Article

Unknown Payload Anomaly Detection Based on Format and Field Semantics Inference in Cyber-Physical Infrastructure Systems

Journal

IEEE ACCESS
Volume 9, Pages 75542-75552

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/ACCESS.2021.3080081

Keywords

Protocols; Anomaly detection; Payloads; Feature extraction; Security; Reverse engineering; Semantics; Cyber-physical infrastructure systems; cyber security; Ethernet-based industrial protocol; industrial control systems; unknown payload anomaly detection


Cyber-physical infrastructure systems (CPIS) are used to control and manage critical infrastructure, requiring customized strategies for enhancing security and anomaly detection. A proposed method infers protocol format and field semantics based on CPIS network and protocol characteristics, without relying on specific site and protocol information.
A cyber-physical infrastructure system (CPIS) is a system that controls and manages critical infrastructure such as smart manufacturing, water treatment facilities, power generation, and distribution facilities. Although these CPISs rely on the security of air-gapped network environments, strict isolation from outside networks is difficult to achieve in practice, which exposes them to various attacks. CPISs also comprise various devices and proprietary communication protocols that are used exclusively within each domain and site. Therefore, experts have to adopt a customized strategy to enhance security in CPIS networks after analyzing each domain, device, and protocol in advance. These methods require a significant amount of time, cost, and manpower; consequently, existing security methods are difficult to apply in the field. As a solution, a method is proposed herein that includes the following: 1) inferring the CPIS protocol format and field semantics based on the characteristics of CPIS networks and protocols; 2) multilevel anomaly detection based on the meaning and values of each inferred field. The proposed method does not require knowledge of each site and protocol. In addition, the inference method can be used to analyze the payload fields, including state and measurement values, as well as the header fields. Finally, we validate the proposed technique using an open-source CPIS network dataset that includes response injection, command injection, denial-of-service, and reconnaissance attacks. In terms of detection efficiency, the proposed technique exhibits performance comparable to that of existing knowledge-based anomaly detection methods.

