Passive inference of attacks on CPS communication protocols

Abstract

The security of Cyber-Physical Systems (CPS) has recently been receiving significant attention from the research community. While most of this attention originates from the control theory domain, few approaches have addressed the problem from a practical perspective. In this work, we do not claim to propose a particular solution to a specific CPS security problem; rather, we present a first look at what can help shape such solutions in the future. Our vision and ultimate goal is to merge, or at least narrow, the gap between highly theoretical solutions and practical approaches derived from insightful empirical experimentation for securing CPS. Motivated by the scarcity of malicious empirical data that can be captured, inferred and analyzed from within operational CPS settings, this paper adopts a unique approach to derive notions of CPS maliciousness based on passive measurements and analysis. By scrutinizing unsolicited real traffic targeting routable, allocated but unused Internet Protocol (IP) addresses (i.e., darknet traffic), we shed light on attackers' intentions and on actual attacks targeting a wide range of CPS communication and control protocols. To permit such analysis, we first devise and evaluate a novel probabilistic model that aims at filtering the noise (i.e., misconfiguration traffic) embedded in darknet traffic. Subsequently, a near real-time inference algorithm is designed and implemented to detect CPS probing and denial of service activities. We characterize such misdemeanors in terms of their types, their frequency, their target protocols and possible orchestration behavior. The outcome demonstrates a staggering 16 thousand scanning attempts and close to 8 thousand denial of service attacks on various CPS protocols. Further, the results uncover stealthy probing activities targeting proprietary CPS protocols and clusters of coordinated unsolicited activities.
We believe that the devised approaches, techniques, and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents. As such, we hope that this paper motivates the literature to design secure and tailored CPS models that leverage tangible attacks and vulnerabilities inferred from empirical measurements, to achieve truly reliable and secure CPS.
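The pipeline the abstract sketches (filter misconfiguration noise out of darknet traffic, then infer CPS probing and denial of service activity and characterize it per target protocol) is illustrated below with an added example that is not the paper's code. The threshold rules, the port-to-protocol table and the darknet records are all constructed assumptions standing in for the paper's probabilistic model and inference algorithm; denial of service is inferred from backscatter (unsolicited SYN/ACK or RST replies landing in unused address space).

```python
from collections import defaultdict

CPS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}  # assumption: illustrative subset

# Constructed darknet records (src_ip, dst_ip, dst_port, flags): "S"=SYN, "SA"=SYN/ACK, "R"=RST.
DARKNET = [
    ("198.51.100.7", "203.0.113.1", 502, "S"),     # horizontal Modbus sweep
    ("198.51.100.7", "203.0.113.2", 502, "S"),
    ("198.51.100.7", "203.0.113.3", 502, "S"),
    ("198.51.100.7", "203.0.113.4", 20000, "S"),   # plus a DNP3 probe
    ("192.0.2.9", "203.0.113.5", 502, "SA"),       # backscatter from a flooded PLC
    ("192.0.2.9", "203.0.113.6", 502, "SA"),
    ("192.0.2.9", "203.0.113.7", 502, "R"),
    ("192.0.2.9", "203.0.113.8", 502, "SA"),
    ("198.51.100.33", "203.0.113.50", 502, "S"),   # one host, one port, retries
    ("198.51.100.33", "203.0.113.50", 502, "S"),
    ("198.51.100.33", "203.0.113.50", 502, "S"),
    ("198.51.100.80", "203.0.113.60", 8080, "S"),  # non-CPS port, ignored
]

def classify_darknet(records, min_targets=3, min_backscatter=4):
    """Label each source that hit a CPS port. Assumption: these threshold rules
    stand in for the paper's probabilistic noise filter and inference step."""
    by_src = defaultdict(list)
    for src, dst, port, flags in records:
        if port in CPS_PORTS:
            by_src[src].append((dst, flags))
    labels = {}
    for src, pkts in by_src.items():
        targets = {dst for dst, _ in pkts}
        syns = sum(1 for _, f in pkts if f == "S")
        replies = sum(1 for _, f in pkts if f in ("SA", "R"))
        if replies >= min_backscatter:
            # Unsolicited SYN/ACK or RST in unused space is backscatter: src is a flood victim.
            labels[src] = "dos-victim"
        elif syns >= min_targets and len(targets) >= min_targets:
            labels[src] = "probing"
        elif len(targets) == 1 and syns > 1:
            # Retries to one unused address: stale client config, filtered as misconfiguration noise.
            labels[src] = "misconfiguration"
    return labels

def protocols_probed(records, labels):
    """Number of distinct probing sources seen per CPS protocol."""
    seen = defaultdict(set)
    for src, _, port, _ in records:
        if labels.get(src) == "probing" and port in CPS_PORTS:
            seen[CPS_PORTS[port]].add(src)
    return {proto: len(srcs) for proto, srcs in seen.items()}
```

On real darknet captures the thresholds would be fitted to the observed traffic rather than fixed, which is the role the paper's probabilistic model plays.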
