Improving SIEM for critical SCADA water infrastructures using machine learning

Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.) Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks, therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work helps in accelerating the mitigation process by notifying the operator with additional information when an anomaly occurs. This additional information includes the probability and confidence level of event(s) occurring. The model is trained and tested using a real-world dataset

Quarantine region scheme to mitigate spam attacks in wireless sensor networks

The Quarantine Region Scheme (QRS) is introduced to defend against spam attacks in wireless sensor networks where malicious antinodes frequently generate dummy spam messages to be relayed toward the sink. The aim of the attacker is the exhaustion of the sensor node batteries and the extra delay caused by processing the spam messages. Network-wide message authentication may solve this problem with a cost of cryptographic operations to be performed over all messages. QRS is designed to reduce this cost by applying authentication only whenever and wherever necessary. In QRS, the nodes that detect a nearby spam attack assume themselves to be in a quarantine region. This detection is performed by intermittent authentication checks. Once quarantined, a node continuously applies authentication measures until the spam attack ceases. In the QRS scheme, there is a tradeoff between the resilience against spam attacks and the number of authentications. Our experiments show that, in the worst-case scenario that we considered, a not quarantined node catches 80 percent of the spam messages by authenticating only 50 percent of all messages that it processe

USING A K-NEAREST NEIGHBORS MACHINE LEARNING APPROACH TO DETECT CYBERATTACKS ON THE NAVY SMART GRID

In 2019, the Naval Facilities Engineering Command (NAVFAC) deployed the Navy smart grid across multiple bases in the United States. The smart grid can improve the reliability, availability, and efficiency of electricity supply. While this brings about immense benefit, placing the grid on a network connected to the internet increases the threat of cyberattacks aimed at intelligence collection, disruption, and destruction. In this thesis, we propose an Intrusion Detection System (IDS) for the NAVFAC smart grid. This IDS comprises a feature extractor, classifier, anomaly detector, and response manager. We use the K-Nearest Neighbors machine learning algorithm to show that various attacks (web attacks, FTP/SSH attacks, DOS, DDOS and port scanning) can be grouped into broader attack classes of Active, Denial, and Probe for appropriate response management. We also show that in order to reduce the load on the security operations center (SOC), the accuracy of the classifier can be maximized by optimizing the value of k, which is the number of data points nearest to the sample under consideration that decides the class assigned.http://archive.org/details/usingaknearestne1094566054Outstanding ThesisCommander, Republic of Singapore NavyApproved for public release. distribution is unlimite

A NETWORK INTRUSION DETECTION SYSTEM USING DECISION TREE MACHINE LEARNING ON AN ISTN ARCHITECTURE

In recent years, the Navy has shown interest in an integrated satellite-terrestrial networking (ISTN) architecture for unmanned systems. With the development of satellite networks and growing numbers of unmanned system networks being connected, security and privacy are major concerns in an ISTN. In this thesis, we develop a network intrusion detection system (NIDS) specifically for an ISTN. We identify the critical location of the NIDS within the ISTN architecture and use the decision tree machine learning algorithm to perform cyber-attack detection against various threat vectors, including distributed denial of service. The decision tree algorithm is used to classify and segregate attack traffic from benign traffic. We use an open source ISTN data set available in the literature to train our algorithm. The decision tree is implemented using different split criteria, varying number of splits, and the use of principal component analysis (PCA). We manipulate the size of the training data and the number of data features to achieve reasonable false positive rates. We show that our NIDS framework based on decision tree learning can effectively detect and segregate different attack data classes.Civilian, DSO National Labs, SingaporeApproved for public release. Distribution is unlimited

Cyber indicators of compromise: a domain ontology for security information and event management

It has been said that cyber attackers are attacking at wire speed (very fast), while cyber defenders are defending at human speed (very slow). Researchers have been working to improve this asymmetry by automating a greater portion of what has traditionally been very labor-intensive work. This work is involved in both the monitoring of live system events (to detect attacks), and the review of historical system events (to investigate attacks). One technology that is helping to automate this work is Security Information and Event Management (SIEM). In short, SIEM technology works by aggregating log information, and then sifting through this information looking for event correlations that are highly indicative of attack activity. For example: Administrator successful local logon and (concurrently) Administrator successful remote logon. Such correlations are sometimes referred to as indicators of compromise (IOCs). Though IOCs for network-based data (i.e., packet headers and payload) are fairly mature (e.g., Snort's large rule-base), the field of end-device IOCs is still evolving and lacks any well-defined go-to standard accepted by all. This report addresses ontological issues pertaining to end-device IOCs development, including what they are, how they are defined, and what dominant early standards already exist.http://archive.org/details/cyberindicatorso1094553041Lieutenant, United States NavyApproved for public release; distribution is unlimited

TESTING DECEPTION WITH A COMMERCIAL TOOL SIMULATING CYBERSPACE

Deception methods have been applied to the traditional domains of war (air, land, sea, and space). In the newest domain of cyber, deception can be studied to see how it can be best used. Cyberspace operations are an essential warfighting domain within the Department of Defense (DOD). Many training exercises and courses have been developed to aid leadership with planning and to execute cyberspace effects that support operations. However, only a few simulations train cyber operators about how to respond to cyberspace threats. This work tested a commercial product from Soar Technologies (Soar Tech) that simulates conflict in cyberspace. The Cyberspace Course of Action Tool (CCAT) is a decision-support tool that evaluates defensive deception in a wargame simulating a local-area network being attacked. Results showed that defensive deception methods of decoys and bait could be effective in cyberspace. This could help military cyber defenses since their digital infrastructure is threatened daily with cyberattacks.Marine Forces Cyberspace CommandChief Petty Officer, United States NavyChief Petty Officer, United States NavyApproved for public release. Distribution is unlimited

Event-Driven Network Programming

Software-defined networking (SDN) programs must simultaneously describe static forwarding behavior and dynamic updates in response to events. Event-driven updates are critical to get right, but difficult to implement correctly due to the high degree of concurrency in networks. Existing SDN platforms offer weak guarantees that can break application invariants, leading to problems such as dropped packets, degraded performance, security violations, etc. This paper introduces EVENT-DRIVEN CONSISTENT UPDATES that are guaranteed to preserve well-defined behaviors when transitioning between configurations in response to events. We propose NETWORK EVENT STRUCTURES (NESs) to model constraints on updates, such as which events can be enabled simultaneously and causal dependencies between events. We define an extension of the NetKAT language with mutable state, give semantics to stateful programs using NESs, and discuss provably-correct strategies for implementing NESs in SDNs. Finally, we evaluate our approach empirically, demonstrating that it gives well-defined consistency guarantees while avoiding expensive synchronization and packet buffering

Defining a Covert Analysis Detection (CAD) System and its Stealthy Date Capture, Control and Analysis Capabilities

A Covert Analysis Detection (CAD) system is an operationalized honeypot or honeynet that is designed to covertly capture, control and provide analysis capabilities of all traffic that flows through it. It was found that the covert data capture capability not only revealed the attackers tools ( captured as source code) and tactics ( collection of compromised systems), but also over time it revealed that that attacker's actual motive was the creation of a distributed denial of service (DDoS) network. The discovery of this lethal network tool and all the signatures of its creation and maintenance, proved the validity of the CAD's capabilities to aid in the enhancement of our information protection resources.Captain, United States Marine CorpsApproved for public release; distribution is unlimited