6 research outputs found

    An ensemble model to detect packet length covert channels

    Covert channel techniques have enriched the ways to carry out dangerous and unwatched attacks. They exploit mechanisms that were never intended to convey information; therefore, traditional security measures cannot detect them. One class of covert channel that is difficult to detect, mitigate, or eliminate is the packet length covert channel, which takes advantage of variations in packet length to convey covert information. Numerous research articles demonstrate the usefulness of machine learning (ML) classification approaches for discovering covert channels. This study therefore presents an efficient ensemble classification model to detect such attacks. The ensemble consists of five machine learning algorithms serving as base classifiers: naive Bayes (NB), decision tree (DT), support vector machine (SVM), k-nearest neighbor (KNN), and random forest (RF). A logistic regression (LR) classifier aggregates the outputs of the base classifiers to produce the ensemble output. The results show good performance of the proposed ensemble classifier: it beats every single classification algorithm, with a 99.3% accuracy rate and negligible classification errors.
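    To make the threat concrete, the following is an added example (not code from the paper above): a toy packet length covert channel that maps each bit to a packet length drawn from one of two size buckets, beside two simple distribution features that a detector could feed to classifiers such as those in the ensemble. The bucket boundaries, the "bulk transfer" benign flow, and the decision thresholds are constructed for illustration and are not taken from the paper.

```python
"""Toy packet length covert channel and two length-distribution features (constructed example)."""
import math
import random
from collections import Counter
from typing import List, Tuple

# Constructed channel parameters: bit 0 -> a length in LOW, bit 1 -> a length in HIGH (bytes).
LOW = (60, 120)
HIGH = (900, 1400)


def text_to_bits(text: str) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in text.encode() for i in range(8)]


def bits_to_text(bits: List[int]) -> str:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def encode_covert(message: str, seed: int = 7) -> List[int]:
    """Sender side: one packet per bit; random padding inside the bucket avoids a fixed length signature."""
    rng = random.Random(seed)
    lengths = []
    for bit in text_to_bits(message):
        lo, hi = HIGH if bit else LOW
        lengths.append(rng.randint(lo, hi))
    return lengths


def decode_covert(lengths: List[int]) -> str:
    """Receiver side: bucket membership recovers the bit stream."""
    return bits_to_text([1 if n >= HIGH[0] else 0 for n in lengths])


def bulk_transfer(n: int) -> List[int]:
    """Constructed benign flow: MTU-sized segments with a 52-byte ACK every fourth packet."""
    return [52 if i % 4 == 3 else 1500 for i in range(n)]


def length_features(lengths: List[int], bin_size: int = 64) -> Tuple[float, float]:
    """(Shannon entropy in bits of the length histogram binned to bin_size, fraction of distinct lengths)."""
    hist = Counter(n // bin_size for n in lengths)
    total = len(lengths)
    entropy = -sum(c / total * math.log2(c / total) for c in hist.values())
    return entropy, len(set(lengths)) / total


def looks_covert(lengths: List[int], entropy_threshold: float = 1.5,
                 distinct_threshold: float = 0.2) -> bool:
    """Illustrative hand-set thresholds; a real detector would learn them from labelled flows."""
    entropy, distinct = length_features(lengths)
    return entropy > entropy_threshold and distinct > distinct_threshold


if __name__ == "__main__":
    covert = encode_covert("exfil key=4a1f")
    print("decoded:", decode_covert(covert))
    print("covert features:", length_features(covert), "flag:", looks_covert(covert))
    print("benign features:", length_features(bulk_transfer(200)), "flag:", looks_covert(bulk_transfer(200)))
```

    The benign flow has almost no length diversity, while the covert flow spreads lengths across many bins and many distinct values. Real traffic (interactive sessions, video, DNS) is far noisier than this constructed bulk transfer, which is exactly why the paper resorts to learned classifiers rather than fixed thresholds.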

    Detection and mitigation of field flooding attacks on oil and gas critical infrastructure communication

    Industrial Cyber-Physical Systems (ICPS) are highly dependent on Supervisory Control and Data Acquisition (SCADA) for process monitoring and control. Such SCADA systems are known to communicate using insecure protocols such as Modbus, DNP3, and the Open Platform Communication (OPC) Data Access standards (which provide access to real-time automation data), all of which are vulnerable to a range of attacks. This increases the cyber risk faced by critical infrastructures, especially in the oil and gas sector. One of the most common and critical attacks deployed against such infrastructure is Denial of Service (DoS), whose consequences range from financial loss to loss of life: such attacks can disrupt an operator's ability to control hazardous operations, leading to potentially unsafe scenarios. A novel Field Flooding attack is described which takes advantage of the packet memory structure of the Modbus protocol to perform a DoS attack; it can overflow the memory bank allocated in the Programmable Logic Controller (PLC) for Modbus operations. The attack is deployed and evaluated on a real industrial testbed and its impact is mapped against the MITRE ATT&CK framework, in order to identify which tactics an adversary could use to compromise the system. A novel mechanism that uses supervised machine learning to detect this attack in industrial control system networks is also described. Experimental results show that the proposed mechanism, using the XGBoost algorithm, can identify this attack with 99% accuracy.

    Covert channels-based stealth attacks in industry 4.0

    The advent of Industry 4.0 exposes industrial control networks to several cyber-threat scenarios originally designed for classic information technology (IT), drawing attention to serious risks for modern plants. To cope with this problem, this paper addresses the security issues raised by covert channels applied to industrial networks, identifying the new vulnerability points that appear when IT converges with operational technologies such as edge computing infrastructures. Specifically, two signalling strategies are defined that use Modbus over the Transmission Control Protocol (Modbus/TCP) as the carrier of a covert channel. Once the covert channel is established, passive and active offensive methodologies are exploited over it, implemented and tested on a real industrial Internet of Things testbed. The experimental results highlight the potential damage of these threats and how easily the attacks extrapolate to other types of channel, showing the new risks for Industry 4.0. Finally, countermeasures are discussed, offering an overview of possible mitigation and defensive measures.
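    Both Modbus papers above hinge on how a receiver treats the Modbus/TCP frame, so the following added example (not code from either paper) shows a strict Modbus/TCP frame parser: it checks the MBAP header (transaction id, protocol id, length, unit id) for internal consistency, accepts only an allow-list of public function codes, bounds the quantity field of read requests, and adds a per-client sliding-window rate guard. The field limits (7-byte MBAP, 253-byte PDU, 125-register read limit, protocol id 0) are from the Modbus specification; the allow-list, the rate limit and the check against a "field flooding" request are generic hardening assumptions, not the specific attack or XGBoost detector the paper describes.

```python
"""Strict Modbus/TCP frame parsing with MBAP consistency checks (added example, not from the papers)."""
import struct
from collections import deque
from dataclasses import dataclass

MBAP_FORMAT = ">HHHB"                      # transaction id, protocol id, length, unit id (big-endian)
MBAP_SIZE = struct.calcsize(MBAP_FORMAT)   # 7 bytes
MAX_PDU = 253                              # Modbus PDU limit; MBAP length counts unit id + PDU
MAX_READ_REGISTERS = 125                   # quantity limit for FC 0x03 / 0x04
READ_FCS = {0x03, 0x04}
# Allow-list of public function codes this receiver will process (assumption for the example).
ALLOWED_FCS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10, 0x17}


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes = b"") -> bytes:
    """Assemble a well-formed Modbus/TCP ADU; length = unit id (1) + function code (1) + data."""
    length = 2 + len(data)
    return struct.pack(MBAP_FORMAT, transaction_id, 0, length, unit_id) + bytes([function_code]) + data


def parse_frame(raw: bytes) -> ModbusFrame:
    """Reject anything whose header fields disagree with the bytes on the wire before touching the PDU."""
    if len(raw) < MBAP_SIZE + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(MBAP_FORMAT, raw[:MBAP_SIZE])
    if pid != 0:
        # A field that must be constant is a natural covert-channel carrier: never ignore it.
        raise ValueError(f"protocol id {pid} is not 0 (Modbus)")
    if length > MAX_PDU + 1:
        raise ValueError(f"length {length} exceeds unit id plus {MAX_PDU}-byte PDU")
    on_wire = len(raw) - (MBAP_SIZE - 1)    # everything after the 6 bytes preceding unit id
    if length != on_wire:
        raise ValueError(f"length field {length} disagrees with {on_wire} bytes on the wire")
    fc = raw[MBAP_SIZE]
    if fc not in ALLOWED_FCS:
        raise ValueError(f"function code 0x{fc:02x} not in allow-list")
    return ModbusFrame(tid, uid, fc, raw[MBAP_SIZE + 1:])


def check_request(frame: ModbusFrame) -> None:
    """Function-code-specific bounds: refuse requests the PLC should never have to service."""
    if frame.function_code in READ_FCS:
        if len(frame.data) != 4:
            raise ValueError("read request needs exactly start address and quantity")
        _start, quantity = struct.unpack(">HH", frame.data)
        if not 1 <= quantity <= MAX_READ_REGISTERS:
            raise ValueError(f"quantity {quantity} outside 1..{MAX_READ_REGISTERS}")


class RateGuard:
    """Per-client request counter over a sliding time window: a coarse flood guard, not an attack signature."""

    def __init__(self, max_requests: int, window_s: float = 1.0):
        self.max_requests, self.window_s = max_requests, window_s
        self.times = deque()

    def allow(self, now: float) -> bool:
        while self.times and self.times[0] <= now - self.window_s:
            self.times.popleft()
        if len(self.times) >= self.max_requests:
            return False
        self.times.append(now)
        return True


if __name__ == "__main__":
    req = build_frame(1, 17, 0x03, struct.pack(">HH", 0, 10))   # read 10 holding registers from address 0
    frame = parse_frame(req)
    check_request(frame)
    print("accepted:", frame)
    guard = RateGuard(max_requests=5)
    print("sixth request within 1 s allowed:", [guard.allow(0.1 * i) for i in range(6)][-1])
```

    The rate guard is deliberately simple: it will throttle a legitimate HMI that polls too aggressively just as readily as an attacker, so in practice the limit is set per client from observed polling behaviour.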

    Detection and Mitigation of Steganographic Malware

    A new attack trend is the use of steganography and information hiding to make malware stealthier and able to elude many standard security mechanisms. This thesis therefore addresses the detection and mitigation of this class of threats. In particular, it considers malware that implements covert communications within network traffic or cloaks malicious payloads within digital images. The first research contribution of the thesis is the detection of network covert channels. Unfortunately, the literature on the topic lacks real traffic traces and attack samples with which to perform precise tests or security assessments, so a preparatory research activity was devoted to developing two ad hoc tools. The first creates covert channels targeting the IPv6 protocol by eavesdropping on flows; the second embeds secret data within arbitrary traffic traces that can be replayed to perform investigations under realistic conditions. The thesis then starts with a security assessment of the impact of hidden network communications in production-quality scenarios. Results were obtained for channels cloaking data in the most popular protocols (e.g., TLS, IPv4/v6, and ICMPv4/v6) and showed that de facto standard intrusion detection systems and firewalls (i.e., Snort, Suricata, and Zeek) are unable to spot this class of hazard. Since malware can conceal information (e.g., commands and configuration files) in almost every protocol, traffic feature or network element, configuring or adapting pre-existing security solutions may not be straightforward. Moreover, inspecting multiple protocols, fields or conversations at the same time could lead to performance issues.
    Thus, a major effort was devoted to developing a suite based on the extended Berkeley Packet Filter (eBPF) to gain visibility over different network protocols and components and to efficiently collect various performance indicators and statistics with a single technology. This part of the research allowed the detection of network covert channels targeting the IPv6 header or the inter-packet time of generic network conversations. In addition, the eBPF-based approach turned out to be very flexible and also revealed hidden data transfers between two processes co-located on the same host. Another important contribution of this part of the thesis concerns the deployment of the suite in realistic scenarios and its comparison with similar tools. Specifically, a thorough performance evaluation demonstrated that eBPF can be used to inspect traffic and reveal covert communications even under high loads, e.g., it can sustain rates up to 3 Gbit/s on commodity hardware. To further address the problem of revealing network covert channels in realistic environments, the thesis also investigates malware targeting traffic generated by Internet of Things devices. In this case, an incremental ensemble of autoencoders is used to cope with the "unknown" location of the hidden data generated by a threat covertly exchanging commands with a remote attacker. The second research contribution of the thesis is the detection of malicious payloads hidden within digital images. In fact, the majority of real-world malware uses hiding methods based on Least Significant Bit (LSB) steganography and some of its variants, such as the Invoke-PSImage mechanism. Therefore, a relevant amount of research was devoted to detecting the presence of hidden data and classifying the payload (e.g., malicious PowerShell scripts or PHP fragments).
    To this end, mechanisms leveraging Deep Neural Networks (DNNs) proved flexible and effective, since they learn from raw low-level data and can be updated or retrained to consider unseen payloads or images with different features. To take realistic threat models into account, the thesis studies malware targeting different types of images (i.e., favicons and icons) and various payloads (e.g., URLs and Ethereum addresses, as well as webshells). The results show that DNNs are a valid tool for spotting hidden content, since their detection accuracy stays above 90% even against "elusion" mechanisms such as basic obfuscation techniques or alternative encoding schemes. Lastly, when detection or classification are not possible (e.g., due to resource constraints), approaches enforcing "sanitization" can be applied; thus, the thesis also considers autoencoders able to disrupt hidden malicious content without degrading the quality of the image.
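    As an added example (not code from the thesis), the block below shows the LSB embedding the thesis refers to and the classic pairs-of-values chi-square statistic (Westfeld and Pfitzmann) as a lightweight, non-learned detector: sequential LSB replacement equalises the histogram counts of each value pair (2k, 2k+1), so the per-pair statistic collapses towards 1 once the image carries a random-looking payload. The cover image is a constructed byte array whose LSB plane is biased towards even values, standing in for the even/odd asymmetry of a real image; the payload is seeded pseudo-random bytes standing in for an encrypted or compressed payload; the decision threshold of 4 is an illustrative assumption.

```python
"""LSB replacement and a pairs-of-values chi-square check (constructed example)."""
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Sequential LSB replacement: payload bits overwrite the LSB of the first len(payload)*8 pixels."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for pixel in stego[8 * i:8 * i + 8]:
            byte = (byte << 1) | (pixel & 1)
        out.append(byte)
    return bytes(out)


def pov_statistic(pixels: bytes) -> float:
    """Pairs-of-values chi-square, averaged over the pairs present.

    For each pair (2k, 2k+1) the expected count under full LSB embedding is the pair mean, so the
    contribution (even - odd)^2 / (even + odd) is about 1 for a stego image and large for a
    cover whose values favour one parity.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    total, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd == 0:
            continue
        total += (even - odd) ** 2 / (even + odd)
        pairs += 1
    return total / pairs if pairs else float("inf")


def looks_embedded(pixels: bytes, threshold: float = 4.0) -> bool:
    """Illustrative threshold: a statistic near 1 means the pair counts have been equalised."""
    return pov_statistic(pixels) < threshold


def constructed_cover(n: int = 8192) -> bytes:
    """Toy 8-bit grayscale cover: cycles through even values, with every fifth pixel bumped to odd."""
    return bytes(2 * ((i * 7) % 128) + (1 if i % 5 == 0 else 0) for i in range(n))


def constructed_payload(n: int = 1024, seed: int = 3) -> bytes:
    """Pseudo-random bytes standing in for an encrypted payload (constructed, deterministic)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover, payload = constructed_cover(), constructed_payload()
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload
    print(f"cover  PoV statistic: {pov_statistic(cover):.2f} -> embedded? {looks_embedded(cover)}")
    print(f"stego  PoV statistic: {pov_statistic(stego):.2f} -> embedded? {looks_embedded(stego)}")
```

    Two caveats a practitioner would want: the whole-image statistic is only reliable when most pixels carry payload (the classic attack evaluates growing prefixes of the image to locate where sequential embedding stops), and it says nothing about what the payload is. That is where the thesis's DNN classifiers, which label the hidden content as a PowerShell script, PHP fragment or URL, go beyond statistical steganalysis.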

    Optimising Security, Power Consumption and Performance of Embedded Systems

    Increased interest in multicore systems has led to significant advances in computing power, but it has also introduced new security risks in the form of covert channel communication. Such covert channels enable the unauthorised leakage of sensitive information and pose a grave threat to system security. Traditional covert channel attacks exploit subtle variations such as temperature changes and timing differences to clandestinely transmit data through thermal and timing channels, respectively. These methods are particularly alarming because they demand minimal resources to implement, presenting a formidable challenge to system security. Understanding the different classes of covert channel attacks and their characteristics is therefore imperative for devising effective countermeasures. This thesis proposes two novel countermeasures to mitigate Thermal Covert Channel (TCC) attacks, which are among the most prevalent threats. The first, the Selective Noise-Based Countermeasure, disrupts covert communication by strategically adding selective noise (an extra thread) to the temperature signal so as to generate more heat and change its pattern; this intervention raises the Bit Error Rate (BER) to 94%, effectively impeding data transmission. Building on this, the second strategy, the Fan Speed Control Countermeasure, dynamically adjusts fan speed to reduce system temperature further, decreasing the frequency of the thermal signal and shutting down any meaningful transmission; it achieves a BER of 98%. Furthermore, the thesis introduces a new threat scenario termed Multi-Covert Channel Attacks, which demands advanced detection and mitigation techniques. To confront this emerging threat, a two-step approach is proposed that emphasises both detection and tailored countermeasures.
    This approach is realised with two distinct methods, with the primary goal of achieving optimal performance characterised by high BER and low power consumption. The first method, the double multi-covert channel, employs two distinct frequency ranges for the timing and thermal covert channels. Extensive experimentation demonstrates that this approach yields a high BER, posing a formidable challenge to various defence strategies; however, it may lead to overheating issues because of the increased operational load. The second method, the single multi-covert channel, employs a single frequency range for data transmission; it addresses the overheating concern associated with the double multi-covert channel, reducing power consumption and minimising the risk of system overheating. The experimental results presented in the thesis demonstrate the efficacy of the proposed strategies: by adopting two different approaches, detection capabilities are enhanced and risks such as overheating are mitigated. These findings contribute to the ongoing discourse on covert channel attacks and offer insights for developing robust defence mechanisms against evolving threats. By covering both traditional and emerging covert channel threats in multicore systems, the thesis contributes to the security of embedded multicore systems: the proposed countermeasures demonstrate tangible security improvements, while the exploration of multi-covert channel attacks sets the stage for detection and defence strategies.

    Detection and mitigation strategies for cyber-attacks in offshore oil and gas industrial networks

    Industrial Cyber-Physical Systems (ICPS) increasingly rely on insecure protocols, raising security concerns in oil and gas (OG) operations. Replacing these protocols is often too expensive, highlighting the need for efficient cyber-attack detection. This thesis addresses this critical challenge by proposing a novel unsupervised anomaly detection model for attack detection in OG environments. Existing Intrusion Detection Systems (IDS) for industrial networks, primarily Machine Learning (ML)-based, often suffer from high false positive rates and pay limited attention to OG environments, which potentially hinders real-world adoption. To address this gap, the Sliding Time-window Anomaly Detection (STADe) model is introduced, a novel approach that leverages the inherent periodicity of industrial network traffic for anomaly detection. STADe segments the inter-arrival times of network packets into time windows and analyses the periodicity within each window. This approach demonstrably reduces the False Discovery Rate (FDR) compared to existing methods. Experiments evaluate existing ML-based IDSs and the findings are used to develop STADe. A dedicated gas wellhead monitoring testbed was designed to emulate real-world scenarios and to collect data for attack simulations and analysis. Additionally, this research identifies a novel field flooding attack capable of disrupting critical OG processes. The research emphasises the significance of network traffic periodicity and demonstrates the effectiveness of anomaly detection models that leverage this characteristic.
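    The periodicity idea is easy to sketch, so here is an added example (not the STADe implementation, whose exact statistics the abstract does not give): packet inter-arrival gaps are cut into sliding windows, each window is summarised by its mean gap (the polling period) and coefficient of variation (how regular the spacing is), a baseline is learned from clean polling traffic, and windows whose period shifts or whose spacing becomes irregular are flagged. The same irregular-spacing test also catches the inter-packet-time covert channel mentioned in the steganographic malware thesis above. The constructed trace, the 1 s polling period, the 5 ms flood gap, the 0.8 s / 1.2 s timing channel and all thresholds are illustrative assumptions.

```python
"""Sliding time-window periodicity check on packet inter-arrival times (constructed example)."""
import random
import statistics
from typing import Iterator, List, Tuple


def inter_arrivals(timestamps: List[float]) -> List[float]:
    """Gaps in seconds between consecutive packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def sliding_windows(values: List[float], size: int, step: int) -> Iterator[Tuple[int, List[float]]]:
    for start in range(0, len(values) - size + 1, step):
        yield start, values[start:start + size]


def window_stats(window: List[float]) -> Tuple[float, float]:
    """Mean gap (the polling period) and coefficient of variation (0 for perfectly regular traffic)."""
    mean = statistics.fmean(window)
    cv = statistics.pstdev(window) / mean if mean > 0 else float("inf")
    return mean, cv


def learn_baseline(gaps: List[float], size: int, step: int) -> Tuple[float, float]:
    """Baseline from clean traffic: average period and the largest cv seen in any training window."""
    stats = [window_stats(w) for _, w in sliding_windows(gaps, size, step)]
    return statistics.fmean([m for m, _ in stats]), max(c for _, c in stats)


def detect(gaps: List[float], size: int, step: int, baseline: Tuple[float, float],
           mean_tol: float = 0.3, cv_factor: float = 4.0, cv_floor: float = 0.05):
    """Flag windows whose period drifts more than mean_tol or whose spacing is far less regular than baseline."""
    base_mean, base_cv = baseline
    alerts = []
    for start, window in sliding_windows(gaps, size, step):
        mean, cv = window_stats(window)
        reasons = []
        if abs(mean - base_mean) > mean_tol * base_mean:
            reasons.append(f"period shift: {mean:.3f}s vs baseline {base_mean:.3f}s")
        if cv > max(cv_factor * base_cv, cv_floor):
            reasons.append(f"irregular spacing: cv={cv:.3f}")
        if reasons:
            alerts.append((start, reasons))
    return alerts


def polling_gaps(n: int, period: float = 1.0, jitter: float = 0.02, rng=None) -> List[float]:
    """Constructed SCADA-style polling: a fixed period with small uniform jitter."""
    rng = rng or random.Random(1)
    return [period + rng.uniform(-jitter, jitter) for _ in range(n)]


def constructed_test_gaps() -> List[float]:
    """100 normal gaps, 100 flood gaps (5 ms), 60 gaps of a timing covert channel (0.8 s / 1.2 s per bit), 40 normal."""
    rng = random.Random(2)
    normal_a = polling_gaps(100, rng=rng)
    flood = [0.005] * 100
    timing_channel = [1.2 if rng.randint(0, 1) else 0.8 for _ in range(60)]
    normal_b = polling_gaps(40, rng=rng)
    return normal_a + flood + timing_channel + normal_b


def run_demo(size: int = 20, step: int = 10):
    baseline = learn_baseline(polling_gaps(200, rng=random.Random(1)), size, step)
    return baseline, detect(constructed_test_gaps(), size, step, baseline)


if __name__ == "__main__":
    baseline, alerts = run_demo()
    print(f"baseline period {baseline[0]:.3f}s, max training cv {baseline[1]:.4f}")
    for start, reasons in alerts:
        print(f"window @ gap {start:3d}: " + "; ".join(reasons))
```

    The flood shows up as a collapse of the mean gap, the timing channel keeps the mean near 1 s but roughly doubles the spread, and windows lying wholly inside clean polling traffic stay quiet. Windows straddling a boundary fire too, which is why the window size and step trade detection latency against the false discovery rate the thesis optimises for.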