Topological Data Analysis for Enhancing Embedded Analytics for Enterprise Cyber Log Analysis and Forensics

Forensic analysis of logs is one responsibility of an enterprise cyber defense team; inherently, this is a big data task with thousands of events possibly logged in minutes of activity. Logged events range from authorized users typing incorrect passwords to malignant threats. Log analysis is necessary to understand current threats, be proactive against emerging threats, and develop new firewall rules. This paper describes embedded analytics for log analysis, which incorporates five mechanisms: numerical, similarity, graph-based, graphical analysis, and interactive feedback. Topological Data Analysis (TDA) is introduced for log analysis with TDA providing novel graph-based similarity understanding of threats which additionally enables a feedback mechanism to further analyze log files. Using real-world firewall log data from an enterprise-level organization, our end-to-end evaluation shows the effective detection and interpretation of log anomalies via the proposed process, many of which would have otherwise been missed by traditional means

On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems

Industrial control system communication networks are vulnerable to reconnaissance, response injection, command injection, and denial of service attacks. Such attacks can lead to an inability to monitor and control industrial control systems and can ultimately lead to system failure. This can result in financial loss for control system operators and economic and safety issues for the citizens who use these services. This paper describes a set of 28 cyber attacks against industrial control systems which use the MODBUS application layer network protocol. The paper also describes a set of standalone and state based intrusion detection system rules which can be used to detect cyber attacks and to store evidence of attacks for post incident analysis. All attacks described in this paper were validated in a laboratory environment. The detection rate of the intrusion detection system rules presented by attack class is also presented

Intrusion Detection System of industrial control networks using network telemetry

Industrial Control Systems (ICSs) are designed, implemented, and deployed in most major spheres of production, business, and entertainment. ICSs are commonly split into two subsystems - Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems - to achieve high safety, allow engineers to observe states of an ICS, and perform various configuration updates. Before wide adoption of the Internet, ICSs used air-gap security measures, where the ICS network was isolated from other networks, including the Internet, by a physical disconnect [1]. This level of security allowed ICS protocol designers to concentrate on the availability and safety of operation of physical systems while decreasing the need for many cyber security implementations. As the price of networking devices fell, and the Internet received global adoption, many businesses became interested in the benefits of attaching ICSs to wide and global area networks. However, since ICS network protocols were originally designed for an air-gapped environment, it did not include any of the security measures needed for a proper operation of a critical protocol that exposes its packets to the Internet. This dissertation designs, implements, and evaluates a telemetry based Intrusion Detection System (IDS). The designed IDS utilizes aggregation and analysis of the traffic telemetry features to classify the incoming packets as malicious or benign. An IDS that uses network telemetry was created, and it achieved a high classification accuracy, protecting nodes from malicious traffic. Such an IDS is not vulnerable to address or encryption spoofings, as it does not utilize the content of the packets to differentiate between malicious and benign traffic. The IDS uses features of timing and network sessions to determine whether the machine that sent a particular packet and its software is, in fact, a combination that is benign, as well as whether or not it resides on a network that is benign. The results of the experiments conducted for this dissertation establish that such system is possible to create and use in an environment of ICS networks. Several features are recognized and selected as means for fingerprinting the hardware and software characteristics of the SCADA system that can be used in pair with machine learning algorithms to allow for a high accuracy detection of intrusions into the ICS network. The results showed a classification accuracy of at least 95% is possible, and as the differences between machines increase, the accuracy increases too

Multimodal Intrusion Detection System for Cyber Physical Systems

Cyber-Physical Systems (CPS) are deployed to control critical infrastructure in many fields, including industry and manufacturing. In recent years, CPS have been affected by cyberattacks due to the increased connectivity of these systems to the Internet. This work aims to develop a deep learning-based Intrusion Detection System (IDS) for detecting cyberattacks on CPS using multimodal learning techniques. This thesis reports the design, implementation, and evaluation of two IDS solutions based on different deep learning networks: Convolution Neural Network (CNN) and Recurrent Neural Network (RNN). For the first IDS, Gramian Angular Field (GAF) is used to convert CPS time-series data to images that are fed to a 3D CNN to train the attack detection classifier. The second IDS uses RNN with a multimodal attention approach for training the attack detector. Both solutions utilize CPS process data and network data to improve the attack detection accuracy. The performance of the proposed approaches is evaluated on SWaT datasets collected from a testbed that represents real world CPS. Experimental results demonstrate that both IDSs achieved improved performance and higher detection capability compared to related work

Integrity Verification for SCADA Devices Using Bloom Filters and Deep Packet Inspection

In the past, SCADA networks were made secure through undocumented, proprietary protocols and isolation from other networks. Today, modern information technology (IT) solutions have provided a means to enhance remote access through use of the Internet. Unfortunately, opening SCADA networks to the Internet has provided routes of attack. Cyber attacks on these networks are becoming more common and can inflict considerable damage to critical infrastructure systems. Furthermore, devices on these networks can be infected with malware that causes them to falsify their responses to operators, concealing alternate operation or hiding alarm conditions. Considering their applications, securing these networks translates to improved physical security in the real world. Since modern IT solutions are impractical to deploy in the resource constrained SCADA networks, other solutions must be researched. This research evaluates an integrity verification system implemented on a Xilinx ML507 development board called the SIEVE system. The design incorporates Bloom filters and SCADA-specific intrusion detection techniques to speed identification of invalid commands and current sensing to investigate whether or not a device correctly carried out a given command. Results show that the SIEVE system is able to inspect and correctly identify 100% of network traffic at a 200 command per second frequency. Correct identification of valid MODBUS/TCP traffic begins to fail at 350 commands per second, introducing false positives. Tests of the Bloom filters show that they reduce the time necessary to process and log invalid MODBUS/TCP commands by 4.5% to 2328.06% depending on the number of operations performed by the command

Ethercat tabanlı bir scada sisteminde kural ve makine öğrenmesine dayalı saldırı ve anomali tespiti

06.03.2018 tarihli ve 30352 sayılı Resmi Gazetede yayımlanan “Yükseköğretim Kanunu İle Bazı Kanun Ve Kanun Hükmünde Kararnamelerde Değişiklik Yapılması Hakkında Kanun” ile 18.06.2018 tarihli “Lisansüstü Tezlerin Elektronik Ortamda Toplanması, Düzenlenmesi ve Erişime Açılmasına İlişkin Yönerge” gereğince tam metin erişime açılmıştır.Endüstriyel kontrol sistemleri (EKS) bulundukları konum ve bileşenleri bakımından kritik altyapıya sahip sistemler olup, bilişim teknolojilerinden (BT) bağımsız olarak uygulama alanına göre kendilerine ait kabul ve işleyişleri bulunmaktadır. Bu sistemler, günümüzde otomasyon hiyerarşisinde yer alan seviyeler arası yatay ve dikey entegrasyonun tek bir protokolle sağlanması fikrinden yola çıkılarak Ethernet ile de adapte edilmiş durumdadır. Dolayısıyla EKS'ler hem doğalarından hem de Ethernet üzerinden bilişim teknolojilerinin sunduğu hizmetlerin içerisine dahil edildiklerinden dolayı siber saldırılara karşı tehdit altındadır. Bu durum, çoğunlukla iletişim altyapısı üzerinden gelen saldırıların tespiti için özelinde EKS çözümlerini gerektirir. Bu çalışmada, otomasyon uygulamalarında yaygın bir kullanıma sahip olan, Ethernet tabanlı gerçek zamanlı EtherCAT protokolü için Snort saldırı tespit sistemi üzerinde bilinen ve bilinmeyen saldırıları tespit eden bütüncül bir yapı ve makine öğrenmesi teknikleriyle anomali tespiti olmak üzere ikisi kural biri anomali tespitine dayanan 3 farklı yaklaşım sunulmaktadır. Sistem, geliştirilen önişlemci yardımıyla, bilinen saldırılar için güvenli düğüm yaklaşımı, bilinmeyen saldırılar için ise saha veri yolu tekrar periyodunu tespit ederek istatistiksel tekniklerle ve özgün çözümlerle kural tabanlı olarak saldırı tespitini kapsamaktadır. Tespitler bir günlükleme ve izleme yapısı olan ELK yığını üzerinde kullanıcıya sunulmaktadır. Ayrıca, yine bilinmeyen saldırılar için oluşturulan su seviye kontrol otomasyonu test ortamı üzerinde olaylar gerçeklenerek bir veri seti hazırlanması ve çeşitli öğrenme tekniklerinin veri seti üzerinde anomali tespitini kapsamaktadır. Bilinmeyen saldırıların tespiti kapsamında uygulanan periyot tespitinin %95-%99 doğrulukla yapılabildiği görülmüştür. Önerilen sistem üzerinde ise MAC aldatma, veri enjeksiyonu, DoS, köle saldırıları gibi ataklar gerçeklenmiş, alarm ve günlüklemeler incelendiğinde saldırıların başarıyla tespit edildiği görülmüştür. Ayrıca, k-NN ve SVM GA tekniklerinin olay tespitinde başarılı sonuç verdikleri belirlenmiştir.Industrial control systems (ICS) are critical infrastructures in terms of their location and components. These systems have their own features and operation related to the application field independent from the information technologies (IT). They are also adapted with the Ethernet technologies based on the idea of providing horizontal and vertical integration between the levels in the automation hierarchy with a single protocol. Therefore, ICSs are threatened by cyber attacks, due to both their nature and support of IT services through Ethernet. This risk requires ICS specific solutions to detect and prevent attacks which use communication infrastructure. In this study, two rule based which detect known and unknown attacks on the Snort system and one anomaly based which uses machine learning techniques, in total of three different approaches were presented as a holistic structure for Ethernet based real-time EtherCAT protocol, which is widely used in automation applications. In the case of rule based intrusion detection, the EtherCAT preprocessor was proposed, which applies the trust node approach for known attacks, and identifies the field bus repetition period for unknown attacks, with statistical techniques and novel solutions. The findings were presented to the user on the ELK stack, which is a logging and monitoring structure. For anomaly based intrusion detection, the water level control automation testbed was developed, a dataset was prepared by generating events and various machine learning techniques were applied on the dataset. According to the findings obtained in this research, it was concluded that the period determination which was applied within the scope of unknown attack detection can be made with 95% - 99% accuracy. When the logs and alerts of the realized MAC spoofing, data injection, DoS, slave attacks were investigated, it was seen that the attacks were able to be detected successfully. For anomaly detection part of the study, k-NN and SVM GA techniques were found to be successful in detecting events

ICSrank: A Security Assessment Framework for Industrial Control Systems (ICS)

This thesis joins a lively dialogue in the technological arena on the issue of cybersecurity and specifically, the issue of infrastructure cybersecurity as related to Industrial Control Systems. Infrastructure cybersecurity is concerned with issues on the security of the critical infrastructure that have significant value to the physical infrastructure of a country, and infrastructure that is heavily reliant on IT and the security of such technology. It is an undeniable fact that key infrastructure such as the electricity grid, gas, air and rail transport control, and even water and sewerage services rely heavily on technology. Threats to such infrastructure have never been as serious as they are today. The most sensitive of them is the reliance on infrastructure that requires cybersecurity in the energy sector. The call to smart technology and automation is happening nowadays. The Internet is witnessing an increase number of connected industrial control system (ICS). Many of which don’t follow security guidelines. Privacy and sensitive data are also an issue. Sensitive leaked information is being manipulated by adversaries to accomplish certain agendas. Open Source intelligence (OSINT) is adopted by defenders to improve protection and safeguard data. This research presented in thesis, proposes “ICSrank” a novel security risk assessment for ICS devices based on OSINT. ICSrank ranks the risk level of online and offline ICS devices. This framework categorizes, assesses and ranks OSINT data using ICSrank framework. ICSrank provides an additional layer of defence and mitigation in ICS security, by identification of risky OSINT and devices. Security best practices always begin with identification of risk as a first step prior to security implementation. Risk is evaluated using mathematical algorithms to assess the OSINT data. The subsequent results achieved during the assessment and ranking process were informative and realistic. ICSrank framework proved that security and risk levels were more accurate and informative than traditional existing methods

Intelligent Buildings in Smart Grids: A Survey on Security and Privacy Issues Related to Energy Management

During the last decade, the smart grid (SG) concept has started to become a reality, mainly thanks to the technical progress achieved in telecommunications, informatics and power electronics, among other domains, leading to an evolution of the traditional electrical grid into an intelligent one. Nowadays, the SG can be seen as a system of smart systems that include cyber and physical parts from different technologies that interact with each other. In this context, intelligent buildings (IBs) constitute a paradigm in which such smart systems are able to guarantee the comfort of residents while ensuring an appropriate tradeoff of energy production and consumption by means of an energy management system (EMS). These interconnected EMSs remain the objective of potential cyber-attacks, which is a major concern. Therefore, this paper conducts a survey, from a multidisciplinary point of view, of some of the main security and privacy issues related to IBs as part of the SG, including an overview of EMS, smart meters, and the main communication networks employed to connect IBs to the overall SG. Future research directions towards a security enhancement from both technical and human perspectives are also provided