Abstract
Industrial control system (ICS) protocols have been developed to obtain the values measured by sensors, to control field devices, and to share the collected information. To detect the suspicious activities of ICS attackers, the ICS network must be monitored continuously using knowledge of the ICS protocol (the meaning of each protocol field and the protocol's behavior). However, ICS protocols are often proprietary, making it difficult to obtain their exact specifications. Hence, an automatic ICS protocol analysis is needed, because the tasks involved in manual reverse engineering are tedious. After analyzing network traffic obtained from a real ICS, we found that variable structures were common and that packet fragmentation frequently occurred during operation. We therefore recognized the need for an automated process that takes packet fragmentation and variable structures into account. In this paper, we describe our ongoing research to resolve the intricate structures of ICS protocols, building on the existing statistical analysis approach, and present the implementation results.
© 2018 Springer Nature Switzerland AG
Cite this paper
Chang, Y., Choi, S., Yun, JH., Kim, S. (2018). One Step More: Automatic ICS Protocol Field Analysis. In: D'Agostino, G., Scala, A. (eds) Critical Information Infrastructures Security. CRITIS 2017. Lecture Notes in Computer Science(), vol 10707. Springer, Cham. https://doi.org/10.1007/978-3-319-99843-5_22
DOI: https://doi.org/10.1007/978-3-319-99843-5_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99842-8
Online ISBN: 978-3-319-99843-5
eBook Packages: Computer Science, Computer Science (R0)