Ajou University repository

A Comprehensive Network Anomaly Detection Framework based on Protocol Reverse Engineering for Industrial Control System
  • 김현진
Advisor
손태식
Affiliation
Graduate School, Ajou University
Department
Graduate School, Department of AI Convergence Network
Publication Year
2022-02
Publisher
The Graduate School, Ajou University
Keyword
Industrial Control Systems; anomaly detection; network security; protocol reverse engineering
Description
Thesis (Ph.D.)--Graduate School, Ajou University: Department of AI Convergence Network, 2022. 2
Alternative Abstract
With the advent of the Fourth Industrial Revolution, industrial control systems (ICS) are adopting Ethernet-based communication systems. As a result, connectivity and interoperability have increased, but new security threats are emerging as the boundaries between hierarchical levels disappear and connections with external devices increase. Because ICS are deployed in critical infrastructure, successful cyberattacks cause enormous social and economic damage. In fact, ICS cyberattacks are increasing, and these attacks are becoming more sophisticated and advanced. To cope with such advanced attacks, an anomaly detection system specialized for ICS should be applied, but security incidents are expected to continue because most ICS sites still rely on security based on an isolated network environment. In this thesis, we propose an anomaly detection framework for detecting cyberattacks in Ethernet-based ICS networks. The proposed framework is based on traffic classification and a protocol reverse engineering method, without detailed knowledge of each field. For traffic classification and protocol reverse engineering, a series of techniques is proposed to extract characteristics that can be used for anomaly detection, without detailed knowledge of each site, by inferring structure and semantics from the collected network data. For anomaly detection, a framework that performs a defense-in-depth approach is proposed, based on the deterministic nature of the extracted characteristics. We experimentally verified the effectiveness of these techniques compared to expert-knowledge-based methods.
Language
eng
URI
https://dspace.ajou.ac.kr/handle/2018.oak/20561
Type
Thesis