Industrial Control Systems (ICSs) are often used to control the functionality of devices and/or machinery that perform manufacturing and/or production operations within an industrial environment. For example, a nuclear power plant may implement and/or rely on an ICS to regulate the production and/or distribution of electrical power. A typical ICS may include a collection of sensors, actuators, controllers, control valves, motors, robotic devices, and/or other computing devices that communicate using a specialized application-layer protocol that is designed for ICS environments. In many ICSs, application-layer messages are exchanged between ICS components using a standard transport-layer protocol such as the Internet protocol suite (also known as Transmission Control Protocol (TCP) over Internet Protocol (IP) or TCP/IP).
Anomaly detection is a traditional method for detecting suspicious communications within a network. Traditional anomaly-detection systems will often use baselines of cyclic message sequences to detect when abnormal (e.g., malicious) message sequences are present on a network. Before baselining a cyclic message sequence, a conventional anomaly-detection system will generally need to (i) understand the structure and/or purpose of each message in the cyclic message sequence and (ii) identify and collect many instances of the same cyclic message sequence from which a baseline may be derived.
While the network traffic in a typical ICS network is generally highly cyclic and predictable when compared to the network traffic in a typical Information Technology (IT) network, the task of determining baselines for normal cyclic application-layer message sequences in ICS networks has traditionally been difficult for conventional anomaly-detection technologies because the cyclic application-layer message sequences are often obscured. Cyclic application-layer message sequences are often obscured in ICS network traffic since (i) the application-layer protocols with which components of ICSs communicate are often proprietary or hidden and rarely documented and/or available to the public and (ii) cyclic application-layer message sequences in ICS networks are generally exchanged over a single transport-layer connection that is long lived and devoid of any semantic bookending such as connection-establishment or connection-termination handshakes.
For at least these reasons, conventional anomaly-detection technologies generally do not understand the structure and/or purpose of the messages in the cyclic application-layer message sequences observed in ICS networks and generally are unable to identify and collect many instances of the same cyclic application-layer message sequence. Accordingly, conventional anomaly-detection technologies may be unable to baseline ICS network traffic and may be somewhat ineffective at identifying malfunctioning and/or compromised devices within ICSs, potentially leaving such systems susceptible to accidents and/or attacks. The instant disclosure, therefore, identifies and addresses a need for systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences.
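The following added example (not part of the disclosure, and not the patent's claimed method) illustrates the two problems the background describes: baselining a cyclic message sequence (the second paragraph) when the messages arrive as an undelimited stream on one long-lived connection and their protocol is undocumented (the third paragraph). It assumes a defender can at least see each message's direction, length and leading bytes; the `tokenize` shape-hash, the period search, and the sample byte strings are all constructed for illustration and are not any real ICS protocol.

```python
import hashlib

# Constructed sample traffic: opaque application-layer messages carried on one
# long-lived TCP connection. Each entry is (direction, payload); "C" is the
# client side (e.g. an HMI), "S" the server side (e.g. a controller). The byte
# values are made up and do not follow any real protocol.
CYCLE = [
    ("C", b"\x01\x04\x00\x10\x00\x02"),
    ("S", b"\x01\x04\x04\x12\x34\x56\x78"),
    ("C", b"\x01\x03\x00\x20\x00\x01"),
    ("S", b"\x01\x03\x02\xab\xcd"),
]
NORMAL_STREAM = CYCLE * 5
# Anomalous stream: starts mid-cycle (no handshake to align on) and, after three
# full cycles, contains one injected message whose shape is not in the baseline.
ANOMALOUS_STREAM = (
    CYCLE[2:] + CYCLE * 3
    + [("C", b"\x01\x10\x00\x30\x00\x01\x02\xff\xff")]  # constructed, unknown shape
    + CYCLE
)


def tokenize(direction, payload, prefix_len=4):
    """Reduce an opaque message to a short token using only what is observable
    without protocol knowledge: direction, total length and the first bytes.
    (Assumption: these fields are stable across repetitions of a cycle.)"""
    shape = direction.encode() + len(payload).to_bytes(2, "big") + payload[:prefix_len]
    return hashlib.sha256(shape).hexdigest()[:8]


def find_period(tokens, min_repeats=3):
    """Smallest p such that the token stream repeats with period p and holds at
    least min_repeats full cycles; None when no such cycle exists."""
    n = len(tokens)
    for p in range(1, n // min_repeats + 1):
        if all(tokens[i] == tokens[i + p] for i in range(n - p)):
            return p
    return None


def baseline(messages, min_repeats=3):
    """Learn the cyclic baseline (one period of tokens) from a captured stream."""
    tokens = [tokenize(d, p) for d, p in messages]
    p = find_period(tokens, min_repeats)
    return None if p is None else tokens[:p]


def detect_anomalies(messages, cycle):
    """Walk a new stream against the baseline. The first message fixes the phase
    (there is no handshake to align on). A message matching the expected slot
    advances the cycle; one that belongs to the cycle but arrives out of turn
    is reported and resynchronises the pointer; one whose shape is not in the
    cycle at all is reported as unknown. Assumes cycle tokens are distinct."""
    tokens = [tokenize(d, p) for d, p in messages]
    position = {t: i for i, t in enumerate(cycle)}
    expected = position.get(tokens[0], 0) if tokens else 0
    anomalies = []
    for i, t in enumerate(tokens):
        if t == cycle[expected]:
            expected = (expected + 1) % len(cycle)
        elif t in position:
            anomalies.append((i, "out-of-order"))
            expected = (position[t] + 1) % len(cycle)
        else:
            anomalies.append((i, "unknown"))
    return anomalies


if __name__ == "__main__":
    learned = baseline(NORMAL_STREAM)
    print("baseline period:", len(learned), "tokens:", learned)
    print("normal stream anomalies:", detect_anomalies(NORMAL_STREAM, learned))
    print("anomalous stream anomalies:", detect_anomalies(ANOMALOUS_STREAM, learned))
```

The period search is deliberately semantics-free: it never parses the payload, which is the whole point when the protocol is proprietary. Its weakness is also visible in the code: if a field inside the first `prefix_len` bytes changes every cycle (a sequence counter, say), `tokenize` must exclude it or no period will be found, which is exactly the kind of protocol-specific knowledge the background says is usually unavailable.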