Publication


Featured research published by Carlos Garcia Cordero.


network operations and management symposium | 2016

Multi-stage attack detection and signature generation with ICS honeypots

Emmanouil Vasilomanolakis; Shreyas Srinivasa; Carlos Garcia Cordero; Max Mühlhäuser

New attack surfaces are emerging with the rise of Industrial Control System (ICS) devices exposed on the Internet. ICS devices must be protected in a holistic and efficient manner; especially when these are supporting critical infrastructure. Taking this issue into account, cyber-security research is recently being focused on providing early detection and warning mechanisms for ICSs. In this paper we present a novel honeypot capable of detecting multi-stage attacks targeting ICS networks. Upon detecting a multi-stage attack, our honeypot can generate signatures so that misuse Intrusion Detection Systems (IDSs) can subsequently thwart attacks of the same type. Our experimental results indicate that our honeypot and the signatures it generates provide good detection accuracy and that the Bro IDS can successfully use the signatures to prevent future attacks.


communications and networking symposium | 2015

ID2T: A DIY dataset creation toolkit for Intrusion Detection Systems

Carlos Garcia Cordero; Emmanouil Vasilomanolakis; Nikolay Milanov; Christian Koch; David Hausheer; Max Mühlhäuser

Intrusion Detection Systems (IDSs) are an important defense tool against the sophisticated and ever-growing network attacks. These systems need to be evaluated against high quality datasets for correctly assessing their usefulness and comparing their performance. We present an Intrusion Detection Dataset Toolkit (ID2T) for the creation of labeled datasets containing user defined synthetic attacks. The architecture of the toolkit is provided for examination and the example of an injected attack, in real network traffic, is visualized and analyzed. We further discuss the ability of the toolkit to create realistic synthetic attacks of high quality and low bias.


conference on privacy security and trust | 2016

Analyzing flow-based anomaly intrusion detection using Replicator Neural Networks

Carlos Garcia Cordero; Sascha Hauke; Max Mühlhäuser; Mathias Fischer

Defending key network infrastructure, such as Internet backbone links or the communication channels of critical infrastructure, is paramount, yet challenging. The inherently complex nature and quantity of network data impedes detecting attacks in real world settings. In this paper, we utilize features of network flows, characterized by their entropy, together with an extended version of the original Replicator Neural Network (RNN) and deep learning techniques to learn models of normality. This combination allows us to apply anomaly-based intrusion detection on arbitrarily large amounts of data and, consequently, large networks. Our approach is unsupervised and requires no labeled data. It also accurately detects network-wide anomalies without presuming that the training data is completely free of attacks. The evaluation of our intrusion detection method, on top of real network data, indicates that it can accurately detect resource exhaustion attacks and network profiling techniques of varying intensities. The developed method is efficient because a normality model can be learned by training an RNN within a few seconds only.


international conference on security and privacy in communication systems | 2015

Community-based Collaborative Intrusion Detection

Carlos Garcia Cordero; Emmanouil Vasilomanolakis; Max Mühlhäuser; Mathias Fischer

The IT infrastructure of today needs to be ready to defend against massive cyber-attacks which often originate from distributed attackers such as Botnets. Most Intrusion Detection Systems (IDSs), nonetheless, are still working in isolation and cannot effectively detect distributed attacks. Collaborative IDSs (CIDSs) have been proposed as a collaborative defense against the ever more sophisticated distributed attacks. However, collaboration by exchanging suspicious alarms among all interconnected sensors in CIDSs does not scale with the size of the IT infrastructure; hence, detection performance and communication overhead, required for collaboration, must be traded off. We propose to partition the set of considered sensors into subsets, or communities, as a lever for this trade off. The novelty of our approach is the application of ensemble based learning, a machine learning paradigm suitable for distributed intrusion detection. In our approach, community members exchange data features used to train models of normality, not bare alarms, thereby further reducing the communication overhead of our approach. Our experiments show that we can achieve detection rates close to those based on global information exchange with smaller subsets of collaborating sensors.


communications and networking symposium | 2015

Probe-response attacks on collaborative intrusion detection systems: Effectiveness and countermeasures

Emmanouil Vasilomanolakis; Michael Stahn; Carlos Garcia Cordero; Max Mühlhäuser

Over the last years the number of cyber-attacks has been constantly increasing. Since isolated Intrusion Detection Systems (IDSs) cannot cope with the number and sophistication of attacks, collaboration among the defenders is required. Collaborative IDSs (CIDSs) work by exchanging alert traffic to construct a holistic view of the monitored network. However, an adversary can utilize probe-response attacks to successfully detect CIDSs monitoring sensors. We discuss the practicability of such attacks, suggest improvements, and also propose novel techniques to reduce the effects of such attacks. Moreover, we present preliminary results in the applicability of the attacks and hints on performing such attacks in a well known CIDS.


the internet of things | 2014

Security Perspectives for Collaborative Data Acquisition in the Internet of Things

Vangelis Gazis; Carlos Garcia Cordero; Emmanouil Vasilomanolakis; Panayotis Kikiras; Alexander Wiesmaier

The Internet of Things (IoT) is an increasingly important topic, bringing together many different fields of computer science. Nevertheless, besides the advantages the IoT has to offer, many challenges exist, not least in terms of security and privacy. In addition, the large number of heterogeneous devices in the IoT produces a vast amount of data, and therefore efficient mechanisms are required that are capable of handling the data, analyzing them and producing meaningful results. In this paper, we discuss the challenges that have to be addressed when data analytics are applied in the context of the IoT. For this, we propose a data acquisition architecture, named CoDA, that focuses on bringing together heterogeneous things to create distributed global data models. For each layer of the proposed architecture we discuss the upcoming challenges from the security perspective.


network operations and management symposium | 2016

Towards the creation of synthetic, yet realistic, intrusion detection datasets

Emmanouil Vasilomanolakis; Carlos Garcia Cordero; Nikolay Milanov; Max Mühlhäuser

Intrusion Detection Systems (IDSs) are an important defense tool against the sophisticated and ever-growing network attacks. With this in mind, the research community has been immersed in the field of IDSs over the past years more than before. Still, assessing and comparing performance between different systems and algorithms remains one of the biggest challenges in this research area. IDSs need to be evaluated and compared against high quality datasets; nevertheless, the existing ones have become outdated or lack many essential requirements. We present the Intrusion Detection Dataset Toolkit (ID2T), an approach for creating out-of-the-box labeled datasets that contain user defined attacks. In this paper, we discuss the essential requirements needed to create synthetic, yet realistic, datasets with user defined attacks. We also present typical problems found in synthetic datasets and propose a software architecture for building tools that can cope with the most typical problems. A publicly available prototype is implemented and evaluated. The evaluation comprises a performance analysis and a quality assessment of the generated datasets. We show that our tool can handle large amounts of network traffic and that it can generate synthetic datasets without the problems or shortcomings we identified in other datasets.


distributed simulation and real time applications | 2017

HOLEG: a simulator for evaluating resilient energy networks based on the holon analogy

Rolf Egert; Carlos Garcia Cordero; Andrea Tundis; Max Mühlhäuser

The process of designing and evaluating distributed Cyber-Physical Systems (CPSs) is not a trivial task. There are many challenges to tackle such as managing distributed resources, enabling communication between components, and choosing performance metrics to evaluate the “goodness” of the system. Smart Grids (SGs) are prominent representatives of CPSs, a particular type of Critical Infrastructure (CI), whose organizational model is becoming more distributed and dynamic. Due to this paradigm shift, new control and management mechanisms need to be identified and tested to guarantee uninterrupted operation. However, novel approaches cannot always be tested against real networks as the economic cost and risk can be high. In contrast, modeling and simulation techniques are viable evaluation mechanisms that support the continuous evolution of CIs. In this paper, we present an Open Source time-discrete simulation software, called HOLEG, that models and evaluates SGs. The software is based on the Holon analogy, a bio-inspired approach that enables systems resilience through flexible reconfiguration mechanisms. The presented software provides features that enable the integration and execution of optimization algorithms along with their evaluation. To demonstrate HOLEG, a case study is presented where a heuristic algorithm is implemented to minimize wasted energy while preventing network destabilization.


international performance computing and communications conference | 2015

SkipMon: A locality-aware Collaborative Intrusion Detection System

Emmanouil Vasilomanolakis; Matthias Krugl; Carlos Garcia Cordero; Max Mühlhäuser; Mathias Fischer


World Academy of Science, Engineering and Technology, International Journal of Computer, Electrical, Automation, Control and Information Engineering | 2017

Increasing the Resilience of Cyber Physical Systems in Smart Grid Environments using Dynamic Cells

Andrea Tundis; Carlos Garcia Cordero; Rolf Egert; Alfredo Garro; Max Mühlhäuser

Collaboration


Top Co-Authors

Max Mühlhäuser

Technische Universität Darmstadt

Emmanouil Vasilomanolakis

Technische Universität Darmstadt

Mathias Fischer

International Computer Science Institute

Michael Stahn

Technische Universität Darmstadt

Nikolay Milanov

Technische Universität Darmstadt

Rolf Egert

Technische Universität Darmstadt

Christian Koch

Technische Universität Darmstadt

David Hausheer

Technische Universität Darmstadt

Denise Demirel

Technische Universität Darmstadt
