1. Field of the Invention
The present invention relates to an abnormal traffic detection apparatus and method based on Modbus communication pattern learning, and more particularly, to an apparatus and method for detecting abnormal traffic in advance and responding to it.
2. Discussion of Related Art
Generally, a control system is a system for effectively monitoring and managing remote resources, and such systems are used to operate national critical infrastructure such as power, gas, water and sewage, and public transportation.
Protocol standards for control systems are gradually being converted from proprietary to open (international) standards, and this conversion gives an attacker more knowledge of the control system and its network operation.
As a result, the risk of cyber intrusion into control systems is continuously increasing, and since an intrusion into a control system may cause national-scale disruption, specific security management for the control system is required.
The Modbus protocol, one of the communication protocols used in control systems, is an industrial communication protocol developed by Modicon in 1979 for programmable logic controller (PLC) communication.
The Modbus protocol is an application layer messaging protocol that provides client/server based request/reply communication over various communication media, and is one of the most widely used communication protocols in the world.
Communication methods of the Modbus protocol are classified into Modbus serial, Modbus Plus, Modbus/transmission control protocol (TCP), etc. Modbus Plus was widely used for communication between host systems before Modbus/TCP was developed.
After Modbus/TCP was developed, however, it has been widely used because of its advantages in communication speed and system operation, and the earlier Modbus Plus and Modbus serial methods are now typically connected to the host system by being converted into Modbus/TCP through a gateway.
The Modbus protocol is used as a general protocol standard for control systems, but it has the problem that an attack using the Modbus protocol is easy.
That is, when a control system uses Modbus as its protocol standard, the attack risk is further increased because an attacker can exploit weaknesses of the Modbus protocol itself rather than attacking the control system with malicious code such as Stuxnet.
For example, using the Dismal attack tool, first published at Power of Community (POC) 2011, information about the control system used at facilities such as hydroelectric or nuclear power plants may be collected.
That is, when an information collection command is entered into the Dismal attack tool, the information is transmitted to the attacker regardless of the kind of control system, so the attacker may generate a new type of attack through simple packet manipulation and transmit a malicious command. Accordingly, the control system is more vulnerable to a protocol attack, which requires only packet manipulation, than to a zero-day attack such as Stuxnet.
Accordingly, to address this weakness, a prior patent (Korean Patent Publication No. 10-2010-0078323) discloses technology for implementing stable and reliable communication on a Modbus-based supervisory control and data acquisition (SCADA) network by preventing information leakage due to hacking by external intrusion and protecting information such as control and measurement data.
However, the prior patent requires monitoring and control data transmitted from a host system such as a SCADA server to be encoded or encrypted by a security device before transmission over the SCADA network, and requires the encoded data to be decoded by a security device of a subsystem such as a remote terminal before the remote terminal receives it.
That is, the prior patent has the problems that a complex operation such as encoding or decoding must be performed whenever the SCADA server and the remote terminal exchange data (control and measurement data, etc.), and that it is difficult to respond to an internal attack, which will be described later.
Meanwhile, since the Modbus protocol does not consider security items such as authentication and authorization with respect to the server's response to a client's request, security measures against denial of service attacks are required in addition to addressing the security weaknesses of the control protocol itself.
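The following is an added illustration, not code from the present patent or from any product or prior patent it cites, of why packet manipulation alone suffices and why a traffic-level policy is the available countermeasure. It builds and parses Modbus/TCP request frames (MBAP header plus PDU, as defined in the public Modbus specification) and applies a simple assumed policy: read requests are accepted from any source, while write and diagnostic function codes are accepted only from an allow-listed master. The IP addresses, register numbers and allow-list are constructed for the example; the function code sets are the public Modbus codes for writes (5, 6, 15, 16, 22, 23) and diagnostics (8, 43).

```python
import struct
from dataclasses import dataclass

# Modbus/TCP request = MBAP header (7 bytes) + PDU (1-byte function code + data).
# MBAP: transaction id (2), protocol id (2, always 0 for Modbus), length (2), unit id (1).
# The length field counts the bytes that follow it: unit id + PDU.
MBAP = struct.Struct(">HHHB")

# Public function codes that change device state (writes) or device behaviour (diagnostics).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
DIAGNOSTIC_FUNCTIONS = {8, 43}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request. There is no credential, nonce or signature field:
    any host that can reach the server's TCP port can emit a valid frame."""
    pdu = bytes([function_code]) + data
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse and sanity-check a Modbus/TCP request frame."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, frame[MBAP.size], frame[MBAP.size + 1:])


def classify(src_ip: str, frame: bytes, allowed_masters: set) -> str:
    """Assumed traffic-level policy: reads are allowed from anyone; state-changing or
    diagnostic function codes are allowed only from allow-listed masters, else 'alert'."""
    req = parse_request(frame)
    if req.function_code in WRITE_FUNCTIONS | DIAGNOSTIC_FUNCTIONS and src_ip not in allowed_masters:
        return "alert"
    return "allow"


# Constructed sample traffic (addresses and register numbers are assumed, not from the text).
ALLOWED_MASTERS = {"10.0.0.10"}                                             # the legitimate HMI/SCADA server
READ_FRAME = build_request(1, 1, 3, struct.pack(">HH", 0x0000, 10))        # read 10 holding registers
WRITE_FRAME = build_request(2, 1, 6, struct.pack(">HH", 0x0010, 0xFFFF))   # write single register


def run_demo() -> list:
    """Return (source, function code, decision) for the constructed frames."""
    cases = [
        ("10.0.0.10", READ_FRAME),   # HMI polling: allow
        ("10.0.0.10", WRITE_FRAME),  # HMI writing a setpoint: allow
        ("10.0.0.99", WRITE_FRAME),  # byte-identical write from an unknown host: alert
    ]
    return [(ip, parse_request(f).function_code, classify(ip, f, ALLOWED_MASTERS)) for ip, f in cases]


if __name__ == "__main__":
    for ip, fc, decision in run_demo():
        print(f"{ip:<10} FC{fc:<3} {decision}")
```

The last two cases use exactly the same bytes on the wire; nothing inside the frame distinguishes the legitimate master from an attacker, so the device itself cannot reject the second one. Only information outside the frame (source host, timing, which function codes and addresses normally appear) can separate them, which is the basis for detecting abnormal traffic from learned communication patterns rather than from the packet content alone.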
For example, general network traffic such as broadcast/multicast may overload some devices or even crash them.
As a result, concerns about intentional or unintentional behavior interfering with the safe operation of control systems for critical infrastructure are increasing; however, since enterprise security products such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are concentrated at the border with the external network, they are weak against problems that occur in the internal infrastructure.
That is, although intrusion paths including insider threats are becoming diverse, security even in control networks is focused on the border network, so measures for analyzing internal behavior are weak.
Accordingly, in order to provide a safe service between control systems, security for the protocol used in the control system is required.