
    Distributed Network Anomaly Detection on an Event Processing Framework

    Network Intrusion Detection Systems (NIDS) are an integral part of modern data centres, ensuring high availability and compliance with Service Level Agreements (SLAs). Currently, NIDS are deployed on high-performance, high-cost middleboxes, each responsible for monitoring a limited section of the network. The rapidly growing size and aggregate throughput of modern data centre networks challenge this approach, because anomaly detection has to keep pace with a fast-growing compute demand. In this paper, we propose a novel approach to distributed intrusion detection based on the architecture of recently proposed event processing frameworks. We have designed and implemented a prototype system using Apache Storm to show the benefits of the proposed approach as well as the architectural differences from traditional systems. Our system distributes detection modules across the available devices within the network fabric and uses a centralised controller for orchestration, management and correlation. Following the Software Defined Networking (SDN) paradigm, the controller maintains a complete view of the network but distributes the processing logic for quick event processing, while performing complex event correlation centrally. We have evaluated the proposed system using publicly available data centre traces and demonstrated that it scales with the network topology while providing high performance and minimal impact on packet latency.

    A log mining approach for process monitoring in SCADA

    SCADA (Supervisory Control and Data Acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats occur when an attacker obtains user access rights and performs actions that look legitimate but are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach to log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.

    Applications of Machine Learning to Threat Intelligence, Intrusion Detection and Malware

    Artificial Intelligence (AI) and Machine Learning (ML) are emerging technologies with applications in many fields. This paper is a survey of use cases of ML for threat intelligence, intrusion detection, and malware analysis and detection. Threat intelligence, especially attack attribution, can benefit from ML classification. False positives from rule-based intrusion detection systems can be reduced with ML models. Malware analysis and classification can be made easier by developing ML frameworks that distill similarities between malicious programs. Adversarial machine learning is also discussed, because while ML can be used to solve problems or reduce analyst workload, it also introduces new attack surfaces.

    Predictive Abuse Detection for a PLC Smart Lighting Network Based on Automatically Created Models of Exponential Smoothing

    One of the basic elements of a Smart City is the urban infrastructure management system, in particular intelligent street lighting control. Reliable operation of such systems, however, requires special care for the security of their critical communication infrastructure. This article presents solutions for detecting different kinds of abuse in the network traffic of a Smart Lighting infrastructure realised with Power Line Communication (PLC) technology. Both the structure of the examined Smart Lighting network and its elements are described. The article discusses the key security problems that directly affect the correct operation of the Smart Lighting critical infrastructure. To detect an anomaly or attack, we propose using a statistical model to obtain forecasting intervals. We then compute the difference between the forecast of the estimated traffic model and the real traffic variability in order to detect abnormal behaviour, which may be symptomatic of an abuse attempt. Because real network traffic can show significant fluctuations, we also propose a procedure for updating the statistical models based on an interquartile-range criterion. The results obtained during the experiments confirmed the effectiveness of the presented misuse detection method.
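    The mechanism described above, as an added example that is not the paper's code: a simple exponential smoothing model forecasts the next traffic count, a residual-based interval around the forecast is the acceptance band, and a model update is triggered only when a whole window of recent samples lies outside the interquartile fence learned from training traffic. The smoothing weight, interval width, window size and the choice to refit on the trimmed window are my assumptions, not the authors' settings, and the traffic counts are constructed rather than captured from a PLC network.

```python
"""Forecast-interval anomaly detection with exponential smoothing and an
interquartile-range criterion for refreshing the model.

Added example reconstructing the abstract's idea; parameter choices are mine.
The traffic counts are constructed, not real PLC smart-lighting traffic."""
import math
import statistics
from collections import deque


class SmoothingDetector:
    """Simple exponential smoothing with a residual-based forecast interval.

    alpha: smoothing weight; k: interval half-width in residual standard
    deviations; window: number of recent samples inspected by the update
    criterion; shift_ratio: share of that window that must fall outside the
    training IQR fence before the model is refitted (all assumed values).
    """

    def __init__(self, alpha=0.3, k=4.0, window=10, shift_ratio=1.0, sd_floor=1.5):
        self.alpha = alpha
        self.k = k
        self.window = deque(maxlen=window)
        self.shift_ratio = shift_ratio
        self.sd_floor = sd_floor
        self.level = None
        self.residuals = []
        self.fence = (None, None)
        self.updates = 0

    def fit(self, series):
        """Learn the smoothed level, residual spread and Tukey fence from a series."""
        self.level = series[0]
        self.residuals = []
        for x in series:
            self.residuals.append(x - self.level)          # one-step-ahead error
            self.level = self.alpha * x + (1 - self.alpha) * self.level
        q1, _, q3 = statistics.quantiles(series, n=4)
        iqr = q3 - q1
        self.fence = (q1 - 1.5 * iqr, q3 + 1.5 * iqr)
        return self

    def interval(self):
        """Forecast interval for the next sample: level +/- k * residual sd."""
        sd = max(statistics.pstdev(self.residuals[-50:]), self.sd_floor)
        return self.level - self.k * sd, self.level + self.k * sd

    @staticmethod
    def trim_outliers(values):
        """Drop values outside the set's own fence, e.g. a spike inside a shifted window."""
        q1, _, q3 = statistics.quantiles(values, n=4)
        iqr = q3 - q1
        return [v for v in values if q1 - 1.5 * iqr <= v <= q3 + 1.5 * iqr]

    def _regime_shift(self):
        """True when (almost) the whole recent window lies outside the training fence."""
        if len(self.window) < self.window.maxlen:
            return False
        lo, hi = self.fence
        outside = sum(1 for x in self.window if not lo <= x <= hi)
        return outside >= math.ceil(self.shift_ratio * self.window.maxlen)

    def step(self, x):
        """Classify one sample; returns True when it falls outside the forecast interval."""
        lo, hi = self.interval()
        anomalous = not lo <= x <= hi
        if not anomalous:
            # Only accepted traffic trains the model, so a burst of abuse
            # cannot drag the forecast towards itself.
            self.residuals.append(x - self.level)
            self.level = self.alpha * x + (1 - self.alpha) * self.level
        self.window.append(x)
        if self._regime_shift():
            # Sustained change in the real traffic: refit on the recent window
            # instead of raising an alarm for every sample from now on.
            self.fit(self.trim_outliers(list(self.window)))
            self.updates += 1
        return anomalous


def traffic(base, n):
    """Constructed per-interval frame counts: base plus a small repeating jitter."""
    return [base + (i * 7) % 5 - 2 for i in range(n)]


def run_demo():
    """Train on quiet traffic, then stream quiet traffic, one burst, and a new load level."""
    det = SmoothingDetector().fit(traffic(100, 40))
    stream = traffic(100, 20) + [140] + traffic(130, 30)
    flagged = [i for i, x in enumerate(stream) if det.step(x)]
    return flagged, det.updates


if __name__ == "__main__":
    flagged, updates = run_demo()
    print("anomalous sample indices:", flagged)
    print("model updates:", updates)
```

    The single burst at index 20 is flagged and never enters the model. The sustained shift that follows is also flagged at first, which is the cost of not learning from rejected samples; once ten consecutive samples sit outside the interquartile fence the model is refitted on that window (minus its own outliers) and the alarms stop. A shorter window reacts faster to genuine load changes but lets a patient attacker re-baseline the detector with a slow ramp, so the window length is a security parameter, not just a tuning knob.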

    Behavioral modeling for anomaly detection in industrial control systems

    In the 1990s, industry demanded the interconnection of corporate and production networks. Thus, Industrial Control Systems (ICSs) evolved from the proprietary, closed hardware and software of the 1970s to today's Commercial Off-The-Shelf (COTS) devices. Although this transformation carries several advantages, such as simplicity and cost-efficiency, the use of COTS hardware and software brings with it multiple Information Technology vulnerabilities. Specially crafted worms like Stuxnet, Duqu, Night Dragon or Flame showed their potential to damage ICSs and to extract information from them. Anomaly Detection Systems (ADSs) are considered suitable security mechanisms for ICSs because of the repetitiveness and static architecture of industrial processes. ADSs base their operation on behavioural models whose creation requires attack-free training data or an extensive description of the process. This thesis proposes a new approach to analyse the payloads of binary industrial protocols and automatically generate behavioural models synthesised as rules. In the same way, we develop a method to generate realistic network traffic in laboratory conditions without the need for a real ICS installation. This contribution establishes the basis of a future ADS and can also support experimentation through the recreation of realistic traffic in simulated environments. Furthermore, a new approach to correcting delay and jitter issues is proposed; it improves the quality of time-based ADSs by reducing the false positive rate. We experimentally validate the proposed approaches with several statistical methods and ADS quality measures, and by comparing the results with traffic taken from a real installation. We show that a payload-based ADS is possible without needing to understand the payload data, that the generation of realistic network traffic in laboratory conditions is feasible, and that delay and jitter correction improves the quality of behavioural models. 
    In conclusion, the presented approaches provide both an ADS able to work with private industrial protocols and a method to create behavioural models for open ICS protocols that does not require training data.
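    One way to learn behavioural rules from opaque binary payloads, as an added example that is not the thesis's code: for every message length seen in attack-free training traffic, each byte offset gets either an enumeration rule (the few values observed there) or a range rule (when the offset takes many values, such as an address or a counter), and a message is anomalous when any offset violates its rule. The per-offset byte model, the enumeration/range cut-off and the six-byte request format are my assumptions; the messages are constructed for a hypothetical protocol and carry no real protocol's semantics, which is the point: nothing below needs to know what the bytes mean.

```python
"""Payload-based behavioural rules learned from opaque binary messages.

Added example (not the thesis's implementation): a per-offset byte model that
derives rules from attack-free training payloads without decoding the protocol.
The six-byte request format below is hypothetical and constructed."""
from collections import defaultdict

ENUM_MAX = 4   # up to this many distinct values -> enumerated rule, otherwise a range rule


def learn_rules(payloads):
    """Build per-length, per-offset rules from attack-free training payloads."""
    by_len = defaultdict(list)
    for p in payloads:
        by_len[len(p)].append(p)
    rules = {}
    for length, group in by_len.items():
        offsets = []
        for i in range(length):
            seen = sorted({p[i] for p in group})
            if len(seen) <= ENUM_MAX:
                offsets.append(("enum", frozenset(seen)))       # e.g. function code, unit id
            else:
                offsets.append(("range", seen[0], seen[-1]))    # e.g. address, counter
        rules[length] = offsets
    return rules


def check(payload, rules):
    """Return the list of rule violations; an empty list means the payload conforms."""
    if len(payload) not in rules:
        return [f"unseen length {len(payload)}"]
    violations = []
    for i, (kind, *args) in enumerate(rules[len(payload)]):
        b = payload[i]
        if kind == "enum" and b not in args[0]:
            violations.append(f"offset {i}: 0x{b:02x} not in {sorted(args[0])}")
        elif kind == "range" and not args[0] <= b <= args[1]:
            violations.append(f"offset {i}: 0x{b:02x} outside {args[0]}..{args[1]}")
    return violations


def describe(rules):
    """Synthesise the learned model as human-readable rules, one line per offset."""
    lines = []
    for length, offsets in sorted(rules.items()):
        for i, (kind, *args) in enumerate(offsets):
            if kind == "enum":
                values = ", ".join("0x%02x" % v for v in sorted(args[0]))
                detail = "in {" + values + "}"
            else:
                detail = "in 0x%02x..0x%02x" % (args[0], args[1])
            lines.append(f"len={length} offset={i}: byte {detail}")
    return lines


def sample_traffic():
    """Constructed benign requests: magic, unit id, function, 2-byte register, 1-byte count.

    The training set must be attack-free, as the abstract notes: anything an
    attacker manages to inject here becomes 'normal'."""
    msgs = []
    for unit in (1, 2):
        for fn in (0x03, 0x06):
            for reg in range(0x0100, 0x0120, 4):
                for count in (1, 2):
                    msgs.append(bytes([0xA5, unit, fn, reg >> 8, reg & 0xFF, count]))
    return msgs


if __name__ == "__main__":
    model = learn_rules(sample_traffic())
    print("\n".join(describe(model)))
    for name, msg in [("benign", bytes([0xA5, 1, 0x03, 0x01, 0x06, 1])),
                      ("unseen function", bytes([0xA5, 1, 0x08, 0x01, 0x08, 1])),
                      ("register out of range", bytes([0xA5, 1, 0x03, 0x01, 0x7F, 1])),
                      ("truncated", bytes([0xA5, 1, 0x03]))]:
        print(name, "->", check(msg, model) or "ok")
```

    The range rule is a deliberate generalisation: register 0x0106 was never observed but falls inside the learned 0x0100..0x011C span and passes, which keeps the false positive rate down on address-like fields at the price of missing an unusual-but-in-range value. The enumeration rule at the function-code offset is what catches a diagnostic or write command the process never issues, without anyone having to know that the third byte is a function code.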

    An Architecture for Securing Communications in Critical Infrastructure

    7th International Conference on Data Communication Networking (DCNET 2016), 26/07/2016-28/07/2016, Lisboa, Portugal
    The disruption of communications in critical infrastructures could have a serious impact on the health, safety, security or economic well-being of citizens, or even prevent the effective functioning of governments or other agencies. For this reason, in this paper we present a distributed architecture, named CYBERSENS, aimed at preventing, detecting early and mitigating cyber attacks on critical infrastructure networks. CYBERSENS is an advanced IDS/IPS specially tailored for securing communications in critical infrastructures. Its federated architecture, the combination of misuse detection techniques and novel anomaly detection approaches, and the inclusion of mechanisms for self-obfuscation and self-protection make our proposal specially suitable for these scenarios.
    European Commission

    Stealthy Deception Attacks Against SCADA Systems

    SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on metadata (message sizes, timing, command sequence) or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above-mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totally stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

    ATLANTIDES: Automatic Configuration for Alert Verification in Network Intrusion Detection Systems

    We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion detection systems. Our technique is based on a systematic and automatic anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analysing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services with a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives, between 50% and 100%.
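    The correlation step described above, as an added example that is not the ATLANTIDES code: a model of a service's normal output is learned from benign HTTP responses, and an alert raised on an incoming request is kept only when the server's reply on that same connection looks anomalous. The output model here, a byte-bigram novelty ratio plus a set of known status lines, is my own simplification of the paper's output analysis; the 0.2 threshold, the alert records and all responses are constructed, and the conn-id join between alert and reply stands in for whatever flow tracking a real deployment would use.

```python
"""Alert verification by correlating NIDS alerts with anomalies in server output.

Added example, not the ATLANTIDES implementation: the output model (bigram
novelty + known status lines) and threshold are my simplifications, and the
alerts and HTTP responses are constructed."""


class OutputModel:
    """Learns what a service's responses normally look like, byte-wise."""

    def __init__(self, threshold=0.2):
        self.threshold = threshold          # assumed; tune from held-out benign traffic
        self.bigrams = set()
        self.status_lines = set()

    @staticmethod
    def _status(response):
        return response.split(b"\r\n", 1)[0]

    def train(self, responses):
        """Record every byte pair and status line seen in benign responses."""
        for r in responses:
            self.bigrams.update(r[i:i + 2] for i in range(len(r) - 1))
            self.status_lines.add(self._status(r))
        return self

    def novelty(self, response):
        """Fraction of the response's byte pairs never seen during training."""
        grams = [response[i:i + 2] for i in range(len(response) - 1)]
        return sum(g not in self.bigrams for g in grams) / max(len(grams), 1)

    def is_anomalous(self, response):
        return (self._status(response) not in self.status_lines
                or self.novelty(response) > self.threshold)


def verify_alerts(alerts, responses, model):
    """Split NIDS alerts into kept and dropped using the server's reply.

    An alert whose reply could not be captured is kept: lacking evidence of a
    normal response is not evidence of a false positive."""
    kept, dropped = [], []
    for alert in alerts:
        reply = responses.get(alert["conn"])
        if reply is None or model.is_anomalous(reply):
            kept.append(alert)
        else:
            dropped.append(alert)
    return kept, dropped


def page(title, text):
    """Constructed HTTP response from a small templated web application."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><head><title>" + title + b"</title></head><body><h1>" + title
            + b"</h1><p>" + text + b"</p></body></html>")


TRAINING = [                                 # benign output used to build the model
    page(b"Shop", b"Welcome to the shop."),
    page(b"Items", b"Items in the shop: lamp, table, chair."),
    page(b"Search", b"Search the shop for items."),
    page(b"Contact", b"Contact the shop by mail."),
    page(b"Help", b"Help for the shop and items."),
]

RESPONSES = {                                # replies on the flagged connections
    # conn 1: the application merely echoes a query containing SQL keywords
    1: page(b"Search", b"No items for: lamp union select."),
    # conn 2: the reply carries what looks like leaked command output
    2: page(b"Search", b"root:x:0:0:root:/root:/bin/bash "
                       b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin"),
    # conn 3: no reply captured (reset, or the sensor missed it)
}

ALERTS = [                                   # constructed NIDS alerts on incoming requests
    {"conn": 1, "sig": "SQL keywords in query string"},
    {"conn": 2, "sig": "shell metacharacters in parameter"},
    {"conn": 3, "sig": "shell metacharacters in parameter"},
]


def run_demo():
    model = OutputModel().train(TRAINING)
    return verify_alerts(ALERTS, RESPONSES, model)


if __name__ == "__main__":
    kept, dropped = run_demo()
    print("kept:", [a["conn"] for a in kept])
    print("dropped as likely false positives:", [a["conn"] for a in dropped])
```

    The reply on connection 1 shares almost all of its byte pairs with the benign pages and is treated as the application behaving normally, so the signature hit on the request is discarded; the reply on connection 2 is mostly byte pairs the service never produced and the alert survives. The model verifies alerts only where the attack changes what the server sends back: a blind injection whose reply is an ordinary page would be dropped, so this is a false positive filter for the NIDS, not a detector in its own right.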