Publication


Featured research published by Lai Yingxu.


International Symposium on Autonomous Decentralized Systems | 2017

Intrusion Detection of Industrial Control System Based on Modbus TCP Protocol

Wang Yusheng; Fan Kefeng; Lai Yingxu; Liu Zenghui; Zhou Ruikang; Yao Xiangzhen; Li Lin

Modbus over TCP/IP is one of the most popular industrial network protocols and is widely used in critical infrastructures. However, the vulnerability of the Modbus TCP protocol has attracted wide public concern. Traditional intrusion detection methods can identify some intrusion behaviors, but there are still some problems. In this paper, we present an innovative approach, SD-IDS (Stereo Depth IDS), which is designed to perform real-time deep inspection of Modbus TCP traffic. The SD-IDS algorithm is composed of two parts: rule extraction and deep inspection. The rule extraction module not only analyzes the characteristics of industrial traffic, but also explores the semantic relationships among the key fields in the Modbus TCP protocol. The deep inspection module is based on rule-based anomaly intrusion detection. Furthermore, we use an online test to evaluate the performance of our SD-IDS system. Our approach achieves low false positive and false negative rates.


Archive | 2016

Software Behavior Analysis Method Based on Behavior Template

Lai Yingxu; Zhao Yiwen; Ye Tao

Software security is not only related to our life, but also close to the security of our society. This paper proposed a method called software behavior analysis method based on behavior template (SABT). According to the context of the source code, we build a behavior template as a system to detect malicious behavior of software, including a function transfer map and a function block transfer map. We utilize several related algorithms and techniques in SABT, including stubbing interrupts, building the behavior template, and forming an automaton to detect abnormal software behavior. The behavior template consists of a function transfer map and a minimum function transfer map. Compared with traditional methods such as N-gram, FSA, and Var-gram, SABT can get a higher coverage rate of code and detect abnormalities more effectively and efficiently.


International Symposium on Autonomous Decentralized Systems | 2015

Analysis of Industrial Control Systems Traffic Based on Time Series

Lai Yingxu; Jiao Jiao; Liu Jing

With the growing demand for location-independent access to Industrial Control Systems (ICS), an anomaly detection scheme for industrial Ethernet that satisfies demanding real-time and reliable industrial applications has become one of the problems in ICS. In this paper, we present an innovative approach to building a traffic model based on a structural time series model. A basic structural model, which decomposes the time series into four factors, is established by the stationary analysis of industrial traffic. Parameters in the model are identified by a state space model, which is conducted from the training sequence using standard Kalman filter recursions and the EM algorithm. Furthermore, the performance of the state space model is evaluated by experimental comparative results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.


IEEE International Conference on High Performance Computing Data and Analytics | 2012

Study and Implementation of Trust Evaluation Access Control Mechanism Based on XEN

Lai Yingxu; Wang Ruozeng; Yang Zhen

With the use of virtualization, threats gradually appear in domains constituted by the host and virtual machines (VMs). Access control between VMs becomes a necessary method for the security management of a virtualized platform. Traditional Mandatory Access Control (MAC) based on a fixed security policy is greatly restricted in flexibility. In this paper, we propose a quantitative trust evaluation method based on VMs' historical behavior, which is combined with the existing MAC mechanism to build a flexible, fine-grained access control mechanism.


Archive | 2014

Computer-assisted computing method of semantic distance between short texts

Yang Zhen; Wang Laitao; Lai Yingxu; Gao Kaiming; Zhang Longbo; Duan Lijuan; Fan Kefeng


Archive | 2015

Anomaly detection method based on network flow analysis

Lai Yingxu; Li Xiulong; Yang Zhen; Liu Jing; Li Jian


Archive | 2014

Method of tracing software abnormal behaviors based on software functional layer

Lai Yingxu; Huo Shuxiao; Yang Zhen; Li Jian


Archive | 2013

Detection method for malicious application software on mobile terminal

Lai Yingxu; Qiao Jingjing; Yang Zhen; Liu Jing; Li Jian; Xu Zhuangzhuang


Journal of Beijing University of Technology | 2010

Online Public Opinion Hotspot Detection and Analysis Based on Short Text Clustering Using String Distance

Lai Yingxu


Archive | 2014

Abnormality detecting method based on industrial control system network traffic

Lai Yingxu; Gao Chunmei; Yang Zhen; Li Jian

Collaboration


Top Co-Authors

Liu Jing

Beijing University of Technology

Yang Zhen

Beijing University of Technology

Wang Yusheng

Beijing University of Technology

Jiao Jiao

Beijing University of Technology

Li Yajuan

Dalian Ocean University

Wang Ruozeng

Beijing University of Technology

Ye Tao

Beijing University of Technology

Zhao Yiwen

Beijing University of Technology
