The present invention generally relates to an unauthorized communication detection system and an unauthorized communication detection method for verifying validity of a communication packet flowing in a control system and detecting unauthorized communication.
Control systems used in automobiles or in social infrastructures such as electric power supply, rail transport, water supply, and gas supply are required to maintain a pressure and a temperature that are set in advance by operating an apparatus such as a valve or an actuator based on information from sensors. In order to realize this operation, a built-in apparatus such as a controller needs to acquire information from sensors regularly, confirm states and notify other controllers, servers, and the like of those states, and perform control as necessary. Therefore, in general, a large amount of communication occurs periodically in a control system, and the control system performs processing based on the communication data.
Meanwhile, control systems have so far used dedicated OSes and dedicated protocols, and have been installed separately in areas that cannot be accessed from an external network such as the Internet. Thus, control systems have been considered to be immune from cyber-attacks such as so-called computer viruses or DoS attacks. However, general-purpose OSes and general protocols are increasingly being adopted to reduce costs, and the coupling of control systems to information systems is being promoted for improved efficiency. In addition, in recent years, computer viruses targeting control systems have been found, which necessitates a technology for detecting, for example, malware infection and unauthorized access from outside, not only in an information system but also in a control system.
In order to address this issue, a known technology uses a list of traffic patterns that are likely to occur in a network of a control system to detect unauthorized communication when a communication packet does not conform to the list (for example, see Japanese Patent Application Publication No. 2012-34273). Moreover, another known technology monitors a communication packet and physical measurement values of a control system, and correlates the communication packet with the physical measurement values, to thereby detect an unauthorized communication packet (for example, see Japanese Patent Application Publication No. 2014-179074).
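The first known technology above, checking each packet against a list of expected traffic patterns, can be sketched as follows. This is an added example, not code from the cited publications; the pattern fields (source network, destination network, protocol, destination port), the addresses, and the sample packets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Pattern(NamedTuple):
    src: str    # permitted source network (CIDR)
    dst: str    # permitted destination network (CIDR)
    proto: str  # "tcp" or "udp"
    dport: int  # permitted destination port

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Constructed allowlist for a hypothetical control network.
ALLOWLIST = [
    Pattern("10.0.1.0/24", "10.0.2.10/32", "tcp", 502),  # controllers -> PLC (Modbus/TCP)
    Pattern("10.0.2.10/32", "10.0.3.5/32", "udp", 514),  # PLC -> log server (syslog)
]

def conforms(pkt: Packet, pattern: Pattern) -> bool:
    """True if the packet matches one allowlisted traffic pattern."""
    if pkt.proto != pattern.proto or pkt.dport != pattern.dport:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
    except ValueError:
        # An unparseable address can never match a pattern: treat as nonconforming.
        return False
    return (src in ipaddress.ip_network(pattern.src)
            and dst in ipaddress.ip_network(pattern.dst))

def find_unauthorized(packets, allowlist=ALLOWLIST):
    """Return the packets that conform to no pattern in the allowlist."""
    return [p for p in packets if not any(conforms(p, a) for a in allowlist)]

# Constructed sample traffic: two expected flows and three that do not conform.
SAMPLE = [
    Packet("10.0.1.21", "10.0.2.10", "tcp", 502),
    Packet("10.0.2.10", "10.0.3.5", "udp", 514),
    Packet("10.0.1.21", "10.0.2.10", "tcp", 23),     # unexpected port
    Packet("192.168.7.4", "10.0.2.10", "tcp", 502),  # source outside the list
    Packet("not-an-ip", "10.0.2.10", "tcp", 502),    # malformed record
]

if __name__ == "__main__":
    for pkt in find_unauthorized(SAMPLE):
        print("unauthorized:", pkt)
```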