The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Whitelist-Based Anomaly Detection for Industrial Control System Security

제어시스템 보안을 위한 whitelist 기반 이상징후 탐지 기법

  • 유형욱 (아주대학교 컴퓨터공학과) ;
  • 윤정한 (한국전자통신연구원 부설연구소) ;
  • 손태식 (아주대학교 정보컴퓨터공학과)
  • Received : 2013.04.25
  • Accepted : 2013.06.28
  • Published : 2013.08.30
Download PDF
⟨ Previous Next ⟩

Abstract

Recent cyber attacks targeting control systems are getting sophisticated and intelligent notoriously. As the existing signature based detection techniques faced with their limitations, a whitelist model with security techniques is getting attention again. However, techniques that are being developed in a whitelist model used at the application level narrowly and cannot provide specific information about anomalism of various cases. In this paper, we classify abnormal cases that can occur in control systems of enterprises and propose a new whitelist model for detecting abnormal cases.

최근 제어시스템을 대상으로 한 사이버공격이 점차 고도화 지능화됨에 따라 기존 시그니처(signature) 기반 탐지 기법은 한계에 봉착하였고, 이에 제어시스템 환경에 적합한 화이트리스트(whitelist) 기반 보안 기법이 새롭게 주목받고 있다. 그러나 최근 개발되고 있는 화이트리스트 기법들은 어플리케이션 레벨에서 한정적으로 사용되고 있으며, 무엇보다 블랙리스트(blacklist) 기반 보안 기법과 달리 이상 징후 유형에 대한 구체적 정보 제공이 불가능하다는 단점이 존재한다. 본 논문에서는 제어시스템에서 발생할 수 있는 이상 징후 유형들을 분류하고, 네트워크 레벨에서의 화이트리스트를 통해 이상 징후를 탐지할 수 있는 모델을 제시한다.

Keywords

References

  1. A. Ginter, "An analysis of Whitelisting security solutions and their applicability in control systems," in SCADA Security Sci. Symp. (S4) 2010, Miami, U.S.A., Jan. 2010.
  2. J. Yoon, W. Kim, and J. Seo, "Study on Technology Requirement using the Technological Trend of Security Products concerning Industrial Control System," J. Korea Inst. Inform. Security Crytology, vol. 22, no. 5, pp. 22-26, Aug. 2012.
  3. B. Zhu, A. Joseph, and S. Sastry, "A taxonomy of cyber attacks on SCADA systems," in Proc. IEEE Int. Conf. Internet Things (iThings/CPSCom), pp. 308-388, Dalian, China, Oct. 2011.
  4. I. N. Fovino, A. Coletta, and M. Masera, "Taxonomy of security solutions for the SCADA sector," ESCoRTS, Deliverable D22, Mar. 2010.
  5. D.-J. Kang, J.-J. Lee, S.-J. Kim, and J.-H. Park, "Analysis on cyber threats to SCADA systems," in Proc. IEEE Transmission Distribution Conf. Expo.: Asia Pacific, pp. 1-4, Seoul, Korea, Oct. 2009.
  6. M. Franz, "ICCP exposed: assessing the attack surface of the utility stack," in SCADA Security Sci. Symp. (S4), Miami, U.S.A., Jan. 2007.
  7. Y. J. Won, "Fault detection, diagnosis, and prediction for IP-based industrial control networks," Ph.D. dissertation, Dept. Elect. Comput. Eng., Postech, Korea, Nov. 2009.
  8. U.S. Homeland Security, "Common cybersecurity vulnerabilities in industrial control," Nat. Cyber Security Division, Control Syst. Security Program, May 2011.
  9. IEC, "IEC 62351 part1 : communication network and system security - introduction to security issues," IEC TS 62351-1, May 2007.
  10. Digital Bond, Quickdraw SCADA IDS, Retrieved June, 26, 2013, from http://www.digitalbond.com/tools/quickdraw/.
  11. M. Jang, G. Lee, S. Kim, B.-G. Min, W.-N. Kim, and J. Seo, "Testing vulnerabilities of DNP3," J. Security Eng., vol. 7, no. 1, Feb. 2010.
  12. X. Li, X. Liang, R. Lu, X. Shen, X. Lin, and H. Zhu, "Securing smart grid: cyber attacks," IEEE Commun. Mag., vol. 50, no. 8, pp. 38-45, Aug. 2012.