SACM Working Group                                                S. Li
Internet Draft                                                   M. Wei
Intended status: Standards Track                                H. Wang
Expires: August 27, 2017                                       Q. Huang
                                                                P. Wang
                                                                J. Liao
                                                Chongqing University of
                                             Posts and Telecommunications
                                                      February 23, 2017


     Anomaly Detection of Industrial Control System based on Modbus/TCP
                   draft-li-sacm-anomaly-detection-00

Abstract

   Aiming at the vulnerabilities and security threats of Industrial
   Control Systems, this document proposes a detection model based on
   the characteristics of the Modbus/TCP protocol.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on August 27, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Requirements Notation
      1.2. Terms Used
   2. Overview of the detection scheme
   3. A detection model based on Modbus protocol features
   4. Security Considerations
   5. IANA Considerations
   6. References
      6.1. Normative References
      6.2. Informative References

1. Introduction

   With the development of industrialization and informatization, more
   and more information technology is applied to the industrial field.
   Because the hardware and software widely used in Industrial Control
   Systems come from different vendors, and because an ICS must exchange
   information with outside networks, Industrial Control Systems have
   become more and more open and face more security threats.

   Existing research on anomaly detection for ICS is introduced as
   follows. Anomaly detection based on the datagram format of the
   communication protocol presumes that the specification of a
   particular proprietary protocol is available; a detection method
   based on the message format tends to give a lower detection rate and
   is not easy to extend. Another anomaly detection mechanism is the
   configuration of blacklists and whitelists; to realize it, engineers
   need to run the system and set the blacklist and whitelist according
   to the observed ICS state.

   In addition, most research work focuses on the intrusion detection
   algorithm, yet the key to improving the detection rate is to extract
   efficient features for anomaly detection.
   Research on intrusion detection algorithms shows that the basic
   principle of the neural network method is to use a learning algorithm
   to study the relationship between input and output vectors and to
   generalize it to new input-output relationships. The neural network
   algorithm has rather high computational complexity and a very large
   demand for samples, while it is difficult to collect many samples
   from an Industrial Control System. The genetic algorithm is a search
   algorithm based on natural selection of the best candidates, but it
   has higher coding complexity and a longer training time.

   The Support Vector Machine algorithm, by contrast, is a data
   classification method based on statistical learning theory. It has
   many advantages, such as working with few samples, good
   generalization and global optimization. Therefore, the SVM algorithm
   based on clustering is suitable for the anomaly detection of ICS.

1.1. Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "MAY" in this document are to be interpreted
   as described in [RFC2119].

1.2. Terms Used

   ICS: Industrial Control System.

   SVM: Support Vector Machines. SVM is specified in [CoVa1995].

   Security: the specific security mechanism or security algorithm.

2. Overview of the detection scheme

   In this document, the system anomaly detection model is established
   on the periodic characteristics of the Industrial Control System and
   the message characteristics of the Modbus/TCP communication protocol.
   The industrial control network equipment involved in the anomaly
   detection process includes the security gateway, the programmable
   logic controller, the security management platform and the controlled
   device; the security gateway in turn includes an anomaly detection
   subsystem and a packet depth analysis system.
   The packet depth analysis system performs deep analysis and feature
   extraction on Modbus/TCP packets; the anomaly detection subsystem
   detects anomalies in the underlying network data and generates an
   alarm response to abnormal data. Depending on the specific
   technological process, the programmable logic controller issues
   control commands to the controlled device for orderly production. The
   security management platform is responsible for configuring the
   security mechanism and handling abnormal alarms from the security
   gateway. The controlled equipment, including level gauges, pressure
   gauges, temperature sensors and so on, is responsible for collecting
   physical quantities in the industrial production process. The
   detection process is as follows.

   (1) Capture the communication data between master and slave devices
       through the security gateway, and then analyze the data.

   (2) According to the packet format of the Modbus/TCP protocol, the
       packet depth analysis system identifies the feature fields that
       should exist in the packet and the expected values of those
       fields, analyzes the packets in depth layer by layer, and removes
       the excess attributes, leaving only the characteristics related
       to the system behavior patterns.

   (3) From the eigenvectors extracted by the packet depth analysis
       system, the anomaly detection subsystem constructs the classifier
       used for measurement, statistics and anomaly detection, and sends
       an alarm to the security management platform for abnormal
       results.

3. A detection model based on Modbus protocol features

   Modbus/TCP is an application layer protocol that embeds a Modbus
   frame into a TCP segment; its message transmission service provides
   communication between client and server devices connected to an
   Ethernet TCP/IP network.
   Modbus/TCP is carried over TCP [RFC793] and IP [RFC791]. A Modbus/TCP
   packet consists of two parts, the Modbus Application Protocol (MBAP)
   header and the Protocol Data Unit (PDU). The MBAP header contains the
   transaction ID, protocol ID, length, and unit ID. The PDU consists of
   the function code and the data. The transaction ID identifies the
   packet within a Modbus request/response transaction. The function
   code represents the control command sent by the master device to the
   slave device; each function code represents a different operation.
   The transfer direction of a packet is derived from its source and
   destination addresses.

   The transaction identifier, slave function code, slave communication
   address, packet transfer direction and port number are extracted as
   the elements of the eigenvector. Constructing a number of different
   categories of eigenvalues in the eigenvector describes the behavior
   pattern of the system more accurately and reasonably, and the
   detection accuracy of the model is improved accordingly.

   An SVM anomaly detection model based on k-means clustering is
   constructed from the acquired eigenvectors, which describe the
   communication behavior. This process is shown in Figure 1.

   (1) The k-means clustering algorithm is used to preprocess the
       protocol feature vectors: it randomly selects k objects as the
       initial cluster centers and calculates the mean of the data in
       each cluster. The standard criterion function is used to
       determine whether the cluster centers are stable.

   (2) Using the clustered data as input, the SVM classifier is
       constructed.

   (3) The SVM algorithm involves three main steps. Firstly, construct
       the classification hyperplanes.
       Secondly, select the appropriate training parameters, which
       include the penalty factor and the radial basis function.
       Finally, obtain the decision function of the SVM.

                    +------------+
                    | Receive    |
                    |data packets|
                    +------------+
                          |
                          V
      +---------------+         +-------------------------+
      | Select the    |         |Construct a sample       |
      |kernel function|         |vector based on the      |
      +---------------+         |protocol characteristics |
              |                 +-------------------------+
              |                              |
              V                              V
      +-------------------+       +----------------+
      | Set the           |       |The samples are |
      |training parameters|       |divided into    |
      +-------------------+       |k subclasses    |
              |                   +----------------+
              |                           |
              V <-------------------------+
      +---------------------+
      | The clustering      |
      | result is obtained  |
      +---------------------+
              |
              V
      +------------------+
      | SVM classifier   |
      | is constructed   |
      +------------------+
              |
              V
      +--------------------+         +----------------+
      | Data classification|-------->|Data is abnormal|
      +--------------------+         +----------------+
              |                              |
              V                              V
      +--------------------+         +---------------+
      | Industrial Control |         |Security alerts|
      | System is normal   |         +---------------+
      +--------------------+

         Figure 1  SVM anomaly detection model based on clustering

4. Security Considerations

   TBD.

5. IANA Considerations

   This memo includes no request to IANA.

6. References

6.1. Normative References

6.2. Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

   [RFC793]   Postel, J., "Transmission Control Protocol", RFC 793,
              September 1981.

   [CoVa1995] Cortes, C. and V. Vapnik, "Support-vector networks",
              Machine Learning, vol. 20, no. 3, pp. 273-297, 1995.
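   As an added worked example, not code from the draft or its authors,
   the following Python script ties Sections 2 and 3 together: it parses
   constructed Modbus/TCP frames, checks that the MBAP header fields hold
   their expected values (Section 2, step 2), builds the eigenvector the
   draft names (transfer direction from the addresses, function code,
   unit ID, port), clusters a constructed normal baseline with k-means
   (Section 3, step 1) and flags vectors that fall outside every
   cluster's radius. The centroid-distance decision rule is a stand-in
   for the SVM stage the draft describes and is not the draft's method.
   All addresses, ports, register values and the choice k = 2 are
   constructed for the example; the field layout it relies on (7-byte
   MBAP header, protocol ID 0, function-code high bit marking an
   exception response) comes from the Modbus/TCP specification, not from
   the draft.

```python
import struct

MODBUS_PORT = 502           # standard Modbus/TCP server port
MASTERS = {"192.168.10.5"}  # constructed: addresses on the master (client) side
PLC = "192.168.10.20"       # constructed: slave (server) address


def parse_mbap(frame):
    """Split a Modbus/TCP frame into MBAP header fields and PDU, checking the
    fields that must hold expected values (Section 2, step 2 of the draft)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol ID %d, expected 0 for Modbus" % pid)
    # the length field counts the unit ID plus the PDU: everything after byte 6
    if length != len(frame) - 6:
        raise ValueError("length %d but %d bytes follow" % (length, len(frame) - 6))
    return {"tid": tid, "uid": uid, "fcode": frame[7], "data": frame[8:]}


def feature_vector(src, dst, sport, dport, frame):
    """Eigenvector of Section 3: direction (from the addresses), function code,
    exception bit, unit ID (slave address) and the Modbus-side port."""
    pdu = parse_mbap(frame)
    direction = 0 if src in MASTERS else 1          # 0 = request, 1 = response
    modbus_port = dport if direction == 0 else sport
    return (direction, pdu["fcode"] & 0x7F, pdu["fcode"] >> 7, pdu["uid"], modbus_port)


def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def nearest(p, centroids):
    i = min(range(len(centroids)), key=lambda j: dist(p, centroids[j]))
    return i, dist(p, centroids[i])


def kmeans(points, k, max_iter=100):
    """Plain k-means (Section 3, step 1).  The draft seeds with k random
    objects; the first k distinct points are used here for reproducibility."""
    centroids = []
    for p in points:
        if p not in centroids:
            centroids.append(p)
        if len(centroids) == k:
            break
    centroids = [tuple(float(x) for x in c) for c in centroids]
    for _ in range(max_iter):
        clusters = [[] for _ in centroids]
        for p in points:
            clusters[nearest(p, centroids)[0]].append(p)
        new = [tuple(sum(col) / len(c) for col in zip(*c)) if c else centroids[i]
               for i, c in enumerate(clusters)]
        if new == centroids:        # stop criterion: centers no longer move
            break
        centroids = new
    return centroids, clusters


class ClusterModel:
    """Baseline from normal traffic: per-cluster radius = farthest member plus a
    margin; a vector outside its nearest cluster's radius is abnormal.  This
    centroid-distance rule replaces the SVM stage of the draft (assumption)."""
    def __init__(self, vectors, k, margin=0.5):
        self.centroids, clusters = kmeans(vectors, k)
        self.radius = [max((dist(p, c) for p in cl), default=0.0) + margin
                       for c, cl in zip(self.centroids, clusters)]

    def is_abnormal(self, v):
        i, d = nearest(v, self.centroids)
        return d > self.radius[i]


def frame(tid, uid, fcode, data):
    """Encode a Modbus/TCP frame with a consistent length field."""
    pdu = bytes([fcode]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# constructed baseline: the master polls unit 1 with Read Holding Registers
# (0x03, start 0, count 2); the PLC answers with 4 data bytes
BASELINE = []
for t in range(1, 21):
    BASELINE.append(("192.168.10.5", PLC, 40000, MODBUS_PORT, frame(t, 1, 0x03, b"\x00\x00\x00\x02")))
    BASELINE.append((PLC, "192.168.10.5", MODBUS_PORT, 40000, frame(t, 1, 0x03, b"\x04\x00\x10\x00\x20")))

TEST = [  # constructed test packets
    ("192.168.10.5", PLC, 40000, MODBUS_PORT, frame(21, 1, 0x03, b"\x00\x00\x00\x02")),  # usual poll
    ("192.168.10.5", PLC, 40001, MODBUS_PORT, frame(22, 9, 0x06, b"\x00\x01\x00\xff")),  # write to unit 9
    (PLC, "192.168.10.5", MODBUS_PORT, 40001, frame(22, 9, 0x86, b"\x02")),               # exception response
    ("192.168.10.5", PLC, 40002, MODBUS_PORT,
     struct.pack(">HHHB", 23, 1, 6, 1) + b"\x03\x00\x00\x00\x02"),                        # protocol ID 1
]


def build_model():
    return ClusterModel([feature_vector(*p) for p in BASELINE], k=2)


def detect(model, packets):
    """Pipeline of Section 2: parse, extract, classify.  Frames whose header
    fields are not as expected are reported as malformed without clustering."""
    results = []
    for pkt in packets:
        try:
            v = feature_vector(*pkt)
        except ValueError as err:
            results.append(("malformed", str(err)))
            continue
        results.append(("abnormal" if model.is_abnormal(v) else "normal", v))
    return results


if __name__ == "__main__":
    for label, info in detect(build_model(), TEST):
        print(label, info)
```

   Running the script labels the repeated poll as normal, the write to an
   unseen unit and the exception response as abnormal, and the frame with
   a non-zero protocol ID as malformed. The port feature dominates a
   Euclidean distance, so on real captures the columns should be scaled
   before clustering and k chosen from the number of distinct periodic
   behaviors the baseline actually contains.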
Authors' Addresses

   Shuaiyong Li
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: lishuaiyong@cqupt.edu.cn

   Min Wei
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: weimin@cqupt.edu.cn

   Hao Wang
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: wanghao@cqupt.edu.cn

   Qingqing Huang
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: huangqq@cqupt.edu.cn

   Ping Wang
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Phone: (86)-23-6246-1061
   Email: wangping@cqupt.edu.cn

   Jie Liao
   Key Laboratory of Industrial Internet of Things & Networked Control
   Ministry of Education
   Chongqing University of Posts and Telecommunications
   2 Chongwen Road
   Chongqing, 400065
   China

   Email: 928053580@qq.com