ICSTrace: A Malicious IP Traceback Model for Attacking Data of Industrial Control System

TL;DR

ICSTrace is a novel IP traceback model designed for industrial control systems that analyzes attack data to identify malicious IPs without requiring new network services.

Contribution

The paper introduces ICSTrace, a new model that extracts attack patterns from industrial control protocol data and clusters them to trace malicious IPs back to organizations.

Findings

ICSTrace effectively traces malicious IPs in industrial control systems.

The model accurately clusters attack patterns using Partial Seeded K-Means.

Evaluation shows high effectiveness on honeypot-captured attack data.

Abstract

Considering the attacks against industrial control system are mostly organized and premeditated actions, IP traceback is significant for the security of industrial control system. Based on the infrastructure of the Internet, we have developed a novel malicious IP traceback model-ICSTrace, without deploying any new services. The model extracts the function codes and their parameters from the attack data according to the format of industrial control protocol, and employs a short sequence probability method to transform the function codes and their parameter into a vector, which characterizes the attack pattern of malicious IP addresses. Furthermore, a Partial Seeded K-Means algorithm is proposed for the pattern's clustering, which helps in tracing the attacks back to an organization. ICSTrace is evaluated basing on the attack data captured by the large-scale deployed honeypots for industrial control system, and the results demonstrate that ICSTrace is effective on malicious IP traceback in industrial control system.