Application of approximate matching on industrial control system (ICS) network communication using ssdeep algorithm

Date
2020
Authors
Mutua, Nelson Makau
Publisher
Strathmore University
Abstract
Industrial Control Systems (ICSs) are essential to the functioning of many critical infrastructures, for instance power plants, water treatment facilities and gas pipelines. Although the security of such systems deserves attention, applying thorough security intelligence approaches to ICSs is not yet standard practice. ICSs are becoming increasingly connected, so they require heightened security. Intrusion Detection Systems (IDSs) do not work well for securing ICSs because they mostly operate on a signature basis, and few signatures are known for detecting attacks on ICSs. Network communication is associated with many security challenges. Changes in Internet technologies have allowed for an increase in networked devices, in the complexity of cybercrimes and in the transfer of huge amounts of data, which can easily be intercepted and manipulated by attackers. Because of the weaknesses of the IDSs used in ICSs, there is a need for a solution that can detect attacks at a higher rate. Several documented real-world incidents and cyber-attacks affecting ICSs clearly illustrate critical infrastructure vulnerabilities. These reported incidents demonstrate that cyber-attacks on ICSs can cause a variety of financial damage and harmful events to humans and their environment. Based on the aforementioned challenges, the solution was realised by implementing a technique for analysing International Electrotechnical Commission (IEC) 60870-5 network communication, also known as the IEC 104 protocol, based on approximate pattern matching. This protocol was deliberately selected for this study because it is crucial for communication between the control and the controlled stations in many ICSs. An ICS profile was computed from normal ICS network communication. To detect anomalies, unknown ICS communication was compared to the profile using an approximate pattern matching algorithm. The prototype was built as an evaluation tool using the Agile software methodology.
This methodology provides opportunities to assess the project's progress and direction throughout the development lifecycle, achieved through iterations and more frequent releases with subsequent feedback. A Python-based application was developed, tested and validated.
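The detection approach the abstract describes (a profile computed from normal IEC 104 traffic, unknown traffic scored against it by approximate matching), as an added example that is not the thesis's tool and does not call the ssdeep library: a simplified context-triggered piecewise hash (CTPH) in the style of ssdeep, written in pure Python. The rolling-hash window, fixed block size, base64-style chunk encoding, similarity formula and the anomaly threshold of 70 are assumptions of this example, and the IEC 104 APDUs below are constructed sample frames rather than captured traffic.

```python
"""Simplified ssdeep-style CTPH for profiling IEC 104 traffic (illustrative)."""
import string
from typing import Iterable, List

# One signature character per chunk, drawn from a 64-symbol alphabet (assumption)
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
WINDOW = 7         # rolling-hash window length, as in ssdeep
BLOCK_SIZE = 32    # fixed trigger modulus; real ssdeep derives it from input length


def _fnv1a_32(data: bytes) -> int:
    """FNV-1a 32-bit hash of a chunk; only the low 6 bits are kept in the signature."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def ctph_signature(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Piecewise-hash signature of a byte stream.

    Chunk boundaries are chosen by a rolling value over the last WINDOW bytes, so an
    insertion or deletion only disturbs boundaries near the edit and the hash
    resynchronises afterwards (the property that makes CTPH approximate matching)."""
    sig: List[str] = []
    window: List[int] = []
    chunk = bytearray()
    for b in data:
        window.append(b)
        if len(window) > WINDOW:
            window.pop(0)
        chunk.append(b)
        # weighted sum stands in for ssdeep's three-part rolling hash (assumption)
        roll = sum((i + 1) * v for i, v in enumerate(window))
        if roll % block_size == block_size - 1:
            sig.append(ALPHABET[_fnv1a_32(bytes(chunk)) & 0x3F])
            chunk = bytearray()
    if chunk:  # final partial chunk is always emitted
        sig.append(ALPHABET[_fnv1a_32(bytes(chunk)) & 0x3F])
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two signatures (dynamic programming, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """Score 0..100 (100 = identical), an ssdeep-like scale; formula is an assumption."""
    if not sig_a and not sig_b:
        return 100
    longest = max(len(sig_a), len(sig_b))
    return round(100 * (1 - levenshtein(sig_a, sig_b) / longest))


def build_profile(sessions: Iterable[bytes]) -> List[str]:
    """ICS profile: signatures of sessions believed to be normal."""
    return [ctph_signature(s) for s in sessions]


def score_against_profile(unknown: bytes, profile: List[str]) -> int:
    """Best match of unknown traffic against any profiled normal session."""
    sig = ctph_signature(unknown)
    return max(similarity(sig, p) for p in profile)


def classify(score: int, threshold: int = 70) -> str:
    """Flag traffic whose best score falls below the threshold (threshold is an assumption)."""
    return "normal" if score >= threshold else "anomaly"


# Constructed IEC 104 APDUs: start byte 0x68, length, four control-field bytes.
STARTDT_ACT = bytes.fromhex("680407000000")
STARTDT_CON = bytes.fromhex("68040b000000")
TESTFR_ACT = bytes.fromhex("680443000000")
TESTFR_CON = bytes.fromhex("680483000000")
S_FRAME = bytes.fromhex("680401000200")
# I-frame carrying C_IC_NA_1 (type 100) general interrogation, COT 6 (activation)
INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")


def normal_session(cycles: int) -> bytes:
    """Constructed 'normal' session: STARTDT handshake, then repeated polling cycles."""
    out = STARTDT_ACT + STARTDT_CON
    for _ in range(cycles):
        out += INTERROGATION + S_FRAME + TESTFR_ACT + TESTFR_CON
    return out


NORMAL_SESSIONS = [normal_session(20), normal_session(25)]

if __name__ == "__main__":
    profile = build_profile(NORMAL_SESSIONS)
    half = normal_session(20)
    samples = {
        "replayed normal session": half,
        "normal session with one extra TESTFR pair": half[: len(half) // 2]
        + TESTFR_ACT + TESTFR_CON + half[len(half) // 2:],
        "unrelated byte stream": bytes(range(256)) * 4,
    }
    for name, traffic in samples.items():
        s = score_against_profile(traffic, profile)
        print(f"{name}: score={s} -> {classify(s)}")
```

The resynchronisation is what distinguishes this from hashing fixed-size blocks: once the rolling window has moved past an inserted frame, the chunk boundaries line up with the profiled session again and the remaining signature characters match, so the score degrades with the size of the change rather than collapsing to zero.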
Description
Submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information System Security at Strathmore University
Keywords
Approximate matching, Vulnerability, Network traffic analysis, Industrial Control System (ICS), International Electrotechnical Commission, IEC 104