
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
2. College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
E-mail: bendawang@gmail.com; csewmf@zju.edu.cn; rongkuan233@gmail.com; zhangzhenyong@zju.edu.cn
‡ Corresponding author
Print publication date: 2022-04
Online publication date: 2022-04-01
Received: 2020-10-13
Accepted: 2021-01-21
Cite this article: Ke Liu, Mufeng Wang, Rongkuan Ma, et al. Detection and localization of cyber attacks on water treatment systems: an entropy-based approach. Frontiers of Information Technology & Electronic Engineering, 2022, 23(4): 587-603. DOI: 10.1631/FITEE.2000546
Abstract: With the advent of Industry 4.0, water treatment systems (WTSs) are recognized as typical industrial cyber-physical systems (iCPSs) that are connected to the open Internet. Advanced information technology (IT) benefits WTSs in terms of reliability, efficiency, and economy. However, vulnerabilities in the communication and control infrastructure on the cyber side make WTSs prone to cyber attacks. Traditional IT-oriented defense mechanisms cannot be applied directly to safety-critical WTSs, because availability and real-time requirements are paramount there. To address this issue, we propose an entropy-based intrusion detection (EBID) method to thwart cyber attacks against the controllers widely used in WTSs (e.g., programmable logic controllers). Because WTS operating conditions vary, detection with a static threshold yields a high false-positive rate; we therefore propose a dynamic threshold adjustment mechanism to improve the performance of EBID. To validate the proposed approaches, we built a high-fidelity WTS testbed with more than 50 measurement points. Experiments under two attack scenarios with a total of 36 attacks show that the proposed methods achieve a detection rate of 97.22% and a false alarm rate of 1.67%.
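The abstract states the idea only at the level of principle: compute an entropy statistic over controller measurements, compare it with a threshold, and adapt that threshold because a fixed one misfires when the plant moves between operating conditions. The following is an added example and not code from the paper or its testbed; the paper's actual entropy measure, window length, threshold rule and data are not given on this page. It quantizes a single constructed tank-level signal into 16 bins, computes Shannon entropy per 16-sample window, and compares a static band with a band whose centre tracks benign windows by an exponentially weighted moving average. The operating-condition schedule, the bin grid, `DELTA`, `alpha` and the readings themselves are all assumptions made for the illustration.

```python
"""Entropy-based anomaly detection over PLC measurements, comparing a static
threshold with a dynamically adjusted one. Illustrative only: the data are
constructed and the parameters are assumed, not taken from the paper."""
import math
from collections import Counter

BINS, LO, HI = 16, 0.0, 100.0   # quantization grid for a 0-100 % level sensor (assumed)


def shannon_entropy(values, bins=BINS, lo=LO, hi=HI):
    """Shannon entropy in bits of one window, after quantizing the readings
    into `bins` equal-width cells over [lo, hi]."""
    counts = Counter()
    for v in values:
        idx = int((v - lo) * bins / (hi - lo))
        counts[min(bins - 1, max(0, idx))] += 1
    n = len(values)
    h = 0.0
    for c in counts.values():
        p = c / n
        h -= p * math.log2(p)
    return h


def window_entropies(series, window):
    """One entropy value per non-overlapping window of `window` samples."""
    return [shannon_entropy(series[i:i + window])
            for i in range(0, len(series) - window + 1, window)]


def static_alarms(entropies, baseline, delta):
    """Alarm whenever |H - baseline| > delta; the baseline never changes."""
    return [i for i, h in enumerate(entropies) if abs(h - baseline) > delta]


def dynamic_alarms(entropies, baseline, delta, alpha=0.3):
    """Same test, but the baseline follows benign windows by EWMA. It is not
    updated while a window is alarming, so a sustained attack is not absorbed."""
    alarms, mu = [], baseline
    for i, h in enumerate(entropies):
        if abs(h - mu) > delta:
            alarms.append(i)
        else:
            mu += alpha * (h - mu)
    return alarms


def make_series(levels_per_window, window=16):
    """Constructed tank-level readings. Each window cycles through k evenly
    spaced setpoints around 50 %; k grows as the plant drifts into a wider
    operating range. k == 1 models a freeze/replay attack in which the
    controller keeps receiving one held value."""
    series = []
    for k in levels_per_window:
        for i in range(window):
            series.append(50.0 + ((i % k) - (k - 1) / 2) * 10.0)
    return series


# Assumed schedule: four windows of the initial condition, a gradual drift
# to a wider range, then two windows of a frozen sensor value.
SCHEDULE = [4, 4, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 8, 8, 1, 1]
TRAIN_WINDOWS = 4      # windows used to learn the baseline
DELTA = 0.5            # tolerated deviation from the baseline, in bits (assumed)


def run():
    series = make_series(SCHEDULE)
    ent = window_entropies(series, 16)
    baseline = sum(ent[:TRAIN_WINDOWS]) / TRAIN_WINDOWS
    return {
        "entropies": ent,
        "static": static_alarms(ent, baseline, DELTA),
        "dynamic": dynamic_alarms(ent, baseline, DELTA),
    }


if __name__ == "__main__":
    r = run()
    for i, h in enumerate(r["entropies"]):
        s = "ALARM" if i in r["static"] else "-"
        d = "ALARM" if i in r["dynamic"] else "-"
        print(f"window {i:2d}  H={h:.3f}  static={s:5}  dynamic={d}")
```

Running it prints one line per window. Windows 6 to 13 are a benign drift into a wider operating range; the static band learned on the first four windows flags all eight of them as anomalies, while the tracked band follows the drift and alarms only on the two frozen-value windows at the end, where the entropy collapses to zero. The caveat cuts both ways: a baseline that follows the data can also be walked by an attacker who changes the process slowly enough to stay inside the band at every step, which is why the example freezes the baseline while an alarm is active and why, in practice, the tolerance and adaptation rate have to be tuned against the plant's legitimate rate of change rather than chosen once.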
Keywords: Industrial cyber-physical system; Water treatment system; Intrusion detection; Abnormal state; Detection and localization; Information theory