Industrial control protocol covert channel detection method and system
By acquiring multi-source communication data in industrial control networks, performing protocol identification and hierarchical parsing, dividing multi-scale behavior windows, calculating entropy features, and performing adaptive detection, the adaptability and real-time performance issues of concealed channel detection in existing technologies are solved, achieving highly reliable concealed channel detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU ELECTRIC POWER COMM NETWORK LTD
- Filing Date
- 2026-04-10
- Publication Date
- 2026-06-05
AI Technical Summary
Existing industrial control protocol covert channel detection technologies suffer from poor adaptability, high false alarm rate, high false alarm rate, and insufficient real-time performance when faced with complex scenarios involving diverse protocols, varied covert methods, and the normalization of zero-day attacks. These issues make it difficult to meet the high reliability, adaptability, and intelligent security protection requirements of industrial control networks.
By acquiring multi-source communication data from industrial control networks, protocol identification and hierarchical parsing are performed, multi-scale behavioral windows are divided, information entropy, transfer entropy and structural entropy are calculated, a dynamic baseline entropy profile is constructed, and entropy drift is detected based on adaptive sliding threshold. Combined with multi-dimensional feature clustering and logical consistency verification, high-confidence suspected hidden channel instances are output.
It achieves accurate identification of concealed channels, significantly improves the detection rate, reduces false alarm and false negative rates, has cross-protocol detection capabilities, adapts to changes in industrial environments, and ensures the stability and applicability of the detection system.
Smart Images

Figure CN122160448A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of industrial control network security monitoring technology, and in particular to a method and system for detecting covert channels in industrial control protocols. Background Technology
[0002] The number of cyberattacks against industrial control systems continues to rise. Attackers often embed malicious commands and data into conventional communication channels to steal data, illegally control systems, and tamper with commands. Among these attacks, using covert channels within industrial control protocols for information hiding and illegal communication has become a highly concealed and dangerous emerging attack method. These covert channels conceal malicious communication within legitimate protocol traffic by modifying non-standard protocol fields, adjusting message transmission timing, altering data packet order, and utilizing redundant field encoding. This allows them to bypass conventional security detection mechanisms, enabling unauthorized data transmission and control command injection, posing a serious threat to industrial production safety and the stable operation of critical infrastructure.
[0003] Current technologies for detecting covert channels in industrial control protocols mainly employ feature matching, abnormal behavior analysis, and protocol consistency verification. While these methods are effective in identifying known types of covert channels, they suffer from significant technical limitations when facing complex scenarios characterized by the diversification of industrial control protocols, the proliferation of covert methods, and the prevalence of zero-day attacks. (1) It is poorly adapted to fine-grained variations of protocols and new covert methods, making it difficult to detect low-rate, highly disguised variant covert channels; (2) The detection model relies too much on expert experience and prior rules, the rule base is updated late, and the configuration and maintenance costs are high; (3) The false alarm rate and the false alarm rate are too high, which makes it easy to misjudge normal industrial business fluctuations as abnormalities and affect the continuity of production; (4) Insufficient real-time and high-concurrency processing capabilities make it difficult to meet the needs of large-scale, high-real-time flow monitoring in industrial sites, thus limiting actual deployment.
[0004] In summary, existing detection technologies have significant shortcomings in terms of detection accuracy, generalization ability, real-time performance, and operation and maintenance costs. They cannot effectively address the security risks posed by hidden channels in industrial control networks and cannot meet the needs of critical infrastructure for highly reliable, adaptive, and intelligent security protection. Summary of the Invention
[0005] To overcome the problems existing in related technologies, one of the objectives of this invention is to provide a method for detecting concealed channels in industrial control protocols. This method can accurately identify the weak statistical feature shifts caused by concealed channels, thereby improving the detection rate. Furthermore, by introducing multidimensional feature clustering and logical consistency verification, it can effectively filter out occasional noise and abnormal points that do not conform to the behavior of industrial control systems, output high-confidence suspected concealed channel instances, and significantly reduce false alarms and missed alarms.
[0006] A method for detecting covert channels in industrial control protocols, comprising: Acquire Ethernet and higher-level data link signals from multiple physical location acquisition points in an industrial control network to obtain raw communication stream data containing different service flows and protocol types; The original communication stream data is subjected to protocol identification and hierarchical parsing, and the communication stream is decomposed into session stream, command stream and field-level attribute change sequence, and semantic behavior units are extracted. Based on the business cycle, session length, and logical transaction boundary of the protocol traffic, the session flow and command flow are divided into three types of multi-scale behavior analysis windows: fixed duration window, session length window, and logical transaction window. Within each window, at least one communication event is extracted from message direction, parameter change frequency, number of times redundant fields are modified, and interaction response latency to form a multi-granularity behavior event sequence. Based on the multi-granularity behavioral event sequence, at least one of the entropy features among information entropy, transfer entropy and structural entropy is calculated, and the entropy features are normalized for the same protocol type, session background and historical normal communication scenarios to construct a dynamic baseline entropy profile. During system operation, the dynamic baseline entropy profile is continuously updated. By comparing the entropy value of the current window with the entropy value of the previous window, it is detected whether the entropy change difference between adjacent windows exceeds the sliding entropy change threshold. If it exceeds the threshold, it is determined that entropy change drift has occurred and is marked as a potential abnormal interval. The sliding entropy change threshold is adaptively adjusted based on the mean and standard deviation of recent normal entropy values. For the marked entropy change drift events, cluster analysis is performed based on multidimensional features such as entropy change pattern, protocol type, session role, time distribution and window scale type. Combined with logical consistency verification rules and occasional anomaly exclusion strategy, high-confidence suspected hidden channel instances are output.
[0007] In a preferred embodiment of the present invention, a source analysis report is generated that includes a sequence of protocol behavior events during anomalies, an entropy evolution trajectory, and key field modification records. The report is then used as feedback input to fine-tune the entropy drift threshold, feature selection conditions, and baseline model parameters, thereby achieving online optimization of the detection model.
[0008] In the step of acquiring industrial control network communication signals, hardware probes are deployed on PLC controllers, SCADA servers, core switch mirror ports, or engineering station hosts to capture full-duplex communication data in a promiscuous mode and retain microsecond-level timestamps.
[0009] In a preferred embodiment of the present invention, in the steps of protocol identification and layered parsing, deep packet inspection technology is used in combination with protocol feature fingerprint database matching to identify the protocol type, and layered decoding is performed on at least one of the Modbus / TCP, Profinet IO, Ethernet / IP, OPC UA or DNP3 protocols according to the semantic structure defined by the IEC 61158 or IEC 61784 standards to restore the interpretable behavioral units of reading registers, writing coils or state update cycles.
[0010] In a preferred embodiment of the present invention, the division of the multi-scale behavior window further includes: using a fixed-time sliding window slice for control flows with strong periodicity, taking a complete session as an independent analysis unit for non-periodic tasks, and dividing request-response interactions into pairs of application layer transactions as the smallest unit.
[0011] In a preferred embodiment of the present invention, information entropy is used to measure the uncertainty of the value distribution of a specific field within a window, transition entropy is used to characterize the state transition dependency between commands, and structural entropy is used to characterize the communication topology complexity composed of command types and their transition relationships.
[0012] In a preferred embodiment of the present invention, the normalization process employs the Z-score standardization method, which uses the mean and standard deviation of entropy values of similar protocols under historical normal operating conditions to standardize the current entropy value, thereby making the entropy values of different protocols comparable.
[0013] In a preferred embodiment of the present invention, the sensitivity adjustment coefficient is set to 2.5 by default in the adaptive mechanism of the sliding entropy change threshold, and can be dynamically adjusted according to the false alarm rate or the missed alarm rate to balance detection sensitivity and stability.
[0014] In a preferred embodiment of the present invention, multidimensional feature clustering uses the DBSCAN density clustering algorithm to classify abnormal events, identify abnormal clusters with similar behavioral patterns, and eliminate false alarms that do not conform to the behavior rules of industrial control by combining the logical consistency rule that "the same device should not frequently switch master and slave roles".
[0015] In a preferred embodiment of the present invention, the source tracing analysis report includes information encoding path inference; and the source tracing analysis report is used to drive the retraining process of the detection model, adding confirmed abnormal samples to the training set to recalibrate the entropy baseline distribution of various protocols.
[0016] The second objective of this invention is to provide an industrial control protocol covert channel detection system for implementing the industrial control protocol covert channel detection method described above.
[0017] The beneficial effects of this invention are as follows: This invention provides a method for detecting hidden channels in industrial control protocols. The method includes: acquiring multi-source industrial control network communication data; obtaining session flow, command flow, and field-level change sequences through protocol identification and hierarchical parsing; dividing the data into three behavior windows: fixed duration, session length, and logical transaction; extracting communication events to form multi-granularity behavior sequences; calculating and normalizing information entropy, transfer entropy, or structural entropy to construct a dynamic baseline entropy profile; detecting entropy drift based on an adaptive sliding threshold and marking abnormal intervals; performing multi-dimensional feature clustering on entropy change events and combining it with logical verification to output suspected hidden channel instances; generating a source tracing report and providing feedback to optimize detection model parameters. This method, by constructing a multi-scale behavior analysis mechanism combining a fixed duration window, a session length window, and a logical transaction window, can simultaneously capture protocol behavior features from three dimensions: temporal continuity, session integrity, and semantic logic. This effectively solves the problem that traditional single-window methods struggle to simultaneously handle both short-term sudden anomalies and long-term behavior shifts. Building upon this foundation, the method integrates three statistical features—information entropy, transition entropy, and structural entropy—to comprehensively characterize field value distribution, command state transition dependencies, and communication topology complexity. This enables accurate identification of subtle statistical disturbances caused by concealed channels, significantly improving the detection rate. Furthermore, the entropy features are normalized for the same protocol type, session background, and historical normal communication scenarios, eliminating interference from differences in statistical characteristics between different protocols and ensuring comparability for cross-protocol anomaly detection. The sliding entropy threshold is adaptively adjusted based on the mean and standard deviation of recent normal entropy values, overcoming the limitation of static thresholds in adapting to environmental fluctuations. Simultaneously, by combining multi-dimensional feature clustering with logical consistency verification, it effectively filters out occasional noise and false alarms that do not conform to industrial control behavior patterns, outputting high-confidence suspected concealed channel instances and significantly improving the reliability of detection results. This method also collects raw communication data from multiple physical locations, retaining microsecond-level timestamps and spatial tags, enabling cross-regional behavior comparison and collaborative analysis capabilities, and can identify distributed or skip-type concealed channels. The dynamic baseline entropy profile can be continuously updated during operation and supports loading preset templates under different working conditions. It can also automatically trigger model retraining when new equipment is launched or the protocol is upgraded, enabling the detection system to adapt to changes in the industrial environment and ensuring long-term stability and applicability.
[0018] This application also provides a system that implements the concealed passage detection method of the above-mentioned industrial control protocol. In the process of implementing the above-mentioned method, the system can accurately identify the weak statistical disturbances caused by concealed passages, greatly improve the detection rate, and effectively reduce the false alarm rate and the false negative rate. Attached Figure Description
[0019] Figure 1 This is a flowchart of the industrial control protocol covert channel detection method provided in Embodiment 1 of the present invention. Detailed Implementation
[0020] Preferred embodiments of the invention will now be described in more detail with reference to the accompanying drawings. While preferred embodiments of the invention are shown in the drawings, it should be understood that the invention may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that the invention will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
[0021] Current technologies for detecting covert channels in industrial control protocols mainly employ feature matching, abnormal behavior analysis, and protocol consistency verification. While these methods are effective in identifying known types of covert channels, they suffer from significant technical limitations when facing complex scenarios characterized by the diversification of industrial control protocols, the proliferation of covert methods, and the prevalence of zero-day attacks. (1) It is poorly adapted to fine-grained variations of protocols and new covert methods, making it difficult to detect low-rate, highly disguised variant covert channels; (2) The detection model relies too much on expert experience and prior rules, the rule base is updated late, and the configuration and maintenance costs are high; (3) The false alarm rate and the false alarm rate are too high, which makes it easy to misjudge normal industrial business fluctuations as abnormalities and affect the continuity of production; (4) Insufficient real-time and high-concurrency processing capabilities make it difficult to meet the needs of large-scale, high-real-time flow monitoring in industrial sites, thus limiting actual deployment.
[0022] Therefore, this application provides a method for detecting concealed channels in industrial control protocols to overcome the shortcomings of existing technologies.
[0023] Example 1 like Figure 1 As shown in the figure, this embodiment provides a method for detecting concealed channels in industrial control protocols, which includes the following steps: S1: Acquire industrial control network communication signals.
[0024] Distributed data acquisition nodes are deployed in industrial control systems, covering physical locations such as key production equipment, PLC controllers, SCADA servers, and network switch ports. Mirrored ports (SPAN) or optical splitters are used to capture data link layer communication signals at Ethernet and higher layers, obtaining a set of raw communication stream data packets containing a mixture of industrial protocols such as Modbus / TCP, Profinet, and OPC UA. The acquired data includes message timestamps, source / destination IP and MAC addresses, protocol type identifiers, payload content, and its length, providing a multi-dimensional input foundation for subsequent cross-protocol and cross-regional collaborative analysis.
[0025] S2: Execution Protocol Identification and Layered Resolution.
[0026] Based on the raw communication flow data, deep packet inspection (DPI) technology combined with protocol feature fingerprint database matching is used to automatically identify the industrial control protocol category to which each communication flow belongs. Then, according to the semantic structure defined in the protocol specification document, layered parsing is performed on each protocol category, decoding the raw binary message level by level into session layer session flow, application layer command flow, and field-level attribute change sequence. Interpretable behavioral units such as "read register", "write coil", and "status update cycle" are extracted, and a structured behavioral log database indexed by session ID and transaction ID is established.
[0027] S3: Generate multi-scale protocol behavior windows.
[0028] Based on the business cycle characteristics, typical session duration, and logical transaction boundaries of different protocol traffic, session flow and command flow are divided into three types of analysis windows: fixed-duration windows (e.g., one window every 10 seconds), session length windows (each complete session is considered an analysis unit), and logical transaction windows (based on request-response pair partitioning). Within each window, a series of communication behavior events are extracted, including message direction (uplink / downlink), parameter change frequency, number of modifications to specific redundant fields, field value jump amplitude, and interaction response latency fluctuations, forming a multi-granularity behavior event sequence for subsequent entropy calculation.
[0029] S4: Calculate the entropy features of the multi-scale behavior window.
[0030] Using event sequences within a multi-scale protocol behavior window as input for statistical modeling, three types of entropy indices—information entropy, transfer entropy, and structural entropy—are calculated. Information entropy reflects the uncertainty of field value distribution, transfer entropy characterizes the asymmetric dependencies in state transitions between commands, and structural entropy represents the topological complexity of the communication pattern. For each type of entropy value, normalization is performed within the same protocol type, similar session background, and historical normal operation intervals to construct a dynamic baseline entropy profile matrix, which describes the behavioral fingerprint characteristics of various protocols under normal conditions.
[0031] S5: Implement real-time entropy change drift detection.
[0032] During system operation, the dynamic baseline entropy profile is continuously updated, and differential analysis is performed on the actual entropy value sequence in the current sliding window to calculate the entropy difference between adjacent windows. An adaptive sliding entropy threshold mechanism is introduced, which dynamically adjusts the threshold based on the standard deviation and moving average of historical normal samples: ; in, This represents the recent average normal entropy value. Its standard deviation, This is the sensitivity adjustment factor (default value is 2.5). When When an entropy shift occurs, the time period is marked as a potential abnormal interval.
[0033] S6: Perform multidimensional feature clustering and anomaly filtering.
[0034] For all tagged entropy change drift events, multi-dimensional feature vectors are extracted, including: entropy change pattern (rising / falling / oscillating), corresponding protocol type, session role (master / slave), time distribution (whether concentrated in non-working hours), and window scale type. The DBSCAN density clustering algorithm is used to classify abnormal events and identify abnormal clusters with similar behavioral patterns. Simultaneously, combined with logical consistency verification rules (such as "the same device should not frequently switch master / slave roles") and occasional noise elimination strategies (such as single transient disturbances not triggering alarms), false alarms are eliminated, and a high-confidence list of suspected covert channel instances is output.
[0035] S7: Generate source tracing analysis results and model fine-tuning feedback.
[0036] For confirmed suspected covert channel instances, the system automatically generates a communication behavior backtracking report, which includes a complete sequence of protocol behavior events during the anomaly period, an entropy evolution trajectory diagram, key field modification records, and possible information encoding path inferences. This report serves as feedback input, driving fine-tuning of model parameters: on the one hand, the confirmed anomaly samples are added to the training set to recalibrate the entropy baseline distribution of various protocols; on the other hand, clustering weights and threshold sensitivity parameters are adjusted based on false alarm cases to achieve online iterative optimization of the detection model.
[0037] S8: Integrated operation and maintenance alarm interface and scenario adaptation optimization.
[0038] This detection method can be embedded into industrial firewalls or security monitoring platforms, and linked with SIEM systems and monitoring host alarm modules through standardized API interfaces to achieve automatic alarm push and work order generation. Simultaneously, the system supports dynamically loading preset entropy profile templates based on the actual operating conditions of different production workshops (such as production cycle speed and differences in protocol usage ratios), and can automatically trigger model retraining processes based on environmental changes (such as new equipment deployment or protocol upgrades), thus achieving adaptive optimization for diverse industrial control scenarios.
[0039] Step S1: Acquire industrial control network communication signals. Specifically, this includes the following steps: Acquire communication signals from multiple physical location acquisition points.
[0040] Hardware probes are deployed at key network nodes, including edge acquisition units located next to the PLC control cabinet, mirrored ports of the core switch, and network interface cards of the engineering workstation host, to ensure coverage of the main communication paths between the control layer, monitoring layer, and management layer. The acquisition devices capture packets in promiscuous mode, capturing full-duplex communication data and preserving the original frame structure and time accuracy to the microsecond level.
[0041] Acquire data link signals at Ethernet and higher levels.
[0042] The data collection scope is limited to OSI model layer 2 (data link layer) and above, focusing on acquiring Ethernet frames with VLAN tags, parsing the IEEE 802.1Q encapsulation structure, extracting IP headers and transport layer protocol fields (TCP / UDP), and stripping the underlying preamble and CRC check parts, retaining the payload part that can be used for higher-layer protocol analysis.
[0043] Obtain raw communication flow data containing different service flows and protocol types.
[0044] The raw data stream contains various concurrent services, such as real-time control command streams (high-frequency small packets), device status reporting streams (medium-frequency periodicity), configuration management operation streams (low-frequency bursts), and potential anomaly detection traffic. Independent communication streams are distinguished by a five-tuple (source IP, destination IP, source port, destination port, protocol number) and stored according to protocol type.
[0045] Build a multidimensional signal foundation to support cross-regional analysis.
[0046] Data from different geographical locations are uniformly tagged with spatial tags and synchronized with high-precision NTP timestamps, enabling spatiotemporal alignment of data from each node and supporting subsequent cross-regional behavior comparison and collaborative detection.
[0047] Enhanced ability to perceive differences in spatial dimensions.
[0048] By comparing data from multiple collection points horizontally, we can identify local anomalies (deviation at only one point) and global anomalies (synchronous offset at multiple points), thereby improving our ability to detect distributed hidden channels (such as leapfrog data leakage).
[0049] Provides the necessary time continuity and integrity for subsequent analysis.
[0050] Set up a local caching mechanism and breakpoint resume function to prevent data loss due to network congestion; at the same time, enable data compression and encrypted transmission to ensure the secure aggregation of massive communication streams and long-term storage availability.
[0051] Step S2: Perform protocol identification and layered parsing. Specifically, it includes the following steps: Automatic identification of industrial protocol types based on communication stream data.
[0052] A method combining rule matching and machine learning is adopted: First, well-known ports (such as 502→Modbus / TCP, 44818→CIP) are used for preliminary classification; then, payload feature extraction (such as function code distribution, message length pattern) is input into a lightweight neural network (such as MLP) to complete fine-grained recognition, with an accuracy of over 98%.
[0053] Layered parsing of various protocols is performed to extract semantic behavioral units.
[0054] Based on international standard documents such as IEC 61158 and IEC 61784, we constructed parsing engine plugin libraries for various protocols. For example, we sequentially parse the MBAP header, function code, and data area of Modbus / TCP packets to reconstruct specific operational semantics such as "read holding register" and "write multiple coils".
[0055] The original communication stream is decomposed into a session stream, a command stream, and a field-level change sequence.
[0056] Using the IP quintuple and session ID as keys, continuous communication is aggregated to form a session stream; each function call is extracted to form a command stream; further, the numerical change history of specific fields (such as a register address in Modbus) is tracked to form a field-level attribute change sequence.
[0057] Differentiate between different business cycles and session structures.
[0058] Determine whether the command stream is a periodic task (such as status polling every 50ms) or an event-driven interaction (such as manual start / stop commands) based on the time interval characteristics, and mark the session start and end flags.
[0059] Supports compatibility analysis for multiple mainstream industrial protocols.
[0060] The system has built-in modules for parsing various protocols, including Modbus / TCP, Profinet IO, Ethernet / IP, OPC UA, and DNP3. It can be extended to support new proprietary protocols or customized variants through plug-ins.
[0061] Output a structured behavior log database for subsequent modeling.
[0062] Write the parsing results to a time-series database (such as InfluxDB) or a columnar storage system (such as Parquet files), and establish an index structure with "timestamp + device ID + protocol type + behavior type" as the primary key to facilitate efficient querying and batch processing.
[0063] Step S3: Generate a multi-scale protocol behavior window. Specifically, this includes the following steps: Set a fixed duration behavior window based on the business cycle.
[0064] For control flows with strong periodicity (such as motion control commands being sent every 10ms), a fixed-time sliding window (such as 10 seconds) is used for slicing to ensure that each window contains enough periodic samples to support statistical modeling.
[0065] Divide the session-level behavior window according to the session length.
[0066] For non-periodic or long-cycle tasks (such as batch production startup processes), a complete session (from connection establishment to release) will be treated as an independent analysis unit to avoid cross-session aliasing interference.
[0067] Define transaction-level behavior windows based on logical transaction boundaries.
[0068] Identify application-layer transactions that occur in pairs of requests and responses (such as "read input register request" and its corresponding "return data response"), and combine them into the smallest transaction unit. This is suitable for analyzing the semantic coherence of commands and the compliance of responses.
[0069] Extract the sequence of communication events within each window.
[0070] The extracted events include, but are not limited to: message flow (client → server), command type frequency, number of times a specific field is modified (e.g., reserved fields are frequently assigned values), field value change rate, response latency jitter, message retransmission rate, etc.
[0071] A three-dimensional sliding window mechanism is introduced to enhance anomaly detection capabilities.
[0072] By running three window strategies in parallel, it is possible to simultaneously detect short-term burst disturbances (captured by the fixed window), long-term behavioral deviations (discovered by the session window), and semantic-level logical tampering (revealed by the transaction window).
[0073] A multi-granularity sequence of behavioral events is formed for subsequent entropy calculation.
[0074] The events within each window are encoded as discrete symbol sequences (e.g., A = read operation, B = write operation, C = abnormal field modification), which serve as the input sequences for calculating information entropy and transfer entropy, while preserving the temporal order of the original behaviors.
[0075] Step S4: Calculate the entropy features of the multi-scale behavior window. This specifically includes the following steps: Calculate information entropy to measure the uncertainty of the distribution of field values.
[0076] Suppose a certain field appears in the window The probability distribution of _n_ different values is as follows: Information entropy is defined as: ; in, value Frequency estimation. High entropy indicates highly random field values, which may be a manifestation of noise injection in covert channels.
[0077] Calculate the transition entropy to characterize the state transition dependencies between commands.
[0078] Transfer entropy is used to evaluate the transition from the previous command. To the current command The information flow intensity is given by the following formula: ; A significantly higher transfer entropy than the baseline may indicate the presence of implicit control flow-guided data transfer.
[0079] Calculate structural entropy to characterize the topological complexity of communication patterns.
[0080] The communication behavior is abstracted as a directed graph model, where nodes represent command types, edges represent transition relationships, and structural entropy is defined as the Shannon entropy of the degree distribution of nodes in the graph: ; in For degree The percentage of nodes. Hidden channels often lead to abnormally complex topologies.
[0081] The entropy value characteristics are normalized to eliminate the impact of protocol differences.
[0082] The Z-score normalization method is used to normalize various entropy values: ; in and These are the historical mean and standard deviation of similar protocols under normal conditions, making the entropy values of different protocols comparable.
[0083] Modeling is performed separately for different protocol types and session contexts.
[0084] We maintain independent entropy baseline models for different types of protocols such as Modbus and Profinet, and further subdivide them into master-side and slave-side behavior profiles to improve detection targeting.
[0085] Construct dynamic baseline entropy profiles to form behavioral fingerprint models.
[0086] The normalized multidimensional entropy features (information entropy, transfer entropy, and structural entropy) are combined into a feature vector, which accumulates over time to form a "three-dimensional heat map" of "entropy profile," intuitively showing the stable regions and variation trends of protocol behavior.
[0087] Step S5 involves real-time entropy change drift detection, specifically including: (1) Get the current window entropy value During system operation, the entropy value characteristics of the current sliding window (including fixed-duration windows, session-length windows, or logical transaction windows) are acquired in real time. For each type of entropy value (information entropy, transition entropy, and structural entropy), the entropy value of the current window is recorded. ,in This indicates the sequence number of the current window. The entropy value of each window is calculated based on the multi-granularity behavioral event sequence extracted within that window, reflecting the statistical characteristics of the protocol behavior during that time period.
[0088] (2) Calculate the entropy difference between adjacent windows For the current window entropy value Compared with the previous window entropy value Perform differential analysis to calculate the entropy variation difference: ; This difference value reflects the magnitude and direction of the change in entropy value of protocol behavior between adjacent windows. When A positive value indicates increased behavioral uncertainty; a negative value indicates decreased behavioral uncertainty. For the three entropy values (information entropy, transfer entropy, and structural entropy), their entropy variation differences are calculated independently to form a multidimensional entropy variation vector.
[0089] (3) Dynamically update the sliding entropy threshold An adaptive sliding entropy threshold mechanism is introduced, which dynamically adjusts the threshold based on historical statistics of recent normal entropy values. For each type of entropy value, a threshold of length is maintained. (In this embodiment, a sliding window of recent normal entropy values is used, taking 100 as the value, to record the most recent...) The entropy value of each window is determined as normal. After each window is inspected, the sample set in that sliding window is updated, and its mean is calculated. with standard deviation .
[0090] Current window's sliding entropy change threshold Calculate using the following formula: ; in: This represents the average of a recent sliding window of normal entropy values; The standard deviation of the recent normal entropy value sliding window; This is the sensitivity adjustment factor, with a default value of 2.5.
[0091] This threshold can be adaptively adjusted during operation: when the network environment is stable and normal behavior fluctuations are small. Smaller threshold, tighter threshold, and improved detection sensitivity; however, when the network environment fluctuates significantly... Increase the threshold, and the threshold will be automatically widened to avoid false alarms triggered by normal fluctuations.
[0092] (4) Determine entropy change drift and abnormal interval marking The absolute value of the entropy difference of the current window. With the sliding entropy threshold Comparison: like If so, it is determined that the current window has experienced entropy change drift, and this time period is marked as a potential abnormal interval; like If the current window behavior is normal, its entropy value is added to the recent normal entropy value sliding window for updating subsequent thresholds.
[0093] For the three types of entropy (information entropy, transfer entropy, and structural entropy), as long as the absolute value of the entropy change difference of any entropy value exceeds its corresponding dynamic threshold, it is determined that entropy change drift has occurred.
[0094] (5) Record abnormal interval information When entropy shift is detected, the system records the following information for subsequent analysis: Timestamps of the abnormal interval (start window time, end window time); Types of entropy values that undergo entropy shift (one or more of information entropy, transfer entropy, and structural entropy); Entropy change pattern (increasing or decreasing); Entropy change magnitude ; The corresponding window's protocol type, session role, and window size type; Key equipment identifiers involved (such as source IP, destination IP, PLC identifier).
[0095] (6) Multi-entropy value collaborative determination To improve detection reliability, step S5 further supports a multi-entropy value collaborative determination mechanism: If only a single entropy value drifts (such as only the information entropy exceeds the threshold while the transfer entropy and structural entropy are normal), the system marks it as a "weak anomaly" and puts it into a low-priority observation queue. If two or more entropy values drift simultaneously, the system marks them as "strong anomalies" and directly proceeds to the subsequent S6 multidimensional feature clustering and anomaly filtering stage. If all three entropy values drift, the system automatically increases the confidence weight of the abnormal interval.
[0096] (7) Dynamic optimization of threshold parameters Sensitivity adjustment coefficient It can be dynamically adjusted based on system operation feedback: When the false alarm rate increases recently (exceeding the preset limit, such as 5%), the system automatically increases the threshold. The value is increased by 0.1 each time, relaxing the threshold and reducing false alarms; When the false negative rate increases recently (discovered through subsequent manual verification or simulated attack testing), the system automatically reduces it. The value is decreased by 0.1 each time, tightening the threshold and improving sensitivity; The adjustment range is limited to Between these thresholds, avoid excessive threshold shifts that could cause detection performance to crash.
[0097] Through the above steps, S5 achieves real-time, adaptive detection of entropy shifts in protocol behavior, accurately capturing subtle statistical feature shifts caused by hidden channels. At the same time, it effectively resists interference caused by normal environmental fluctuations through a dynamic threshold mechanism, providing highly reliable abnormal event inputs for subsequent clustering analysis and anomaly filtering.
[0098] Example 2 This embodiment provides an industrial control protocol covert channel detection system for implementing the industrial control protocol covert channel detection method described above.
[0099] The system includes a data acquisition module, a protocol parsing module, a behavior window construction module, an entropy feature calculation module, a drift detection module, a clustering filtering module, a source tracing feedback module, and an alarm output module.
[0100] The working process of the system for which this application is claimed is described by deploying the detection system of this application in the industrial control network of an automobile manufacturing workshop.
[0101] The industrial control network environment includes multiple PLC controllers (Siemens S7-1200), a SCADA server, a core switch, and an engineering workstation host. Hardware probes are deployed at the mirror port of the core switch, the edge acquisition node next to the PLC control cabinet, and the network card interface of the engineering workstation host to capture full-duplex communication data in promiscuous mode and synchronize microsecond-level timestamps using an NTP server.
[0102] The data acquisition module captures data link signals at Ethernet and higher layers in real time, obtaining a set of raw communication stream data packets containing mixed transmissions of various industrial protocols such as Modbus / TCP, Profinet IO, and OPC UA. The acquired data includes: message timestamps, source / destination IP and MAC addresses, protocol type identifiers, payload content and its length. Independent communication streams are distinguished using a five-tuple (source IP, destination IP, source port, destination port, protocol number), and stored according to protocol type. All data is uniformly tagged with a location tag to identify the physical location of the data source, providing a spatiotemporal alignment basis for subsequent cross-regional collaborative analysis.
[0103] The protocol parsing module employs Deep Packet Inspection (DPI) technology combined with protocol feature fingerprint database matching to automatically identify the industrial control protocol category to which each communication flow belongs. Specifically, it first performs preliminary classification using well-known ports (such as 502 → Modbus / TCP, 44818 → CIP), and then completes fine-grained identification by extracting payload features (such as function code distribution and message length patterns) and inputting them into a lightweight neural network.
[0104] Based on international standards such as IEC 61158 and IEC 61784, layered parsing is implemented for each type of protocol. For example, Modbus / TCP messages are parsed sequentially, including the MBAP header, function code, and data area, to reconstruct specific operational semantics such as "reading holding registers" and "writing multiple coils." Profinet IO messages are parsed, including their periodic and non-periodic data portions, to extract behavioral units such as "status update cycle" and "parameter configuration." The parsing results form a session stream (aggregated using IP 5-tuple + session ID as the key), a command stream (each function call constitutes a command), and a field-level attribute change sequence (tracking the numerical change history of specific register addresses), which is then written to a time-series database using "timestamp + device ID + protocol type + behavior type" as the primary key.
[0105] The behavior window building module divides the session flow and command flow into three types of analysis windows based on the business cycle, session length, and logical transaction boundaries of the protocol traffic: Fixed-duration window: For control flows with strong periodicity (such as motion control commands being sent every 10ms), a fixed-time sliding window (such as 10 seconds) is used for slicing to ensure that each window contains enough periodic samples to support statistical modeling.
[0106] Session length window: For non-periodic or long-cycle tasks (such as batch production startup processes), a complete session (from connection establishment to release) is treated as an independent analysis unit to avoid cross-session aliasing interference.
[0107] Logical Transaction Window: Identifies application-layer transactions that occur in pairs of requests and responses (such as "read input register request" and its corresponding "return data response"), and combines them into the smallest transaction unit. It is suitable for analyzing the semantic coherence of commands and the compliance of responses.
[0108] Within each window, extract the following communication event sequences: message flow direction (uplink / downlink), command type frequency, number of times a specific field is modified (e.g., frequently assigned values to reserved fields in the Modbus protocol), field value change rate, response latency jitter, message retransmission ratio, etc., to form a multi-granularity behavioral event sequence.
[0109] The entropy feature calculation module calculates three types of entropy features for each event sequence within a window: (1) Information entropy: measures the uncertainty of the distribution of values of a specific field within a window. Suppose that a certain field has n different values within a window, and its probability distribution is p(x_i), then the information entropy is defined as: ; High entropy indicates that field values are highly random, which may be a manifestation of noise injection in covert channels.
[0110] (2) Transition entropy: Characterizes the state transition dependency between commands and evaluates the information flow intensity from the previous command X_{t-1} to the current command Y_t. ; (3) Structural entropy: The communication behavior is abstracted into a directed graph model, where nodes are command types and edges are transition relationships. The structural entropy is defined as the Shannon entropy of the degree distribution of nodes in the graph: ; Where P(k) represents the proportion of nodes with degree k. Hidden channels often lead to abnormally complex topologies.
[0111] For each type of entropy value, Z-score normalization is used for normalization: z = (x - μ) / σ, where μ and σ are the mean and standard deviation of the same type of protocol under historical normal operation, respectively, making the entropy values of different protocols comparable. Independent entropy baseline models are maintained for different types of protocols such as Modbus and Profinet, and further subdivided into master-side and slave-side behavioral profiles to form a dynamic baseline entropy profile matrix, which describes the behavioral fingerprint characteristics of various protocols under normal conditions.
[0112] The drift detection module continuously updates the dynamic baseline entropy profile during system operation. For the actual entropy value sequence in the current sliding window, the entropy difference between adjacent windows is calculated as ΔH(t) = H(t) - H(t-1). An adaptive sliding entropy threshold mechanism is introduced, which is dynamically adjusted based on the standard deviation and moving average of historical normal samples. ; Where μ_hist is the recent mean of normal entropy values, σ_hist is its standard deviation, and k is the sensitivity adjustment coefficient. In this embodiment, k is set to 2.5 by default and can be dynamically adjusted according to the false alarm rate or false negative rate. When |ΔH(t)|>θ(t), entropy drift is determined to have occurred, and this time period is marked as a potential abnormal interval.
[0113] The clustering filtering module extracts multi-dimensional feature vectors for all labeled entropy change drift events, including: entropy change pattern (rising / falling / oscillating), corresponding protocol type, session role (master / slave), time distribution (whether it is concentrated in non-working hours), window scale type, etc.
[0114] The DBSCAN density clustering algorithm is used to classify abnormal events, setting a neighborhood radius ε and a minimum sample size MinPts to identify abnormal clusters with similar behavioral patterns. Simultaneously, logical consistency verification rules, such as "the same device should not frequently switch master-slave roles," "the ratio of write operations to read operations should conform to the normal behavior of the device," and "reserved fields should be constant values during normal communication," are used to eliminate false alarms that do not conform to the industrial control behavior patterns. Combined with an occasional noise elimination strategy (e.g., a single transient disturbance does not trigger an alarm; multiple consecutive or cumulative disturbances are required to reach a certain number), a high-confidence list of suspected hidden channel instances is output.
[0115] For confirmed suspected covert channel instances, the source tracing feedback module automatically generates a communication behavior backtracking report, which includes: The complete sequence of protocol behavior events during the abnormal period; Entropy evolution trajectory diagram (including time-series change curves of information entropy, transfer entropy, and structural entropy); Key field modification records (such as the modified register address, modification time, and modified value); Possible information encoding path speculation (such as through redundant field encoding, time-series encoding, etc.).
[0116] This report serves as feedback input, driving fine-tuning of model parameters: The identified anomalous samples were added to the training set to recalibrate the entropy baseline distribution of various protocols. Adjust the DBSCAN clustering weights and sensitivity coefficient k based on false alarm cases; For the newly discovered hidden channel pattern, update the logical consistency verification rule base.
[0117] Achieve online iterative optimization of the detection model.
[0118] The alarm output module integrates with industrial firewalls, SIEM systems, and monitoring host alarm modules via standardized API interfaces to achieve automatic alarm push and work order generation. The system supports dynamically loading preset entropy profile templates based on the actual operating conditions of different production workshops (such as production cycle speed and differences in protocol usage ratios), and can automatically trigger model retraining processes based on environmental changes (such as new equipment going online or protocol upgrades) to achieve adaptive optimization for diverse industrial control scenarios.
[0119] This system employs a multi-scale behavioral analysis mechanism combining fixed-duration windows, session length windows, and logical transaction windows to simultaneously capture protocol behavioral characteristics across three dimensions: temporal continuity, session integrity, and semantic logic. In a real-world automotive manufacturing environment, this mechanism successfully detected a covert channel where attackers exploited reserved fields in the Modbus protocol to leak data, while traditional fixed-window-based detection methods missed detections due to misalignment between window boundaries and the attack cycle. Furthermore, the joint modeling of information entropy, transition entropy, and structural entropy accurately identified covert channel characteristics such as abnormal field value distributions, abrupt changes in command state transition dependencies, and complex communication topologies, significantly improving the detection rate compared to traditional methods.
[0120] By normalizing entropy characteristics based on protocol type and session background, misjudgments caused by statistical differences between different protocols such as Modbus and Profinet are eliminated. The sliding entropy threshold is adaptively adjusted based on the mean and standard deviation of recent normal entropy values. During a normal process adjustment on the production line (causing temporary fluctuations in protocol behavior), the static threshold scheme generated a large number of false alarms, while the adaptive threshold mechanism of this invention successfully distinguished between normal process fluctuations and attack behavior. Combining DBSCAN clustering and logical consistency verification further filters out occasional noise caused by instantaneous network jitter, reducing the final false alarm rate.
[0121] It should be noted that the use of terms such as "first" and "second" to define components is merely for the purpose of distinguishing the corresponding components. Unless otherwise stated, these terms have no special meaning and therefore should not be construed as limiting the scope of protection of this application. The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. For those skilled in the art, the present invention can have various modifications and variations. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A method for detecting concealed channels in industrial control protocols, characterized in that, include: Acquire Ethernet and higher-level data link signals from multiple physical location acquisition points in an industrial control network to obtain raw communication stream data containing different service flows and protocol types; The original communication stream data is subjected to protocol identification and hierarchical parsing, and the communication stream is decomposed into session stream, command stream and field-level attribute change sequence, and semantic behavioral units are extracted. Based on the business cycle, session length, and logical transaction boundary of the protocol traffic, the session flow and command flow are divided into three types of multi-scale behavior analysis windows: fixed duration window, session length window, and logical transaction window. Within each window, at least one communication event is extracted from message direction, parameter change frequency, number of times redundant fields are modified, and interaction response latency to form a multi-granularity behavior event sequence. Based on multi-granularity behavioral event sequences, at least one of the entropy features among information entropy, transfer entropy and structural entropy is calculated, and the entropy features are normalized for the same protocol type, session background and historical normal communication scenarios to construct a dynamic baseline entropy profile. During system operation, the dynamic baseline entropy profile is continuously updated. By comparing the entropy value of the current window with the entropy value of the previous window, it is detected whether the entropy change difference between adjacent windows exceeds the sliding entropy change threshold. If it exceeds the threshold, it is determined that entropy change drift has occurred and is marked as a potential abnormal interval. The sliding entropy change threshold is adaptively adjusted based on the mean and standard deviation of recent normal entropy values. For the marked entropy change drift events, cluster analysis is performed based on multidimensional features such as entropy change pattern, protocol type, session role, time distribution and window scale type. Combined with logical consistency verification rules and occasional anomaly exclusion strategy, high-confidence suspected hidden channel instances are output.
2. The method for detecting concealed channels in industrial control protocols according to claim 1, characterized in that: After outputting high-confidence suspected covert channel instances, the following is also included: Generate a source analysis report containing the sequence of protocol behavior events during the abnormal period, the entropy evolution trajectory, and the key field modification records. Use the report as feedback input to fine-tune the entropy drift threshold, feature selection conditions, and baseline model parameters to achieve online optimization of the detection model. The steps for acquiring industrial control network communication signals include: deploying hardware probes on PLC controllers, SCADA servers, core switch mirror ports, or engineering station hosts to capture full-duplex communication data in promiscuous mode and retain microsecond-level timestamps.
3. The method for detecting concealed channels in industrial control protocols according to claim 2, characterized in that: In the protocol identification and layered parsing steps, deep packet inspection technology is used in combination with protocol feature fingerprint database matching to identify the protocol type. Based on the semantic structure defined by the IEC 61158 or IEC 61784 standard, at least one of the Modbus / TCP, ProfinetIO, Ethernet / IP, OPC UA or DNP3 protocols is layered and decoded to restore the interpretable behavioral units of reading registers, writing coils or status update cycles.
4. The method for detecting concealed channels in industrial control protocols according to claim 1, characterized in that: The division of multi-scale behavior windows further includes: using fixed-time sliding window slicing for control flows with strong periodicity, taking a complete session as an independent analysis unit for non-periodic tasks, and dividing request-response interactions into pairs of application layer transactions as the smallest unit.
5. The method for detecting concealed channels in industrial control protocols according to claim 1, characterized in that: Information entropy is used to measure the uncertainty of the value distribution of a specific field within a window; transition entropy is used to characterize the state transition dependency between commands; and structural entropy is used to characterize the communication topology complexity composed of command types and their transition relationships.
6. The method for detecting concealed channels in industrial control protocols according to any one of claims 1-5, characterized in that: The normalization process employs the Z-score standardization method, which uses the mean and standard deviation of entropy values of similar protocols under historical normal operating conditions to standardize the current entropy value, making the entropy values of different protocols comparable.
7. The method for detecting concealed channels in industrial control protocols according to any one of claims 1-5, characterized in that: In the adaptive mechanism of the sliding entropy change threshold, the sensitivity adjustment coefficient is set to 2.5 by default and can be dynamically adjusted according to the false alarm rate or false negative rate to balance detection sensitivity and stability.
8. The method for detecting concealed channels in industrial control protocols according to any one of claims 1-5, characterized in that: Multidimensional feature clustering uses the DBSCAN density clustering algorithm to classify abnormal events, identify abnormal clusters with similar behavioral patterns, and combine the logical consistency rule of "the same device should not frequently switch master and slave roles" to eliminate false alarms that do not conform to the behavior rules of industrial control.
9. The method for detecting concealed channels in industrial control protocols according to claim 1, characterized in that: The source analysis report includes information encoding path inference; and the source analysis report is used to drive the retraining process of the detection model, adding confirmed abnormal samples to the training set to recalibrate the entropy baseline distribution of various protocols.
10. An industrial control protocol concealed channel detection system, characterized in that: Used to implement the concealed channel detection method for industrial control protocols as described in any one of claims 1-9.