Network intrusion detection system (NIDS)
According to the taxonomy of intrusion detection systems defined by Debar and his working group, the most suitable system for this environment is shown in the following figure:
The detection method should not be based on signatures, since signatures have to be updated frequently and offer no protection against 0-day vulnerabilities; behavior-based detection is therefore the most appropriate choice.
Behavior-based detection should be passive, so that it is as non-intrusive as possible and does not interfere with the commands and actions exchanged over the network.
Given the importance that transitions have in the control of industrial processes, the NIDS should take this paradigm into account, and it should monitor continuously, since these networks operate on a 24x7x365 basis.
Regarding the detection technology for behavioral anomalies, there are several alternatives: inspection of message headers, inspection of message payloads, or a combination of both. In this note we use the last option, as it is the only one capable of detecting semantic attacks of this type, and it is the basis of the deep protocol behavior inspection technology we propose for network intrusion detection in critical infrastructure.
NIDS based on deep protocol behavior inspection
Having selected the detection technology, we will explain how to implement it in such environments. Since its operation is based on detecting events that deviate from normal behavior (anomalies), we must first build the pattern of normal behavior (the behavioral blueprint).
This pattern can be built either in a specification-based manner (entering the topological and operational information of the network) or unattended, using learning-based technology. The first option is rarely useful: the knowledge that organizations have of the low-level implementation details of their own control networks in many cases dates back to the FAT (Factory Acceptance Test) or the SAT (Site Acceptance Test), so it is usually very old information, outdated and not maintained systematically through change management procedures in line with best practices.
If the unattended, learning-based construction method is selected, it is very important that this normal behavior pattern be built in an environment as similar as possible to the production environment in which anomaly detection will be performed.
The operating scheme of this type of intrusion detection sensor is as follows:
Although learning is automatic, it must always be adjusted by control engineers who are familiar with the process, to eliminate any undesired operations generated by unscheduled interventions once these have been verified by the control personnel. Additionally, during the detection phase it should be possible to add such events to the behavioral blueprint in order to avoid unwanted alerts (false positives).
The behavioral blueprint obtained after the learning and customization phase includes the following elements:
Control network communication profile
At this point the NIDS knows every possible tuple in the control network (the traffic matrix):
    Src IP, Src Port -> Dest IP, Dest Port
From this moment on, we can be alerted to:
• New devices on the network
• Devices trying to connect to our network that are not in our model
• Devices sending information out of our network to devices that are not in the model
Protocols, messages and values matrix
In order to detect advanced operational issues or attacks on processes we need to use deep protocol behavior inspection (DPBI) technology, since with it we will know:
• The control protocols operating in the network
• The messages that are used within each protocol
• The distribution of values within each message field of the control protocols actually present on the network
All this information must be organized logically in order to obtain the pattern of behavior against which every message captured from the network is subsequently compared. The DPBI NIDS is responsible for generating this model during the learning phase using its behavior modelling technology. From this point on we can start the detection phase and be alerted of any communication that diverges from the newly built behavioral blueprint.
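As an added illustration (not code from the original note or from any product it describes), the following Python sketch builds a blueprint of the two kinds described above, the traffic matrix of the communication profile and the protocols/messages/values matrix, from constructed learning records and then reports every way in which a new message diverges from it. IP addresses, ports and field values are constructed; the IEC 104 type identifiers and TCP port are the standard's.

```python
from collections import defaultdict

# Constructed learning traffic, one entry per captured message:
# (src_ip, src_port, dst_ip, dst_port, protocol, message_type, field, value).
# C_SC_NA_1 / M_SP_NA_1 are IEC 104 type identifiers; 2404 is its TCP port.
LEARNING_TRAFFIC = [
    ("10.0.0.10", 50001, "10.0.0.20", 2404, "iec104", "C_SC_NA_1", "ioa", 1001),
    ("10.0.0.10", 50001, "10.0.0.20", 2404, "iec104", "C_SC_NA_1", "ioa", 1002),
    ("10.0.0.10", 50001, "10.0.0.20", 2404, "iec104", "C_SC_NA_1", "scs", 0),
    ("10.0.0.10", 50001, "10.0.0.20", 2404, "iec104", "C_SC_NA_1", "scs", 1),
    ("10.0.0.20", 2404, "10.0.0.10", 50001, "iec104", "M_SP_NA_1", "ioa", 2001),
]

class Blueprint:
    """Normal-behaviour model: traffic matrix plus protocol/message/value matrix."""

    def __init__(self):
        self.devices = set()              # IPs that belong to the control network
        self.flows = set()                # (src_ip, src_port, dst_ip, dst_port)
        self.messages = defaultdict(set)  # protocol -> message types seen
        self.values = defaultdict(set)    # (protocol, message, field) -> values seen

    def learn(self, rec):
        src, sport, dst, dport, proto, msg, fld, val = rec
        self.devices.update((src, dst))
        self.flows.add((src, sport, dst, dport))
        self.messages[proto].add(msg)
        # Discrete values are kept as a set; an analog field would use a range or histogram.
        self.values[(proto, msg, fld)].add(val)

def build_blueprint(records):
    bp = Blueprint()
    for rec in records:
        bp.learn(rec)
    return bp

def detect(bp, rec):
    """Return one alert string per way in which rec diverges from the blueprint."""
    src, sport, dst, dport, proto, msg, fld, val = rec
    alerts = []
    if src not in bp.devices:
        alerts.append(f"new device {src} talking to the control network")
    if dst not in bp.devices:
        alerts.append(f"traffic from {src} to {dst}, which is outside the model")
    if (src, sport, dst, dport) not in bp.flows:
        alerts.append(f"unknown flow {src}:{sport} -> {dst}:{dport}")
    if msg not in bp.messages[proto]:          # also fires for an unknown protocol
        alerts.append(f"unknown message {proto}/{msg}")
    elif val not in bp.values[(proto, msg, fld)]:
        alerts.append(f"unseen value {fld}={val} in {proto}/{msg}")
    return alerts
```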
Operational correlation
Despite the power of DPBI detection technology in control environments, we also need to be able to generate alerts for cyber attacks on the physical process, that is, operations that are within the behavior pattern and are executed from control network stations that are also found in the pattern.
A clear example of this would be an Aurora-type attack run from a SCADA server, transmitting orders to open and close switches out of phase to a remote terminal unit (RTU) in a substation, using the IEC 104 protocol.
To detect this cyber attack, we should be able to store all IEC 104 open and close commands aimed at each RTU found in the control network and estimate the time difference from the immediately preceding command sent to that RTU.
To do this, the DPBI network intrusion detector must also be able to provide the functionality described above (operational correlation).
In the case of the DPBI NIDS solution for SCADA, SCAB (Security Awareness Control Box for SCADA), this correlation is implemented by deploying additional logic (a script-type program) that performs the correlation.
An example of a function from this script is as follows:
    -- Called with the connection, the new data and a direction flag (is_upstream).
    function new_connection_data(conn, data, is_upstream)
        -- Look up the flow record kept for this connection (nil if it is not tracked).
        local record = find_flow(conn)
        if record ~= nil then
            -- Refresh the per-flow byte, packet and payload counters in both directions.
            record.up_bytes = conn:upstream_num_bytes()
            record.down_bytes = conn:downstream_num_bytes()
            record.up_pkts = conn:upstream_num_pkts()
            record.down_pkts = conn:downstream_num_pkts()
            record.payload_up_bytes = conn:upstream_num_payload_bytes()
            record.payload_down_bytes = conn:downstream_num_payload_bytes()
        end
    end
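To make the operational correlation concrete, here is a standalone Python illustration (an added example, not a SCAB script or code from the original note) of the check described above: it keeps the last switching command sent to each breaker and raises an alert when an opposite command follows more quickly than a configured limit. The RTU name, the threshold and the captured commands are constructed.

```python
from dataclasses import dataclass

# Assumed threshold (not from the original note): two opposite switching
# commands to the same breaker closer together than this are reported.
MIN_GAP_SECONDS = 2.0

@dataclass(frozen=True)
class SwitchCommand:
    ts: float    # capture time in seconds; commands are assumed to arrive in time order
    rtu: str     # address of the remote unit receiving the command (constructed)
    ioa: int     # IEC 104 information object address of the breaker
    scs: int     # IEC 104 single command state: 1 = close, 0 = open

class SwitchingCorrelator:
    """Keeps the last switching command per breaker and times each reversal.

    Both commands come from a SCADA server that is in the blueprint, so the
    protocol model alone accepts them; only their timing reveals the problem.
    """

    def __init__(self, min_gap=MIN_GAP_SECONDS):
        self.min_gap = min_gap
        self.last = {}   # (rtu, ioa) -> previous SwitchCommand

    def observe(self, cmd):
        key = (cmd.rtu, cmd.ioa)
        prev = self.last.get(key)
        self.last[key] = cmd
        if prev is None or prev.scs == cmd.scs:
            return None            # first command, or a repeat of the same state
        gap = cmd.ts - prev.ts
        if gap < self.min_gap:
            return (f"{cmd.rtu} ioa={cmd.ioa}: reversed {prev.scs}->{cmd.scs} "
                    f"after {gap:.2f}s (limit {self.min_gap}s)")
        return None

def correlate(commands):
    """Run every command through one correlator and return the alerts raised."""
    corr = SwitchingCorrelator()
    return [a for a in (corr.observe(c) for c in commands) if a]

# Constructed capture: routine operation followed by a burst of reversals.
SAMPLE_COMMANDS = [
    SwitchCommand(0.0, "rtu-substation-a", 1001, 1),
    SwitchCommand(120.0, "rtu-substation-a", 1001, 0),
    SwitchCommand(300.0, "rtu-substation-a", 1001, 1),
    SwitchCommand(300.5, "rtu-substation-a", 1001, 0),
    SwitchCommand(300.9, "rtu-substation-a", 1001, 1),
    SwitchCommand(301.0, "rtu-substation-a", 1001, 1),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_COMMANDS):
        print(alert)
```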
Future trends: S-IDS
The combination of detection technology based on behavioral anomalies in control protocols with operational correlation allows us to detect cyber-physical attacks on critical infrastructure processes, but the implementation of the operational and temporal correlations is still somewhat handcrafted.
To solve this problem, new detection technologies are being investigated that include this information in the behavioral pattern automatically.
One of these technologies is called Sequence-aware Intrusion Detection System (S-IDS) and introduces a number of novel approaches to generating the behavior pattern, such as checking the order in which messages are sent from the servers to the control elements and received back, the time between state transitions and message transmissions, and the standard deviation of that time.
The block architecture of a system of this type would be:
In the learning phase, information from the model's input sources (control network protocol messages, log file entries and the values of process commands) would be collected and fed to the sequencer, which maintains the timing trace, before being passed to the process model generator.
As in the case of the DPBI-based NIDS, once the learning phase is finished the system would enter detection mode. First experimental results for SCADA systems in the water sector have been achieved, and work is in progress to decrease the false positive rate (FPR) and reduce noise in the detection phase.
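The following Python sketch is an added example (not code from the original note or from any S-IDS implementation) of the sequence-aware idea described above: a sequencer learns, per flow, which message type follows which and the mean and standard deviation of the time between them, then flags both unlearned transitions and transitions whose timing falls outside the learned band. The flow label, the traces and the tolerance floor are constructed; the message names are IEC 104 type identifiers.

```python
import statistics
from collections import defaultdict

MIN_TOLERANCE = 0.05   # assumed floor so a constant learned gap does not alert on jitter
FLOW = "srv->rtu"      # constructed label for the single server-to-RTU flow in the traces

class SequenceModel:
    def __init__(self, k=3.0):
        self.k = k                      # alert when |gap - mean| exceeds k * stdev
        self.gaps = defaultdict(list)   # (prev_msg, msg) -> gaps observed in learning
        self.stats = {}                 # (prev_msg, msg) -> (mean, population stdev)
        self.last = {}                  # flow -> (msg, ts) of the previous message
    def _step(self, flow, msg, ts):     # the sequencer: swap in the newest message
        prev, self.last[flow] = self.last.get(flow), (msg, ts)
        return prev
    def learn(self, flow, msg, ts):
        prev = self._step(flow, msg, ts)
        if prev is not None:
            self.gaps[(prev[0], msg)].append(ts - prev[1])
    def finish_learning(self):
        for trans, gaps in self.gaps.items():
            self.stats[trans] = (statistics.fmean(gaps), statistics.pstdev(gaps))
        self.last.clear()               # detection starts with a clean sequencer
    def check(self, flow, msg, ts):
        prev = self._step(flow, msg, ts)
        if prev is None:
            return None
        trans, gap = (prev[0], msg), ts - prev[1]
        if trans not in self.stats:
            return f"{flow}: unexpected transition {prev[0]} -> {msg}"
        mean, stdev = self.stats[trans]
        if abs(gap - mean) > max(self.k * stdev, MIN_TOLERANCE):
            return f"{flow}: {prev[0]} -> {msg} after {gap:.2f}s, learned {mean:.2f}s +/- {stdev:.2f}s"
        return None

def train(trace):
    model = SequenceModel()
    for flow, msg, ts in trace:
        model.learn(flow, msg, ts)
    model.finish_learning()
    return model

# Constructed traces: four 10 s interrogation cycles (C_IC_NA_1 request, M_SP_NA_1
# reply about 0.2 s later) for learning; a late cycle plus an unlearned command for detection.
LEARNING_TRACE = [(FLOW, m, t) for m, t in [("C_IC_NA_1", 0.0), ("M_SP_NA_1", 0.2),
                  ("C_IC_NA_1", 10.2), ("M_SP_NA_1", 10.38), ("C_IC_NA_1", 20.38),
                  ("M_SP_NA_1", 20.6), ("C_IC_NA_1", 30.5), ("M_SP_NA_1", 30.7)]]
DETECTION_TRACE = [(FLOW, m, t) for m, t in [("C_IC_NA_1", 100.0), ("M_SP_NA_1", 100.2),
                   ("C_IC_NA_1", 112.0), ("M_SP_NA_1", 112.2), ("C_SC_NA_1", 112.3)]]
```

Running the detection trace through `train(LEARNING_TRACE).check(...)` yields two alerts: the interrogation that arrives 11.80 s after the previous reply instead of about 9.97 s, and the unlearned M_SP_NA_1 -> C_SC_NA_1 transition.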
This is just one of today's research paths in intrusion detection for industrial control systems, and it is still under development and validation.