TIDF: Timing-Based Device Fingerprinting for PLCs
摘要
Industrial Control Systems (ICS) often lack device-level authentication, making them vulnerable to unauthorized access to Programmable Logic Controllers (PLCs). To address this challenge, we propose a lightweight hybrid fingerprinting method, Timing-based Device Fingerprinting (TIDF), for detecting unauthorized PLCs based on communication processing time and clock pulse period. TIDF leverages stable ICS network conditions and inherent PLC hardware characteristics, and integrates these features into a unified system consisting of filtering, training, and anomaly detection modules. By employing Density-Based Spatial Clustering of Applications with Noise (DBSCAN) and One-Class Support Vector Machine (OCSVM), TIDF achieves accurate and efficient classification with low overhead. We evaluate TIDF on real-world data from 13 PLCs, including Siemens and Xinje, and further test its robustness against basic forgery attempts. The results show an anomaly detection rate of 96%, demonstrating the effectiveness of TIDF in detecting unauthorized device access attacks and enhancing ICS security.