol,
The flow security analysis unit packet flow-based security monitoring system of an automated control system, characterized in that when the communication amount of the protocol to be executed is out of range within the minimum and maximum thresholds, it is determined as an abnormality.
7. The method of claim 6,
The minimum threshold P _min and the maximum threshold P _max are packet flow-based security monitoring system of an automated control system, characterized in that obtained by [Equation 2].
[Formula 2]

However, μ ₀ is the mean, σ ₀ is the standard deviation, r ₁ and r ₂ are correlation coefficients, and correlation coefficients r ₁ and r ₂ are preset values for each classified protocol.
8. The method of claim 7,
The correlation coefficient of the periodicity protocol is set smaller than the correlation coefficient of the normality protocol, the correlation coefficient of the pseudonormality protocol is set larger than that of the normality protocol, and in the case of a non-normality protocol, the correlation coefficient r ₁ is correlated with negative skewness Set larger than the coefficient r ₂ , and set the correlation coefficient r ₁ smaller than the correlation coefficient r _{2 for} positive skewness, but set the small correlation coefficient to be larger than the correlation coefficient of the periodicity protocol and smaller than the correlation coefficient of the normality protocol, A packet flow-based security monitoring system of an automated control system, characterized in that the correlation coefficient with a large size is set to be larger than the correlation coefficient of the normality protocol and smaller than the correlation coefficient of the pseudonormality protocol.
According to claim 1,
The flow policy setting unit obtains a minimum traffic trend change and a maximum traffic trend change of the communication amount for a reference time,
The flow security analysis unit calculates the traffic trend change of the generated protocol communication amount, and if the calculated traffic trend change is out of the range within the minimum traffic trend change and the maximum traffic trend change, it is determined as an abnormality. The system's packet flow-based security monitoring system.
10. The method of claim 9,
A packet flow-based security monitoring system of an automated control system, characterized in that the minimum traffic trend change Trend _min and the maximum traffic trend change Trend _{max are calculated by applying [Equation 3].}
[Equation 3]

However, S _b is the communication amount of the corresponding protocol during the reference time (learning section), T _b is the total communication amount of all protocols during the reference time, and () _min , () _max are the minimum and maximum values of the values in (). indicates.

Images