05.11.2016
Detection of Man-in-the-Middle Attacks on Industrial Control Systems
Oliver Eigner, Philipp Kreimel, Paul Tavolato
Industrial Control Systems
Security Issues of Industrial Control Systems
Behavioral Monitoring of Industrial Control Systems
Experimental Setting
Normal System Behavior
Man-in-the-Middle Attacks
Results
Further Work
Industrial Control System
Situation so far: Control System and Administration System strictly separated!
Situation now:
Threats
Opening a system makes it vulnerable
After having gained access an intruder may cause harm
S/he may
o steal data
o modify data
o inject false data
o modify the process
o damage the plant
Why Do Conventional IT Security Measures Not Work with ICS?
Update risks
Security updates available?
Long operating times lead to outdated systems
Proprietary protocols
Special system needs
Project Idea: Behavioral Analysis
For this talk:
Use a simple testing system
Restrict to Man-in-the-Middle attacks
Observe the behavior of the „clean“ ICS
Define patterns of such normal behavior
Do this by using machine learning algorithms
Execute attacks against the ICS and compare behavior
Scenario
Data Acquisition
Near-real-time data from the PLC should be logged
Modbus TCP-Server was implemented on the PLC
All sensor and actuator data was logged
For one process life cycle (approx. 2 min 20 s) 2800 log entries were collected
Feature Extraction
To reduce the dimensionality a set of 32 features was
extracted, such as minimum values, maximum values,
arithmetic means, and standard deviations of the data.
temp_min  temp_max  temp_stdev  temp_avg
20        60        12.8763119  53.3042922
20        60        13.0828626  53.1369836
20        60        12.6685830  53.6036321
20        60        12.6121858  53.6320333
20        60        12.7710237  53.5021791
20        60        13.2449995  53.0458893
Thresholds of Valid Behavior
Using RapidMiner, experiments with various algorithms were conducted.
Bregman divergence with k=3 showed the best results

Outlier Statistics (outlier score per example for each algorithm and neighbourhood size k)

             Euclidean Distance         Kernel Euclidean Distance  Bregman Divergences
k            3       5       7          3       5       7          3       5       7
Example1     0.1555  0.1956  0.2493     0.0535  0.0829  0.1374     0.0273  0.0426  0.0725
Example2     0.1501  0.1991  0.2623     0.0487  0.0865  0.1555     0.0248  0.0446  0.0834
Example3     0.1645  0.2469  0.3479     0.0644  0.1413  0.2740     0.0331  0.0748  0.1566
Example4     0.2074  0.2955  0.2649     0.1024  0.1952  0.3420     0.0535  0.1053  0.2004
Example5     0.1599  0.1883  0.3811     0.0530  0.0733  0.1601     0.0269  0.0375  0.0865
Example6     0.1814  0.2923  0.2321     0.0721  0.1950  0.3140     0.0369  0.1063  0.1809
Example7     0.1193  0.1870  0.2417     0.0283  0.0812  0.1222     0.0143  0.0420  0.0641
Example8     0.1563  0.1903  0.2374     0.0528  0.0769  0.1295     0.0269  0.0394  0.0684
Example9     0.1430  0.1859  0.3160     0.0447  0.0757  0.1258     0.0227  0.0389  0.0661
Example10    0.1386  0.2349  0.4001     0.0400  0.1312  0.2294     0.0202  0.0697  0.1278
Minimum      0.1193  0.1859  0.2321     0.0283  0.0733  0.1222     0.0143  0.0375  0.0641
Maximum      0.2074  0.2955  0.4001     0.1024  0.1952  0.3420     0.0535  0.1063  0.2004
Average      0.1576  0.2216  0.2933     0.0560  0.1139  0.1990     0.0287  0.0601  0.1107
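As an added worked example (not code from the talk or its authors), the following Python reproduces the pipeline of the Feature Extraction and Thresholds slides on constructed data: per-cycle min/max/stdev/mean features, an outlier score with k=3 nearest neighbours, min/max/average thresholds derived from clean cycles, and classification of a newly captured cycle. The scoring rule (mean squared-Euclidean divergence to the k nearest baseline vectors, the Bregman divergence generated by the squared norm) and all sample values are assumptions; the slides do not show RapidMiner's exact configuration.

```python
from statistics import mean, pstdev

# Constructed sample data (not the talk's logged Modbus data): one list per
# process life cycle, each holding temperature samples read from the PLC.
BASELINE_CYCLES = [
    [20, 35, 50, 58, 60, 60, 59, 60],
    [20, 36, 51, 57, 60, 60, 60, 59],
    [20, 34, 49, 58, 60, 59, 60, 60],
    [20, 35, 52, 57, 60, 60, 59, 59],
    [20, 36, 50, 58, 60, 60, 60, 60],
]
# Constructed cycle in which a man-in-the-middle rewrites the temperature
# register, so the logger sees values beyond the 60 degree ceiling of clean runs.
ATTACK_CYCLE = [20, 35, 50, 58, 60, 75, 80, 80]

def extract_features(samples):
    """Per-cycle feature vector (min, max, stdev, mean): the temp_* columns of the slides."""
    return (min(samples), max(samples), pstdev(samples), mean(samples))

def divergence(a, b):
    """Squared Euclidean distance, i.e. the Bregman divergence generated by F(x) = ||x||^2
    (assumption: this is the divergence used in the RapidMiner experiments)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def outlier_score(vec, baseline, k=3, skip=None):
    """Mean divergence to the k nearest baseline vectors; skip is the index of vec
    itself when a baseline vector is scored against its own set (leave-one-out)."""
    dists = sorted(divergence(vec, b) for i, b in enumerate(baseline) if i != skip)
    return sum(dists[:k]) / k

def thresholds(baseline, k=3):
    """Minimum, maximum and average outlier score of the clean cycles (the table's last rows)."""
    scores = [outlier_score(v, baseline, k, skip=i) for i, v in enumerate(baseline)]
    return min(scores), max(scores), mean(scores)

def classify(cycle, baseline, max_valid, k=3):
    """Score one captured cycle and label it like the Prediction column of the results slides."""
    score = outlier_score(extract_features(cycle), baseline, k)
    return score, ("valid" if score <= max_valid else "anomalous")

if __name__ == "__main__":
    vectors = [extract_features(c) for c in BASELINE_CYCLES]
    lo, hi, avg = thresholds(vectors)
    print(f"valid range: min={lo:.4f} max={hi:.4f} avg={avg:.4f}")
    print("baseline cycle:", classify(BASELINE_CYCLES[0], vectors, hi))
    print("attack cycle:  ", classify(ATTACK_CYCLE, vectors, hi))
```

Note that features computed over a whole cycle say nothing about timing, which is why a faithful replay of old readings would look valid to this scorer alone.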
Man-in-the-Middle Attack
A Man-in-the-Middle attack was executed against the PLC and
the Modbus client.
The attack was executed using Ettercap and ARP poisoning.
(Figure: Modbus logger, engineering workstation, attacker, PLC, HMI)
Results
The data captured during the attack was compared to the
thresholds defined for normal behavior.
The outlier score deviated from the values of normal behavior to such a
considerable extent that the detection of the attack was beyond doubt.

                            Label     Outlier   Prediction
Average valid behaviour     valid     0.028     valid
Man-in-the-Middle attack    unknown   1.231     anomalous
Other Attacks - Results
Type                           Label     Outlier   Prediction
Normal behavior                valid     0.028     valid
Man-in-the-Middle Attack       unknown   1.231     anomalous
DoS Attack PLC                 unknown   314.727   anomalous
DoS Attack HMI                 unknown   0.142     valid
Replay Attack                  unknown   1.032     anomalous
Reprogram heat rate            unknown   0.191     anomalous
Reprogram maximum temperature  unknown   44.895    anomalous
Modbus read I/O values         unknown   0.019     valid
Modbus write coil              unknown   0.380     anomalous
Restrictions of the approach
The project was carried out in a lab environment
The scenario was rather simple with a limited number of
sensors and actuators
However:
We used up-to-date hardware and firmware – which is not
the case in many real-life ICS.
Conclusion
Man-in-the-Middle attacks can be detected by looking for
anomalies.
Patterns of normal behavior of the ICS are required.
These patterns can be derived using machine learning.
Results are clear enough to make the process a candidate
for use in real scenarios.
Further Work
Extend the project to other types of attacks, such as
denial of service attacks, false data injections, replay
attacks, and others
Try to use the machine learning on data from real ICS
Apply the procedure to real ICS