Anomaly Detection Method Considering PLC Control Logic Structure for ICS Cyber Threat Detection

Abstract

Read online

Anomaly detection systems are being studied to detect cyberattacks in industrial control systems (ICSs). Existing ICS anomaly detection systems monitor network packets or operational data. However, these anomaly detection systems cannot detect control logic targeted attacks such as Stuxnet. Control logic tampering detection studies also exist, but they detect code modifications rather than determining whether the logic is normal. These tampering detection methods classify control logic as abnormal if any code modifications occur, even if the logic represents normal behavior. For this reason, this paper proposes an anomaly detection method that considers the structure of control logic. The proposed embedding method performs embedding based on control logic Instruction List (IL) code. The opcode and operand of IL code use separate embedding models. The embedded vectors are then sequentially combined to preserve the IL structure. The proposed method was validated using Long Short-Term Memory (LSTM), LSTM-Autoencoder, and Transformer models with a dataset of normal and malicious control logic. All models achieved an anomaly detection performance with an F1 score of at least 0.81. Additionally, models adopting the proposed embedding method outperformed those using conventional embedding methods by 0.088259. The proposed control logic anomaly detection method enables the model to learn the context and structure of control logic and identify code with inherent vulnerabilities.

Keywords

• industrial control systems
• anomaly detection
• control logic
• programmable logic controller cyber security