Hybrid-IDS-Based-On-ISA95

Hybrid-IDS-Based-On-ISA95

A hybrid intrusion detection system in industry 4.0 based on ISA95 standard Salwa Alem, David Espes, Eric Martin, Laurent Nana, Florent de Lamotte To cite this version: Salwa Alem, David Espes, Eric Martin, Laurent Nana, Florent de Lamotte. A hybrid intrusion detection system in industry 4.0 based on ISA95 standard. 2020. hal-02506109v2 HAL Id: hal-02506109 https://hal.archives-ouvertes.fr/hal-02506109v2 Preprint submitted on 8 Oct 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. A hybrid intrusion detection system in industry 4.0 based on ISA95 standard Salwa Alema;∗, David Espesb, Eric Martina, Laurent Nanab, Florent De Lamottea, aUniversity Bretagne Sud, Lab-STICC (Laboratoire des Sciences et Techniques de l'Information de la Communication et de la Connaissance), Lorient, France bUniversity of Western Brittany, Lab-STICC (Laboratoire des Sciences et Techniques de l'Information, de la Communication et de la Connaissance), Brest, France Abstract—Today with the emergence of an industrial In recent years, industries have been victims of attacks information system in industry of the future which includes the that came from the IT world and spread to the OT world connection between all trades, applications and the converged such as Stuxnet in Iran, Slammer in US, Shamoon in Saudi technologies between information technology and operational technology, cybersecurity has become urgent. Industrial Arabia, and Black energy in Ukraine [21]. Unfortunately, the Intrusion Detection System are no longer sufficient to counter OT world today does not have all the tools necessary to cyberattacks because of their natures, which is usually misuse, protect itself. Until now factories have mainly used firewalls and are unable to detect attacks that target the application as protection mechanisms that enforce access control. While layer of the Open Systems Interconnection model. Therefore, these mechanisms are very useful to restrict access to or from cybersecurity in industrial systems adopts known information technology security solutions, such as an Intrusion Detection some parts of the network, they cannot detect attacks. System which has to be modified, completed and adapted to Factories mainly use misuse IDS such as Suricata and Snort work in industrial field. We propose to deepen this approach as detection mechanisms. Their approach consists of searching by developing an adapted IDS to monitor industrial systems for the activity of the monitored element among known against illegitimate access and detect abnormal activities. For signatures attacks. The main advantage of this approach is this purpose, we expose in this paper our efficient hybrid intrusion detection solution based on International Society of that it allows the separation of the software from the signatures Automation 95 standard and neural network. Our research database, thus the update can be done independently. However, work is focused on Manufacturing Executive System which its major disadvantages are that the hackers can change these represents the central and main element in industry. signatures. Therefore, they are no longer recognized by the IDS. They need a daily update and the detect only previously Keywords: Industry 4.0, cyber physical system (CPS), intrusion detection system (IDS), ISA95, artificial intelligence. known attacks. In addition, this detection system depends on the quality of the signatures database. Both of Snort and I. INTRODUCTION Suricata have their specific limitations which discouraged us to use them. For instance, Snort is not suitable with high-speed Industry 4.0 is faced with several challenges which are networks, its decoders are limited, and its signatures base is summarized as flexibility, agility and corporate social responsi- unreliable [2]. Another kind of IDS is the behavioral one which bility requirements (CSR). The advent of this fourth industrial is used primarily in the IT world. Its implementation always generation means that all devices are connected and open to requires a learning phase during which it learns the normal the outside world, most data is deported and stored in media behavior of the monitored elements. Any other activity that other than the usual local hard drive such as in the Cloud, deviates from the normal behavior learned is considered as and the information technology (IT) world is specifically abnormal. The main added value of these IDS is the fact connected to the operational technology (OT) world. This that they detect unknown attacks like Zero-day attacks[22]. convergence is performed through the manufacturing executive The disadvantages of this technique are that it does not system (MES). The MES is the industrial management system assess the degree of criticality of the attack. In addition, with that bridges the gap between the information system (IS) at the this behavioral IDS it is difficult to define normal behavior top level of the factory, namely enterprise resource planning especially in the IT world which changes all the time. Because (ERP) and the field level called the automation systems of this last disadvantage, it generates a lot of false positives. [1]. It centralizes all information concerning the production, There some IDS which are both misuse and behavioral such maintenance, stock and products quality. Now that this border as Bro but the problem with Bro the fact that it is difficult is open, any attacks made in the past in the IT world can be to set up and configure because of its used scripting language replayed in the OT world. The notion of cybersecurity has and the need to have a solid knowledge in UNIX environment become an urgent need in industry of the future. to handle it [2]. *Corresponding author. For all of the elements previously mentioned and thanks to Email address: [email protected] MESA model (see Fig 1) that gives us a succession of transac- tions, step by step at the physical level, to realize a production for detecting intrusions. As for IDS, their main function is order (PO), we can easily define a reference behavior on which the attacks detection using either the misuse approach or the a hybrid IDS can be based. This model defines a general behavioral approach. request-response cycle that starts with requests or schedules, To be effective, both of them have to work in a complemen- converts them into a work schedule, dispatches work according tary way to each other. Firewalls represent the first security to the schedule, manages the execution of work, collects data barrier allowing control access and IDS strengthens further and converts the collected data back into responses [3]. security by analyzing flows authorized by firewalls. An IDS Our approach is composed of two steps. The first step is are mainly used in the IT world due to their working process our semantic IDS based on the MESA model which enables that we will explain later in this section. IDS can be classified the first of verification by checking the anomalies related according to the approach used in two kinds of IDS: either to the execution of the PO at the application level of the misuse or behavioral. industrial information system (IIS) and not at the machine • Misuse IDS is based on a set of attack descriptions, also (field level). By studying this model, our proposed IDS can called attack signatures [11]. It consists of defining attack detect 13 anomalies. In the second step, we use network scenarios and looking for traces of these scenarios. It traffic to train our neural network. Hence, we are able to uses either the machine log and this is called HIDS (Host distinguish anomalies from a real intrusion and reduce false Intrusion Detection System), or NIDS (Network Intrusion positives thanks to MESA model which takes into account Detection System). Misuse IDS are the most commonly several anomalies related to the equipment maintenance or used in industry. the stock for example. The paper is organized as follows. • Behavioral IDS relates to models of the normal behavior Section 1 provides a context and positioning of our research of a computer system [12]. The principle of this approach work. Section 2 discusses related works. Section 3 presents is to define a behavior reference representing the normal our approach including its two steps. Section 4 explains the behavior, then any activity which deviates from this experimentation environment and illustrates results. The paper reference behavior is considered as an intrusion. is completed by a conclusion and perspectives. Due to the MESA Model, using a behavioral IDS is now II. CONTEXT AND POSITIONING possible. This model is an abstract model of an industry A. Research work positioning including management and execution functions, different ac- tivities allowing the planning and execution of a PO and Today’s industries need a strong security strategy. Firewalls the various information exchanges between these activities. and antivirus protection are not enough efficient to protect Therefore, the planning and execution of a PO follow an against elaborate attacks. Their protection abilities are very accurate model that is considered by behavioral IDS as a limited and allow only the access control. Misuses IDS are reference. This model is explained in details in the next limited because of their inability to detect attacks that do not section. belong to their signature databases. For all these reasons, our research focuses on behavioral IDS for overall efficiency going C. TOWARDS AN EFFICIENT IDS BASED ON THE ISA95 up to the application layer using AI techniques.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us