Skip to main content
Publication

Overshadow Plc to Detect Remote Control-logic Injection Attacks

by Hyunguk Yoo, Sushma Kalle, Jared M Smith, Irfan Ahmed
Publication Type
Conference Paper
Journal Name
Lecture Notes in Computer Science
Book Title
Detection of Intrusions and Malware, and Vulnerability Assessment
Publication Date
Page Numbers
109 to 132
Volume
11543
Issue
DIMVA 2019
Conference Name
International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)
Conference Location
Gothenburg, Sweden
Conference Sponsor
Special Interest Group in Security – Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI)
Conference Date
-

Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as nuclear plants, power grids, and gas pipelines. Control logic attacks have been studied extensively in the literature, including hiding the transfer of a control logic over the network from both packet header-based signatures, and deep packet inspection. For instance, these attacks transfer a control logic code as data, into small fragments (one-byte per packet), that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of a control logic code, such as number of rungs, number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, Modicon M221 and MicroLogix 1400 from two ICS vendors, Schneider electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identifying at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.