Abstract
Industrial control device asset identification is essential to active defense and situational awareness for industrial control network security. However, asset information for industrial control devices is difficult to obtain, and efficient asset detection models and identification methods are urgently needed. Existing active detection techniques send many packets into the system, which can affect device operation, while passive identification can only analyze publicly available industrial control data. To address this problem, we propose an asset identification method comprising networked industrial control device asset detection, fingerprint feature extraction and classification. In the asset detection phase, the method uses TCP SYN half-open (semi-connected) probing to reduce the number of packets sent, and removes data originating from honeypot devices. The fingerprint feature extraction phase exploits the periodicity and long-term stability characteristics of industrial control devices and proposes a set of asset fingerprint feature combinations. The classification phase uses an improved decision tree algorithm based on feature weight correction and strengthens the classification model with the AdaBoost ensemble learning algorithm. Experimental results show that the proposed detection technique offers high efficiency, low probing frequency and noise immunity.
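The abstract names periodicity and long-term stability as the basis of the fingerprint features but this page does not give the feature set or the classifier. As an added illustration (not the paper's code), the following constructed Python example derives periodicity and message-size stability features from per-host packet timestamps and lengths, and uses a hand-written two-feature rule where the paper's learned decision tree would sit; the sample traffic and the thresholds are assumptions made up for the example.

```python
import statistics
from collections import Counter

# Constructed sample traffic (not real captures). Host A behaves like a
# field device polled every ~2 s with a fixed 64-byte reply; host B behaves
# like an IT workstation with bursty, irregular traffic and mixed sizes.
PLC_TS = [0.00, 2.01, 4.00, 5.99, 8.02, 10.00, 12.01, 13.98, 16.00, 18.01, 20.02]
PLC_LEN = [64] * 11
WORK_TS = [0.00, 0.05, 0.07, 1.90, 6.40, 6.41, 6.45, 12.30, 12.31, 19.00, 19.02]
WORK_LEN = [1500, 1500, 60, 200, 1500, 1500, 80, 60, 1500, 300, 60]


def periodicity_features(ts, lens, bucket=0.1):
    """Return (period, period_cv, period_share, len_stability).

    period:        most common inter-arrival gap, quantised to `bucket` s
    period_cv:     coefficient of variation of the gaps (0 = perfectly regular)
    period_share:  fraction of gaps within one bucket of the dominant period
    len_stability: fraction of packets whose length equals the modal length
    """
    if len(ts) < 3 or len(ts) != len(lens):
        raise ValueError("need at least three timestamped packets")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    quantised = [round(g / bucket) * bucket for g in gaps]
    period = Counter(quantised).most_common(1)[0][0]
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    share = sum(1 for g in gaps if abs(g - period) <= bucket) / len(gaps)
    modal_len = Counter(lens).most_common(1)[0][0]
    len_stab = lens.count(modal_len) / len(lens)
    return round(period, 2), round(cv, 3), round(share, 3), round(len_stab, 3)


def looks_like_ics_device(ts, lens):
    """Assumed two-feature rule standing in for the learned tree: regular
    polling plus a stable message size points to a field device."""
    _, cv, share, len_stab = periodicity_features(ts, lens)
    return cv < 0.2 and share > 0.8 and len_stab > 0.8


if __name__ == "__main__":
    for name, ts, lens in (("host A", PLC_TS, PLC_LEN), ("host B", WORK_TS, WORK_LEN)):
        print(name, periodicity_features(ts, lens), looks_like_ics_device(ts, lens))
```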
Availability of Data and Materials
More information about the data can be obtained by contacting the corresponding author.
Code Availability
More information about the code can be obtained by contacting the corresponding author.
Funding
This work was supported by the National Key R&D Program of China (No. 2021YFB3101700) and a technology project funded by the State Grid Corporation of China (No. 5700-202228452A-2-0-ZN).
Author information
Contributions
WY proposed the experimental ideas, evaluated the experimental data, and drafted the manuscript. YSF, ZXM and YJS designed the experimental procedures, collected data, and assisted in writing the manuscript. ZWJ and YY revised the manuscript and evaluated the data. All authors read and approved the final manuscript.
Ethics declarations
Conflict of interest
The authors declare no competing interests.
Ethics Approval
Not applicable.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Yang, W., Fang, Y., Zhou, X. et al. Networked Industrial Control Device Asset Identification Method Based on Improved Decision Tree. J Netw Syst Manage 32, 32 (2024). https://doi.org/10.1007/s10922-024-09805-z