Publication Details
Application of Approximate Matching on Industrial Control System (ICS) Network Communication Using Ssdeep Algorithm
IEC 104, Industrial Control System, Ssdeep, Anomaly Detection, Network Traffic
Network communication is associated with many security challenges. Changes in Internet technologies have allowed for an increase in networked devices, the complexity of cybercrimes and the transfer of huge amounts of data, which can easily be intercepted and manipulated by attackers. The goal of this research is to prove the viability of using approximate pattern matching to profiling Industrial Control System (ICS) communication. The approximate pattern matching has been successfully used on comparing similarity of files in the past. Tshark is a network protocol analyser that will be used to extract interesting fields of an IEC 60870-5 protocol (aka IEC 104) from the ICS communication packet capture files. IEC 104 is a protocol that provides a communication profile for sending basic telecontrol messages between two systems in electrical engineering and power system automation. This protocol enables communication between control station and a substation via a standard TCP/IP network. The communication is based on the client-server model. An ICS normal profile is computed from the packet capture files to represent a normal ICS traffic. In the anomaly detection phase, unknown ICS network traffic is compared to the normal profile using approximate pattern matching algorithm. In this research, Ssdeep pattern matching algorithm will be used to compute the matching score between profiles to identify anomalies.
@techreport{BUT168671,
author="Nelson Makau {Mutua}",
title="Application of Approximate Matching on Industrial Control System (ICS) Network Communication Using Ssdeep Algorithm",
year="2020",
address="Brno",
pages="31",
url="https://www.fit.vut.cz/research/publication/12331/"
}