Collaborative Intelligence Analysis for Industrial Control Systems Threat Profiling

Industrial Control Systems (ICS), as a core component of critical national infrastructure, have faced a growing number of cyber threats. Efficient analysis of current cyber threat intelligence is crucial for ICS security, since threat profiling can offer new insight into security strategy. However, deriving semantic information from the relevant attack packets in order to profile a threat remains a challenge, largely due to the lack of ICS-related attack data and of appropriate information processing methods. To address these issues, we deployed dozens of honeypots to collect ICS-related attack data and propose a novel framework for analyzing the current threat landscape. Through collaborative analysis of the observed interactions combined with open-source intelligence, we present the threat landscape from three aspects: (1) attack methods, (2) attack patterns, and (3) attack sources. We evaluate our approach on real-world attack data collected by 35 honeypots in 22 cities over 10 months. Experiments conducted on this database show that the proposed method achieves considerable performance in terms of efficiency and effectiveness.
