A SEQUENCE-AWARE INTRUSION DETECTION SYSTEM FOR ETHERNET/IP INDUSTRIAL CONTROL NETWORKS

Abstract

Industrial control systems (ICS) regulate and monitor critical cyber-physical systems such as the power grid and manufacturing plants. ICS networks are also vulnerable to cyber attacks, and existing defenses against these attacks are similar to those employed by traditional network intrusion detection systems (IDS). However, a typical IDS may not detect semantic attacks on the physical end devices because they follow the protocol specifications to bypass the IDS signatures. Sequence-based attacks, a subset of semantic attacks, can manipulate the ordering of valid commands to cause unsafe conditions for the physical devices. Based on a previous method of detecting sequence-based attacks by using discrete-time Markov chains (DTMC) to model normal ICS network traffic, we implemented a DTMC model for the EtherNet/IP and CIP industrial protocols and observed its effectiveness at recognizing sequence-based attacks. We developed four additional methods for DTMC model creation and compared their ability to detect attacks that the previous method failed to observe. All methods successfully identified attacks causing invalid states or invalid transitions, and only two methods could find localized anomalies. The results confirmed that a DTMC-based sequence-aware IDS could help improve the security posture of national critical infrastructure and Department of the Navy control systems.