National critical infrastructure networks, such as banks and industrial control systems (ICSs), can be serious damaged in the event of a security incident. Therefore, in all these major infrastructures, closed networks are constructed to cut off the attack path. However, owing to the emergence of cloud, Internet of Things (IoT), and artificial intelligence (AI) services, network interconnection is rapidly increasing; thus, many major infrastructure networks can no longer be called closed networks. The ICS, which was previously a strictly closed network, is now usually called Industrial Internet of Things (IIoT) and exhibits many changes, such as smart factories and remote control. Many payment modules use the financial network through IoT or AI-assisted services. In this massive connected environment, the existing closed network defense system may cause difficulties in providing the service. Therefore, there is a need for technology that can continuously monitor the possibility of advanced attacks. In this paper, we define the normal-behavior-based rules from the perspective of network forensics and conduct visualization studies to detect all possible attacks against the control protocol DNP3 (Distributed Network Protocol) and the financial protocol called FIX (Finance Information Exchange). Thus, we detected suspicious network packets on the ICS network and the financial network and identified abnormal behavior that could be the basis of serious attacks.
- This research was supported by the Ministry of Science and ICT (MSIT), Korea, under the Information Technology Research Center support program IITP-2018-2016-0-00304 supervised by the Institute for Information & Communications Technology Promotion (IITP). - This work was supported by an IITP grant funded by the Korean government (MSIT) (No. 2018-0-00336, Advanced Manufacturing Process Anomaly Detection to prevent the Smart Factory Operation Failure by Cyber Attacks). - This work was supported by the Ajou University research fund.Acknowledgements - This research was supported by the Ministry of Science and ICT (MSIT), Korea, under the Information Technology Research Center support program IITP-2018-2016-0-00304 supervised by the Institute for Information & Communications Technology Promotion (IITP). -This work was supported by an IITP grant funded by the Korean government (MSIT) (No. 2018-0-00336, Advanced Manufacturing Process Anomaly Detection to prevent the Smart Factory Operation Failure by Cyber Attacks). -This work was supported by the Ajou University research fund.
