NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers

  • Yu-jun Xiao
  • Wen-yuan Xu
  • Zhen-hua Jia
  • Zhuo-ran Ma
  • Dong-lian Qi
Article
  • 108 Downloads

Abstract

Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Key words

Industrial control system Programmable logic controller Side-channel Anomaly detection Long short-term memory neural networks 

CLC number

TP309.1 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alcaraz, C., Zeadally, S., 2013. Critical control system protection in the 21st century. Computer, 46(10): 74–83. http://dx.doi.org/10.1109/MC.2013.69CrossRefGoogle Scholar
  2. Alcaraz, C., Zeadally, S., 2015. Critical infrastructure protection: requirements and challenges for the 21st century. Int. J. Crit. Infrastr. Protect., 8: 53–66. http://dx.doi.org/10.1016/j.ijcip.2014.12.002CrossRefGoogle Scholar
  3. Bencsáth, B., Pék, G., Buttyán, L., et al., 2012. The cousins of Stuxnet: Duqu, Flame, and Gauss. Fut. Int., 4(4): 971–1003. http://dx.doi.org/10.3390/fi4040971CrossRefGoogle Scholar
  4. Bolton, W., 2015. Programmable Logic Controllers (6th Ed.). Newnes, USA.CrossRefGoogle Scholar
  5. Bullock, J., Conservatoire, U.C.E.B., 2007. LibXtract: a lightweight library for audio feature extraction. Proc. Int. Computer Music Conf., p.1–4.Google Scholar
  6. Candes, E.J., Tao, T., 2006. Near-optimal signal recovery from random projections: universal encoding strategies? IEEE Trans. Inform. Theory, 52(12): 5406–5425. http://dx.doi.org/10.1109/TIT.2006.885507MathSciNetCrossRefGoogle Scholar
  7. Cárdenas, A.A., Amin, S., Sastry, S., 2008. Research challenges for the security of control systems. Proc. 3rd Conf. on Hot Topics in Security, Article 6.Google Scholar
  8. Chen, T.M., Abu-Nimeh, S., 2011. Lessons from Stuxnet. Computer, 44(4): 91–93. http://dx.doi.org/10.1109/MC.2011.115CrossRefGoogle Scholar
  9. Clark, S.S., Ransford, B., Rahmati, A., et al., 2013. WattsUpDoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices. Proc. USENIX Workshop on Health Information Technologies, p.1–11.Google Scholar
  10. Coletta, A., Armando, A., 2015. Security monitoring for industrial control systems. Proc. Conf. on Cybersecurity of Industrial Control Systems, p.48–62. http://dx.doi.org/10.1007/978-3-319-40385-4_4Google Scholar
  11. Dalal, N., Triggs, B., 2005. Histograms of oriented gradients for human detection. Proc. IEEE Computer Society Conf. on Computer Vision and Pattern Recognition, p.886–893. http://dx.doi.org/10.1109/CVPR.2005.177Google Scholar
  12. Formby, D., Srinivasan, P., Leonard, A., et al., 2016. Who’s in control of your control system? Device fingerprinting for cyber-physical systems. Proc. Network and Distributed System Security Symp., p.1–13.Google Scholar
  13. García-Teodoro, P., Díaz-Verdejo, J., Maciá-Fernández, G., et al., 2009. Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur., 28(1-2):18–28. http://dx.doi.org/10.1016/j.cose.2008.08.003CrossRefGoogle Scholar
  14. Gers, F.A., Schmidhuber, J.A., Cummins, F., 2000. Learning to forget: continual prediction with LSTM. Neur. Comput., 12(10): 2451–2471. http://dx.doi.org/10.1162/089976600300015015CrossRefGoogle Scholar
  15. Gonzalez, C.A., Hinton, A., 2014. Detecting malicious software execution in programmable logic controllers using power fingerprinting. Proc. Int. Conf. on Critical Infrastructure Protection, p.15–27. http://dx.doi.org/10.1007/978-3-662-45355-1_2Google Scholar
  16. Johnson, R.E., 2010. Survey of SCADA security challenges and potential attack vectors. Proc. Int. Conf. for Internet Technology and Secured Transactions, p.1–5.Google Scholar
  17. Kesler, B., 2011. The vulnerability of nuclear facilities to cyber attack. Strat. Insights, 10(1): 15–25.Google Scholar
  18. Krotofil, M., Gollmann, D., 2013. Industrial control systems security: what is happening? Proc. 11th IEEE Int. Conf. on Industrial Informatics, p.670–675. http://dx.doi.org/10.1109/INDIN.2013.6622964Google Scholar
  19. Langner, R., 2011. Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3): 49–51. http://dx.doi.org/10.1109/MSP.2011.67CrossRefGoogle Scholar
  20. Lee, H., Battle, A., Raina, R., et al., 2006. Efficient sparse coding algorithms. Proc. 19th Int. Conf. on Neural Information Processing Systems, p.801–808.Google Scholar
  21. Lowe, D.G., 2004. Distinctive image features from scaleinvariant keypoints. Int. J. Comput. Vis., 60(2): 91–110. http://dx.doi.org/10.1023/B:VISI.0000029664.99615.94CrossRefGoogle Scholar
  22. Macaulay, T., Singer, B.L., 2011. Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS. CRC Press, USA.CrossRefGoogle Scholar
  23. Malhotra, P., Vig, L., Shroff, G., et al., 2015. Long short term memory networks for anomaly detection in time series. Proc. European Symp. on Artificial Neural Networks, Computational Intelligence and Maching Learning, p.89–94.Google Scholar
  24. Manevitz, L.M., Yousef, M., 2002. One-class SVMs for document classification. J. Mach. Learn. Res., 2: 139–154.MATHGoogle Scholar
  25. Mantere, M., Uusitalo, I., Sailio, M., et al., 2012. Challenges of machine learning based monitoring for industrial control system networks. Proc. 26th Int. Conf. on Advanced Information Networking and Applications Workshops, p.968–972. http://dx.doi.org/10.1109/WAINA.2012.135Google Scholar
  26. Morris, T., Vaughn, R., Dandass, Y., 2012. A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems. Proc. 45th Hawaii Int. Conf. on System Science, p.2338–2345. http://dx.doi.org/10.1109/HICSS.2012.78Google Scholar
  27. Nandakumar, K., Jain, A.K., 2004. Local correlation-based fingerprint matching. Proc. ICVGIP, p.503–508.Google Scholar
  28. Ni, B., Moulin, P., Yang, X., et al., 2015. Motion part regularization: improving action recognition via trajectory group selection. Proc. IEEE Conf. on Computer Vision and Pattern Recognition, p.3698–3706. http://dx.doi.org/10.1109/CVPR.2015.7298993Google Scholar
  29. Pearson, K., 1901. Mathematical contributions to the theory of evolution. X. Supplement to a memoir on skew variation. Phil. Trans. R. Soc. A, 197: 443–459.MATHGoogle Scholar
  30. Peng, Y., Xiang, C., Gao, H., et al., 2015. Industrial control system fingerprinting and anomaly detection. Proc. Int. Conf. on Critical Infrastructure Protection, p.73–85. http://dx.doi.org/10.1007/978-3-319-26567-4_5CrossRefGoogle Scholar
  31. Piggin, R., 2015. Are industrial control systems ready for the cloud? Int. J. Crit. Infrastr. Protect., 9(C):38–40. http://dx.doi.org/10.1016/j.ijcip.2014.12.005CrossRefGoogle Scholar
  32. Ponomarev, S., Atkison, T., 2016. Industrial control system network intrusion detection by telemetry analysis. IEEE Trans. Depend. Sec. Comput., 13(2): 252–260. http://dx.doi.org/10.1109/TDSC.2015.2443793CrossRefGoogle Scholar
  33. Pretorius, B., van Niekerk, B., 2016. Cyber-security for ICS/SCADA: a South African perspective. Int. J. Cyber Warf. Terror., 6(3): 1–16. http://dx.doi.org/10.4018/IJCWT.2016070101CrossRefGoogle Scholar
  34. Shang, W., Zeng, P., Wan, M., et al., 2016. Intrusion detection algorithm based on OCSVM in industrial control system. Secur. Commun. Netw., 9(10): 1040–1049. http://dx.doi.org/10.1002/sec.1398CrossRefGoogle Scholar
  35. Slay, J., Miller, M., 2007. Lessons learned from the Maroochy water breach. Proc. Int. Conf. on Critical Infrastructure Protection, p.73–82. http://dx.doi.org/10.1007/978-0-387-75462-8_6CrossRefGoogle Scholar
  36. Stone, S.J., Temple, M.A., Baldwin, R.O., 2015. Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process. Int. J. Crit. Infrastr. Protect., 9(C):41–51. http://dx.doi.org/10.1016/j.ijcip.2015.02.001CrossRefGoogle Scholar
  37. Stouffer, K.A., Falco, J.A., Scarfone, K.A., 2011. Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC). Technical Report SP800-82, National Institute of Standards and Technology, USA.Google Scholar
  38. Wang, H., Kläser, A., Schmid, C., et al., 2013. Dense trajectories and motion boundary descriptors for action recognition. Int. J. Comput. Vis., 103(1): 60–79. http://dx.doi.org/10.1007/s11263-012-0594-8MathSciNetCrossRefGoogle Scholar
  39. Xu, J., Yang, G., Man, H., et al., 2013. L1 graph based on sparse coding for feature selection. Proc. Int. Symp. on Neural Networks, p.594–601. http://dx.doi.org/10.1007/978-3-642-39065-4_71Google Scholar
  40. Zhong, W., Lu, H., Yang, M., 2012. Robust object tracking via sparsity-based collaborative model. Proc. IEEE Conf. on Computer Vision and Pattern Recognition, p.1838–1845. http://dx.doi.org/10.1109/CVPR.2012.6247882Google Scholar

Copyright information

© Zhejiang University and Springer-Verlag GmbH Germany, part of Springer Nature 2017

Authors and Affiliations

  • Yu-jun Xiao
    • 1
  • Wen-yuan Xu
    • 1
  • Zhen-hua Jia
    • 2
  • Zhuo-ran Ma
    • 1
  • Dong-lian Qi
    • 1
  1. 1.School of Electrical EngineeringZhejiang UniversityHangzhouChina
  2. 2.Wireless Information Network LaboratoryRutgers UniversityNorth BrunswickUSA

Personalised recommendations