Title: Network Based Fingerprinting Techniques for Industrial Control Systems
Committee:
Dr. Raheem Beyah, Chair, Advisor
Dr. John Copeland, Co-Advisor
Dr. Henry Owen, ECE
Dr. Yusun Chang, ECE
Dr. Alenka Zajic, ECE
Dr. Saman Zonouz
Abstract:
Fingerprinting techniques operating over the network were proposed to identify various aspects of industrial control systems (ICSs), including software, hardware, and physical devices. First, a detailed traffic characterization was performed on several power substation networks to guide the development of the techniques. Round trip times for the resource-starved embedded devices were observed to be heavily clustered by device type regardless of the physical distance between them, suggesting that they were dominated by processing time rather than propagation delay. This insight led to the development of cross-layer response time fingerprinting, which passively identifies device types from the processing time between TCP-level acknowledgments and application-layer responses, with classification accuracy reaching 99% on real-world substation traffic.

Complementing these techniques by addressing a different aspect of ICS networks, methods were developed to fingerprint the physical devices of the ICS. Previous work on physical fingerprinting was extended to improve relay classification from 92% to 100% and to broaden the scope of the methods to valves, motors, and pumps. Building on the idea behind the cross-layer response time methods, techniques were explored that expand the scope to general programmable logic controllers by generating program fingerprints from the execution times of control programs. The security of this technique was enhanced by the addition of proof-of-work functions, which provide an upper-bound guarantee that no additional instructions are being executed in the program. The performance of all the fingerprinting techniques was discussed with respect to their potential to contribute to a holistic, ICS-specific intrusion detection system.
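The cross-layer response time idea described in the abstract, as an added illustration that is not part of the dissertation or the announcement: the script below pairs each device's empty TCP acknowledgment with the application-layer reply that follows it, takes the difference as an estimate of on-device processing time (the network path is shared by both packets, so propagation delay largely cancels), and then labels an unknown device by the nearest per-type centroid. The packet events, device names ("relay_A", "rtu_B", "dev_X"), type labels and the nearest-centroid classifier are all constructed assumptions for the example; the dissertation's actual feature set and classifier are not reproduced here.

```python
from statistics import mean, median
from typing import Dict, List, Tuple

# An observed packet event: (timestamp in seconds, source, destination, kind).
Event = Tuple[float, str, str, str]

# Constructed sample traffic (not a real capture). A master station polls
# three devices. Kinds: "request" (master -> device, application-layer poll),
# "tcp_ack" (device -> master, TCP ACK carrying no payload), "response"
# (device -> master, application-layer reply). "relay_A" and "rtu_B" have
# known types and serve as training data; "dev_X" is the device to classify.
EVENTS: List[Event] = [
    (0.000, "master", "relay_A", "request"),
    (0.004, "relay_A", "master", "tcp_ack"),
    (0.016, "relay_A", "master", "response"),   # processing delta 0.012 s
    (0.100, "master", "rtu_B", "request"),
    (0.103, "rtu_B", "master", "tcp_ack"),
    (0.143, "rtu_B", "master", "response"),     # processing delta 0.040 s
    (1.000, "master", "relay_A", "request"),
    (1.005, "relay_A", "master", "tcp_ack"),
    (1.018, "relay_A", "master", "response"),   # processing delta 0.013 s
    (1.100, "master", "rtu_B", "request"),
    (1.102, "rtu_B", "master", "tcp_ack"),
    (1.143, "rtu_B", "master", "response"),     # processing delta 0.041 s
    (2.000, "master", "dev_X", "request"),
    (2.007, "dev_X", "master", "tcp_ack"),
    (2.019, "dev_X", "master", "response"),     # processing delta 0.012 s
    (2.500, "master", "dev_X", "request"),
    (2.503, "dev_X", "master", "tcp_ack"),
    (2.516, "dev_X", "master", "response"),     # processing delta 0.013 s
]

# Hypothetical ground-truth labels for the training devices.
KNOWN_TYPES: Dict[str, str] = {"relay_A": "relay", "rtu_B": "rtu"}


def cross_layer_deltas(events: List[Event]) -> Dict[str, List[float]]:
    """Per device, the time between its TCP ACK and the application-layer
    response that follows it. Only a request resets the pending ACK, so a
    stray ACK that is not followed by a response is never paired."""
    pending_ack: Dict[str, float] = {}
    deltas: Dict[str, List[float]] = {}
    for ts, src, dst, kind in sorted(events):
        if kind == "request":
            pending_ack.pop(dst, None)          # new poll: forget older ACKs
        elif kind == "tcp_ack":
            pending_ack[src] = ts
        elif kind == "response" and src in pending_ack:
            delta = round(ts - pending_ack.pop(src), 6)
            deltas.setdefault(src, []).append(delta)
    return deltas


def fit_centroids(deltas: Dict[str, List[float]],
                  labels: Dict[str, str]) -> Dict[str, float]:
    """Training step: mean processing delta for each known device type."""
    by_type: Dict[str, List[float]] = {}
    for dev, ds in deltas.items():
        if dev in labels:
            by_type.setdefault(labels[dev], []).extend(ds)
    return {dev_type: mean(ds) for dev_type, ds in by_type.items()}


def classify(deltas: List[float], centroids: Dict[str, float]) -> str:
    """Nearest-centroid label for a device, using the median delta so a
    single retransmission or scheduler hiccup does not dominate."""
    m = median(deltas)
    return min(centroids, key=lambda dev_type: abs(centroids[dev_type] - m))


def classify_unknowns(events: List[Event],
                      labels: Dict[str, str]) -> Dict[str, str]:
    """Label every device that has no known type."""
    deltas = cross_layer_deltas(events)
    centroids = fit_centroids(deltas, labels)
    return {dev: classify(ds, centroids)
            for dev, ds in deltas.items() if dev not in labels}


if __name__ == "__main__":
    print(cross_layer_deltas(EVENTS))
    print(classify_unknowns(EVENTS, KNOWN_TYPES))   # {'dev_X': 'relay'}
```

In an intrusion detection setting the same deltas serve a second purpose: once a device's type is known, a sustained shift of its processing time away from the type's centroid is a signal worth investigating, since a replaced or tampered endpoint rarely reproduces the original device's timing profile.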