Research area: Networking
Conference: International Conference on Applied Cryptography and Network Security
Digitization of industry comes along with improvements for modern production, because the processes can be influenced, monitored and coordinated. A digitized facility needs the possibility of communication between distributed nodes, e.g. to react to events or to provide useful information to adjust the production process. However, processes of communication can be misused by attackers. Security holes in different information systems can be found by third parties and exploited. Thus, growing data exchange needs growing security of communication. Modern intrusion detection systems (IDS) often do not fulfill the requirements of industrial systems, because they either neglect safety aspects, are not failure resistant, or interrupt the data flow. The aim of this paper is to propose improvements regarding all those issues. In this paper, an online intrusion detection system architecture for industrial Ethernet is researched on an industrial line testbed. In the current work, the requirements for intrusion detection in an industrial environment are analyzed, and a hardware architecture to carry out online intrusion detection for Ethernet-based connections using a passive sniffer approach is proposed. The data is processed in-place in a microcontroller. For the developed platform, an intrusion detection algorithm using the self-organizing map algorithm was implemented. The model has to be trained with normal vectors in a semi-supervised way. A prototype of the proposed architecture is evaluated on an industrial line testbed (cyber-physical factory) using TCP/IP/Ethernet header analysis. The proposed IDS, which is based on two microcontrollers, monitors an Ethernet 100-BaseTX cable and was able to detect TCP port scans, remote denial-of-service exploits and ARP cache poisoning which targeted the programmable logic controller in an industrial testbed. The proposed architecture can be used for online intrusion detection under speed restrictions.
| Publication year | 2021 |
|---|---|
| Citations | 0 |
| Country of publication | Germany |
| Site | Springer |