Anomaly Detection Based on Temporal Behavior Monitoring in Programmable Logic Controllers

As Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the industrial Internet of things, cybersecurity threats to PLCs are also increasing. Adversaries can perform a denial of service (DoS) attack based on the transmission of a large number of network packets, and a control-logic injection attack through sophisticated packet transmission. We propose an approach to detecting and defending against attacks that exploit security vulnerabilities in a PLC system. In order to protect against indiscriminate packet transmission attacks that exploit uncontrolled resource consumption vulnerabilities, an abnormal temporal behavior detection method is proposed that monitors the CPU usage of tasks. If a temporal anomaly is detected, the proposed approach tries to detect control-flow anomalies by examining the sequences of function calls, then detects stack-based buffer overflow attacks. The proposed method is implemented in a water tank control system for evaluation purposes. The experimental results show that the proposed method can improve the security of the system by detecting anomalies in temporal behavior with little system overhead.