Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning

Rima Asmar Awad; Michael Sprayberry; Irfan Ahmed; Michael Rogers; Juan Lopez

doi:10.1007/978-3-031-81888-2_7

Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning

Rima Asmar Awad, Michael Sprayberry, Irfan Ahmed, Michael Rogers, Juan Lopez

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The introduction of Industry 4.0 and Internet-based technologies has enhanced industrial control system operations but have inadvertently increased their vulnerabilities to cyber attacks. When an industrial control system is compromised, security analysts need to identify the root cause quickly to start the recovery process and develop mitigation strategies. Memory forensics is critical in the incident analysis process to ascertain what occurred. Approaches for analyzing the persistent memory in industrial control devices are limited and almost nonexistent for volatile memory. This chapter proposes an automated methodology for programmable logic controller memory dump analysis using computer vision and deep learning techniques. The methodology converts the sequences of bytes in a programmable logic controller memory dump to red-green-blue pixels and employs a deep learning model that learns the underlying patterns and features of pre-labeled forensic artifacts in images and segments them into distinct regions. The trained model is employed to automatically segment new memory images and identify forensic artifacts. Evaluation of the methodology on a Schneider Electric Modicon M221 programmable logic controller under code injection and code modification attacks demonstrates its ability to detect attack artifacts in memory dumps.

Original language	English
Title of host publication	Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings
Editors	Jason Staggs, Sujeet Shenoi
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	131-152
Number of pages	22
ISBN (Print)	9783031818875
DOIs	https://doi.org/10.1007/978-3-031-81888-2_7
State	Published - 2025
Event	18th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2024 - Arlington, United States Duration: Mar 18 2024 → Mar 19 2024

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	725 IFIPAICT
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	18th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2024
Country/Territory	United States
City	Arlington
Period	03/18/24 → 03/19/24

Funding

This research was supported by the U.S. Department of Energy under Contract no. DE-AC05-00OR22725.

Keywords

Deep Learning
Image Analysis
Industrial Control Systems
Memory Forensics

Access to Document

10.1007/978-3-031-81888-2_7

Cite this

Awad, R. A., Sprayberry, M., Ahmed, I., Rogers, M., & Lopez, J. (2025). Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning. In J. Staggs, & S. Shenoi (Eds.), Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings (pp. 131-152). (IFIP Advances in Information and Communication Technology; Vol. 725 IFIPAICT). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-81888-2_7

Awad, Rima Asmar ; Sprayberry, Michael ; Ahmed, Irfan et al. / Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning. Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings. editor / Jason Staggs ; Sujeet Shenoi. Springer Science and Business Media Deutschland GmbH, 2025. pp. 131-152 (IFIP Advances in Information and Communication Technology).

@inproceedings{d0a2c7663d084bb0a596ee4b714b21a6,

title = "Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning",

abstract = " The introduction of Industry 4.0 and Internet-based technologies has enhanced industrial control system operations but have inadvertently increased their vulnerabilities to cyber attacks. When an industrial control system is compromised, security analysts need to identify the root cause quickly to start the recovery process and develop mitigation strategies. Memory forensics is critical in the incident analysis process to ascertain what occurred. Approaches for analyzing the persistent memory in industrial control devices are limited and almost nonexistent for volatile memory. This chapter proposes an automated methodology for programmable logic controller memory dump analysis using computer vision and deep learning techniques. The methodology converts the sequences of bytes in a programmable logic controller memory dump to red-green-blue pixels and employs a deep learning model that learns the underlying patterns and features of pre-labeled forensic artifacts in images and segments them into distinct regions. The trained model is employed to automatically segment new memory images and identify forensic artifacts. Evaluation of the methodology on a Schneider Electric Modicon M221 programmable logic controller under code injection and code modification attacks demonstrates its ability to detect attack artifacts in memory dumps.",

keywords = "Deep Learning, Image Analysis, Industrial Control Systems, Memory Forensics",

author = "Awad, {Rima Asmar} and Michael Sprayberry and Irfan Ahmed and Michael Rogers and Juan Lopez",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2025.; 18th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2024 ; Conference date: 18-03-2024 Through 19-03-2024",

year = "2025",

doi = "10.1007/978-3-031-81888-2_7",

language = "English",

isbn = "9783031818875",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "131--152",

editor = "Jason Staggs and Sujeet Shenoi",

booktitle = "Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings",

}

Awad, RA , Sprayberry, M, Ahmed, I, Rogers, M & Lopez, J 2025, Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning. in J Staggs & S Shenoi (eds), Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings. IFIP Advances in Information and Communication Technology, vol. 725 IFIPAICT, Springer Science and Business Media Deutschland GmbH, pp. 131-152, 18th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2024, Arlington, United States, 03/18/24. https://doi.org/10.1007/978-3-031-81888-2_7

Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning. / Awad, Rima Asmar ; Sprayberry, Michael; Ahmed, Irfan et al.
Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings. ed. / Jason Staggs; Sujeet Shenoi. Springer Science and Business Media Deutschland GmbH, 2025. p. 131-152 (IFIP Advances in Information and Communication Technology; Vol. 725 IFIPAICT).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning

AU - Awad, Rima Asmar

AU - Sprayberry, Michael

AU - Ahmed, Irfan

AU - Rogers, Michael

AU - Lopez, Juan

N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2025.

PY - 2025

Y1 - 2025

N2 - The introduction of Industry 4.0 and Internet-based technologies has enhanced industrial control system operations but have inadvertently increased their vulnerabilities to cyber attacks. When an industrial control system is compromised, security analysts need to identify the root cause quickly to start the recovery process and develop mitigation strategies. Memory forensics is critical in the incident analysis process to ascertain what occurred. Approaches for analyzing the persistent memory in industrial control devices are limited and almost nonexistent for volatile memory. This chapter proposes an automated methodology for programmable logic controller memory dump analysis using computer vision and deep learning techniques. The methodology converts the sequences of bytes in a programmable logic controller memory dump to red-green-blue pixels and employs a deep learning model that learns the underlying patterns and features of pre-labeled forensic artifacts in images and segments them into distinct regions. The trained model is employed to automatically segment new memory images and identify forensic artifacts. Evaluation of the methodology on a Schneider Electric Modicon M221 programmable logic controller under code injection and code modification attacks demonstrates its ability to detect attack artifacts in memory dumps.

AB - The introduction of Industry 4.0 and Internet-based technologies has enhanced industrial control system operations but have inadvertently increased their vulnerabilities to cyber attacks. When an industrial control system is compromised, security analysts need to identify the root cause quickly to start the recovery process and develop mitigation strategies. Memory forensics is critical in the incident analysis process to ascertain what occurred. Approaches for analyzing the persistent memory in industrial control devices are limited and almost nonexistent for volatile memory. This chapter proposes an automated methodology for programmable logic controller memory dump analysis using computer vision and deep learning techniques. The methodology converts the sequences of bytes in a programmable logic controller memory dump to red-green-blue pixels and employs a deep learning model that learns the underlying patterns and features of pre-labeled forensic artifacts in images and segments them into distinct regions. The trained model is employed to automatically segment new memory images and identify forensic artifacts. Evaluation of the methodology on a Schneider Electric Modicon M221 programmable logic controller under code injection and code modification attacks demonstrates its ability to detect attack artifacts in memory dumps.

KW - Deep Learning

KW - Image Analysis

KW - Industrial Control Systems

KW - Memory Forensics

UR - http://www.scopus.com/inward/record.url?scp=105000230775&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-81888-2_7

DO - 10.1007/978-3-031-81888-2_7

M3 - Conference contribution

AN - SCOPUS:105000230775

SN - 9783031818875

T3 - IFIP Advances in Information and Communication Technology

SP - 131

EP - 152

BT - Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings

A2 - Staggs, Jason

A2 - Shenoi, Sujeet

PB - Springer Science and Business Media Deutschland GmbH

T2 - 18th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2024

Y2 - 18 March 2024 through 19 March 2024

ER -

Awad RA , Sprayberry M, Ahmed I, Rogers M, Lopez J. Automated Programmable Logic Controller Memory Forensics Using RGB Image Analysis and Deep Learning. In Staggs J, Shenoi S, editors, Critical Infrastructure Protection XVIII - 18th IFIP WG 11.10 International Conference, ICCIP 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 131-152. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-031-81888-2_7