Intrusion detection method for control logic injection attack against programmable logic controller

doi:10.11772/j.issn.1001-9081.2022050914

Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (6): 1861-1869.DOI: 10.11772/j.issn.1001-9081.2022050914

Special Issue: 网络空间安全

• Cyber security • Previous Articles Next Articles

Intrusion detection method for control logic injection attack against programmable logic controller

Yiting SUN¹^,², Yue GUO³(), Changjin LI³, Hongjun ZHANG³, Kang LIU⁴, Junjiao Liu¹^,², Limin SUN¹^,²

^1.Beijing Key Laboratory of IOT Information Security Technology （Institute of Information Engineering，Chinese Academy of Sciences），Beijing 100093，China
^2.School of Cyber Security，University of Chinese Academy of Sciences，Beijing 100049，China
^3.Xuchang Cigarette Factory，Henan Zhongyan Industry Company Limited，Xuchang Henan 461000，China
^4.Henan Xintuotu Information Technology Company Limited，Zhengzhou Henan 450000，China

Received:2022-06-27 Revised:2022-08-10 Accepted:2022-08-11 Online:2022-09-23 Published:2023-06-10
Contact: Yue GUO
About author:SUN Yiting， born in 1996， M. S. candidate. Her research interests include industrial control security.
LI Changjin， born in 1972， engineer. His research interests include silk making equipment and technology in tobacco industry.
ZHANG Hongjun， born in 1974， engineer. His research interests include silk making equipment and technology in tobacco industry.
LIU Kang， born in 1991. His research interests include communication management in tobacco industry.
LIU Junjiao， born in 1992， Ph. D. candidate. His research interests include industrial control security.
SUN Limin， born in 1966， Ph. D.， professor. His research interests include industrial control security.
Supported by:
National Natural Science Foundation of China(61702506)

可编程逻辑控制器的控制逻辑注入攻击入侵检测方法

孙怡亭¹^,², 郭越³(), 李长进³, 张红军³, 刘康⁴, 刘俊矫¹^,², 孙利民¹^,²

^1.物联网信息安全技术北京市重点实验室(中国科学院信息工程研究所), 北京 100093
^2.中国科学院大学网络空间安全学院, 北京 100049
^3.河南中烟工业有限责任公司许昌卷烟厂, 河南许昌 461000
^4.河南新拓途信息技术有限公司, 郑州 450000

通讯作者: 郭越
作者简介:孙怡亭（1996—），女，甘肃白银人，硕士研究生，主要研究方向：工控安全
郭越（1976—），男，河南长垣人，工程师，主要研究方向：设备管理Email：907279615@qq.com
李长进（1972—），男，河南许昌人，工程师，主要研究方向：烟草行业制丝设备及工艺
张红军（1974—），男，河南许昌人，工程师，主要研究方向：烟草行业制丝设备及工艺
刘康（1991—），男，河南新乡人，主要研究方向：烟草行业通信管理
刘俊矫（1992—），男，山东烟台人，博士研究生，主要研究方向：工控安全
孙利民（1966—），男，北京人，教授，博士，主要研究方向：工控安全。
基金资助:
国家自然科学基金资助项目(61702506)

Abstract

Abstract:

Control logic injection attack against Programmable Logic Controller （PLC） manipulate the physical process by tampering with the control program， thereby achieving the purpose of affecting the control process or destroying the physical facilities. Aiming at PLC control logic injection attacks， an intrusion detection method based on automatic whitelist rules generation was proposed， called PLCShield （Programmable Logic Controller Shield）. Based on the fact that PLC control program carries comprehensive and complete physical process control information， the proposed method mainly includes two stages： firstly， by analyzing the PLC program’s configuration file， instruction function， variable attribute， execution path and other information， the detection rules such as program attribute， address， value range and structure were extracted； secondly， combining actively requesting a “snapshot” of the PLC’s running and passively monitoring network traffic was used to obtain real-time information such as the current running status of PLC and the operation and status in the traffic， and the attack behavior was identified by comparing the obtained information with the detection rules. Four PLCs of different manufacturers and models were used as research cases to verify the feasibility of PLCShield. Experimental results show that the attack detection accuracy of the proposed method can reach more than 97.71%. The above prove that the proposed method is effective.

Key words: Programmable Logic Controller (PLC), control logic, injection attack, whitelist mechanism, attack detection

摘要：

可编程逻辑控制器（PLC）的控制逻辑注入攻击通过篡改控制程序操纵物理过程，从而达到影响控制过程或破坏物理设施的目的。针对PLC控制逻辑注入攻击，提出了一种基于白名单规则自动化生成的入侵检测方法PLCShield （Programmable Logic Controller Shield）。所提方法以PLC控制程序承载着全面、完整的物理过程控制信息为依据，主要包括两个阶段：首先，通过分析PLC程序的配置文件、指令功能、变量属性和执行路径等信息，提取程序属性、地址、值域和结构等检测规则；其次，采用主动请求PLC的运行“快照”和被动监听网络流量结合的方式，实时获取PLC当前的运行状态和流量中的操作、状态等信息，并通过对比得到的信息与检测规则识别攻击行为。以4款不同厂商和型号的PLC作为研究案例验证PLCShield的可行性，实验结果表明所提方法的攻击检测准确度达到97.71%以上，验证了所提方法的有效性。

关键词: 可编程逻辑控制器, 控制逻辑, 注入攻击, 白名单机制, 攻击检测

CLC Number:

TP393.08

Yiting SUN, Yue GUO, Changjin LI, Hongjun ZHANG, Kang LIU, Junjiao Liu, Limin SUN. Intrusion detection method for control logic injection attack against programmable logic controller[J]. Journal of Computer Applications, 2023, 43(6): 1861-1869.

孙怡亭, 郭越, 李长进, 张红军, 刘康, 刘俊矫, 孙利民. 可编程逻辑控制器的控制逻辑注入攻击入侵检测方法[J]. 《计算机应用》唯一官方网站, 2023, 43(6): 1861-1869.

Figures/Tables 18

References 25

1	STOUFFER K， FALCO J， SCARFONE K， et al. Guide to Industrial Control Systems （ICS） security： NIST Special Publication 800-82 Revision 2 ［EB/OL］. （2015-05）［2022-03-11］..
2	LANGNER R. Stuxnet： dissecting a cyberwarfare weapon［J］. IEEE Security and Privacy， 2011， 9（3）： 49-51. 10.1109/msp.2011.67
3	LEE R M， ASSANTE M J， CONWAY T. Analysis of the cyber attack on the Ukrainian power grid： defense use case： traffic light protocol： white［EB/OL］. （2016-03-18）［2022-03-11］..
4	SENTHIVEL S， DHUNGANA S， YOO H， et al. Denial of engineering operations attacks in industrial control systems［C］// Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. New York： ACM， 2018： 319-329. 10.1145/3176258.3176319
5	KALLE S， AMEEN N， YOO H， et al. CLIK on PLCs！ attacking control logic with decompilation and virtual PLC ［C］// Proceedings of the 2019 Workshop on Binary Analysis Research. Reston， VA： Internet Society， 2019： 1-12. 10.14722/bar.2019.23074
6	KLICK J， LAU S， MARZIN D， et al. Internet-facing PLCs — a new back orifice ［C/OL］// Proceedings of the 2015 Blackhat USA ［2022-03-11］.. 10.1109/cns.2015.7346865
7	YOO H， AHMED I. Control logic injection attacks on industrial control systems［C］// Proceedings of the 2019 IFIP International Conference on ICT Systems Security and Privacy Protection， IFIPAICT 562. Cham： Springer， 2019： 33-48. 10.1007/978-3-030-22312-0_3
8	International Electrotechnical Commission. Programmable controllers — part 3： programming languages： IEC 61131-3 ［S］. Rosslyn， VA： National Electrical Manufacturers Association， 2005.
9	SUN R M， MERA A， LU L， et al. SoK： attacks on industrial control logic and formal verification-based defenses［C］// Proceedings of the 2021 IEEE European Symposium on Security and Privacy. Piscataway： IEEE， 2021： 385-402. 10.1109/eurosp51992.2021.00034
10	SPENNEBERG R， BRÜGGEMANN M， SCHWARTKE H. PLC-blaster： a worm living solely in the PLC ［C/OL］// Proceedings of the 2016 Black Hat Asia ［2022-03-11］..
11	GOVIL N， AGRAWAL A， TIPPENHAUER N O. On ladder logic bombs in industrial control systems ［C］// Proceedings of the 2017 International Workshop on Security and Privacy Requirements Engineering/ International Workshop on the Security of Industrial Control Systems and Cyber-Physical Systems， LNCS 10683. Cham： Springer， 2018： 110-126.
12	SENTHIVEL S， AHMED I， ROUSSEV V. SCADA network forensics of the PCCC protocol ［J］. Digital Investigation， 2017， 22： S57-S65. 10.1016/j.diin.2017.06.012
13	MALCHOW J O， MARZIN D， KLICK J， et al. PLC Guard： a practical defense against attacks on cyber-physical systems［C］// Proceedings of the 2015 IEEE Conference on Communications and Network Security. Piscataway： IEEE， 2015： 326-334. 10.1109/cns.2015.7346843
14	ABBASI A， HOLZ T， ZAMBON E， et al. ECFI： asynchronous control flow integrity for programmable logic controllers［C］// Proceedings of the 33rd Annual Computer Security Applications Conference. New York： ACM， 2017： 437-448. 10.1145/3134600.3134618
15	Bond Digital. Quickdraw-Snort： digital Bond’s IDS/IPS rules for ICS and ICS protocols［EB/OL］. （2020-10-03）［2022-03-11］..
16	YOO H， KALLE S， SMITH J， et al. Overshadow PLC to detect remote control-logic injection attacks ［C］// Proceedings of the 2019 International Conference on Detection of Intrusions and Malware， and Vulnerability Assessment， LNCS 11543. Cham： Springer， 2019： 109-132.
17	NEWELL J， PANG L N， TREMAINE D， et al. Translation of IEC 61131-3 function block diagrams to PVS for formal verification with real-time nuclear application［J］. Journal of Automated Reasoning， 2018， 60（1）： 63-84. 10.1007/s10817-017-9415-7
18	ZHANG M， CHEN C Y， KAO B C， et al. Towards automated safety vetting of plc code in real-world plants ［C］// Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2019： 522-538. 10.1109/sp.2019.00034
19	JANICKE H， NICHOLSON A， WEBBER S， et al. Runtime-monitoring for industrial control systems［J］. Electronics， 2015， 4（4）： 995-1017. 10.3390/electronics4040995
20	McLAUGHLIN S E， ZONOUZ S A， POHLY D J， et al. A trusted safety verifier for process controller code ［C］// Proceedings of the 2014 Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2014： 1-15. 10.14722/ndss.2014.23043
21	CHANG T Y， WEI Q， LIU W W， et al. Detecting PLC program malicious behaviors based on state verification ［C］// Proceedings of the 2018 International Conference on Cloud Computing and Security， LNCS 11067. Cham： Springer， 2018： 241-255.
22	FERNÁNDEZ ADIEGO B， DARVAS D， BLANCO VIÑUELA E， et al. Applying model checking to industrial-sized PLC programs［J］. IEEE Transactions on Industrial Informatics， 2015， 11（6）： 1400-1410. 10.1109/tii.2015.2489184
23	CHADWICK S， JAMES P， ROGGENBACH M， et al. Formal methods for industrial interlocking verification ［C］// Proceedings of the 2018 International Conference on Intelligent Rail Transportation. Piscataway： IEEE， 2018： 1-5. 10.1109/icirt.2018.8641579
24	RAWLINGS B C， WASSICK J M， YDSTIE B E. Application of formal verification and falsification to large-scale chemical plant automation systems［J］. Computers and Chemical Engineering， 2018， 114： 211-220. 10.1016/j.compchemeng.2017.11.004
25	中国科学院信息工程研究所. PLC控制逻辑攻击检测方法及装置： 202111306385.0 ［P］. 2022-04-19.
	Institute of Information Engineering，Chinese Academy of Sciences. PLC control logic attack detection method and device： 202111306385.0 ［P］. 2022-04-19.

文件类型	含义	文件类型	含义
0x03	配置文件	0x87	计数器
0x22	控制逻辑	0x88	控制位
0x82	输出	0x89	整型
0x83	输入	0x8A	浮点数
0x84	状态	0x8E	ASCII
0x85	二进制位	0x8D	字符串
0x86	计时器	0x93	PID

文件类型	含义	文件类型	含义
0x03	配置文件	0x87	计数器
0x22	控制逻辑	0x88	控制位
0x82	输出	0x89	整型
0x83	输入	0x8A	浮点数
0x84	状态	0x8E	ASCII
0x85	二进制位	0x8D	字符串
0x86	计时器	0x93	PID

存储位置/B	存储内容	存储位置/B	存储内容
1~2	文件类型	5~6	文件起始地址
3~4	大小	7~10	填充字段

存储位置/B	存储内容	存储位置/B	存储内容
1~2	文件类型	5~6	文件起始地址
3~4	大小	7~10	填充字段

梯级结构字段	字段含义	大小/B
Rung start	梯级起始	2
Rung Signature	梯级签名	2
Rung size	梯级大小	2
Instruction Type	操作码	2
File No	文件号	1
Word Offset	字偏移量	2
Bit Address	位地址	2

Intrusion detection method for control logic injection attack against programmable logic controller

可编程逻辑控制器的控制逻辑注入攻击入侵检测方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 25

Related Articles 13

Recommended Articles

Metrics

IL指令	二进制指令	IL指令	二进制指令
MOV	00 70	OTE	00 BC
AND	00 8C	MUL	00 A4
OR	00 90	DIV	00 A8
JMP	00 58	TOD	01 48
END	00 30	MVM	00 98
SUB	00 A0	XOR	00 94
XIC	00 E4	NOT	00 6C
LIM	00 FC	AIC	01 FC
ADD	00 9C	JSR	00 54
SQR	01 18	RET	00 24
XIO	00 E8	LBL	00 EC

文件类型	大小/B	起始地址
配置文件	412	0x4e00
程序块LAD2	30	0x52aa
程序块LAD3	92	0x52c8
程序块LAD4	16	0x5324
程序块LAD5	32	0x5334
程序块LAD6	80	0x5354

数据类型	物理地址
整型INTEGER	N：7/0
整型INTEGER	N：7/17
计时器TIMER	T4：34

指令名	西门子S7 300/S7 400			施耐德M221				MicroLogix 1400
指令名	TIA （指令数目）	反编译（指令数目）	准确度/%	指令名	So Machine Basic （指令数目）	反编译（指令数目）	准确度/%	指令名	RSLogix 500 （指令数目）	反编译（指令数目）	准确度/%
A	330	330	100	LD	540	540	100	XIC	462	462	100
JU	46	46	100	LDN	151	151	100	XIO	257	257	100
CLR	10	10	100	AND	164	164	100	OTE	82	82	100
R	27	27	100	ANDN	52	52	100	TON	125	125	100
NOP	67	67	100	ANDR	81	81	100	MCR	5	5	100
JL	8	8	100	ANDF	3	3	100	LEQ	3	3	100
UC	51	51	100	LDR	21	21	100	ADD	2	2	100
T	52	52	100	R	16	16	100	SUB	11	11	100
=	159	159	100	AND（	58	58	100	MUL	4	4	100
OPN	33	33	100	）	11	11	100	JSR	53	53	100
AN	81	81	100	BLK	32	32	100	EQU	8	8	100
O	64	64	100	OUT_BLK	32	32	100	OTU	15	15	100
ON	21	21	100	END_BLK	32	32	100	END	97	97	100

攻击样本种类	攻击次数	告警次数	西门子S7 300/S7 400			施耐德M221			MicroLogix 1400
攻击样本种类	攻击次数	告警次数	检测精度/ %	误报率/%	漏报率/%	检测精度/ %	误报率/%	漏报率/%	检测精度/ %	误报率/%	漏报率/%
恶意程序完全覆盖	300	300	100.00	0.00	0.00	100.00	0.00	0.00	100.00	0.00	0.00
注入/删除/替换程序块	482	482	100.00	0.00	0.00	100.00	0.00	0.00	100.00	0.00	0.00
块级控制流劫持	240	237	100.00	0.00	0.00	97.14	0.00	3.33	99.29	0.00	1.11
注入/删除梯级	384	384	100.00	0.00	0.00	100.00	0.00	0.00	100.00	0.00	0.00
非法地址读/写操作	921	943	99.01	1.57	0.24	92.50	6.89	8.67	97.84	2.29	2.79
恶意指令注入/篡改	945	907	97.71	2.72	1.68	94.40	1.87	7.31	97.14	1.06	3.98
非法数据篡改	675	666	98.55	0.66	3.53	94.39	4.95	6.29	96.75	2.41	4.24
碎片噪声填充攻击	226	222	98.76	0.00	1.64	98.82	0.00	1.81	98.49	0.00	1.81

[1]	Zihao YAO, Yuanming LI, Ziqiang MA, Yang LI, Lianggen WEI. Multi-object cache side-channel attack detection model based on machine learning [J]. Journal of Computer Applications, 2024, 44(6): 1862-1871.
[2]	Jihui LIU, Chengwan HE. Online detection of SQL injection attacks based on ECA rules and dynamic taint analysis [J]. Journal of Computer Applications, 2023, 43(5): 1534-1542.
[3]	Xiangju LIU, Xiaobao LU, Xianjin FANG, Linsong SHANG. Low-rate denial-of-service attack detection method under software defined network environment [J]. Journal of Computer Applications, 2022, 42(4): 1301-1307.
[4]	LIU Xiangju, LIU Pengcheng, XU Hui, ZHU Xiaojuan. Distributed denial of service attack detection method based on software defined Internet of things [J]. Journal of Computer Applications, 2020, 40(3): 753-759.
[5]	TIAN Jiwei, WANG Buhong, SHANG Fute. False data injection attacks based on robust principal component analysis in smart grid [J]. Journal of Computer Applications, 2017, 37(7): 1943-1947.
[6]	CHEN Hong, WAN Guangxue, XIAO Zhenjiu. Intrusion detection method of deep belief network model based on optimization of data processing [J]. Journal of Computer Applications, 2017, 37(6): 1636-1643.
[7]	ZHANG Ye, LU Yuliang. Control flow analysis method of PLC program [J]. Journal of Computer Applications, 2017, 37(12): 3581-3585.
[8]	MAN Yujia, YIN Qing, ZHU Xiaodong. Fine-grained data randomization technique based on field-sensitive pointer analysis [J]. Journal of Computer Applications, 2016, 36(6): 1567-1572.
[9]	WEN Liang, JIANG Wei, PAN Xiong, ZHOU Keran, DONG Qi, WANG Junlong. Optimization design of preventing fault injection attack on distributed embedded systems [J]. Journal of Computer Applications, 2016, 36(2): 495-498.
[10]	LIU Dai-fei DUAN Hua-yan ZHU Meng-zi. Development and application of intelligent control system for post parcel servo based on Modbus protocol [J]. Journal of Computer Applications, 2012, 32(05): 1477-1480.
[11]	LIU Qing-lin MENG Ke LI Su-feng. Attack detection method based on statistical process control in collaborative recommender system [J]. Journal of Computer Applications, 2012, 32(03): 707-709.
[12]	Yang Su . Detecting worms based on candidate combination frequent pattern in Internet backbones [J]. Journal of Computer Applications, 2009, 29(1): 178-180.
[13]	WANG Sheng,SUN Le-chang,GAN Guo-zheng. Application research based on Granger causality test for attack detection [J]. Journal of Computer Applications, 2005, 25(06): 1282-1285.