runmidge - Artificial Intelligence and Robotics

20 Oct 2013

N-GRAM ANALYSIS: INTRUSION DETECTION WITHIN NETWORKS AND ICS

LITTLE REVIEW
- SCADA (Supervisory Control and Data Acquisition) is a type of Industrial Control System (ICS) that is used to monitor and control various industrial processes that exist in the physical world
- Seen in our smart grids

ATTACKS ON SCADA NETWORKS

INTRUSION DETECTION SYSTEMS

LOG MINING APPROACH FOR PROCESS MONITORING IN SCADA
- Accessing user rights to do actions that look legitimate
- PHEA - Predictive Human Error Analysis (task analysis tree - possible user actions)
- HAZOP - Hazard and Operability Study
- Main issue: dealing with the attack after the fact?

SMART DEVICE PROFILING
- Device fingerprint
- Connectivity pattern
- Pseudo-protocol pattern
- Packet content statistics
- First level - network access control mechanisms
- Second level - intrusion detection systems

N-GRAM AGAINST THE MACHINE
N-gram network analysis for binary protocols

TERMS TO KNOW
- Network Intrusion Detection Systems (NIDS)
- Signature-based
- Anomaly-based
- Zero-day and targeted attacks (Stuxnet)

ANOMALY-BASED NIDS / BINARY PROTOCOLS
- Network-based approach (monitoring in a transparent way)
- Analyze network flow
- Analyze actual payload
- Binary protocols (SMB/CIFS/RPC/Modbus)

N-GRAM ANALYSIS
- Monitoring system calls
- Text analysis
- Packet payload analysis

NETWORK PAYLOAD ANALYSIS
- Using n-grams in different ways
- Two particular aspects:
  1. The way the n-gram builds feature spaces
  2. The accuracy of payload representation

THE ALGORITHMS
PAYL, POSEIDON, Anagram, McPAD

THE ALGORITHMS
PAYL
- 1-gram-based payload anomaly detector
- Use of models:
  1. Mean byte frequency
  2. Byte frequency standard deviation
- Same values computed for incoming packets --> compared to model values

POSEIDON
- Built on the PAYL architecture
- Employs a neural network to classify packets
- Self-Organizing Maps

THE ALGORITHMS
PAYL - Fail
- Vulnerable to mimicry attacks (only models the 1-gram byte distribution)
- Additional bytes added to match models

POSEIDON - Fail
- More resilient to mimicry attacks (SOM and PAYL together)
- Attack portion of payload small enough --> assigned to a cluster with models of regular traffic (similar byte frequency)
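As an added illustration of the PAYL model described on these slides (example code, not the slides' or the paper's implementation): a 1-gram model of mean and standard deviation of byte frequencies, scored with a simplified Mahalanobis distance. The training payloads, the smoothing constant ALPHA and the alert threshold are constructed assumptions; the run at the bottom shows why a 1-gram model cannot see byte order, which is the weakness the slides contrast with higher-order n-grams.

```python
import math

ALPHA = 0.001  # smoothing so that bytes with zero variance do not divide by zero (assumed value)


def byte_frequencies(payload: bytes):
    """1-gram feature vector: relative frequency of each of the 256 byte values."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def train_payl_model(payloads):
    """PAYL model: mean and standard deviation of each byte's frequency over training payloads."""
    vectors = [byte_frequencies(p) for p in payloads]
    m = len(vectors)
    mean = [sum(v[i] for v in vectors) / m for i in range(256)]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vectors) / m) for i in range(256)]
    return mean, std


def payl_score(model, payload: bytes) -> float:
    """Simplified Mahalanobis distance between a packet's byte frequencies and the model."""
    mean, std = model
    freq = byte_frequencies(payload)
    return sum(abs(freq[i] - mean[i]) / (std[i] + ALPHA) for i in range(256))


# Constructed "normal" traffic: short request lines of the same shape.
NORMAL = [b"GET /index.html HTTP/1.0\r\n", b"GET /about.html HTTP/1.0\r\n",
          b"GET /news.html HTTP/1.0\r\n", b"GET /login.html HTTP/1.0\r\n"]
MODEL = train_payl_model(NORMAL)


def is_anomalous(payload: bytes, threshold: float) -> bool:
    """Alert when the distance exceeds a threshold tuned on training data (value assumed here)."""
    return payl_score(MODEL, payload) > threshold


if __name__ == "__main__":
    # A payload made of one repeated byte value scores far above a normal request, while any
    # permutation of a normal request scores exactly like the original: 1-grams ignore byte order.
    print(payl_score(MODEL, NORMAL[0]), payl_score(MODEL, b"\x90" * 40))
    print(payl_score(MODEL, NORMAL[0]) == payl_score(MODEL, NORMAL[0][::-1]))
```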

THE ALGORITHMS
Anagram
- Higher-order n-grams used (n > 1)
- Binary-based n-gram analysis
- Use of Bloom filters
- Less memory used = use of higher-order n-grams
- More precise than frequency-based analysis (PAYL)

McPAD
- "Multiple-Classifier Payload-based Anomaly Detector"
- 2-gram analysis
- Support Vector Machine (SVM) classifiers

THE ALGORITHMS
Anagram - Fail
- Bloom filter saturates during training
- Attack leverages sequence of n-grams that have been observed during testing

McPAD - Fail
- Tries to give wide representation of the payload:
  1. Approximate representation
  2. Use of different classifiers

APPROACH
Verifying the effectiveness of the different algorithms

APPROACH
- Collect network data
- Collect attack data
- Obtain working implementations of the algorithms
- Run algorithms and analyze results

OBTAINING NETWORK DATA
- Real-life data from different network environments (currently operating)
- Focus on analysis of binary protocols:
  1. Typical LAN (Windows-based network services)
  2. Protocols found in ICS

OBTAINING THE IMPLEMENTATIONS
- POSEIDON and McPAD obtained from authors
- Anagram and PAYL --> implementations written from scratch

EVALUATION CRITERIA
- Detection rate
- False positive rate

EVALUATION CRITERIA
Detection rate
- Number of correctly detected packets within the attack set
- Number of detected attack instances
- Alarm = true positive if the algorithm triggers at least one alert packet per attack instance

False positive rate
- Related to detection rate
- Instead of a percentage, use the number of false positives per time unit
- Two thresholds:
  1. 10 false positives per day
  2. 1 false positive per minute
EVALUATION CRITERIA - SNORT
- Signature-based IDS
- Used to verify that alerts are false positives

DATA SETS AND ATTACK SETS

WEB DATA SET
DARPA (DS)
- Used to verify implementations
- PAYL
- Anagram

HTTP (AS)
- Used for benchmarks with McPAD
- 66 diverse attacks
- 11 shellcodes

LAN DATA SETS
SMB (DS)
- Network traces from a university network
- Avg. data rate: ~40 Mbps
- Focus on SMB/CIFS protocol messages, which encapsulate RPC messages
- Avg. packet rate: ~22/sec

SMB (AS)
- Seven attack instances
- Exploit 4 different vulnerabilities:
  1. MS04-011
  2. MS06-040
  3. MS08-067
  4. MS10-061

ICS DATA SET
Modbus (DS)
- Data set traces from the ICS of a real-world plant: 30 days of observation
- Avg. throughput on net: ~800 Kbps
- Max size of Modbus/TCP message: 256 bytes
- Avg. size of Modbus/TCP message: 12.02 bytes
- Avg. packet rate: ~96/sec

Modbus (AS)
- 163 attack instances
- Exploit a multitude of vulnerabilities of the Modbus/TCP implementation
- Two families of exploited vulnerabilities:
  1. Unauthorized use
  2. Protocol errors

IMPLEMENTATION VERIFICATION
- DARPA (DS) used for initial tests
- HTTP (AS) used for other tests:
  1. Original attack set of DARPA does not reflect some modern attacks
  2. Not all algorithms benchmarked against the DARPA (AS)

TESTS WITH LAN DATA SET
- First tests performed on SMB (DS)
- All SMB/CIFS packets directed to TCP ports 139 or 445
- Poor performance by all algorithms
- High variability of the analyzed payload
- Filtered data set used
- SMB/CIFS messages that carry RPC data

RESULTS: TESTS WITH LAN DATA SETS
- Anagram - 0.00% false positive rate and lowest false positive rate of all tested algorithms
- McPAD - highest false positive rate, and it is impossible to lower
- All false positives verified through Snort (none are true positives)

ANALYSIS (DETECTED AND UNDETECTED ATTACKS): TESTS WITH LAN DATA SETS
- All algorithms detect the attack instance exploiting the MS04-011 vulnerability
- Never a sequence of 3 bytes with 0x90 --> Anagram
- Anomalous byte frequency distribution above all others --> PAYL and POSEIDON
- Peak in frequency of 2-grams --> McPAD

ANALYSIS (DETECTED AND UNDETECTED ATTACKS): TESTS WITH LAN DATA SETS
- PAYL and POSEIDON fail to detect the attack that exploits MS06-040
- When false positives are below 2%

TESTS WITH ICS DATA SET
- No issues with initial tests (as opposed to the LAN tests with SMB)
- Anagram has outstanding results
- McPAD performs well w.r.t. false positives
- PAYL: better packet-rate detection than POSEIDON

VERIFICATION PROCESS: ICS DATA SET
- No raised alert turned out to be a true positive when processed with Snort
  1. Signatures for the Modbus protocol
  2. Highly isolated ICS

ANALYSIS (DETECTED AND UNDETECTED ATTACKS): TESTS WITH ICS DATA SETS
- Why does Anagram work so well?
  1. Valid read request
  2. Attack instance
  3. Smallest possible Modbus message allowed by the protocol specification

CONCLUSION

CONCLUSION
SMB/CIFS
- Attacks correctly detected
- High rate of false positives
- High cost to independently deploy in a real environment

Modbus
- Anagram independently detects almost every attack instance
- False positive rate lower than the 10 alerts per day threshold
- Can be deployed in a real environment

CONCLUSION ON ALGORITHMS
- No absolute best algorithm
- Anagram works better than most on SMB/CIFS when filtered
- Most work well with Modbus
- Problem alleviated with a detection system and a sensor to verify alerts
- One other open issue: how to measure traffic variability

THANK YOU. QUESTIONS?