Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis

Although the security of Cyber-Physical Systems (CPS) has recently been receiving significant attention from the research community, there still exists a substantial lack of a comprehensive and holistic understanding of attackers' malicious strategies, aims and intentions. To this end, this paper uniquely exploits passive monitoring and analysis of a newly deployed network telescope IP address space, in a first attempt to build broad notions of real CPS maliciousness. Specifically, we approach this problem by inferring, investigating, characterizing and reporting large-scale probing activities that specifically target more than 20 diverse, heavily employed CPS protocols. To permit such analysis, we initially devise and evaluate a novel probabilistic model that aims at filtering the noise embedded in network telescope traffic. Subsequently, we generate amalgamated statistics, inferences and insights characterizing the inferred scanning activities in terms of their probe types, the distribution of their sources and their packets' headers, among numerous others, in addition to examining and visualizing the co-occurrence patterns of such events. Further, we propose and empirically evaluate an innovative hybrid approach rooted in time-series analysis and context triggered piecewise hashing to infer, characterize and cluster orchestrated, well-coordinated probing activities targeting CPS protocols that are generated from Internet-scale unsolicited sources. Our analysis and evaluations, which draw upon extensive network telescope data observed over a recent one-month period, demonstrate a staggering 33 thousand probes towards a wide range of CPS protocols, a lack of interest in UDP-based CPS services, and the prevalence of probes towards the ICCP and Modbus protocols. Additionally, we infer that a considerable 74% of CPS probes were persistent throughout the entire analyzed period, targeting prominent protocols such as DNP3 and BACnet. Further, we uncover close to 9 thousand large-scale, stealthy, previously undocumented orchestrated probing events targeting a number of such CPS protocols. We validate the various outcomes through cross-validation against publicly available threat repositories. We conclude that the devised approaches, techniques and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents.
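The hybrid idea named in the abstract (a per-source probe time series fed through context triggered piecewise hashing, CTPH, and then compared to group coordinated sources) is sketched below as an added illustration; this is not the paper's code and the paper's exact model is not reproduced. The example assumes a small hand-picked table of CPS service ports (Modbus/TCP 502, DNP3 20000, BACnet/IP 47808, ISO-TSAP 102), telescope records in a constructed `hour src_ip dst_port` form, a minimal rolling-hash CTPH in the spirit of Kornblum's ssdeep with a fixed block size, and an edit-distance similarity score; the source addresses and burst schedules are constructed. It shows how sources that share one burst schedule (even with a small local deviation) receive near-identical signatures and are grouped as a single orchestrated event, while an unrelated low-rate scanner stays apart.

```python
"""Added illustration of time series + context triggered piecewise hashing
(CTPH) for grouping orchestrated CPS probing seen by a network telescope.
Simplified CTPH in the spirit of Kornblum's ssdeep; ports, records and
addresses are constructed for the example."""
from collections import defaultdict, deque

# Constructed subset of CPS service ports used as the telescope filter.
CPS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 47808: "BACnet/IP", 102: "ISO-TSAP (ICCP/S7)"}
BUCKETS = 24       # one bucket per hour over a one-day window
WINDOW = 3         # rolling-hash window (number of buckets)
BLOCK_SIZE = 4     # piece ends when rolling hash % BLOCK_SIZE == BLOCK_SIZE - 1
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def parse_records(lines):
    """'hour src_ip dst_port' lines -> {src_ip: [probes per hour]}, CPS ports only."""
    series = defaultdict(lambda: [0] * BUCKETS)
    for line in lines:
        hour, src, port = line.split()
        if int(port) in CPS_PORTS:
            series[src][int(hour)] += 1
    return dict(series)


def fnv1a32(data):
    """FNV-1a 32-bit hash used for each piece."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def ctph_signature(counts):
    """Context triggered piecewise hash of a count series.
    The rolling hash (sum of the last WINDOW values) decides where a piece ends,
    so a local change in the series only alters the character of its own piece."""
    data = bytes(min(c, 255) for c in counts)
    window, piece, sig = deque(maxlen=WINDOW), bytearray(), []
    for b in data:
        window.append(b)
        piece.append(b)
        if sum(window) % BLOCK_SIZE == BLOCK_SIZE - 1:   # context trigger
            sig.append(B64[fnv1a32(piece) & 63])
            piece = bytearray()
    if piece:                                            # trailing piece
        sig.append(B64[fnv1a32(piece) & 63])
    return "".join(sig)


def levenshtein(a, b):
    """Classic edit distance between two signature strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a, sig_b):
    """0..100 score; 100 means identical signatures (ssdeep-style match score)."""
    longest = max(len(sig_a), len(sig_b))
    return 100 * (longest - levenshtein(sig_a, sig_b)) // longest


def cluster_sources(series, threshold=50):
    """Greedy single-linkage grouping of sources whose signatures score >= threshold."""
    sigs = {src: ctph_signature(c) for src, c in series.items()}
    clusters = []
    for src in sorted(sigs):
        for cl in clusters:
            if any(similarity(sigs[src], sigs[other]) >= threshold for other in cl):
                cl.append(src)
                break
        else:
            clusters.append([src])
    return sigs, clusters


# Constructed hourly probe schedules: three sources follow the same burst pattern
# (the third with one extra probe in hour 10); 198.51.100.7 is a lone low-rate scanner.
BURSTS = [1, 1, 1, 0, 0, 0, 2, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 2, 1, 0, 0, 0, 0]
PATTERNS = {"203.0.113.10": BURSTS,
            "203.0.113.11": BURSTS,
            "203.0.113.12": BURSTS[:10] + [1] + BURSTS[11:],
            "198.51.100.7": [0] * 5 + [2] + [0] * 18}


def build_sample_records():
    """Expand the constructed schedules into telescope-style records (Modbus port)."""
    lines = []
    for src, pattern in PATTERNS.items():
        for hour, n in enumerate(pattern):
            lines += [f"{hour} {src} 502"] * n
    lines.append("3 198.51.100.7 443")   # non-CPS noise, dropped by the port filter
    return lines


if __name__ == "__main__":
    sigs, clusters = cluster_sources(parse_records(build_sample_records()))
    for src, s in sigs.items():
        print(f"{src:14s} {s}")
    print("orchestrated groups:", [c for c in clusters if len(c) > 1])
```

Because piece boundaries are content-defined, the extra probe in hour 10 of the third source changes at most one character of its signature, which is what lets the fuzzy match tolerate small deviations between members of one campaign; the lone scanner never fires a trigger and yields a one-character signature that cannot score above the threshold. In practice the block size would be scaled with series length, as ssdeep does, and the threshold tuned against a labelled sample.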
