Anomaly Detection Method Considering PLC Control Logic Structure for ICS Cyber Threat Detection
Anomaly detection systems are being studied to detect cyberattacks in industrial control systems (ICSs). Existing ICS anomaly detection systems monitor network packets or operational data. However, these systems cannot detect attacks that target control logic, such as Stuxnet. Control logic tampering detection studies also exist, but they detect code modifications rather than determining whether the logic is normal: they classify control logic as abnormal whenever any code modification occurs, even if the modified logic represents normal behavior. For this reason, this paper proposes an anomaly detection method that considers the structure of control logic. The proposed embedding method performs embedding based on control logic Instruction List (IL) code. The opcode and operand of the IL code use separate embedding models, and the embedded vectors are then combined sequentially to preserve the IL structure. The proposed method was validated using Long Short-Term Memory (LSTM), LSTM-Autoencoder, and Transformer models with a dataset of normal and malicious control logic. All models achieved an anomaly detection F1 score of at least 0.81. Additionally, models adopting the proposed embedding method outperformed those using conventional embedding methods by 0.088259. The proposed control logic anomaly detection method enables the model to learn the context and structure of control logic and identify code with inherent vulnerabilities.

| Main Authors: | Ju Hyeon Lee, Il Hwan Ji, Seung Ho Jeon, Jung Taek Seo |
|---|---|
| Affiliations: | Ju Hyeon Lee and Il Hwan Ji: Department of Information Security, Gachon University, Seongnam-daero 1342, Seongnam-si 13120, Republic of Korea; Seung Ho Jeon and Jung Taek Seo: Department of Smart Security, Gachon University, Seongnam-daero 1342, Seongnam-si 13120, Republic of Korea |
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2025-03-01 |
| Series: | Applied Sciences, vol. 15, no. 7, article 3507 (ISSN 2076-3417) |
| DOI: | 10.3390/app15073507 |
| Subjects: | industrial control systems; anomaly detection; control logic; programmable logic controller cyber security |
| Online Access: | https://www.mdpi.com/2076-3417/15/7/3507 |
| Collection: | DOAJ (record id doaj-art-bc544ab5fd6e4b30ba66bec2096e9e6d) |