Ajou University repository

Multimodel-based Detection Framework for Robust Industrial Control Systems
  • 이석준
Citations (SCOPUS)
0
Advisor
손태식
Affiliation
Ajou University Graduate School
Department
Department of Computer Engineering, Graduate School
Publication Year
2017-02
Publisher
The Graduate School, Ajou University
Keyword
Control System; Intrusion Detection; Anomaly Detection; Whitelist
Description
Doctoral thesis -- Ajou University Graduate School: Department of Computer Engineering, February 2017
Alternative Abstract
As attacks such as Stuxnet and BlackEnergy targeting the control systems of critical infrastructure have occurred, enhancing the security of facilities such as Industrial Control Systems (ICS) has become increasingly important. In this thesis, we build an effective Network Intrusion Detection System (NIDS) by exploiting a common characteristic of ICS environments: communication between network nodes is comparatively regular. To establish more effective detection models for ICS environments, we propose a multimodel-based detection framework that combines four anomaly detection engines: a whitelist engine, a single packet anomaly detection engine, a packet sequence pattern detection engine, and a traffic anomaly detection engine. The whitelist engine automatically constructs a whitelist from network packets using pre-selected packet header features; during detection, any packet whose header is not in the whitelist is flagged as an anomaly. The single packet anomaly detection engine addresses threats such as injection attacks, integrity attacks, and malformed packets. As its learning-based model, the engine uses both a model built with the well-known One Class SVM (OCSVM) method and a newly proposed representative detection model designed to overcome the limitations of OCSVM. We also consider the sequence of packets: the packet sequence pattern detection engine builds a packet sequence pattern library from the packet sequences of the normal dataset for each protocol, and uses it to detect anomalies that manifest as sequence problems such as out-of-order packets, packet duplication, and packet loss. Finally, the traffic anomaly detection engine detects traffic anomalies such as bursts of traffic, network scanning, and packet flooding from a single node.
We validate the proposed detection framework with all four detection engines on a simulated ICS environment that reflects real-world traffic on the Korean power grid.
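To make the whitelist engine and the packet sequence pattern engine described in the abstract concrete, the following Python is an added illustration written for this record; it is not code from the thesis. It assumes that the whitelist is keyed on the header tuple (source, destination, protocol, service port), that the sequence library holds the pairs of consecutive function codes seen per protocol in normal traffic, and it uses constructed sample packets modelled on a regular Modbus-style polling cycle.

```python
"""Whitelist and packet-sequence detection in the spirit of the thesis abstract.
Added illustration, not the thesis's code. All packet records are constructed."""

# Assumed "pre-selected features from packet header" the whitelist is keyed on.
WHITELIST_FEATURES = ("src", "dst", "proto", "port")


def header_key(pkt):
    """Project a packet record onto the whitelist feature tuple."""
    return tuple(pkt[f] for f in WHITELIST_FEATURES)


class WhitelistEngine:
    """Learns every header tuple seen in normal traffic; anything else is anomalous."""

    def __init__(self):
        self.allowed = set()

    def learn(self, packets):
        for p in packets:
            self.allowed.add(header_key(p))

    def detect(self, pkt):
        """True when the packet's header tuple was never seen during learning."""
        return header_key(pkt) not in self.allowed


class SequencePatternEngine:
    """Per-protocol library of consecutive function-code pairs (bigrams).
    A transition absent from the library indicates an out-of-order, duplicated
    or missing packet relative to the regular polling cycle."""

    def __init__(self):
        self.patterns = {}  # proto -> set of (previous_fc, fc)

    def learn(self, packets):
        prev = {}
        for p in packets:
            proto = p["proto"]
            if proto in prev:
                self.patterns.setdefault(proto, set()).add((prev[proto], p["fc"]))
            prev[proto] = p["fc"]

    def detect(self, packets):
        """Indices of packets whose transition from the previous packet of the
        same protocol is not in the learned library."""
        hits, prev = [], {}
        for i, p in enumerate(packets):
            proto = p["proto"]
            known = self.patterns.get(proto, set())
            if proto in prev and (prev[proto], p["fc"]) not in known:
                hits.append(i)
            prev[proto] = p["fc"]
        return hits


def mk(src, dst, fc, proto="modbus", port=502):
    """Build a constructed packet record (HMI 10.0.0.2 polls PLC 10.0.0.10)."""
    return {"src": src, "dst": dst, "proto": proto, "port": port, "fc": fc}


HMI, PLC = "10.0.0.2", "10.0.0.10"

# Constructed normal traffic: read polling with an occasional write.
NORMAL = [
    mk(HMI, PLC, "read_req"), mk(PLC, HMI, "read_resp"),
    mk(HMI, PLC, "read_req"), mk(PLC, HMI, "read_resp"),
    mk(HMI, PLC, "write_req"), mk(PLC, HMI, "write_resp"),
    mk(HMI, PLC, "read_req"), mk(PLC, HMI, "read_resp"),
]

# Constructed observed traffic: an unknown host, a duplicated response and a
# write response whose request was never seen (packet loss).
OBSERVED = [
    mk(HMI, PLC, "read_req"), mk(PLC, HMI, "read_resp"),
    mk("10.0.0.99", PLC, "read_req"),   # index 2: host not in whitelist
    mk(PLC, HMI, "read_resp"),
    mk(PLC, HMI, "read_resp"),          # index 4: duplicate response
    mk(PLC, HMI, "write_resp"),         # index 5: orphan response, request missing
]


def run_engines(training, observed):
    """Train both engines on normal traffic and report flagged packet indices."""
    wl, sq = WhitelistEngine(), SequencePatternEngine()
    wl.learn(training)
    sq.learn(training)
    return {
        "whitelist": [i for i, p in enumerate(observed) if wl.detect(p)],
        "sequence": sq.detect(observed),
    }


if __name__ == "__main__":
    print(run_engines(NORMAL, OBSERVED))
```

Each engine reports independently, which mirrors the framework's combination of separate engines: the unknown host is caught only by the whitelist, while the duplicate and the orphaned response are caught only by the sequence library, since their headers are perfectly ordinary.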
Language
eng
URI
https://dspace.ajou.ac.kr/handle/2018.oak/12309
Type
Thesis