Machine Learning Methods for Industrial Protocol Security Analysis: Issues, Taxonomy, and Directions

Machine learning has been widely studied for the security analysis of Industrial Control Systems (ICSs). In industrial scenarios, however, both the amount of data and the speed at which it is generated differ greatly from standard machine learning data sets, and turning these heterogeneous data into meaningful insights for practical ICS security applications is a major challenge. In addition, many ICSs were built long ago, when security was not seriously taken into account, and security assessment or attack prevention cannot always be done in real time, because an ICS must stay online at all times, especially when it supports critical infrastructure. In this work we provide a clear and comprehensive survey of the state-of-the-art work that employs machine learning in ICS security applications, including vulnerability analysis, vulnerability detection and exploitation, anomaly detection and security assessment. Based on this in-depth survey, we highlight the issues of analyzing industrial protocols with machine learning methods, present the security applications of machine learning in ICSs and indicate future directions.


I. INTRODUCTION
Industrial control systems are widely used in control domains such as energy, municipal services, water conservancy, railways, and petroleum and petrochemicals, and are indispensable to the stable operation of modern industry. ICS protocols are the channels through which a control system transmits information, so their security is closely tied to the safe and stable operation of the entire system. This paper therefore analyzes the security vulnerabilities of ICS protocols and gives examples of exploits, aiming to draw the attention of industrial security researchers so that appropriate security measures are taken in time.
There are many ICS protocols in use, although a specific industry typically relies on only one or a few of them. Industries with complex processes, such as manufacturing, may use several protocols at once, which complicates matters. SCADA protocols include a series of fieldbus protocols that communicate over serial links and a number of Ethernet-based protocols, including application-layer protocols carried over TCP/IP.
The associate editor coordinating the review of this manuscript and approving it for publication was Min Xia.
In the early days of industrial control systems, the protocols used were essentially fieldbus protocols over serial links. They mainly addressed digital communication between field devices such as intelligent instruments, controllers and actuators, and the transfer of information between these field devices and higher-level control systems. Because fieldbuses are easy to use, reliable and economical, they were embraced by many standards bodies and computer manufacturers, which led to a period of prosperous development.
Because of the wide variety of fieldbuses and standards, many hoped that Ethernet technology could reach down into the lower device layers and broadly replace existing fieldbus technology. Schneider has been an active advocate and practitioner of this idea, and a number of industrial products and practical applications are already available. With the advent of Ethernet and the advance of Internet technology, the early serial-link fieldbus protocols gradually evolved into Ethernet-based ones. For example, the Modbus family includes the serial-link Modbus RTU and Modbus ASCII, the proprietary Modbus Plus network, and the Ethernet-based Modbus TCP; the PROFIBUS family includes the serial-link PROFIBUS FMS, PROFIBUS DP and PROFIBUS PA and the Ethernet-based PROFINET CBA and PROFINET IO; DNP3, which grew out of early drafts of the IEC 60870-5 standard, has a serial-link variant and Ethernet-based DNP3 over TCP and UDP; and IEC 60870-5 itself has IEC 60870-5-101 over serial links and IEC 60870-5-104 over TCP/IP. In addition to these general-purpose protocols, ICSs in the power industry widely use protocols such as ICCP (IEC 60870-6, TASE.2) and IEC 61850.
Given the limits of the technology and the commercial interests of the various manufacturers, this variety of industrial bus technologies will continue to coexist, and Ethernet will keep gaining ground only gradually. Nonetheless, Ethernet-based ICS protocols are the direction of future development.
Enhancing the security of ICS protocols is one of the important ways to enhance the overall security of an industrial control system. A basic analysis of a protocol helps expose the security issues it contains, which in turn guides the development of security mechanisms that can eventually be incorporated into the protocol specification. Because of the diversity of ICS protocols and the large number of proprietary ones, the security analysis of industrial protocols is a relatively difficult task, and traditional methods cannot be adopted directly. Fortunately, there is a large body of research that uses machine learning algorithms for the security analysis, exploitation detection and security assessment of industrial protocols.
We make the following contributions: • We explain the reasons vulnerabilities form and, through experiments, exploit vulnerabilities in a number of protocols. The aim is to guide the hardening of existing protocols or the design of new, more secure ones by analyzing protocol security and fully exposing the existing risks.
• We survey the applications of machine learning algorithms to industrial protocols for security analysis, detection of vulnerability exploitation, and security assessment. We also present four methods for assessing ICS protocols and compare them.
• Based on our in-depth analysis of machine learning methods for industrial protocol security analysis, we summarize their issues and taxonomy, and provide a comprehensive perspective for future research work.
The structure of this paper is as follows. Section II sorts and categorizes relevant research work; Section III analyzes the causes of two types of vulnerabilities in ICS protocols and the machine learning algorithms applied to each; Section IV analyzes possible attacks on ICS protocols, gives examples of attack implementations, and classifies the exploitation detection algorithms; Section V introduces methods for risk assessment of ICS protocols and compares different machine learning algorithms; Section VI concludes the paper.

II. RELATED WORK
Many researchers have studied the security of ICS protocols, mainly focusing on the following aspects: security analysis of ICS protocols, vulnerability mining in ICS protocols, and security hardening of ICS protocols.

A. ICS PROTOCOLS SECURITY ANALYSIS
Luswata et al. [1] conducted a penetration test on Modbus TCP, evaluated existing security countermeasures specific to ICSs, and gave recommendations for improving ICS security. Grandgenett et al. [2] conducted exploit experiments on the Common Industrial Protocol (CIP), an application-layer protocol used by ICS components to communicate with each other, including exploits against authentication and privileged I/O in a CIP implementation. ANSI C12.22 specifies the communication interfaces for data communication networks in smart grids; Rrushi et al. [3] identified several design vulnerabilities in the ANSI C12.22 specification that can be exploited to cause denial of service and service interruptions, and presented revisions to the specification to mitigate them. Yoo and Shon [4] developed a grammar-based fuzzing tool that extracts dynamic information from the target program's execution and tested it against two applications that use the Modbus protocol, which is widely used in ICSs. Samtani et al. [5] used Shodan to search for Internet-exposed ICS devices and evaluated their vulnerabilities with Nessus against the National Vulnerability Database (NVD). Singh et al. [6] noted that DNP3 has an extensive specification and is complex to implement, and therefore studied attacks on function codes to help assess the security of protocol implementations.
Kim [7] discussed various threats and vulnerabilities faced by IP-based wireless sensor networks and proposed a suitable security management approach. Pidikiti et al. [8] analyzed the vulnerabilities of the IEC 60870-5-101 and -104 communication protocols, which are widely used in the power utility sector, conducted exploitation experiments, and proposed an experimental model based on the IEC 62351 standard to mitigate the attacks. By analyzing Modbus packets, Carcano et al. [9] inferred the correct behavior of the ICS and identified its critical states, and on that basis designed a state-based network intrusion detection system (NIDS). Liu et al. [10] pointed out that substations contain a large number of geographically dispersed IP-based communication networks, which gives them a large attack surface; they evaluated the threats facing ICSs and gave mitigation measures. Formby et al. [11] analyzed the security of TCP, which many power-grid devices use as the transport layer for their application protocols, and carried out TCP sequence number prediction attacks in a power-grid setting. Cardenas et al. [12] attacked a process control system and discussed risk assessment, detection and response for industrial control systems. Kalluri et al. [13] explained possible vulnerabilities in the power grid, implemented a denial-of-service attack against it, and analyzed the impact. Bellettini and Rrushi [14] represented memory access taintedness as a decision tree to analyze ICS protocol binaries, aiming to find memory corruption vulnerabilities in implementations. Cagalaban and Kim [15] modeled ICSs with attack trees, performed vulnerability analysis, and proposed a security framework to improve ICS security.

B. ICS PROTOCOLS VULNERABILITY MINING
Bratus et al. [16] designed an inline fuzzing tool named LZFuzz that, positioned as a man-in-the-middle, fuzzes ICS protocol traffic in both directions; it achieved good results on ICS protocols that are proprietary or poorly documented. In our previous work [17], we designed a fuzzing tool called EUFuzz to address both the poor documentation of proprietary protocols and the low efficiency of fuzzing them. EUFuzz quickly identifies the packet structure and uses it to guide the fuzzing process, and achieved good performance. Choi et al. [18] proposed a multivariate static method for extracting protocol specifications from the binary protocols used in ICSs, so that the recovered specification can guide fuzz testing.

C. ICS PROTOCOLS SECURITY HARDENING
Bagaria et al. [19] pointed out that legacy ICSs are inherently insecure and rely on a large number of proprietary protocols, leaving the entire system highly exposed to attack. They therefore proposed a security-enhanced version of DNP3, called Flexi-DNP3 (Flexible Distributed Network Protocol), which exchanges keys for data encryption during communication. By analyzing the DNP3 protocol, Graham and Patel [20] identified the threats facing ICSs and effective mitigations, and proposed cost-effective countermeasures including SSL/TLS, IPsec, encryption, and message authentication. Zhang et al. [21] proposed a family of lightweight anonymous mutual authentication and key agreement protocols based on ECC and implemented on ARM Cortex-M0. Other work is also related to ICS protocols. Lin et al. [22] applied Bro to ICSs, built an intrusion detection system for the DNP3 protocol, and defined network events tied to the protocol's semantics. Xu et al. [23] gave an overview of recent advances in PLC attacks and protection technology, detailing several attack scenarios. Zhou et al. [24] summarized the ICS security strategies of different countries from the perspective of ICS security standards. In the wider area of software and system security, there is work on detecting or analyzing anomalies or malware with static analysis [25]-[33], dynamic analysis [34]-[39] or network traffic [40]-[51]. There is also work on privacy analysis in smart devices [52], on secure authentication protocols [53], [54], and on IoT [55]. None of this work, however, focuses on vulnerability analysis.

III. ICS PROTOCOL VULNERABILITY ANALYSIS
Identifying the causes of protocol vulnerabilities is a prerequisite for analyzing them. After reviewing a considerable body of literature, we conclude that industrial protocol vulnerabilities are mainly due to two factors. The first is defects introduced by the protocol designer [3], such as not considering security at all at the beginning of the design, or logic flaws in the protocol specification itself. The second is vulnerabilities introduced during development [2], [6], such as missing or incorrect bounds checks that stem from the programmer's skill level.

A. VULNERABILITIES IN DESIGN
There are big differences between industrial control systems and traditional IT systems, shown in Fig. 1. An ICS pays more attention to system availability and business continuity. Moreover, early ICSs were generally physically isolated and their production environments relatively closed, and people without specialist knowledge generally could not obtain an ICS attack-and-defense research environment or the related system information. Therefore, when ICS protocols were designed, more consideration was given to real-time behavior, efficiency and convenience, and the designers did not consider the related network security risks. They assumed that all network communication and all communicating parties within the ICS were legitimate, and so ignored the basic security properties of network communication (as shown in Fig. 2). However, as ICSs adopted IP-based control protocols or migrated legacy serial protocols onto the application layer of TCP/IP, they became exposed to the Internet. The Stuxnet attack [56], discovered in 2010, marked the beginning of attackers' serious interest in ICSs.
Regarding machine learning for the analysis of protocol design vulnerabilities, Comparetti et al. [57] used a variety of algorithms, including sequence alignment (specifically the Needleman-Wunsch algorithm), partitioning around medoids (PAM) clustering, the Exbar algorithm, the sk-strings algorithm and the beams algorithm, to automatically infer a protocol's state machine, a major improvement in protocol reverse engineering. They also designed their own state machine extraction algorithm, which can extract messages of different types and generate a protocol specification that includes a protocol state machine. The extracted specification can then be fed to a stateful fuzzer to discover security vulnerabilities in that protocol. Rrushi et al. [3] studied design vulnerabilities of the ANSI C12.22 protocol used in the smart grid, analyzed the protocol's architecture, gave details of the vulnerabilities they identified, conducted a series of exploit experiments to verify them, and finally proposed mitigations. Caselli et al. [58] employed machine learning to automatically extract rules from the BACnet protocol specification documents and convert them into intrusion detection rules for monitoring network traffic, which can identify process control errors and potentially dangerous misconfigurations. Zhang et al. [59] mined a protocol's precise state machine in depth and designed a state-machine space mining algorithm based on packet queries, which automatically learns and generates the protocol state machine through interactive grammar inference. Shim et al. [60] studied specification extraction for unknown protocols, using an Apriori-based CSP (Contiguous Sequence Pattern) algorithm to extract the protocol's common strings and a tree-structured CSP algorithm to extract its static fields; it can extract even static fields that are rarely used. Lin et al. [22] designed and implemented an intrusion detection framework based on the protocol specification, developed a new parser supporting DNP3, analyzed ICS traffic at runtime, extracted data from network packets, and verified their compliance with the protocol specification.

B. VULNERABILITY IN IMPLEMENTATION
According to the vulnerability information reported by VLUHUB [61], the number of ICS vulnerabilities is rising (Fig. 3). Classified by type, design vulnerabilities account for only a small share, while vulnerabilities introduced in protocol implementations account for a large proportion (Fig. 4).
Table 4 lists some common insecure function calls in C and their safer replacements, so that programmers can add the proper checks to a protocol implementation according to the protocol specification and avoid repeating the same mistakes.
Because the implementation of a specific protocol involves many engineering details that may not be fully consistent with the protocol specification, vulnerabilities can arise. Shu and Lee [62] tested the security of protocol implementations using supervised machine learning, extracting a Symbolic Parameterized Extended Finite State Machine (SP-EFSM) model of the specific protocol and then investigating the message confidentiality of the implementation under the general Dolev-Yao attacker model [63]. Kim et al. [64] proposed a new fuzzing test case generation algorithm for security testing of protocol implementations in the smart grid; based on the characteristics of fuzzing, protocol fields are divided into three types, enabling cross-field and cross-layer test case generation. Zhao et al. [65] proposed a fuzzing framework called SeqFuzzer, which uses a deep learning model to learn the protocol frame structure automatically from communication traffic, handles the temporal features of stateful protocols, and generates manipulated but plausible messages as test cases; the EtherCAT protocol was tested and several vulnerabilities were found. Niedermaier et al. [66] used machine learning to learn the structure of proprietary ICS protocols and proposed PropFuzz, a fuzzing framework specifically for proprietary protocols. Huang et al. [67] used an improved differential evolution algorithm to raise the efficiency of fuzzing ICS protocols.
This section has analyzed the causes of vulnerabilities in ICS protocols, covering the two main factors, vulnerabilities in design and vulnerabilities in implementation, and the many machine learning algorithms that have been used to analyze both. Table 3 summarizes the section and gives a concise overview of the focus of the available literature. The next section presents experiments exploiting some typical vulnerabilities.

IV. VULNERABILITY EXPLOITATION AND ANOMALY DETECTION
Rrushi [68] analyzed vulnerabilities of the IEC 61850 and Modbus protocols and showed how to exploit them to maximize physical damage. Our work differs considerably from his experiments. First, we enumerate the attack surface created by ICS protocol vulnerabilities, that is, the possible entry points and attack scenarios; then we exploit some of the typical vulnerabilities.

A. POTENTIAL ATTACK SCENARIOS
Agostin [69] gave a detailed description of potential points of entry, shown in Fig. 5. The potential attack scenarios include external networks, infected remote support, modems, diagnostic networks, infected laptops/PCs, unauthorized connections, infected office networks, denial of service, print/copy/fax machines, package vendors and third-party networks. All of these scenarios are closely tied to protocol vulnerabilities: as long as attackers can communicate with the ICS network, they can easily mount an attack.

B. PROOF OF CONCEPT
We now exploit ICS protocol vulnerabilities in practice. Green et al. [70] used a testbed environment to conduct man-in-the-middle attacks against ICSs, showing the importance of understanding the physical process when carrying out targeted ICS attacks. But what if we know little about how the ICS operates and simply exploit the ICS protocol vulnerabilities; can we still carry out a successful attack? The answer is yes. We take Modbus as the example.

1) EXPERIMENT ENVIRONMENT
To minimize the damage a real attack would cause, we use Modbus simulation software [71] instead of real equipment to conduct the attack experiments and illustrate the existence and severity of the vulnerabilities. The simulation suite consists of two programs, Modbus Poll and Modbus Slave. The experimental setup is shown in Fig. 6. In normal operation, Modbus Slave acts as the server, listening on TCP port 502 and responding to the data requests of Modbus Poll. Modbus Poll's source port is assigned by the operating system; in this experiment it is 24547. In the initial state Modbus Poll sends a Read Coils command and Modbus Slave responds to it; as shown in Fig. 7 and Fig. 8, the polling cycle is 1000 ms.

2) ATTACK PRACTICES
In this section we launch four attack experiments to illustrate communication information exposure, data tampering, illegal function codes, and denial of service.

No.1. Communication Information Exposure:
Since the protocol has no encryption mechanism, the whole communication can be monitored by a third party to infer key information about the ICS, such as the port used by the master, the requested function code, the content of the response, and the actual control state of each coil. In this experiment, Wireshark [72] is used to capture the network traffic. From the intercepted TCP handshake packets (No. 1578-1580, Fig. 9) we can easily see that the Modbus master uses port 24547 and has IP address 10.10.28.176, and that the IP address of the Modbus slave is 10.10.258.122. From the request packet (No. 2333, Fig. 10) we see that the function requested by the master is Read Coils (function code 01H), that the starting address is 0, that 10 coils are requested, and that the unit identifier of the peer Modbus slave is 1. From the response packet (No. 2334, Fig. 11) we see that bits 1, 3, 5, 7 and 9 are all 1 and the remaining coils are 0. Attackers can use this information to strike targets precisely, causing maximum physical damage.

No.2. Data Tampering Attack:
Because Modbus neither encrypts traffic nor authenticates the sender of a function code, we use the laptop to hijack the communication and send a Write Multiple Coils command (function code 0FH), changing the state of several coils from 0 to 1. In a real ICS this would close several switches at once and could even bring down the whole system (Fig. 12).

No.3. Illegal Function Code:
Because Modbus does not authenticate function codes, forged requests are easy to craft. While the master and slave are communicating normally, we use the laptop to send fake packets containing an illegal function code, causing the real Modbus master to receive an erroneous (exception) response (Fig. 13).

No.4. DoS Attack:
Because Modbus lacks authentication, any machine can talk to the Modbus slave on port 502. We use the laptop to send continuous data requests to port 502 with a much shorter polling interval, 50 ms for example, so that the legitimate Modbus master's service is interrupted and it receives nothing from the slave (Fig. 14).
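The frames exchanged in the four experiments above, as an added example that is not part of the paper: Python code that builds the master's Read Coils and the attacker's Write Multiple Coils requests, decodes the slave's normal and exception replies, and applies the MBAP consistency checks that Section III.B asks of implementations (a length field that disagrees with the bytes actually received is rejected before anything is indexed or copied). The byte strings are constructed to match the values reported above (unit 1, starting address 0, 10 coils, coils 1, 3, 5, 7 and 9 set); the illegal function code 0x42 and the transaction identifiers are arbitrary choices for the example.

```python
"""Modbus/TCP framing for the four experiments above: build the master's requests,
decode the slave's replies, and apply the consistency checks a conformant
implementation must perform before trusting a length field. Added example, not
code from the paper; all byte strings are constructed, not captured traffic."""
import struct

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253           # Modbus PDU limit; a Modbus/TCP ADU is therefore at most 260 bytes

READ_COILS = 0x01
WRITE_MULTIPLE_COILS = 0x0F
EXCEPTION_ILLEGAL_FUNCTION = 0x01


def build_adu(tid, unit, pdu):
    """Prefix a PDU with an MBAP header; the length field counts unit id + PDU."""
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU exceeds %d bytes" % MAX_PDU)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_coils_request(tid, unit, addr, qty):
    return build_adu(tid, unit, struct.pack(">BHH", READ_COILS, addr, qty))


def write_multiple_coils_request(tid, unit, addr, values):
    """values: 0/1 per coil starting at addr, packed LSB first (function code 0x0F)."""
    packed = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        if v:
            packed[i // 8] |= 1 << (i % 8)
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_COILS, addr, len(values), len(packed)) + bytes(packed)
    return build_adu(tid, unit, pdu)


def parse_adu(frame):
    """Strict MBAP parser. It rejects frames whose header disagrees with the bytes
    actually received, the check a C implementation needs before it indexes or
    copies using the attacker-controlled length field."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    on_wire = len(frame) - 6          # bytes following the length field
    if length != on_wire:
        raise ValueError("MBAP length %d but %d bytes follow the length field" % (length, on_wire))
    if length - 1 > MAX_PDU:
        raise ValueError("PDU exceeds %d bytes" % MAX_PDU)
    return {"tid": tid, "unit": unit, "fc": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


def decode_read_coils_response(frame, qty):
    """Return coil states for a Read Coils reply, or the exception if the slave
    answered with fc | 0x80 (what the real master sees in experiment No.3)."""
    adu = parse_adu(frame)
    if adu["fc"] & 0x80:
        if len(adu["data"]) != 1:
            raise ValueError("malformed exception response")
        return {"exception": adu["data"][0], "fc": adu["fc"] & 0x7F}
    if adu["fc"] != READ_COILS:
        raise ValueError("unexpected function code 0x%02X" % adu["fc"])
    byte_count, bits = adu["data"][0], adu["data"][1:]
    if byte_count != len(bits) or byte_count != (qty + 7) // 8:
        raise ValueError("byte count inconsistent with payload or request")
    return [(bits[i // 8] >> (i % 8)) & 1 for i in range(qty)]


# Constructed frames mirroring the experiment: the master reads 10 coils of unit 1.
REQ_READ = read_coils_request(0x0001, 1, 0, 10)
# Slave reply: byte count 2; coils 1,3,5,7,9 set gives 0xAA, 0x02.
RESP_READ = build_adu(0x0001, 1, bytes([READ_COILS, 0x02, 0xAA, 0x02]))
# Attacker's Write Multiple Coils forcing all ten coils to 1 (experiment No.2).
REQ_WRITE = write_multiple_coils_request(0x0005, 1, 0, [1] * 10)
# Exception reply to the unsupported function code 0x42 (experiment No.3).
RESP_EXC = build_adu(0x0002, 1, bytes([0x80 | 0x42, EXCEPTION_ILLEGAL_FUNCTION]))
# Malformed frame: the header claims 20 bytes follow but only a 2-byte PDU does.
BAD_LENGTH = struct.pack(">HHHB", 3, 0, 20, 1) + bytes([READ_COILS, 0x00])


def strict_parse_rejects(frame):
    try:
        parse_adu(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("read request :", REQ_READ.hex())
    print("coil states  :", decode_read_coils_response(RESP_READ, 10))
    print("write request:", REQ_WRITE.hex())
    print("exception    :", decode_read_coils_response(RESP_EXC, 10))
    print("bad length rejected:", strict_parse_rejects(BAD_LENGTH))
```

Nothing in REQ_WRITE identifies or authenticates its sender, which is why sending it to port 502 of a simulated slave reproduces experiment No.2 without any knowledge of the process; the strict parser, by contrast, shows the minimum an implementation must verify before using header fields, since a length field taken on trust is exactly the kind of defect that fills Table 4.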

C. EXPLOITATION DETECTION
Much research has applied machine learning to detect exploitation of ICS protocol vulnerabilities. Schuster et al. [73] combined protocol knowledge with two unsupervised learning algorithms to detect attacks and faults in process control communication, achieving self-learning anomaly detection. Beaver et al. [74] studied several machine learning algorithms for detecting command and data injection scenarios in critical infrastructure, building models of benign and malicious command traffic to identify potential attacks. Anton et al. [75] applied machine learning and time-series anomaly detection to industrial network traffic on two different data sets to find attack events, and compared the performance of SVM and random forest. Anton et al. [76] designed a time-series anomaly detection method based on Matrix Profiles to detect attacks in industrial process data, and compared it with the one-class classifiers One-Class SVM and Isolation Forest. Bernieri et al. [77] compared and evaluated the performance of machine learning anomaly detectors in industrial control networks, analyzing the advantages and limitations of two such methods. Anton et al. [78] used machine learning anomaly detection to find malicious traffic in Modbus/TCP communication in virtual industrial scenarios, using the supervised algorithms support vector machines (SVMs), random forests and k-nearest neighbors (KNN) as well as k-means clustering; in their comparison, SVM and KNN performed best across data sets. Zolanvari et al. [79] introduced machine learning based models for intrusion detection in the Industrial Internet of Things and evaluated how well machine learning based anomaly detection identifies attacks such as backdoor deployment, command injection, and structured query language (SQL) injection. Addressing the difficulty of anomaly detection in industrial control systems, Sokolov et al. [80] complemented traditional anomaly detection with machine learning based methods, covering the most common machine learning techniques (decision trees, linear models, support vector machines) and deep learning models (neural networks), and compared their performance. Schuster et al. [81] applied one-class SVM (OCSVM) to detect anomalies in ICS network traffic, with performance suitable for real-time environments. Wang et al. [82] reviewed anomaly detection applications of machine learning in industrial networks, analyzed the advantages and disadvantages of different algorithms, and outlined future research trends for machine learning in ICS anomaly detection. Mantere et al. [83] analyzed the characteristics of ICS network traffic and used machine learning based methods to detect anomalies in network traffic in confined environments, with good performance.
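A compact instance of the self-learning approach several of the surveyed papers take, added here as an example and not taken from any of them: a baseline of attack-free Modbus/TCP request metadata is learned (the set of observed source/unit/function/address/count tuples and the request inter-arrival statistics per unit), and deviations are flagged. The records are constructed to mirror Section IV.B, with the legitimate master at 10.10.28.176 polling every 1000 ms and a hypothetical attacker at 10.10.28.200 issuing a Write Multiple Coils, an illegal function code and a 50 ms flood; the attacker's address and the timestamps are assumptions of the example.

```python
"""Self-learning anomaly detection on Modbus/TCP request metadata, in the spirit
of the unsupervised approaches surveyed above. Added example; it is not the method
of any cited paper. Records are constructed, not captured, and carry the fields a
parser would extract: time (s), source ip, unit id, function code, address, count."""
from collections import defaultdict
from statistics import mean, pstdev

T0 = 100.0
MASTER = "10.10.28.176"
# Attack-free baseline: the master polls 10 coils of unit 1 about every 1000 ms
# (constructed jitter of +/-2 ms).
BASELINE = [(T0 + i + (0.002 if i % 2 else -0.002), MASTER, 1, 0x01, 0, 10) for i in range(20)]

ATTACKER = "10.10.28.200"       # constructed address for the attacker's laptop
ATTACK = list(BASELINE[:6]) + [
    (T0 + 5.010, ATTACKER, 1, 0x0F, 0, 10),   # Write Multiple Coils (experiment No.2)
    (T0 + 5.500, ATTACKER, 1, 0x42, 0, 0),    # illegal function code (No.3)
] + [(T0 + 6.0 + k * 0.05, ATTACKER, 1, 0x01, 0, 10) for k in range(10)]  # 50 ms flood (No.4)


def learn_baseline(records):
    """Whitelist of observed (src, unit, fc, addr, qty) tuples plus, per unit id,
    the mean and standard deviation of request inter-arrival times."""
    profile, gaps, last = set(), defaultdict(list), {}
    for t, src, unit, fc, addr, qty in sorted(records):
        profile.add((src, unit, fc, addr, qty))
        if unit in last:
            gaps[unit].append(t - last[unit])
        last[unit] = t
    timing = {u: (mean(g), pstdev(g)) for u, g in gaps.items() if len(g) >= 2}
    return {"profile": profile, "timing": timing}


def detect(model, records, z=3.0, min_rel_sd=0.05):
    """Flag unknown masters, requests outside the learned profile, and polling of a
    unit faster than its baseline by more than z standard deviations. The deviation
    is floored at min_rel_sd * mean so a jitter-free baseline does not alert on noise."""
    alerts, last, reported = [], {}, set()
    known_srcs = {s for s, *_ in model["profile"]}
    for t, src, unit, fc, addr, qty in sorted(records):
        if src not in known_srcs and src not in reported:
            alerts.append({"t": t, "src": src, "reason": "unknown_master"})
            reported.add(src)
        if (src, unit, fc, addr, qty) not in model["profile"]:
            alerts.append({"t": t, "src": src, "reason": "unseen_request",
                           "detail": "fc=0x%02X addr=%d qty=%d" % (fc, addr, qty)})
        if unit in last and unit in model["timing"]:
            mu, sd = model["timing"][unit]
            sd = max(sd, min_rel_sd * mu)
            gap = t - last[unit]
            if (mu - gap) / sd > z:
                alerts.append({"t": t, "src": src, "reason": "polling_rate",
                               "detail": "gap %.0f ms vs baseline %.0f ms" % (gap * 1000, mu * 1000)})
        last[unit] = t
    return alerts


def run_demo():
    """Learn from BASELINE, then score BASELINE (should be silent) and ATTACK."""
    model = learn_baseline(BASELINE)
    return detect(model, BASELINE), detect(model, ATTACK)


if __name__ == "__main__":
    clean, attacked = run_demo()
    print("alerts on baseline:", len(clean))
    for a in attacked:
        print("%8.3f %-13s %-15s %s" % (a["t"], a["src"], a["reason"], a.get("detail", "")))
```

Keying the rate check on the unit id rather than on the source is deliberate: the flood in experiment No.4 arrives from a new source, so a per-source profile would have no baseline to compare against, whereas the slave being polled does. In practice the whitelist would be learned over a much longer window and the polling model would need to tolerate legitimate operator-initiated writes, which this example treats as anomalies.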

V. RISK ASSESSMENT
Attacks on ICS protocols are high-impact low-frequency (HILF) events [84], which means a detailed assessment is needed rather than describing risk simply as ''probability times consequence''. Fortunately, several methods can be used to assess risk qualitatively or quantitatively.
Risk assessment of ICS protocols mainly covers three aspects [85]: the basic security elements, the analysis of threats, and the impact of failures, as depicted in Fig. 15.

1) FAULT TREE ANALYSIS
Fault Tree Analysis (FTA) [86] takes a top event, the failure of a system, as the analysis target, finds the direct causes of the failure, and decomposes them from top to bottom, layer by layer. The fault tree is composed of different event symbols and logic gates, and the logical relationships between events are represented by the gates. These symbols can be divided into logic symbols, event symbols, and the like.
VOLUME 8, 2020

a: QUALITATIVE ANALYSIS OF FTA
Qualitative analysis aims to find the failure modes that are possible and can cause the top event, and to find all minimal cut sets (MCS) of the fault tree [86], as shown in Fig. 16. The simplified fault tree gives designers and analysts a valuable basis for qualitative analysis of the system: even if the probabilities of the bottom events are unknown, the MCS clearly tell administrators which areas are the weakest parts of the system's reliability.

b: QUANTITATIVE ANALYSIS OF FTA
Quantitative analysis is based on the probability of occurrence of the bottom event, with a certain degree of confidence to estimate the probability of occurrence of the top event, providing a quantitative basis for reliability design and analysis [86], as shown in Fig.17 and Fig.18.
In general it is very difficult to obtain an exact solution for complex systems, so simplification is usually required; we use the independence approximation, treating all events as independent, and compute the probability of the top event under this assumption. There are two models, the series model and the parallel model. Fig. 17 shows a series reliability model consisting of two components, A and B. The probability of success is R = AB, and the probability of system
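An executable version of the quantitative and qualitative FTA described above, added as an example rather than taken from the paper: basic events with failure probabilities are combined through AND gates (the parallel model) and OR gates (the series model) under the independence approximation, and the minimal cut sets are enumerated. The three-event tree, its probabilities and the event descriptions are constructed for illustration.

```python
"""Fault tree evaluation under the independence approximation used above:
quantitative top-event probability through AND gates (parallel model) and OR gates
(series model), and the qualitative minimal cut sets. Added example; the tree and
its basic-event probabilities are constructed for illustration, not from the paper."""
from itertools import product


class BasicEvent:
    def __init__(self, name, p):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probability out of range")
        self.name, self.p = name, p

    def prob(self):
        return self.p

    def cut_sets(self):
        return [frozenset([self.name])]


class Gate:
    def __init__(self, kind, *inputs):
        if kind not in ("AND", "OR"):
            raise ValueError("gate must be AND or OR")
        self.kind, self.inputs = kind, inputs

    def prob(self):
        """Independent inputs: AND fails only if all fail, OR fails if any fails."""
        ps = [g.prob() for g in self.inputs]
        if self.kind == "AND":
            return prod_(ps)
        return 1.0 - prod_(1.0 - p for p in ps)

    def cut_sets(self):
        """OR: union of the inputs' cut sets; AND: one set from each input, merged."""
        child_sets = [g.cut_sets() for g in self.inputs]
        if self.kind == "OR":
            sets = [s for cs in child_sets for s in cs]
        else:
            sets = [frozenset().union(*combo) for combo in product(*child_sets)]
        return minimal(sets)


def prod_(xs):
    r = 1.0
    for x in xs:
        r *= x
    return r


def minimal(sets):
    """Drop any cut set that is a proper superset of another (leaving the MCS)."""
    out = []
    for s in sorted(set(sets), key=len):
        if not any(m < s for m in out):
            out.append(s)
    return out


def series_reliability(*rs):
    """Series model of Fig. 17: every component must work, R = R_A * R_B * ..."""
    return prod_(rs)


def parallel_reliability(*rs):
    """Parallel model: the system works unless every component fails."""
    return 1.0 - prod_(1.0 - r for r in rs)


# Constructed tree. Top event: an unauthorized coil write reaches the actuator.
A = BasicEvent("A", 0.10)   # attacker gains a foothold on the ICS network
B = BasicEvent("B", 0.90)   # slave accepts an unauthenticated Write Coils request
C = BasicEvent("C", 0.02)   # a misconfigured HMI itself issues the wrong write
TOP = Gate("OR", Gate("AND", A, B), C)


if __name__ == "__main__":
    print("P(top) = %.4f" % TOP.prob())
    print("minimal cut sets:", [sorted(s) for s in TOP.cut_sets()])
    print("series R =", series_reliability(0.9, 0.9), " parallel R =", parallel_reliability(0.9, 0.9))
```

The cut sets are what the qualitative analysis delivers even when the probabilities are guesses: here {C} is a single-point failure and {A, B} says the protocol's lack of authentication (B) only matters once the network is reachable (A), which is the argument for network segmentation when the protocol itself cannot be changed.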

2) MARKOV MODEL
The Markov model [87] is a statistical model based on stochastic process theory. Its original form is the Markov chain, which is used to study the migration of a dynamic system through a discrete state space. A Markov chain is a Markov process in which both time and state are discrete, written $X_n = X(n)$, $n = 0, 1, 2, \dots$
In such a process, given the present state, the past is irrelevant for predicting the future. At each step the system may move from one state to another according to a probability distribution, or remain in its current state. A change of state is called a transition.
The Markov chain is a sequence of random variables $X_1, X_2, X_3, \dots$. The range of these variables, that is, the set of all their possible values, is called the state space, and the value of $X_n$ is the state at time $n$. If the conditional distribution of $X_{n+1}$ given the past states depends only on $X_n$, then
$$P(X_{n+1} = x \mid X_0, X_1, X_2, \dots, X_n) = P(X_{n+1} = x \mid X_n),$$
where $x$ is a state of the process. This identity is the Markov property [88].
As shown in Fig. 19, the circles denote the states, the tail of each arrow denotes the source of a transition, the circle the arrow points to denotes its destination, and the number on each arrow is the probability of that transition. A first-order process with $M$ states has $M^2$ possible transitions. The probability of each is called the state transition probability, the probability of moving from one state to another, and the $M^2$ probabilities are collected in the $M \times M$ state transition matrix $P = (p_{ij})$, where $p_{ij} = P(X_{n+1} = j \mid X_n = i)$ and every row sums to 1. Using the state transition matrix we can perform a quantitative risk assessment of the ICS protocols and of the whole system.
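A worked example, added here and not from the paper, of the quantitative assessment the transition matrix enables: the state distribution after n steps and the stationary distribution of a chain are computed from an M x M row-stochastic matrix by repeated multiplication. The four-state model (Normal, Probed, Compromised, Recovered) and its transition probabilities are constructed for illustration.

```python
"""Markov chain risk evaluation: the state distribution after n steps and the
stationary distribution, both obtained by repeated multiplication with the
M x M state transition matrix. Added example; the four-state model and its
transition probabilities are constructed for illustration, not from the paper."""

STATES = ["Normal", "Probed", "Compromised", "Recovered"]

# P[i][j] = probability of moving from STATES[i] to STATES[j] in one step.
# Each row is a probability distribution over the next state (sums to 1).
P = [
    [0.90, 0.10, 0.00, 0.00],   # Normal: mostly stays, sometimes gets probed
    [0.30, 0.50, 0.20, 0.00],   # Probed: may fall back, persist, or be compromised
    [0.00, 0.00, 0.60, 0.40],   # Compromised: persists until recovery
    [0.80, 0.00, 0.00, 0.20],   # Recovered: returns to Normal
]


def validate(P):
    """Every row must be non-negative and sum to one (row-stochastic, square)."""
    for row in P:
        if len(row) != len(P) or any(p < 0 for p in row) or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError("P must be a square row-stochastic matrix")


def step(dist, P):
    """One transition: new_j = sum_i dist_i * p_ij (row vector times matrix)."""
    n = len(P)
    return [sum(dist[i] * P[i][j] for i in range(n)) for j in range(n)]


def distribution_after(P, start, n):
    """Distribution over states after n steps when starting in state index `start`."""
    validate(P)
    dist = [1.0 if i == start else 0.0 for i in range(len(P))]
    for _ in range(n):
        dist = step(dist, P)
    return dist


def stationary(P, tol=1e-12, max_iter=1_000_000):
    """Long-run fraction of time in each state, by power iteration until the
    distribution stops changing (the chain above is irreducible and aperiodic)."""
    validate(P)
    dist = [1.0 / len(P)] * len(P)
    for _ in range(max_iter):
        nxt = step(dist, P)
        if max(abs(a - b) for a, b in zip(dist, nxt)) < tol:
            return nxt
        dist = nxt
    raise RuntimeError("power iteration did not converge")


if __name__ == "__main__":
    for n in (1, 2, 10):
        d = distribution_after(P, 0, n)
        print("after %2d steps:" % n, {s: round(p, 4) for s, p in zip(STATES, d)})
    print("stationary    :", {s: round(p, 4) for s, p in zip(STATES, stationary(P))})
```

For this matrix the stationary distribution solves to (20/27, 4/27, 2/27, 1/27), so the system is expected to be in the Compromised state about 7.4% of the time in the long run; changing a single entry, for example lowering the Probed to Compromised probability by adding authentication, and recomputing is the kind of what-if analysis the text has in mind.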

3) BAYESIAN NETWORK
As mentioned above, the Markov chain describes a sequence of states. However, in many cases the relationships between things cannot be chained together. In such cases the Bayesian network [89] is used: each state is related only to the states directly connected to it, and not to those indirectly connected to it. The topology of the Bayesian network is more flexible than that of the Markov chain and is not constrained by the chain structure, so it describes the correlation between events more accurately. The Markov chain is a special case of the Bayesian network, and the Bayesian network is a generalization of the Markov chain.
The Bayesian network, also known as the belief network or the directed acyclic graphical model, is one type of probabilistic graphical model. It is an uncertainty processing model that simulates causal reasoning in humans. Its network topology is a directed acyclic graph (DAG). Let $G = (I, E)$ denote a DAG, where $I$ is the set of all nodes in the graph and $E$ is the set of directed edges, and let $X = (X_i)_{i \in I}$ be the random variables represented by the nodes. If the joint probability of $X$ can be expressed as: then $X$ is called a Bayesian network relative to the DAG $G$, where $pa(i)$ denotes the ''cause'' of node $i$, i.e., the parents of node $i$.
For any random variable, the joint probability can be obtained by multiplying the respective local conditional probabilities: In fact, the Bayesian network can be seen as a nonlinear extension of the Markov chain. The significance of this property is that the Bayesian network can easily compute the joint probability distribution.
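As an added example (not from the paper), the following Python implements the product-of-local-conditionals joint probability for a constructed four-node Bayesian network of ICS protocol risk factors and answers conditional queries by enumeration. The DAG, node names and all conditional probability table (CPT) values are assumptions chosen for illustration.

```python
# Added example (not from the paper): a small Bayesian network for ICS
# protocol risk, with the joint probability computed as the product of each
# node's local conditional probability given its parents.  All node names
# and probability values are constructed for illustration.
from itertools import product

# Node -> (parents, CPT).  CPT maps a tuple of parent values to P(node=True).
NETWORK = {
    "NoAuth":       ((),                     {(): 0.6}),
    "Exposed":      ((),                     {(): 0.3}),
    "UnauthWrite":  (("NoAuth", "Exposed"),  {(True, True): 0.8,
                                              (True, False): 0.2,
                                              (False, True): 0.1,
                                              (False, False): 0.01}),
    "ProcessUpset": (("UnauthWrite",),       {(True,): 0.7, (False,): 0.05}),
}

def joint(assignment):
    """P(X) = prod_i P(X_i | X_pa(i)) for a full True/False assignment."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def query(target, evidence):
    """P(target=True | evidence) by enumerating every full assignment
    consistent with the evidence and normalising."""
    nodes = list(NETWORK)
    num = den = 0.0
    for values in product([False, True], repeat=len(nodes)):
        a = dict(zip(nodes, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint(a)
        den += p
        if a[target]:
            num += p
    return num / den

if __name__ == "__main__":
    print("P(ProcessUpset) =", query("ProcessUpset", {}))
    print("P(ProcessUpset | NoAuth, Exposed) =",
          query("ProcessUpset", {"NoAuth": True, "Exposed": True}))
    print("P(NoAuth | ProcessUpset) =", query("NoAuth", {"ProcessUpset": True}))
```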

4) ATTACK TREE
The above three methods are concerned with failure scenarios, while the attack tree [90], [91] is more concerned with malicious attempts to manipulate a system. The attack tree uses a tree structure to represent the attacks faced by the system, where the root node represents the target being attacked and the leaf nodes represent the methods of achieving the attack target.
The attack tree has multiple levels of nodes, including the root node and leaf nodes. The level below the root node consists of leaf nodes, and the level below a leaf node again consists of leaf nodes. For a leaf node, the lower-level leaf nodes drawn directly from it are its child nodes; naturally, the leaf node is the parent node of its lower-level child nodes. For example, in Fig.20, the child nodes of leaf node C are leaf node D and leaf node F, so leaf node C is the parent node of leaf node D and leaf node F. In the attack tree, a child node is a condition that must be satisfied for its parent node to be true (i.e., node D being true can cause node C to be true).
Eric J. Byres [92] has utilized attack trees in assessing vulnerabilities in ICS systems, as depicted in Fig.21.
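As an added example (not from the paper), the following Python evaluates an attack tree with AND/OR gates bottom-up under the same independence approximation as the fault-tree series and parallel models earlier in this section (an AND/series node succeeds with the product of its children's probabilities, an OR/parallel node fails only if every child fails), and then ranks which single leaf mitigation most reduces the root probability. The node letters echo Fig.20, but the gate types and leaf probabilities are assumptions chosen for illustration.

```python
# Added example (not from the paper): bottom-up evaluation of an attack tree
# under the independence approximation used for the fault-tree series and
# parallel models (P(A and B) = P(A)P(B) for independent events).  Node labels
# follow the paper's Fig.20 letters; gate types and leaf probabilities are
# constructed for illustration.

# Each node: ("AND"|"OR", [children]) for a gate, or a float for a leaf.
TREE = {
    "root": ("OR", ["B", "C"]),
    "B":    0.05,
    "C":    ("AND", ["D", "F"]),     # C is true only if both D and F are true
    "D":    0.4,
    "F":    ("OR", ["G", "H"]),
    "G":    0.3,
    "H":    0.2,
}

def evaluate(tree, node):
    """Probability that `node` is true, assuming independent leaves."""
    spec = tree[node]
    if isinstance(spec, float):
        return spec
    gate, children = spec
    probs = [evaluate(tree, c) for c in children]
    if gate == "AND":            # series: every child must succeed
        p = 1.0
        for q in probs:
            p *= q
        return p
    if gate == "OR":             # parallel: fails only if every child fails
        p = 1.0
        for q in probs:
            p *= 1.0 - q
        return 1.0 - p
    raise ValueError("unknown gate %r" % gate)

def mitigation_ranking(tree, root="root"):
    """Root probability for the unmodified tree, plus the root probability
    obtained when each single leaf is fully mitigated (set to 0), sorted so
    the most effective single control comes first."""
    base = evaluate(tree, root)
    results = []
    for node, spec in tree.items():
        if isinstance(spec, float):
            patched = dict(tree)
            patched[node] = 0.0
            results.append((node, evaluate(patched, root)))
    return base, sorted(results, key=lambda r: r[1])

if __name__ == "__main__":
    base, ranking = mitigation_ranking(TREE)
    print("P(root) = %.4f" % base)
    for leaf, p in ranking:
        print("  mitigate %s -> P(root) = %.4f" % (leaf, p))
```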

B. METHODS COMPARISON
Different risk assessment methods have their own advantages and disadvantages and are applicable to different scenarios. Current mainstream risk assessment methods can be divided into two categories: methods based on knowledge reasoning and methods based on pattern recognition. Methods based on knowledge reasoning are the focus of current research and have produced many results; they reduce the impact of the researchers' subjectivity on the risk assessment to a certain extent. However, these methods are less intelligent and are also limited by the formulation of inference rules and the acquisition of prior probabilities. On the contrary, methods based on pattern recognition are more intelligent, but require a lot of training data to obtain the parameters of the model. A comparative analysis of the listed methods is performed below (see Table 4).
The current risk assessment methods have been applied in actual security assessment processes and have achieved good results. However, with the increasing complexity of industrial control systems and the continuous development of artificial intelligence technology, risk assessment needs to be performed in a more intelligent way. The future trend is to use deep learning methods to build a knowledge map and perform correlation analysis based on the protocol vulnerabilities, so as to obtain global security situation awareness of the whole system.

VI. CONCLUSION
In this paper, we analyzed the causes of ICS protocol vulnerability and summarized the two main categories of vulnerabilities: vulnerability in design and vulnerability in implementation. We analyzed some potential attack scenarios and conducted experiments to exploit several vulnerabilities. In addition, we presented the applications of machine learning algorithms to industrial protocols for security analysis, vulnerability exploitation detection, and security assessment. We also presented four methods for assessing ICS protocols and made a comparative analysis of these methods. Based on the research work presented in this paper, we conclude that in order to improve the security of the whole ICS system, protocol designers should consider security attributes when designing an ICS protocol, whether it is public or proprietary; protocol developers should conduct sufficient tests such as fuzzing before an implementation is put into practice; and system maintenance personnel should perform comprehensive risk assessment and take appropriate security measures in a timely manner. In all these aspects of research work, machine learning methods can play a great role, and they will play an increasingly important role in the field of industrial protocol security.
XIAOJUN ZHOU received the Ph.D. degree in cyberspace security from the University of Chinese Academy of Sciences, in 2018. He is currently responsible for or has participated in several industrial security projects, including a series of major scientific research projects such as the National Natural Science Foundation Projects, the National Key Research and Development Plan, and the Key Research and Development Projects of the Chinese Academy of Sciences. His research interests include industrial control protocol security analysis, industrial Internet security, and Internet of Things security.
ZHEN HAN received the Ph.D. degree from the China Academy of Engineering Physics, in 1991. He is currently a Professor with the School of Computer and Information Technology, Beijing Jiaotong University. He has authored or coauthored over 100 papers in various journals and international conferences. His main research interests include information security architecture and trusted computing.
HEQUN XIAN received the Ph.D. degree from the Institute of Software, Chinese Academy of Sciences, in 2009. He was a Visiting Scholar with the College of Information Science and Technology, The Pennsylvania State University. His research interests include cryptography, cloud computing security, and network security.
YA-NAN SONG is currently an Associate Professor with the School of Business, Macau University of Science and Technology, and the Coordinator of the International Business Major. Her research has embraced international economics and relations, with a special emphasis on economic and trade cooperation between China and the Lusophone countries. She has actively organized international symposiums on Sino-Brazil Relations and BRICS Institutionalization, and has planned and managed the Business Investment Environments in Lusophone Countries series of lectures and projects. VOLUME 8, 2020