RNN-based anomaly detection in DNP3 transport layer

Abstract

As more sophisticated cyberattacks against industrial control systems (ICSs) such as crashoverride and TRITON occur frequently, the security of ICS is becoming more and more emphasized. Currently, many security researches have been conducted on ICSs, but most studies focus on messages at the application layer containing data, and the transport layer for data transmission is not considered. However, problems at the transport layer can interfere with normal data acquisition and cause problems in availability which is a key characteristic of the control system. In addition, attacks that exploit this point do not require detailed knowledge of the control system, which may result in fatal results with a lower level of difficulty than other attacks, so security of the transport layer should also be considered as an important factor. Therefore, in this paper, we 1)analyze the transport layer attack that interferes with data acquisition and the protocols that attacks are effective by analyzing from an attacker's perspective, 2) analyzed transport layer attacks in the DNP3 protocol widely used in ICSs, 3) in order to detect this, propose a many to one bidirectional recurrent neural network (RNN) based detection technique considering the characteristics of ICS, and 4) describe the verification of the proposed model through an actual substation's DNP3 packet.