System and method for identifying application layer behavior

US 10,630,701 B2
Filed: 12/07/2017
Issued: 04/21/2020
Est. Priority Date: 11/29/2017
Status: Active Grant

First Claim

Patent Images

1. A system for identifying application layer behavior, comprising:

a storage, being configured to store a normal behavior status list;

a transmitter, being configured to intercept a current packet which is propagated between a master device and a slave device in an industrial control system and send information of the current packet for analysis; and

a processor electrically connected with the storage and the transmitter, being configured to determine a current status of the application layer behavior of the industrial control system by analyzing application layer data of the current packet and identify whether the current status of the application layer behavior is normal according to the normal behavior status list;

wherein the processor detects from the current packet a corresponding value stored for a corresponding parameter in a corresponding memory address among a plurality of memory addresses of the slave device, and determines the current status of the application layer behavior of the industrial control system according to the corresponding value and values stored in the slave device for other parameters in the parameter group to which the corresponding parameter belongs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for identifying application layer behavior are disclosed. In order to detect intrusion into an industrial control system, the system and method determine a current status of application layer behavior of the industrial control system by analyzing a current packet which is propagated between a master device and a slave device in the industrial control system, and identify whether the current status of the application layer behavior is normal according to a normal behavior status list.

25 Citations

12 Claims

1. A system for identifying application layer behavior, comprising:
- a storage, being configured to store a normal behavior status list;
  
  a transmitter, being configured to intercept a current packet which is propagated between a master device and a slave device in an industrial control system and send information of the current packet for analysis; and
  
  a processor electrically connected with the storage and the transmitter, being configured to determine a current status of the application layer behavior of the industrial control system by analyzing application layer data of the current packet and identify whether the current status of the application layer behavior is normal according to the normal behavior status list;
  
  wherein the processor detects from the current packet a corresponding value stored for a corresponding parameter in a corresponding memory address among a plurality of memory addresses of the slave device, and determines the current status of the application layer behavior of the industrial control system according to the corresponding value and values stored in the slave device for other parameters in the parameter group to which the corresponding parameter belongs.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system for identifying the application layer behavior of claim 1, wherein:
    - the transmitter is further configured to intercept a plurality of reference packets propagated between the master device and the slave device within a reference time interval and send information of the plurality of reference packets for analysis; and
      
      the processor is further configured to;
      
      detect from the plurality of reference packets a plurality of groups of reference values stored for a plurality of parameters respectively in the plurality of memory addresses of the slave device within the reference time interval;
      
      calculate a plurality of groups of correlation features of the plurality of groups of reference values respectively, calculate correlations between the plurality of parameters by analyzing the plurality of groups of correlation features, and divide the plurality of parameters into a plurality of parameter groups according to the correlations between the plurality of parameters; and
      
      calculate status feature combinations of parameters comprised in each of the plurality of parameter groups, and define all the calculated status feature combinations as a plurality of normal behavior statuses to create the normal behavior status list that records the plurality of normal behavior statuses.
  - 3. The system for identifying the application layer behavior of claim 2, wherein the processor analyzes the plurality of groups of correlation features through feature comparison processing.
  - 4. The system for identifying the application layer behavior of claim 2, wherein the processor analyzes the plurality of groups of correlation features through machine learning processing.
  - 5. The system for identifying the application layer behavior of claim 2, wherein each of the status feature combinations is related to at least one of a value dispersion degree, a value tendency and a value potential tendency.
  - 6. The system for identifying the application layer behavior of claim 1, wherein the industrial control system adopts a Modbus communication protocol.

7. A method for identifying application layer behavior, comprising the following steps:
- intercepting a current packet which is propagated between a master device and a slave device in an industrial control system and sending information of the current packet for analysis; and
  
  determining, by the system for identifying the application layer behavior, a current status of the application layer behavior of the industrial control system by analyzing application layer data of the current packet and identifying, by the system for identifying the application layer behavior, whether the current status of the application layer behavior is normal according to a normal behavior status list;
  
  wherein the system for identifying the application layer behavior detects from the current packet a corresponding value stored for a corresponding parameter in a corresponding memory address among a plurality of memory addresses of the slave device, and determines the current status of the application layer behavior of the industrial control system according to the corresponding value and values stored in the slave device for other parameters in the parameter group to which the corresponding parameter belongs.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method for identifying the application layer behavior of claim 7, further comprising:
    - intercepting a plurality of reference packets propagated between the master device and the slave device within a reference time interval and sending information of the plurality of reference packets for analysis;
      
      detecting, by the system for identifying the application layer behavior, from the plurality of reference packets a plurality of groups of reference values stored for a plurality of parameters respectively in the plurality of memory addresses of the slave device within the reference time interval;
      
      calculating, by the system for identifying the application layer behavior, a plurality of groups of correlation features of the plurality of groups of reference values respectively, calculating, by the system for identifying the application layer behavior, correlations between the plurality of parameters by analyzing the plurality of groups of correlation features, and dividing, by the system for identifying the application layer behavior, the plurality of parameters into a plurality of parameter groups according to the correlations between the plurality of parameters; and
      
      calculating, by the system for identifying the application layer behavior, status feature combinations of parameters comprised in each of the plurality of parameter groups, and defining, by the system for identifying the application layer behavior, all the calculated status feature combinations as a plurality of normal behavior statuses to create the normal behavior status list that records the plurality of normal behavior statuses.
  - 9. The method for identifying the application layer behavior of claim 8, wherein the system for identifying the application layer behavior analyzes the plurality of groups of correlation features through feature comparison processing.
  - 10. The method for identifying the application layer behavior of claim 8, wherein the system for identifying the application layer behavior analyzes the plurality of groups of correlation features through machine learning processing.
  - 11. The method for identifying the application layer behavior of claim 8, wherein each of the status feature combinations is related to at least one of a value dispersion degree, a value tendency and a value potential tendency.
  - 12. The method for identifying the application layer behavior of claim 7, wherein the industrial control system adopts a Modbus communication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Institute For Information Industry
Original Assignee
Institute For Information Industry
Inventors
Lin, Chih-Ta, Wu, Sung-Lin, Lee, Mei-Ling
Primary Examiner(s)
Zhao, Don G

Application Number

US15/835,377
Publication Number

US 20190166138A1
Time in Patent Office

866 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 23/024   Quantitative history assess...

H04L 63/1416   Event detection, e.g. attac...

System and method for identifying application layer behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

System and method for identifying application layer behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others