Open Access

ARTICLE

Event-Based Anomaly Detection for Non-Public Industrial Communication Protocols in SDN-Based Control Systems

Ming Wan¹, Jiangyuan Yao^2,*, Yuan Jing¹, Xi Jin^3,4

1 School of Information, Liaoning University, Shenyang 110036, China.
2 College of Information Science & Technology, University of Hainan, Haikou 570228, China.
3 Department of Computer Science and Engineering, Washington University, St Louis MO 63130, USA.
4 Shenyang Institute of Automation, Chinese Academy of Sciences , Shenyang 110016, China.

* Corresponding Author: Jiangyuan Yao. Email: .

Computers, Materials & Continua 2018, 55(3), 447-463. https://doi.org/ 10.3970/cmc.2018.02195

Abstract

As the main communication mediums in industrial control networks, industrial communication protocols are always vulnerable to extreme exploitations, and it is very difficult to take protective measures due to their serious privacy. Based on the SDN (Software Defined Network) technology, this paper proposes a novel event-based anomaly detection approach to identify misbehaviors using non-public industrial communication protocols, and this approach can be installed in SDN switches as a security software appliance in SDN-based control systems. Furthermore, aiming at the unknown protocol specification and message format, this approach first restructures the industrial communication sessions and merges the payloads from industrial communication packets. After that, the feature selection and event sequence extraction can be carried out by using the N-gram model and K-means algorithm. Based on the obtained event sequences, this approach finally trains an event-based HMM (Hidden Markov Model) to identify aberrant industrial communication behaviors. Experimental results clearly show that the proposed approach has obvious advantages of classification accuracy and detection efficiency.

---

Keywords

---