N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols

Hadžiosmanović, Dina; Simionato, Lorenzo; Bolzoni, Damiano; Zambon, Emmanuele; Etalle, Sandro

doi:10.1007/978-3-642-33338-5_18

Cited by 72 publications

(60 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…They demonstrated the effectiveness of the detection mechanisms on text protocols, but they did not test them against binary protocols. Industrial control systems mainly use binary protocols and studies such as [7] highlight the problems of using n-gram analysis in industrial control environments.…”

Section: Related Workmentioning

confidence: 99%

Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Caselli

Zambon

Petit

et al. 2015

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing "sequence-aware" intrusion detection systems.Keywords: Industrial control systems, sequence attacks, intrusion detection IntroductionCritical infrastructure assets such as power plants, electric grids and water treatment facilities have used control systems for many decades; however, until the turn of the century, they were primarily standalone systems. The Internet and network convergence have brought about many changes to critical infrastructure assets, the most important being their transformation from standalone systems to highly interconnected systems. This transformation has introduced advantages and disadvantages. On one hand, it facilitates the remote monitoring and management of industrial processes. On the other hand, traditional information technology attacks can be launched from afar, includ-50 CRITICAL INFRASTRUCTURE PROTECTION IX ing over the Internet, to compromise industrial control systems and the critical infrastructure assets they manage. This is the case of denial-of-service and distributed denial-of-service attacks. These attacks can target a specific device in an industrial control network and flood it with a massive number of packets until it is no longer able to operate normally. This can reduce or eliminate operator situational awareness and eventually impact the coordination and control of infrastructure assets, potentially affecting the larger infrastructure and connected infrastructures, leading to serious consequences to industry, government and society.Another example involves semantic attacks. Unlike standard cyber attacks, semantic attacks exploit knowledge of specific control systems and physical processes to maximize damage. Stuxnet [4,16] is probably the most wellknown attack of this type. Meanwhile, numerous reports from the U.S. ICS-CERT have described exploits on industrial devices, such as programmable logic controllers and SCADA servers, that are triggered by carefully-crafted messages (see, e.g., [9]). Sequence attacks are a type of semantic attack. Instead of using modified message headers or pa...

show abstract

Section: Related Workmentioning

confidence: 99%

Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Caselli

Zambon

Petit

et al. 2015

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

show abstract

“…The deep integration of software security into the development process and the engineering lessons from software practitioners have no substitute. Hadžiosmanović et al (2012) discovered that vulnerabilities in Industrial Control Systems (ICSs), which include nuclear power plants and oil and gas extraction and distribution facilities, have increased mainly because of poor software development cycles used by several vendors and the "security by obscurity" paradigm used to "protect" legacy devices. Dobariya and Gajjar (2012) noted that one of the challenges in VoIP is that poor software development can lead to various security problems.…”

Section: Software Security and Cbsdmentioning

confidence: 99%

Dependability Attributes for Increased Security in Component-Based Software Development

Kahtan

Bakar²,

Nordin³

2014

Journal of Computer Science

View full text Add to dashboard Cite

Existing software applications become increasingly distributed as their continuity and lifetimes are lengthened; consequently, the users' dependence on these applications is increased. The security of these applications has become a primary concern in their design, construction and evolution. Thus, these applications give rise to major concerns on the capability of the current development approach to develop secure systems. Component-Based Software Development (CBSD) is a software engineering approach. CBSD has been successfully applied in many domains. However, the CBSD capability to develop secure software applications is lacking to date. This study is an extension of the previous study on the challenges of the security features in CBSD models. Therefore, this study proposes a solution to the lack of security in CBSD models by highlighting the attributes that must be embedded into the CBSD process. A thorough analysis of existing studies is conducted to investigate the related software security attributes. The outcome analysis is beneficial for industries, such as software development companies, as well as for academic institutions. The analysis also serves as a baseline reference for companies that develop component-based software.

show abstract

“…An n-gram is a sequence of n consecutive bytes obtained from a longer string. The use of n-grams has been widely explored in the intrusion detection area, although it presents some limitations too [20].…”

Section: Anomaly-based Nidsmentioning

confidence: 99%

Randomized Anagram revisited

Pastrana

Orfila

Tapiador

et al. 2014

Journal of Network and Computer Applications

View full text Add to dashboard Cite

When compared to signature-based Intrusion Detection Systems (IDS), anomaly detectors present the potential advantage of detecting previously unseen attacks, which makes them an attractive solution against zero-day exploits and other attacks for which a signature is unavailable. Most anomaly detectors rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Such algorithms, however, are generally susceptible to evasion by means of carefully constructed attacks that are not recognized as anomalous. Different strategies to thwart evasion have been proposed over the last years, including the use of randomization to make somewhat uncertain how each packet will be processed. In this paper we analyze the strength of the randomization strategy suggested for Anagram, a well-known anomaly detector based on n-gram models. We show that an adversary who can interact with the system for a short period of time with inputs of his choosing will be able to recover the secret mask used to process packets. We describe and discuss an efficient algorithm to do this and report our experiences with a prototype implementation. Furthermore, we show that the specific form of randomization suggested for Anagram is a double-edged sword, as knowledge of the mask makes evasion easier than in the non-randomized case. We finally discuss a simple countermeasure to prevent our attacks.

show abstract

N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols

Cited by 72 publications

References 17 publications

Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Dependability Attributes for Increased Security in Component-Based Software Development

Randomized Anagram revisited

Contact Info

Product

Resources

About