
Prevention of malware propagation in AMI


Abstract

Malware can disrupt the operation of services in advanced metering infrastructure (AMI), which is at risk due to connectivity with the global Internet. In motion, malware may hide within the data payloads of legitimate AMI control traffic, implying the need for deep packet inspection. Some of the inspections one may make look for consistency with respect to data available only at the application layer, requiring one to position the analysis high in the protocol stack. Towards this end, we propose a policy engine that examines both ingress and egress traffic to the AMI application layer. Policy engine rules may refer to the structure and behavior of the AMI protocol, and may also perform multi-stage analysis of data payloads looking for evidence that executable code is carried, rather than data. Our experimental results demonstrate that the policy engine is able to accurately distinguish between legitimate traffic and malware-bearing traffic.