Article
Peer-Review Record

DpGuard: A Lightweight Attack Detection Method for an Industrial Bus Network

Electronics 2023, 12(5), 1121; https://doi.org/10.3390/electronics12051121
by Zecun Li 1, Qiang Wei 1, Rongkuan Ma 1,*, Yangyang Geng 1, Yahui Yang 1 and Zhuo Lv 2
Submission received: 28 January 2023 / Revised: 21 February 2023 / Accepted: 22 February 2023 / Published: 24 February 2023

Round 1

Reviewer 1 Report

The paper is well written. The topic and the state of the art of the protocol and the vulnerabilities are well described. Moreover, the software implementations that are used for packet inspection and analysis are cited. The methodology of the proposed solution defines the critical pillars of the strategy and summarizes through an example how the implementation will work.

The use case that is proposed is quite simple but relevant to the case that was described in the chapter below. Preferably an extra paragraph that will present how a different architecture can work with the proposed algorithm could be helpful.

I believe the paper is good enough and, as complementary notes, I would like to state that a) I am not sure how the proposed solution can overcome the DDoS attacks, b) how sensitive the algorithm is to power failures/instabilities and token resets or reinitialization of the token frame, and c) the same applies to adversary attacks which can destroy the learning model of the algorithm.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

The manuscript describes the implementation and use of an attack detection method for the industrial control bus PROFIBUS-DP. The authors compare their presented method DpGuard with already established methods and underline the high efficiency of DpGuard of 99,80% detection accuracy for semantic attacks with their work.

The manuscript is well written, readable and understandable, but I have the following notes to improve understanding and found some confusing inconsistencies that may be errors.

 My remarks:

Provide the long form for abbreviations

Line 8: PROFIBUS-DP (Decentralised Peripherals)

Line 21: PLC (Programmable Logic Controller)

Line 28: SCADA (Supervisory Control and Data Acquisition)

Line 28: DCS (Distributed Control System)

Line 130: SD1 (SD=Start Delimiter)

Line 133: SC (Short Confirmation)

 

Line 38: Not clear what is meant:

To detect ICS attacks, statistical analyses such as “quintets” of ICS network traffic [8-10] are effective for noisy attacks ... What are “quintets”?

Do you mean: ... such as message injections with “quintuple” speed ...

Recommend: rephrase the sentence!

 

Line 122: Rephrase the sentence!

Actual: Typical PROFIBUS-DP systems, as shown 122 in Figure 1.

Recommendation: Figure 1 shows a typical PROFIBUS-DP application.

 

Figure 1:

The Actuator 1 represents an oscilloscope. Confusing, how an oscilloscope is supposed to be an actuator!

Recommendation: Use actor 2 twice, also as actor 1.

 

Line 132: Possible Typo

... the function of the SD2 message is the transmission of fixed data ...

Is not SD3 intended for this?

 

Line 224: GSD files

Recommendation: For more clarity, add the sentence: GSD files contain information about the basic capabilities of the slave device.

 

Line 224: DO modules

What are DO modules? What does DO stand for?

 

Line 276: Sigma Σ

Recommendation: (si, ti, Σ) – Explain the use of Σ 

 

Line 291: Do not introduce new variable names when best-suited variable names exist.

Recommendation: Instead of message information <st, dr, sr, fc, pdu, checksum, et> use <sd, da, sa, fc, du, fcs, ed>. These variable names are already defined in the PROFIBUS frame definitions in Figure 2. This makes the association clearer. Change all occurrences in the manuscript.

 

Line 298 to line 314

Recommendation: Move the frame definitions after line 324. The explanations of the frames begin at line 325.

 

Line 340: Improve readability

Actual: The slave station replied to s packet (9) ...

Recommendation: The slave station replied to master packet (9) ...

 

Figure 4: Is the figure the correct one?

The figure is exactly the same as Figure 3.

Recommendation: Exchange the figure for another one or remove Figure 4.

 

Line 362: Confusing mathematical symbol

Does the symbol mean “not in”, which is also expressed by ∉?

 

Line 374: More details

Recommendation: Provide more details to improve the readability:

... the master device is a Siemens S7-300 PLC, the slave device is a Siemens ET200 peripheral controller (PC), ...

 

Line 384: Less is more

What is meant by RFC document? (Request for Comments?)

Recommendation: Simply write “PROFIBUS standard document”.

 

Line 386: Wrong sum of injection packages

Line 386 reports 1.200 fault injection packets, while summing up the frame numbers in Table 2 for Fault attack gives 2.150 fault injection packets.

Please check it.

 

Line 471

Recommendation: Write:

... with a Siemens S7-300 PLC and a Siemens ET200 PC ...

 

References are checked only randomly. All tested references were found.

From my point of view, the manuscript can be released for publication after minor revision.

 

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 3 Report

The paper has some drawbacks:

1. Lacks novelty. The comparison is with 4 similar methods; 3 of them are not clearly cited, and one of them seems not good enough.

2. Not well written. The data is not well prepared, the figures are rough.

3. Lacks efficient discussion. The experiment design is poor. It is not clear on these questions: Why is it lightweight? What is the cost of the good performance? What is the difficulty of the problem?

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 3 Report

This revision is better than the original one. Some suggestions:

(1) Are there some relations between the const values listed in Lines 322-338 and the items listed in Table 1? If there are, please make them clear.

(2) I encourage the authors to list the reference to define/declare these const values to help the readers if they are interested.

(3) Make the fonts consistent in all figures.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf
