Monitoring Controller's "DNA Sequence" For System Security

This paper presents research results on the detection of network security attacks in computer and control systems through the identification and monitoring of a synthetic "DNA sequence". Just as DNA characterizes the make up of the human body, and abnormal functioning of tissues can be traced to an altered DNA sequence, a "DNA sequence" of a computer system has similar functions. Changes in behavioral patterns of a computer system, such as virus attacks, are reflected in changes in the DNA sequence and appropriate actions can be taken. The security problem thus becomes one of defining what a DNA sequence should look like and how to monitor its evolution. The research aims at defining a DNA sequence for specific activities (e.g. TCP/IP traffic) and monitoring of its evolution. The paper describes schemes for handling changes in the DNA sequence which may result from legitimate operations or malicious attacks. We will also report on how the technology can be applied to a process control environment where industrial controllers are now equipped with HTTP servers for data access. Such an environment is