8 research outputs found
A Public Network Trace of a Control and Automation System
The increasing number of attacks against automation systems such as SCADA and their network infrastructure has demonstrated that there is a need to secure those systems. Unfortunately, directly applying existing ICT security mechanisms to automation systems is hard due to constraints of the latter, such as availability requirements or limitations of the hardware. Thus, the solution favoured by researchers is the use of network-based intrusion detection systems (N-IDS). One of the issues that many researchers encounter is how to validate and evaluate their N-IDS. Having access to a real and large automation system for experimentation is almost impossible, as companies are not inclined to give access to their systems due to obvious concerns. The few public traffic datasets that could be used for off-line experiments are either synthetic or collected at small testbeds. In this paper, we describe and characterize a public traffic dataset collected at the HVAC management system of a university campus. Although the dataset contains only packet headers, we believe that it can help researchers, in particular designers of flow-based IDS, to validate their solutions under more realistic conditions. The traces can be found at https://github.com/gkabasele/HVAC_Traces
Intrusion detection for industrial control systems
Industrial Control Systems (ICS) are computer systems used for monitoring and controlling industrial facilities such as water treatment facilities, power plants and manufacturing factories. Historically, those systems were isolated, but for business and management purposes they were connected to other networks. This connection brought the vulnerabilities of other networks to ICS, which resulted in an increasing number of attacks against those systems. Consequently, the security of ICS has become an active research field. To improve the resilience of ICS against cyber-attacks, researchers are focusing on designing protection mechanisms such as Intrusion Detection Systems (IDS). In this thesis, we present two IDS solutions for ICS that consider both the cyber aspect and the physical aspect of ICS. The first solution focuses on the detection of attacks targeting the network infrastructure of the ICS and leverages Software-Defined Networking (SDN). SDN is a network paradigm that provides a high level of flexibility in terms of network management. We use this property to improve a technique called Flow-Whitelisting. The second solution focuses on process-oriented attacks, meaning attacks that target physical processes. The IDS learns the temporal properties of a physical process to detect the disruptions caused by an attack. It analyzes the variables defining the physical process and monitors their behavior over time. Any deviation from the learned temporal properties triggers an alert. Each IDS is evaluated with several scenarios and gives interesting results. In addition, we provide a network dataset from a real system as well as a tool to generate new datasets that can be used for the evaluation of network IDS. To show the usefulness of the dataset, we evaluate several IDS from the literature. (FSA - Sciences de l'ingénieur) -- UCL, 202
Exploiting the Temporal Behavior of State Transitions for Intrusion Detection in ICS/SCADA
Industrial Control Systems (ICS) monitor and control physical processes. The security of ICS has drawn the attention of many researchers, since successful cyber-attacks against ICS can cause extensive damage in the physical world. Most of the existing literature describes solutions to protect an ICS against attacks directly targeting its underlying IT infrastructure. However, there are comparatively fewer works that focus on detecting cyber-attacks against the physical process itself. Detection mechanisms that do so are said to be process-aware. In this paper, we propose a time-based process-aware intrusion detection system (IDS) that detects attacks against a physical process by leveraging its regular nature and temporal properties. The IDS learns the temporal behavior of the process variables and uses it to detect attacks. We evaluate the performance of our IDS on a public SCADA dataset and on a simulated SCADA system developed as part of this study, and we compare it with two other process-aware IDS proposed in the literature. The results show that our solution is able to detect attacks that are not detected by IDS that ignore temporal properties
Simulating attacks to evaluate intrusion detection systems in industrial control systems
The number of attacks against industrial control systems and their networking infrastructure has increased dramatically in recent years. Consequently, research and development of intrusion detection systems (IDS) for such environments has attracted a lot of attention. A typical problem in the design of an IDS is its evaluation. In the ideal case, an IDS should be tested with real attack traffic. We describe a simulator we have implemented to generate such traffic and we test it against two IDSs. Results show that the generated traces can be used to evaluate an IDS. Master [120] in computer science, Université catholique de Louvain, 201
Network trace generation for flow-based IDS evaluation in control and automation systems
The increasing number of attacks against Industrial Control Systems (ICS) has demonstrated that there is a need to secure such systems. Unfortunately, directly applying existing ICT security mechanisms is hard due to constraints of ICS, such as availability requirements or resource limitations of the field devices. Thus, the solution preferred by researchers is the use of network-based intrusion detection systems (N-IDS). An issue that many researchers encounter is how to validate and evaluate their N-IDS, since it is very difficult to get access to a real and large ICS for experimentation. The few public traffic datasets that could be used for off-line experiments are either synthetic, collected at small testbeds, or not suited for network experiments. In this paper, we present a tool to generate network traces based on statistical properties that the tool extracts from empirical traces. We demonstrate its usability by applying it to an empirical trace collected at the Heating, Ventilation and Air Conditioning (HVAC) management system of a university campus and by using the generated traces to evaluate several IDS published in the literature. We make the original trace available to other researchers. To our knowledge, we are the first to publish a network dataset collected at a real and operational control and automation system
A Survey of Public IoT Datasets for Network Security Research
Publicly available datasets are an indispensable tool for researchers, as they allow testing new algorithms on a wide range of different scenarios and making scientific experiments verifiable and reproducible. Research in IoT security is no exception. In particular, the design of traffic classification and intrusion detection solutions for network security relies on network traces obtained from real networks or realistic testbeds. In this paper, we provide a detailed survey on the existing datasets containing IoT network traffic. We classify them according to several features that help researchers quickly find the datasets that fit their specific needs. In total, we survey 74 datasets that we found by analyzing more than 100 scientific articles. We also discuss the weaknesses of existing datasets, identify challenges, and point to future directions for creating new IoT datasets
A low-delay SDN-based countermeasure to eavesdropping attacks in industrial control systems
Industrial Control Systems (ICS) and their networking infrastructure have been the target of an increasing number of cyber-attacks over the past years. In 2015, researchers proposed to employ SDN techniques to improve the security of ICS networks. To avoid all packets being forwarded along the same path in such a network, their multipath routing strategy alternates between several paths from a source host to the destination host, such that an eavesdropper cannot capture the entire communication. We show that a basic multipath routing strategy can lead to delay peaks in the ICS network which are, considering the real-time nature of the network traffic in an ICS, highly undesirable. We propose the priority multipath routing strategy, which avoids such delays. Our approach makes use of rule priorities in OpenFlow to ensure that there is always a matching forwarding rule in a switch. We also propose to treat the path selection process as solving a convex flow problem. We validate our approach by simulation experiments. Our results show that our approach significantly reduces the number of table misses and effectively eliminates delay peaks, and that the selected paths strike a good compromise between their disjointness and their cost