ICSTrace: A Malicious IP Traceback Model for Attacking Data of Industrial Control System
This addresses security for industrial control systems by enabling traceback of organized attacks, though it appears incremental as it builds on existing IP traceback methods.
The authors tackled the problem of tracing malicious IP addresses in industrial control systems by developing ICSTrace, a model that extracts and clusters attack patterns from protocol data, and demonstrated its effectiveness using real-world honeypot data.
Considering the attacks against industrial control system are mostly organized and premeditated actions, IP traceback is significant for the security of industrial control system. Based on the infrastructure of the Internet, we have developed a novel malicious IP traceback model-ICSTrace, without deploying any new services. The model extracts the function codes and their parameters from the attack data according to the format of industrial control protocol, and employs a short sequence probability method to transform the function codes and their parameter into a vector, which characterizes the attack pattern of malicious IP addresses. Furthermore, a Partial Seeded K-Means algorithm is proposed for the pattern's clustering, which helps in tracing the attacks back to an organization. ICSTrace is evaluated basing on the attack data captured by the large-scale deployed honeypots for industrial control system, and the results demonstrate that ICSTrace is effective on malicious IP traceback in industrial control system.