
Radio frequency based programmable logic controller anomaly detection.


Abstract

The research goal involved developing improved methods for securing Programmable Logic Controller (PLC) devices against unauthorized entry and mitigating the risk of Supervisory Control and Data Acquisition (SCADA) attack by detecting malicious software and/or trojan hardware. A Correlation Based Anomaly Detection (CBAD) process was developed to enable 1) software anomaly detection: discriminating between various operating conditions to detect malfunctioning or malicious software, firmware, etc., and 2) hardware component discrimination: discriminating between various hardware components to detect malfunctioning or counterfeit, trojan, etc., components.

Defense against software exploitation was implemented by 1) adopting a previously demonstrated capability that provides human-like discrimination of hardware devices using information extracted from intentional Radio Frequency (RF) emissions, and 2) adapting an RF-based verification methodology to exploit information in unintentional PLC emissions to detect anomalous operation resulting from software and/or hardware discrepancies and enhance SCADA security. Operational status verification (normal versus anomalous) is demonstrated using experimentally collected emissions from ten Allen Bradley SLC-500 PLCs executing custom Ladder Logic Programs (LLPs) designed to support the research methodology.

Performance for verification-based software anomaly detection was evaluated using the CBAD process. The CBAD verification process is sequence agnostic and can be used with untransformed Time Domain (TD) or transformed inputs, including those derived from untransformed TD, Hilbert transform (HT), and RF Distinct Native Attribute (RF-DNA) features. Relative to performance using untransformed TD sequences or RF-DNA features, CBAD performance using HT sequences was superior with an arbitrary Receiver Operating Characteristic (ROC) curve Equal Error Rate (EER) benchmark of EERB ≤ 10.0% achieved for all PLC devices at a Signal-to-Noise Ratio (SNR) of SNR = 0.0 dB; this benchmark was not achieved for any PLCs using untransformed TD sequences or RF-DNA features.

Performance for verification-based hardware anomaly detection was evaluated using a Generalized Relevance Learning Vector Quantized-Improved (GRLVQI) process with two input sequences, including one derived from TD RF-DNA features (NDim = 156 dimensions) and one from Correlation Domain (CD) features (NDim = 10 dimensions). For this assessment, ten Allen Bradley PLCs were divided into authorized/authentic and rogue/unknown groups containing five devices each. The GRLVQI model was trained using sequences from all authentic devices and each device in the unknown group was presented for verification against each of the authentic devices (25 total anomaly assessments). The GRLVQI anomaly detection capability was assessed using each of the two input sequence types and resultant performance was comparable. At SNR = 15.0 dB an average EER ≈ 1.3% was achieved for TD sequences as compared to an average EER ≈ 1.6% for the CD sequences; both sequence types satisfied the EERB ≤ 10.0% benchmark for all PLC devices. While the EER value for TD sequences is 0.3% lower than CD sequences, the TD sequence has nearly 16 times the number of elements as the CD sequence and a correspondingly greater amount of computational resources would be required in an operational implementation.

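Bibliographic record

  • Author

    Stone, Samuel J.;

  • Author affiliation

    Air Force Institute of Technology.;

  • Degree-granting institution: Air Force Institute of Technology.;
  • Discipline: Engineering Electronics and Electrical.
  • Degree: Ph.D.
  • Year: 2013
  • Pages: 131 p.
  • Total pages: 131
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification:
  • Keywords: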
