NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers

Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a mal...

Full description

Saved in:
Bibliographic Details
Published in:Frontiers of information technology & electronic engineering 2017-04, Vol.18 (4), p.519-534
Main Authors: Xiao, Yu-jun, Xu, Wen-yuan, Jia, Zhen-hua, Ma, Zhuo-ran, Qi, Dong-lian
Format: Article
Language:English
Subjects:
Actuators
Anomalies
Anti-virus software
Casualties
Communications Engineering
Computer Hardware
Computer Science
Computer Systems Organization and Communication Networks
Control systems
Critical components
Critical infrastructure
Electrical Engineering
Electronics and Microelectronics
Industrial electronics
Instrumentation
Intrusion detection systems
Malware
Networks
Neural networks
Pharmacists
Power consumption
Power management
Power measurement
Programmable logic controllers
Software
System effectiveness
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.
ISSN:2095-9184
2095-9230
DOI:10.1631/FITEE.1601540