University of Twente Student Theses


Detecting anomalies in programmable logic controllers through parameter modeling

Raghuraman, C. (2021) Detecting anomalies in programmable logic controllers through parameter modeling.

Abstract: Industrial Control Systems (ICS) are used to control and automate critical processes in various industrial sectors. Programmable Logic Controllers (PLCs) are a major component within the ICS infrastructure and are used to control logical operations within the system. With the increase of attacks on ICS in recent years, there is a need for robust security solutions in this domain. ICS have different components that are manufactured by various vendors, and therefore, a security solution for ICS must be compatible across a variety of proprietary hardware and software systems. Most ICS security mechanisms are deployed at the higher levels of the ICS setup, making it difficult to secure critical lower-level devices such as the PLCs. This thesis proposes an anomaly detection mechanism for ICS that is based on the input and output values of the PLC. This solution views the PLC as a "black-box", thereby enabling its deployment on any PLC, irrespective of the PLC’s manufacturer. One-Class Support Vector Machine (OCSVM) is a semi-supervised machine learning algorithm and is used in this thesis to model the parameters of the PLC during normal or baseline functioning. The OCSVM is trained to be sensitive to changes in the PLC’s parameters and it classifies PLC data as inliers or outliers. Outlier detection or anomaly detection by the OCSVM indicates that the PLC data has to be investigated further to determine if said outlier or anomaly is an indication of any malicious activity in the ICS environment. The mechanism proposed in this thesis is tested on two different ICS environments, namely Fortiphyd and Elite Town. Attacks are simulated on both environments to acquire necessary data and the performance of the OCSVM on both ICS setups is analyzed during the training phase and the testing phase.
The results from the experiments support the working of the anomaly detection mechanism proposed in this thesis and its advantages and provide some directions for further improvement and future work.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/88654