How to reverse engineer ICS protocols using pair-HMM

Abstract

Industrial control systems (ICSs) are used to control and monitor industrial processes ranging from critical infrastructures, such as power grids and water supply, to manufacturing. However, the design of ICS emphasizes mainly on the reliability and efficiency but not security. Thus, ICS, especially the ones for critical infrastructures, become clear targets for attacks. There were many examples of serious attacks on ICS in the past years. The problem of protecting ICS is now a major concern. On the other hand, the network protocols of ICS are usually proprietary. Even for the same industry (e.g., how to control elevators), the specifications of the protocols are not standardized and depend on the vendors. Moreover, these specifications may not be accessible easily. This poses a challenge to security community as it is difficult to learn each protocol one by one and develop a generic protection scheme for ICS, even for the same industry. In this paper, we attempt to tackle this issue by proposing a reverse engineering technique to learn the protocols automatically. Technical speaking, our proposed solution is based on network trace for ICS private protocols. We cluster the source packets, represent protocols using sequences of critical packets, then use pair-HMM to align these sequences to obtain nonredundant sequences as protocol templates. Our experiments show that these templates can effectively represent important fields and attributes of the protocols.