Detecting PLC Intrusions Using Control Invariants
IEEE Internet of Things Journal (IF 8.2), Pub Date: 4-4-2022, DOI: 10.1109/jiot.2022.3164723
Zeyu Yang 1, Liang He 2, Hua Yu 1, Chengcheng Zhao 1, Peng Cheng 1, Jiming Chen 1

Programmable logic controllers (PLCs), i.e., the core of control systems, are well known to be vulnerable to a variety of cyber attacks. To mitigate this issue, we design PLC-Sleuth, a novel noninvasive intrusion detection/localization system for PLCs, which is built on a set of control invariants (i.e., the correlations between sensor readings and the concomitantly triggered PLC commands) that exist pervasively in all control systems. Specifically, taking the system's supervisory control and data acquisition log as input, PLC-Sleuth abstracts/identifies the system's control invariants as a control graph using data-driven structure learning, and then monitors the weights of the graph edges to detect anomalies in them, which are, in turn, a sign of intrusion. We have implemented and evaluated PLC-Sleuth using both a platform of an ethanol distillation system (EDS) and a realistically simulated Tennessee Eastman (TE) process. The results show that PLC-Sleuth can: 1) identify control invariants with 100%/98.11% accuracy for EDS/TE; 2) detect PLC intrusions with 98.33%/0.85‰ true/false positives (TPs/FPs) for EDS and 100%/0% TP/FP for TE; and 3) localize intrusions with 93.22%/96.76% accuracy for EDS/TE.

Updated: 2024-08-26