2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

Abstract

With the development of the Internet, many industrial control system (ICS) remote management devices for key infrastructure, such as solar power plants, sewage treatment, and buildings, are easily exposed to the Internet through network connections. Existing studies on ICS detection cannot detect these remote management devices, which do not expose specific industrial control protocol services. Effectively identifying exposed real-world ICS remote management devices while minimizing the attack surface remains an enormous challenge. To address this challenge, we propose a Multi-level fEature fusioN DiscovEry fRamework (MENDER) for discovering neglected ICS remote management devices. First, we conduct comprehensive, multi-level data collection in the detection process, including the traffic generated by website access, web resource files, and HTML, and we build an efficient and comprehensive data detection and acquisition module. Second, we design a novel multi-level feature extraction and fusion model to mine key features from the raw data. We perform hierarchical clustering based on HTML features and combine the extracted multi-layered key features to filter potential ICS remote management devices. Third, we use the Random Forest model to classify and predict ICS devices based on the extracted multi-level features, aiming to learn inherent features in depth for enhanced detection of these remote management devices. In a month, we detect 1,069 devices in Japan; some of these devices are insecure, i.e., they allow access to the status of, or even control of, industrial devices without proper authentication. Compared with the existing method, MENDER reduces the time spent on device discovery by 94.1%, increases the number of devices discovered by 20.1%, and finds 26 different types of devices. MENDER's device discovery ability is superior to the existing method in both time and quantity.