In recent years, attacks such as the Stuxnet malware have demonstrated that cyberattacks against control systems cause extensive damage. These attacks can result in physical damage to the networked systems under their control. In this paper, we discuss our approach for detecting such attacks by distinguishing between programs running on a programmable logic controller (PLC) without having to monitor communications. Using power signatures generated by an attached, high-frequency power measurement device, we can identify what a PLC is doing and when an attack may have altered what the PLC should be doing. To accomplish this, we generated labeled data for testing our methods and applied feature engineering techniques and machine learning models. The results demonstrate that Random Forests and Convolutional Neural Networks classify programs with up to 98% accuracy for major program differences and 84% accuracy for minor differences. Our results can be used for both online and offline applications.

近年来，诸如Stuxnet恶意软件的攻击表明对控制系统的网络攻击会造成广泛的破坏。这些攻击可能会对其控制下的网络系统造成物理损坏。在本文中，我们讨论了通过区分可编程逻辑控制器（PLC）上运行的程序而无需监视通信来检测此类攻击的方法。使用连接的高频功率测量设备生成的功率签名，我们可以识别PLC在做什么以及何时受到攻击可能改变了PLC应该做什么。为此，我们生成了标记数据以测试我们的方法，并应用了特征工程技术和机器学习模型。结果表明，随机森林和卷积神经网络对程序进行分类，主要程序差异的准确度高达98％，次要差异的准确度高达84％。我们的结果可用于在线和离线应用程序。