[IEEE 2013 Fifth International Conference on Computational and Information Sciences (ICCIS) -...


Page 1: [IEEE 2013 Fifth International Conference on Computational and Information Sciences (ICCIS) - Shiyang, China (2013.06.21-2013.06.23)] 2013 International Conference on Computational

Research on Network Attack and Defense of SCADA System Model Based on FNN

Tao Yu
School of Electrical Engineering and Information, Southwest Petroleum University, Chengdu, China

Xiedong Cao, Zhidi Chen, Chela Zhang
School of Electrical Engineering and Information, Southwest Petroleum University, Chengdu, China

Abstract—To guarantee the safe operation of a SCADA system under network attack, it is important to construct an intelligent model of the SCADA system that includes reasoning and judgment about network attack and defense. This paper describes network attack knowledge based on the theory of the factor expression of knowledge, and studies the formal knowledge theory of the SCADA network in terms of factor state space, equivalence partitioning, etc. It uses factor neural network (FNN) theory, which covers high-level knowledge and quantitative reasoning, to establish a predictive model comprising an analytic FNN and an analogous FNN. This model abstracts and builds an equivalent and corresponding system of network attack and defense knowledge factors. Analysis shows that the FNN-based network attack and defense strategy model of the SCADA system has effective security defense performance under network attack, and it provides new methods for researching the security defense theory of SCADA systems under network attack.

Keywords-SCADA; network attack and defense; factor expression; factor neural network; security defense

I. INTRODUCTION

With the wide application of SCADA in complicated systems such as massive oil-gas pipeline networks and large-scale power grids, and with the continuously increasing need for informatization, networking and intelligentization, the SCADA system has gradually developed into an open, complex giant system. In recent years, cloud computing technology has been thoroughly applied to SCADA systems, and SCADA data has gained important strategic significance. These factors have made network attacks on SCADA systems disastrous. To guarantee normal operation and to monitor the safety status of the SCADA system in a timely manner, an intelligent defense model covering the network attack factors of the SCADA system is needed [1].

Factor neural network (FNN) theory belongs to information processing systems engineering. Its basis is the factor expression of knowledge, and its formal framework is factor neurons and neural networks. FNN aims to achieve the storage and application of knowledge and to complete the engineering simulation of intelligent behavior.

Based on the theory of the factor expression of knowledge, this paper combines the factor neural network with the security system theory of SCADA systems. Using the knowledge engineering theory of intelligent information processing in FNN, an FNN-based network attack and defense strategy model of the SCADA system is constructed, providing new methods for studying the security defense theory of SCADA systems under network attack.

II. THE PATTERN OF THE FACTOR EXPRESSION OF KNOWLEDGE

The factor expression of knowledge establishes organic relations among different kinds of knowledge or knowledge expressions, enabling dynamic reasoning between pieces of knowledge and transformation between knowledge expressions. Factors can therefore be used to construct the framework of a neural network, to organize and encapsulate descriptive, declarative and procedural knowledge, and to build the chains of relationships in the neural network from the relational factors in the slot elements of a frame structure. The result is a knowledge network system in which frames are the nodes and chains of relational factors are the edges [2].

A. Factor State Space and Factor Expression of Knowledge

1) Factor state space based on the object

[Definition 1]. Let $o \in O$ be a described object in the domain $U$ and let $f$ be a described factor. The object $o$ is related to factor $f$ and has a certain nonzero state $X_o(f)$, written as

$R(o, f) = X_o(f)$

$O(f) = \{o \mid R(o, f) \neq 0,\ f \in F,\ o \in U\}$

$O(f)$ is called the set of objects related to factor $f$ in the domain $U$.

$O(F) = \{o \mid R(o, F) \neq 0,\ F \subset U,\ o \in U\}$

$O(F)$ is called the set of objects related to the factor set $F$ in the domain $U$.

[Definition 2]. If $O$ and $V$ are sets comprising some objects $o \in O$ and some factors $f \in V$, a matching $(O, V)$ is given. Then

$\forall o \in O,\ \exists f \in V \mid f$ is related to $o$, and $\forall f \in V,\ \exists o \in O \mid o$ is related to $f$.

[Definition 3]. For a given matching $(O, V)$, with $o \in O$ and $f \in V$, a correlation $R$ is written as

$R(o, f) \in [0, 1]$

the degree of correlation between $o$ and $f$. When $R(o, f) = 1$, $o$ is clearly related to $f$. When $R(o, f) = 0$, $o$ is not related to $f$.

2013 International Conference on Computational and Information Sciences

978-0-7695-5004-6/13 $26.00 © 2013 IEEE

DOI 10.1109/ICCIS.2013.374


For $R(o, f) = 1$, define

$D(f) = \{o \mid R(o, f) = 1\}$

$V(o) = \{f \mid R(o, f) = 1\}$

Factor $f$ can be regarded as a mapping that acts on a certain object $o$ to obtain a certain state $f(o)$:

$f: O \to X,\quad o \mapsto f(o) = X_o(f)$

where $X(f) = \{X_o(f) \mid o \in O\}$ is the state space of $f$.

2) Factor expression of knowledge

[Definition 4]. In the domain $U$, the atomic mode of knowledge factors is a triple,

$M(O) = \langle O, F, X \rangle$

where $O$ is the set of objects of the knowledge description of $U$; $F$ is the set of factors used when $U$ describes $O$; and $X$ is the performance status with respect to $F$ when $F$ is used to describe $O$, with $X = \{X_o(f) \mid f \in F,\ o \in O\}$.

[Definition 5]. In the domain $U = \{U_i\}$, the relational mode between modes of knowledge is expressed in the form

$R(M(o)) = \langle R_M, M(o), X_M \rangle$

where $R_M$ is a knowledge mode; $M(o)$ is the set of atomic modes of knowledge representation in the knowledge mode, $M(o) = \{M_i(o) \mid i = 1, 2, \ldots, n\}$; and $X_M$ expresses the structure group states and state transformation relations of the atomic modes $M(o)$ in $R_M$.

The atomic mode of knowledge factor expression gives a discrete set describing how the object is perceived, which constitutes the basis for expressing knowledge with factors. The relational mode of knowledge factor expression can associate various kinds of relational knowledge or different knowledge expressions, which enables transformation between different forms of knowledge as well as knowledge reasoning. Together they provide the basis for the expression and processing of knowledge in FNN [3].

B. System Description Based on The Object of SCADA Network Attack

Being a knowledge network focused on describing the network attack and defense objects of the SCADA system, the model built should gather the information status, organizational structure and behavior rules of network attack, making it an integrated analysis model for knowledge expression and application.

Let $U$ be the considered domain, and let $SA$ be the offensive and defensive system of SCADA. A real-world SCADA network system consists of a number of different types of subsystems, their attributes and the relationships among them. Thus, the knowledge structure of SCADA network attack is described by four elements corresponding to different perspectives. $SA$ is expressed as

$SA = \{d_s, a_s, f_s, y_s \mid d_s \in D,\ a_s \in A,\ f_s \in F,\ y_s \in Y,\ s \in S\}\langle S \rangle$

where

$S = \{s\}$ is the set of cognitive and descriptive viewpoints, where $s$ is one cognitive or descriptive viewpoint on the network attack.

$A = \{a_s\}$ is the set of expressions of the network attack under viewpoint $s$, where $a_s$ expresses the various existence conditions and offensive functions.

$D = \{d_s\}$ is the set of correlations in the network attack under viewpoint $s$, where $d_s$ describes the relationships among the conditions, functions and results of the various attack factors.

$F = \{f_s\}$ is the set of state spaces of the various factors that describe the attack in the planning process under viewpoint $s$, where $f_s$ describes the state of users, file variables, process parameters, input/output parameters, system services, network connection parameters, system environment variables, etc.

$Y = \{y_s\}$ expresses the feature state spaces of the factors involved in attack planning. For example, the state space of $f_{sw}$ contains examination, upload, download, modify, delete, etc., where $f_{sw} = f_{swi}\ (i = 1, 2, \ldots, n)$ is the file type. This may correspond to the existence of an $f_{sw}$ factor space.

[Definition 6]. A cognitive or descriptive model of $SA$ under viewpoint $s$ is

$M = \langle \langle O, G \rangle, F, X \rangle$

$O = \{o\}$ is called the object set of $M$, where $o$ is an equivalent clustering of the objects of $SA$ under viewpoint $s$.

$G = \{g\}$ is called the structure of $M$, where $g$ is an equivalent transformation of $SA$ under viewpoint $s$.

$F = \{f\}$ is called the set of cognitive or descriptive factors of $M$, where $f$ is a cognitive and descriptive factor of $SA$ under viewpoint $s$.

$X = \{x\}$ is called the factor expression state set of $M$, where $x$ is a system state of $SA$ reflected by the factors when $F$ is chosen as the expression view under viewpoint $s$ [4].

Modeling the SCADA system under network attack involves a number of factors related to the attack target and attack conditions. According to the theory of factor spaces, those factors can constitute the implementing factor sets $\{a_s\}$. After each functional factor is functionally decomposed, the sub-function factors are kept independent by being orthogonal to each other. The function of factors can be quantified from the state space of factors, achieving the goal of comprehensive evaluation of defense. For example, a factor-based analysis of an attack by two attackers using administrative authority on the SCADA system's RTU can determine whether the valve of the oil-gas pipeline will be open or closed, and in this way produce the right defense strategy.

III. INFERENCE PATTERN OF SCADA SECURITY DEFENSE

A. Inference model based on analytic FNN

The network attack and defense system of SCADA is divided into spaces of different granularity according to various requirements. An equivalence relation can be established on the fine-grained space to obtain a relatively coarse-grained space, and a few coarse-grained model spaces can be combined to obtain a smaller and more systematic model. Generally, if those classifications form a partially ordered chain, a systematic hierarchical model can be obtained.


Let $U$ be the considered domain, and let $SA$ be the offensive and defensive system of SCADA. To recognize and express the actual network attack and defense system of SCADA, that is $SA$, various inductions and abstractions of $SA$ are needed. For example, attack factors can be divided into eavesdropping, deception, denial of service and data-driven attacks, with each type composed of many sub-factors that share similar characteristics. In the domain $U$, assuming that a cognitive or descriptive viewpoint $s$ has been chosen, $a_s$ can then be categorized under viewpoint $s$ according to an equivalence relation.

When the SCADA system is operating safely, some attacks from the network, including the Internet and Intranet, can be directly perceived and judged. All attack and defense factors involved in the process of SCADA security defense are collected and arranged to determine the attack space and defense space within the domain; that is, the factors are divided into two types, G and F, and the relationships between factors of similar types are established. Meanwhile, the state sets $X_G$ and $X_F$ of the various attack and defense factors are determined.

Based on analysis of attack and defense experience, defense rules between network attack and security defense of the system are established. The rules reflect the correspondence between the attack state vectors and the defense state vectors, and the security defense matrix $R$ is established on this basis, so that a forward reasoning process is realized.

$X_G \cdot R \to X_F$

Because of the intricate interrelationship between attack factors and security defense, a security defense prediction mechanism based on backward reasoning is also established.

$X_F \cdot R' \to X_G$

where $R'$ is the backward reasoning matrix.

The SCADA security defense system realizes security defense mainly through a comprehensive inference strategy. The main basis of security defense by analytic factor neurons is the rule-based security defense matrix $R$; when the system obtains a group of attack states $X_G'$, the following is obtained according to $R$.

$X_G' \cdot R \to X_F'$

Generally, the primary inference $X_F'$ may not be a proper defense strategy, so the system performs inference again according to the result, and performs comprehensive inference according to the supplementary condition $X_G''$.

$(X_G' + X_G'') \cdot R \to X_F''$

The inference may be repeated multiple times, and the system model makes a final security defense strategy according to the result of the comprehensive factor inferences.
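The forward, supplementary and backward inferences above, worked through numerically as an added example (not code from the paper). The paper does not define its operators, so max-min fuzzy composition for "·", element-wise max for "+", the transpose of R as R', and all defense-factor names and matrix values are assumptions constructed for illustration.

```python
# Added illustration of the analytic-FNN inference chain; not the paper's code.
# Assumptions: "." is fuzzy max-min composition, "+" is element-wise max,
# R' is the transpose of R. Defense names and all numbers are constructed.

# Attack factor classes named in section III.A.
ATTACK = ["eavesdropping", "deception", "denial_of_service", "data_driven"]
# Hypothetical defense factors.
DEFENSE = ["encrypt_link", "authenticate_commands", "rate_limit", "validate_input"]

# Constructed security defense matrix R: R[i][j] is the strength of the rule
# "attack factor i calls for defense factor j".
R = [
    [0.9, 0.3, 0.0, 0.1],
    [0.4, 0.9, 0.1, 0.3],
    [0.0, 0.2, 0.9, 0.1],
    [0.1, 0.5, 0.2, 0.9],
]


def check_state(x, size):
    """Reject state vectors of the wrong length or with values outside [0, 1]."""
    if len(x) != size or any(not 0.0 <= v <= 1.0 for v in x):
        raise ValueError(f"state vector must hold {size} values in [0, 1]: {x}")
    return list(x)


def compose(x, m):
    """Max-min composition x . m: out[j] = max over i of min(x[i], m[i][j])."""
    x = check_state(x, len(m))
    return [max(min(xi, row[j]) for xi, row in zip(x, m)) for j in range(len(m[0]))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def forward(x_g):
    """X_G . R -> X_F: defense state implied by an observed attack state."""
    return compose(x_g, R)


def backward(x_f):
    """X_F . R' -> X_G: attack state that a given defense state is aimed at."""
    return compose(x_f, transpose(R))


def select(x_f, threshold=0.6):
    """Defense factors whose inferred state reaches the threshold."""
    return [name for name, v in zip(DEFENSE, x_f) if v >= threshold]


def comprehensive(observations, threshold=0.6):
    """Repeat inference, folding each supplementary X_G'' into the evidence.

    Returns one (X_G, X_F, selected defenses) tuple per inference round.
    """
    x_g = [0.0] * len(ATTACK)
    rounds = []
    for obs in observations:
        obs = check_state(obs, len(ATTACK))
        x_g = [max(a, b) for a, b in zip(x_g, obs)]  # X_G' + X_G''
        x_f = forward(x_g)
        rounds.append((x_g, x_f, select(x_f, threshold)))
    return rounds


if __name__ == "__main__":
    first = [0.2, 0.7, 0.0, 0.0]       # constructed: mostly deception
    supplement = [0.0, 0.0, 0.0, 0.8]  # constructed: data-driven evidence arrives
    for x_g, x_f, chosen in comprehensive([first, supplement]):
        print(x_g, "->", x_f, chosen)
    print("backward from rate_limit:", backward([0.0, 0.0, 0.9, 0.0]))
```

The second round shows why the primary inference can be insufficient: the supplementary evidence adds a defense factor that the first attack state alone did not select.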

B. Inference model based on analogous FNN

The purpose of establishing the factor neural network is to use FNN as a specific information processing system that simulates intelligent behavior. It is meant to handle the detailed reasoning about unsafe network factors where the rules are not clearly recognized and where an appropriate analytical mathematical model is hard to establish because of the complicated offensive and defensive process. Under this circumstance, a simulated neural network system based on analogous FNN, focused on external security defense, needs to be built [5].

Let $U$ be the considered domain, $O$ the set of objects of the knowledge description of $U$, $F$ the set of factors used when $U$ describes $O$, and $X_o(F)$ the performance status with respect to $F$ when $F$ is used to describe $O$. Suppose the target is centered on the SCADA system and based on the insecurity factors $F$; to construct such an information processing system, the following functions are needed.

• The capability of reproducing knowledge about the object, especially the expected associative memory ability: after a group of specific dangerous information is input into the analogous information processing system, it recalls the memory and makes the correct defense response.

• The capability of memorizing experience: after a problem to be resolved is input, the system is able to process it and give a proper defense mechanism according to past experience.

• The function of cognition and learning, which realizes the memory and association of experience and knowledge.

• A certain robustness and adaptivity, and the function of processing uncertain information, so that fuzzy information can be processed.

The analogous FNN is based on analogous factor neurons. It is centered on the objects of the system domain and uses factors as the basis for building information processing units that store and apply functional knowledge, completing the processing of information in an externally matched, implicit way.

Figure 1. The analogous factor neurons model

In Fig. 1, $f_1, f_2, \ldots, f_m$ are input factors that have some connection with $o$; each input factor is called a perceived channel of the analogous (simulation-type) factor neuron. $g_1, g_2, \ldots, g_n$ are the output factors of $o$, which represent different output responses [6], where

$F_o = \{f_1, f_2, \ldots, f_m\}$

$G_o = \{g_1, g_2, \ldots, g_n\}$

$X_o(F_o) = \{x_o(f_i) \mid i = 1, 2, \ldots, m\}$

$Y_o(G_o) = \{x_o(g_j) \mid j = 1, 2, \ldots, n\}$

For one analogous factor neuron, the external function can be expressed by

$Y_o(G_o) = R(X_o(F_o))$

The analogous factor neural network model is mainly based on experiential learning. When unknown factors attack the security of the SCADA system, the system directly deposits the pretreated insecurity factors as factor states. For factors with uncertain information in the original attack, step-by-step learning strategies over time steps are used in order to shorten the sample time and speed up the learning process of the model. When a factor is incomplete or contains errors, analogous factor neurons or network modules have the ability to restore or regenerate the right defense response. Thus, the analogous FNN continues to perfect itself during the process of network attack and defense.
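A minimal analogous factor neuron showing recall from incomplete or noisy input and learning of an unknown pattern, as described above. This is an added example, not the paper's model: nearest-pattern recall stands in for the unspecified mapping R, and the channel names, responses, threshold and sample values are all constructed assumptions.

```python
# Added illustration of an analogous factor neuron; not the paper's code.
# Assumption: Y_o(G_o) = R(X_o(F_o)) is realised as recall of the most similar
# stored experience. Channel names, responses and all values are constructed.

INPUTS = ["failed_logins", "off_schedule_writes", "new_source", "malformed_frames"]
OUTPUTS = ["block_source", "lock_rtu_writes", "alert_operator"]


class AnalogousNeuron:
    def __init__(self, min_similarity=0.8):
        self.min_similarity = min_similarity
        self.memory = []  # stored (X_o(F_o), Y_o(G_o)) experience pairs

    def learn(self, x, y):
        """Deposit one experience: input factor states and the defense response."""
        if len(x) != len(INPUTS) or len(y) != len(OUTPUTS):
            raise ValueError("pattern does not match the neuron's channels")
        if any(v is None or not 0.0 <= v <= 1.0 for v in x):
            raise ValueError("stored input states must be complete and in [0, 1]")
        self.memory.append((list(x), list(y)))

    @staticmethod
    def similarity(x, stored):
        """1 - mean absolute difference over the channels that were observed."""
        seen = [(a, b) for a, b in zip(x, stored) if a is not None]
        if 2 * len(seen) < len(stored):
            return 0.0  # fewer than half the channels observed: too little evidence
        return 1.0 - sum(abs(a - b) for a, b in seen) / len(seen)

    def recall(self, x):
        """Return (response, similarity); response is None for an unknown input.

        None in x marks a perceived channel whose value is missing.
        """
        if len(x) != len(INPUTS):
            raise ValueError("input does not match the neuron's channels")
        best_y, best_s = None, 0.0
        for stored_x, stored_y in self.memory:
            s = self.similarity(x, stored_x)
            if s > best_s:
                best_y, best_s = stored_y, s
        if best_s < self.min_similarity:
            return None, best_s
        return list(best_y), best_s


def build_neuron():
    """Neuron preloaded with three constructed past experiences."""
    n = AnalogousNeuron()
    n.learn([1.0, 0.0, 1.0, 0.0], [1, 0, 1])  # login guessing from a new source
    n.learn([0.0, 1.0, 0.0, 0.0], [0, 1, 1])  # writes outside the schedule
    n.learn([0.0, 0.0, 0.0, 1.0], [1, 0, 0])  # malformed protocol frames
    return n


if __name__ == "__main__":
    n = build_neuron()
    print("incomplete:", n.recall([1.0, None, 1.0, 0.0]))
    print("noisy:     ", n.recall([0.9, 0.1, 0.8, 0.0]))
    unknown = [0.0, 1.0, 0.0, 1.0]
    print("unknown:   ", n.recall(unknown))
    n.learn(unknown, [1, 1, 1])  # deposit the new factor state with its response
    print("after learn:", n.recall(unknown))
```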

IV. STRATEGY STRUCTURE OF SCADA SECURITY DEFENSE

The network attack process is the process of capturing information and escalating privilege according to attack conditions and goals [7]. For the SCADA system studied in this paper, a network attack set is formed on the basis of attack factors, knowledge acquisition and attack knowledge operation chains; the resulting SCADA network attack knowledge model, structured by maximum attack effect and loss, is shown in Fig. 2.

Figure 2. The knowledge model of SCADA network attack

Figure 3. The flow chart of security defense strategy

The SCADA security defense system should be a multi-mode combined structure that responds to the network attack knowledge. On one hand, it performs inference according to the rules to automatically keep visitors from dangerous networks outside the gate. On the other hand, it uses a comprehensive inference system that integrates the knowledge produced by sample learning with its application, memorizing the information of attackers recorded in the past so that those attacks cannot cause danger again. A flow chart of the security defense strategy constructed for the SCADA system is shown in Fig. 3.

The system uses inference and learning to organically combine the FNN-based driving by security influence factors with the reverse FNN driving by defense targets. In the system, the knowledge base establishes a knowledge factor space rattan net based on the factor expression of knowledge, so as to form an intelligent security defense strategy model of the SCADA system under network attack.

V. CONCLUSION

The network is bringing a revolution to the traditional SCADA system. The storage, operation and sharing modes of the network bring changes to SCADA as well as more insecurity factors. The SCADA system is constantly being attacked by various factors from the network, and purposeful attack and defense is like a war of attack and defense. This paper describes network attack knowledge based on the theory of the factor expression of knowledge and, using the analytic FNN and analogous FNN, presents an FNN-based security defense theory for SCADA networks, in order to realize an intelligent network attack and defense system with security status early warning and security defense assessment for complex SCADA networks. Wider and deeper analysis of network attack and defense can be conducted with the research model.

REFERENCES

[1] V. M. Igure, S. A. Laughter, et al, “Security issues in SCADA networks,” Computers & Security, vol. 25(7), 2006, pp.498-506.

[2] P. Z. Wang, H. H. Li, “Mathematical theory of knowledge representation,” Tianjin Science and Technology Department, Tianjin, 1994.

[3] Z. L. Liu, Y. C. Liu, “Factor neural network theory and implementation strategy research,” Beijing Normal University Press, Beijing, 1992.

[4] L. Yang, X. D. Cao, et al, “A New Formal Description Model of Network Attacking and Defence Knowledge of Oil and Gas Field SCADA System,” Asia-Pacific Web Conference (APWeb), Kunming, China, 2012, pp.2-10.

[5] Z. L. Liu, Y. C. Liu, “Factor neural network theory and application,” Guizhou Science and Technology Department, Guiyang, 1994.

[6] X. D. Cao, C. D. Wei, et al, “The Geological Disasters Defence Expert System of the Massive Pipeline Network SCADA System Based on FNN,” Asia-Pacific Web Conference (APWeb), Kunming, China, 2012, pp.19-26.

[7] C. X. Guo, Z. L. Liu, et al, “Network Attack Knowledge Model Based on Factor Space Theory,” Telecommunication Engineering, vol. 49(10), 2009, pp.11–14.
