
Publication


Featured research published by Antoine Lemay.


Foundations and Practice of Security | 2013

ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

Alireza Sadighian; José M. Fernandez; Antoine Lemay; Saman Taghavi Zargar

Several alert correlation approaches have been proposed to date to reduce the number of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS). Inspired by the mental process of contextualisation used by security analysts to weed out less relevant alerts, some of these approaches have tried to incorporate contextual information such as the type of systems, applications, users, and networks into the correlation process. However, these approaches are not flexible, as they only perform correlation based on narrowly defined contexts. […] information resources available to the security analysts while preserving the maximum flexibility and the power of abstraction in both the definition and the usage of such concepts, we propose ONTIDS, a context-aware and ontology-based alert correlation framework that uses ontologies to represent and store the alert information, alert context, vulnerability information, and attack scenarios. ONTIDS employs simple ontology logic rules written in the Semantic Query-Enhanced Web Rule Language (SQWRL) to correlate and filter out non-relevant alerts. We illustrate the potential usefulness and flexibility of ONTIDS by employing its reference implementation on two separate case studies, inspired by the DARPA 2000 and UNB ISCX IDS evaluation datasets.


Conference on Risks and Security of Internet and Systems | 2013

Semantic-based context-aware alert fusion for distributed Intrusion Detection Systems

Alireza Sadighian; Saman Taghavi Zargar; José M. Fernandez; Antoine Lemay

One of the fundamental challenges in real-world Intrusion Detection Systems (IDS) is the large number of redundant, non-relevant false positive alerts that they generate. In this paper, we propose an alert fusion approach that incorporates contextual information with the goal of leveraging the benefits of multi-sensor detection while reducing false positives. In order to allow for automated reasoning on the information resources available for the fusion process, we design a set of comprehensive and extensible ontologies, and implement fusion and detection algorithms as simple rules in Web Ontology Language Description Logic (OWL-DL), using the Semantic Query-Enhanced Web Rule Language (SQWRL). To illustrate and evaluate our approach, we use one of the attack scenarios of the DARPA 2000 dataset. The results obtained show that our approach can reduce false positives while achieving the same detection rates as Snort and ISS RealSecure.


IEEE Systems Conference | 2016

A Modbus command and control channel

Antoine Lemay; José M. Fernandez; Scott Knight

Since the discovery of Stuxnet, it is no secret that skilled adversaries target industrial control systems. To defend against this threat, defenders increasingly rely on intrusion detection and segmentation. As the security posture improves, it is likely that the attackers will move to stealthier approaches, such as covert channels. This paper presents a command and control (C&C) covert channel over the Modbus/TCP protocol that represents the next logical step for the attackers and evaluates its suitability. The channel stores information in the least significant bits of holding registers to carry information using Modbus read and write methods. This offers an explicit tradeoff between the bandwidth and stealth of the channel that can be set by the attacker.


Computers & Security | 2018

Survey of publicly available reports on advanced persistent threat actors

Antoine Lemay; Joan Calvet; François Menet; José M. Fernandez

The increase of cyber attacks for the purpose of espionage is a growing threat. Recent examples, such as the hacking of the Democratic National Committee and the indictment by the FBI of Chinese military personnel for cyber economic espionage, are testaments to the severity of the problem. Unfortunately, research on the topic of Advanced Persistent Threats (APT) is complicated by the fact that information is fragmented across a large number of Internet resources. This paper aims at providing a comprehensive survey of open source publications related to APT actors and their activities, focusing on the APT activities rather than on research into defensive or detective measures. It is intended to serve as a quick reference on the state of knowledge of APT actors, where interested researchers can find which primary sources are most relevant to their research. The paper covers publications related to around 40 APT groups from multiple regions across the globe. A short summary of the main findings of each publication is presented.


Conference on Privacy, Security and Trust | 2016

Follow the traffic: Stopping click fraud by disrupting the value chain

Matthieu Faou; Antoine Lemay; David Décary-Hétu; Joan Calvet; Francois Labreche; Militza Jean; Benoît Dupont; José M. Fernandez

Advertising fraud, particularly click fraud, is a growing concern for the online advertising industry. The use of click bots, malware that automatically clicks on ads to generate fraudulent traffic, has steadily increased over the last years. While the security industry has focused on detecting and removing malicious binaries associated with click bots, a better understanding of how fraudsters operate within the ad ecosystem is needed to be able to disrupt it efficiently. This paper provides a detailed dissection of the advertising fraud scheme employed by Boaxxe, a malware specializing in click fraud. By monitoring its activities during a 7-month longitudinal study, we were able to create a map of the actors involved in the ecosystem enabling this fraudulent activity. We then applied a Social Network Analysis (SNA) technique to identify the key actors of this ecosystem that could be effectively influenced in order to maximize disruption of click-fraud monetization. The results show that it would be possible to efficiently disrupt the ability of click-fraud traffic to enter the legitimate market by pressuring a limited number of these actors. We assert that this approach would produce better long-term effects than the use of takedowns, as it renders the ecosystem unusable for monetization.


Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES), 2014 Workshop on | 2014

Modelling physical impact of cyber attacks

Antoine Lemay; José M. Fernandez; Scott Knight

To increase reliability and remote operation capability, automated control based on SCADA systems was introduced in the electrical grid. This exposed the grid to cyber attacks which, due to the cyber-physical nature of the combined system, can cause physical damage such as power outages. This dual nature makes it hard for grid operators to evaluate the physical impacts of cyber attacks. To do so, we introduce a modification of the ICS sandbox architecture to perform impact assessment of cyber attacks. This is done by interfacing the emulated SCADA network with the PyPower electrical simulator, which provides global information about the state of the electrical grid. Finally, to demonstrate the effectiveness of the system, a cyber attack based on an optimal disruption experiment is run and its effects in terms of operation cost are graphed in real time.


International Conference on Cyber Conflict | 2017

A timing-based covert channel for SCADA networks

Antoine Lemay; Scott Knight

Industrial Control Systems (ICS) networks are an increasingly attractive target for attackers. The case of the 2015 Ukraine cyber attack, where hackers abused the ICS to create a blackout, is a good illustration of this interest. However, to achieve physical effects, it is necessary for attackers to embed themselves deep within the target network. So, attackers must protect this investment by using covert techniques to avoid detection by defenders. This paper explores the problem of highly covert, long-lived command and control channels to gain insight into probable evolution paths for attackers in response to increasing defensive capabilities. In particular, it presents a timing-based covert channel for Modbus using interference. An implementation of the channel using a network man-in-the-middle to modulate timing is built as a proof-of-concept of the approach. A performance analysis of the implementation shows that it performs as a low-bandwidth but highly covert command and control channel. Furthermore, an analysis of packet captures from a real production network shows that the approach would be likely to work in a production environment.


International Conference on Critical Infrastructure Protection | 2016

Lightweight Journaling for SCADA Systems via Event Correlation

Antoine Lemay; Alireza Sadighian; José M. Fernandez

Industrial control systems are not immune to cyber incidents. However, the support for incident responders and forensic investigators is low. In particular, there are limited journaling capabilities for operator actions. Barring the preservation of full packet captures and operator workstation security logs, which can generate unmanageable amounts of data on production networks, it is generally not possible to attribute control events (e.g., opening a valve or operating a breaker) to individual operators. This information can be necessary to perform security investigations, especially in cases involving malicious insider activities. This chapter presents a lightweight journaling system for SCADA networks based on event correlation. By correlating network events and operating system logs, a journal is generated of all Modbus protocol write events along with the usernames of the operators who performed the actions. The journal is much more compact than a full packet capture, achieving compression ratios of around 570 to 1 in conservative conditions and more than 2,000 to 1 in typical operating conditions, allowing for the preservation of valuable information for security investigations.


ICS-CSR 2013 Proceedings of the 1st International Symposium on ICS & SCADA Cyber Security Research 2013 | 2013

An isolated virtual cluster for SCADA network security research

Antoine Lemay; José M. Fernandez; Scott Knight


USENIX Security Symposium | 2016

Providing SCADA Network Data Sets for Intrusion Detection Research

Antoine Lemay; José M. Fernandez

Collaboration



Top Co-Authors

José M. Fernandez, École Polytechnique de Montréal
Scott Knight, Royal Military College of Canada
Alireza Sadighian, École Polytechnique de Montréal
Joan Calvet, École Polytechnique de Montréal
Benoît Dupont, Université de Montréal
Francois Labreche, École Polytechnique de Montréal
François Menet, École Polytechnique de Montréal
Jonathan Rochon, École Polytechnique de Montréal