Publication Details
Application of Approximate Matching on Industrial Control System (ICS) Network Communication Using Ssdeep Algorithm
IEC 104, Industrial Control System, Ssdeep, Anomaly Detection, Network Traffic
Network communication is associated with many security challenges. Changes in
Internet technologies have allowed an increase in networked devices, more
complex cybercrime and the transfer of huge amounts of data, which can easily be
intercepted and manipulated by attackers. The goal of this research is to prove
the viability of using approximate pattern matching for profiling Industrial
Control System (ICS) communication. Approximate pattern matching has been
successfully used in the past to compare the similarity of files. Tshark, the
command-line network protocol analyser of Wireshark, is used to extract fields
of interest of the IEC 60870-5-104 protocol (IEC 104) from ICS packet capture
files. IEC 104 is a protocol that provides a communication profile for sending
basic telecontrol messages between two systems in electrical engineering and
power system automation. It enables communication between a control station and
a substation over a standard TCP/IP network; the communication is based on the
client-server model. An ICS normal profile is computed from the packet capture
files to represent normal ICS traffic. In the anomaly detection phase, unknown
ICS network traffic is compared to the normal profile using an approximate
pattern matching algorithm. In this research, the Ssdeep algorithm
(context-triggered piecewise hashing, a fuzzy hash) is used to compute the
matching score between profiles and so identify anomalies.
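The pipeline the abstract describes (extract IEC 104 fields with tshark, build a normal profile, fuzzy-hash it, score unknown traffic against it) as an added Python example. This is not the thesis code and does not call the ssdeep library: it re-implements the core of ssdeep's context-triggered piecewise hashing in pure Python (rolling hash, FNV-style chunk hash, base64 signature, weighted edit distance) so that it runs offline, omitting ssdeep's signature truncation and run-length elimination. The tshark field records are constructed, not taken from a real capture, and the Wireshark field names quoted in the comments (iec60870_104.type, iec60870_asdu.typeid, iec60870_asdu.causetx, iec60870_asdu.addr, iec60870_asdu.ioa) as well as the hosts, type identifiers and the 12-cycle polling pattern are assumptions for illustration.

```python
"""Simplified ssdeep-style CTPH applied to IEC 104 field records.
Added illustration: not the thesis code and not the ssdeep library (signature
truncation and run-length elimination are omitted)."""
ROLLING_WINDOW, MIN_BLOCKSIZE, SPAMSUM_LENGTH = 7, 3, 64
HASH_PRIME, HASH_INIT = 0x01000193, 0x28021967
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _signature(data: bytes, bs: int) -> str:
    """One base64 char per chunk; a chunk ends where the rolling hash == bs-1 (mod bs)."""
    h1 = h2 = h3 = 0
    window = [0] * ROLLING_WINDOW
    h, sig = HASH_INIT, []
    for n, c in enumerate(data):
        h2 = (h2 - h1 + ROLLING_WINDOW * c) & 0xFFFFFFFF   # ssdeep's 7-byte rolling hash
        h1 = (h1 + c - window[n % ROLLING_WINDOW]) & 0xFFFFFFFF
        window[n % ROLLING_WINDOW] = c
        h3 = ((h3 << 5) & 0xFFFFFFFF) ^ c
        h = ((h * HASH_PRIME) & 0xFFFFFFFF) ^ c            # FNV-style hash of current chunk
        if ((h1 + h2 + h3) & 0xFFFFFFFF) % bs == bs - 1:   # content-defined chunk boundary
            sig.append(B64[h % 64])
            h = HASH_INIT
    if h != HASH_INIT:
        sig.append(B64[h % 64])
    return "".join(sig)

def ctph_digest(data: bytes) -> str:
    """Return 'blocksize:sig1:sig2' (sig2 uses twice the block size), as ssdeep does."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):
        bs *= 2
    sig1 = _signature(data, bs)
    while bs > MIN_BLOCKSIZE and len(sig1) < SPAMSUM_LENGTH // 2:
        bs //= 2                                            # too few chunks: refine
        sig1 = _signature(data, bs)
    return f"{bs}:{sig1}:{_signature(data, bs * 2)}"

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein with insert/delete cost 1 and substitution cost 2 (ssdeep's weights)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def _score(s1: str, s2: str, bs: int) -> int:
    grams = {s1[i:i + ROLLING_WINDOW] for i in range(len(s1) - ROLLING_WINDOW + 1)}
    if not any(s2[i:i + ROLLING_WINDOW] in grams for i in range(len(s2) - ROLLING_WINDOW + 1)):
        return 0                                            # no common 7-char run: unrelated
    score = 100 - 100 * _edit_distance(s1, s2) // (len(s1) + len(s2))
    cap = bs // MIN_BLOCKSIZE * min(len(s1), len(s2))       # damp scores of tiny inputs
    return max(0, min(score, cap))

def ctph_compare(d1: str, d2: str) -> int:
    """0..100 similarity; block sizes must be equal or differ by exactly 2x, else 0."""
    bs1, a1, a2 = d1.split(":")
    bs2, b1, b2 = d2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return 100 if (a1, a2) == (b1, b2) else max(_score(a1, b1, bs1), _score(a2, b2, bs1 * 2))
    if bs1 == 2 * bs2:
        return _score(a1, b2, bs1)
    return _score(a2, b1, bs2) if bs2 == 2 * bs1 else 0

# IEC 104 side. Constructed records, not a real capture, shaped like the output of
#   tshark -r x.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e iec60870_104.type
#     -e iec60870_asdu.typeid -e iec60870_asdu.causetx -e iec60870_asdu.addr -e iec60870_asdu.ioa
# (field names are assumed; check them with `tshark -G fields | grep iec60870`).
MASTER, RTU, ROGUE = "10.0.0.1", "10.0.0.2", "10.0.0.99"
NORMAL_CYCLE = [                                  # (src, dst, APCI, TypeID, COT, CA, IOA)
    (MASTER, RTU, "I", "100", "6", "1", "0"),     # C_IC_NA_1 interrogation, activation
    (RTU, MASTER, "I", "100", "7", "1", "0"),     # activation confirmation
    (RTU, MASTER, "I", "1", "20", "1", "1001"),   # M_SP_NA_1, interrogated by station
    (RTU, MASTER, "I", "13", "20", "1", "2001"),  # M_ME_NC_1, interrogated by station
    (RTU, MASTER, "I", "100", "10", "1", "0"),    # activation termination
    (MASTER, RTU, "S", "", "", "", ""),           # S-frame, no ASDU
    (RTU, MASTER, "U", "", "", "", ""),           # U-frame TESTFR act
    (MASTER, RTU, "U", "", "", "", ""),           # U-frame TESTFR con
]
ROGUE_CMD = (ROGUE, RTU, "I", "45", "6", "1", "5005")  # C_SC_NA_1 from an unexpected host

def to_tsv(records):
    """Render records as tshark -T fields output, with a constructed timestamp column."""
    return "".join(f"{0.5 * i:.6f}\t" + "\t".join(r) + "\n" for i, r in enumerate(records))

def canonical_profile(tsv: str) -> bytes:
    """Drop the timestamp (different in every capture) so only protocol behaviour is hashed."""
    rows = [line.split("\t")[1:] for line in tsv.splitlines() if line]
    return "".join("\t".join(r) + "\n" for r in rows).encode()

def profile_digest(records) -> str:
    return ctph_digest(canonical_profile(to_tsv(records)))

def normal_records(cycles=12):
    return NORMAL_CYCLE * cycles

def similar_records():
    recs = normal_records()                       # benign variation: one IOA differs
    recs[42] = recs[42][:6] + ("1002",)
    return recs

def anomalous_records():                          # every other frame is a rogue command
    return [ROGUE_CMD if i % 2 else r for i, r in enumerate(normal_records())]

if __name__ == "__main__":
    normal = profile_digest(normal_records())
    print("normal profile:", normal)
    for name, recs in (("similar", similar_records()), ("anomalous", anomalous_records())):
        print(f"{name}: score {ctph_compare(normal, profile_digest(recs))}")
```

Two design points carry over to real deployments: fields that legitimately vary (timestamps, APCI send/receive sequence numbers) must be stripped before hashing, otherwise the score measures clock and counter drift instead of protocol behaviour; and the alert threshold on the 0..100 score is a tuning parameter, since a small benign change moves only the few signature characters around the affected chunks while traffic with a different structure shares no 7-character run and scores 0. Swapping `ctph_digest`/`ctph_compare` for the `hash`/`compare` functions of the `ssdeep` Python binding gives the real algorithm with the same call shape.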
@techreport{BUT168671,
author="Nelson Makau {Mutua}",
title="Application of Approximate Matching on Industrial Control System (ICS) Network Communication Using Ssdeep Algorithm",
year="2020",
address="Brno",
pages="31",
url="https://www.fit.vut.cz/research/publication/12331/"
}