repository
Multimodel-based Detection Framework for Robust Industrial Control Systems
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 손태식 | - |
| dc.contributor.author | 이석준 | - |
| dc.date.accessioned | 2018-11-08T08:17:02Z | - |
| dc.date.available | 2018-11-08T08:17:02Z | - |
| dc.date.issued | 2017-02 | - |
| dc.identifier.other | 24904 | - |
| dc.identifier.uri | https://dspace.ajou.ac.kr/handle/2018.oak/12309 | - |
| dc.description | 학위논문(박사)--아주대학교 일반대학원 :컴퓨터공학과,2017. 2 | - |
| dc.description.tableofcontents | Chapter 1 Introduction 1 1.1 Contribution to the Field 3 1.2 Overall Framework 5 1.3 Thesis Outline 8 Chapter 2 Background and Related Works 9 2.1 Security Threat of Industrial Control System 9 2.2 Anomaly Detection System for Industrial Control System 11 Chapter 3 Multimodel-based Detection Framework 15 3.1 Raw Packet Preprocessor 15 3.2 Whitelist Engine 17 3.3 Single Packet Anomaly Detection Engine 20 3.4 Packet Sequence Pattern Detection Engine 29 3.5 Entropy-based Traffic Anomaly Detection Engine 33 Chapter 4 Experimental Methods and Results 35 4.1 Simulation Environment 35 4.2 Simulated Dataset Description 41 4.3 Results with Simulated Environment 46 4.4 Detection Results of Simulation Environment 60 4.5 Detection Framework Validation with Real-world Dataset 61 Chapter 5 Conclusion 63 5.1 Summary 63 5.2 Future Work 64 5.3 Closing Remarks 64 | - |
| dc.language.iso | eng | - |
| dc.publisher | The Graduate School, Ajou University | - |
| dc.rights | 아주대학교 논문은 저작권에 의해 보호받습니다. | - |
| dc.title | Multimodel-based Detection Framework for Robust Industrial Control Systems | - |
| dc.title.alternative | Multimodel-based Detection Framework for Robust Industrial Control Systems | - |
| dc.type | Thesis | - |
| dc.contributor.affiliation | 아주대학교 일반대학원 | - |
| dc.contributor.alternativeName | Seokjun Lee | - |
| dc.contributor.department | 일반대학원 컴퓨터공학과 | - |
| dc.date.awarded | 2017. 2 | - |
| dc.description.degree | Doctoral | - |
| dc.identifier.localId | 770673 | - |
| dc.identifier.url | http://dcoll.ajou.ac.kr:9080/dcollection/jsp/common/DcLoOrgPer.jsp?sItemId=000000024904 | - |
| dc.subject.keyword | Control System | - |
| dc.subject.keyword | Intrusion Detection | - |
| dc.subject.keyword | Anomaly Detection | - |
| dc.subject.keyword | Whitelist | - |
| dc.description.alternativeAbstract | As a number of attacks such as Stuxnet and BlackEnergy targeting the control system of critical infrastructure have happened, the importance of security enhancement for the facilities such as Industrial Control System (ICS) has emerged. In this thesis, we conduct effective Network Intrusion Detection System (NIDS) by reflecting the common characteristics of ICS environment that has a relatively regular communication between network nodes. In order to establish more effective detection models for ICS environment, we propose a multimodel-based detection framework which is combined with four anomaly detection engines: whitelist engine, single packet anomaly detection engine, packet sequence pattern detection engine, traffic anomaly detection engine. In detection, observing packets that have unidentified header, whitelist engine decides the packet as anomalies. The whitelist engine automatically construct whitelist from network packets based on pre-selected features from packet header. The single packet anomaly detection engine cope with the threats such as injection attacks, integrity attacks, malformed packet, etc. As learning-based single packet anomaly detection model, anomaly detection system uses a model constructed with a well-known learning method One Class SVM (OCSVM) and a newly proposed representative detection model invented for solving the limitation of OCSVM. We also consider the sequence of packets. The packet sequence pattern detection make a detection model with the packet sequences as like packet sequence pattern library with packet sequences from normal dataset with each protocols. This detection engine used for detecting anomalies which has a sequence problem such as packet out-of-order, packet duplication, packet loss. Finally, we consider the traffic anomaly detection for detect traffic anomalies such as burst of traffic, network scanning, packet flooding from a single node, etc. We demonstrate to validate our proposed detection framework using four detection engine on simulated ICS environment that reflects real-world traffic on Korean power grid. | - |
- Appears in Collections:
- Graduate School of Ajou University > Department of Computer Engineering > 4. Theses(Ph.D)
- Files in This Item:
- There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
-
- License
- STATISTICS
- Total Visit :3,784,192
- Total Download :1,819
- Today View :5,629
