Julian Rrushi
Western Washington University
Publication
Featured research published by Julian Rrushi.
IEEE Symposium on Security and Privacy | 2014
Saman A. Zonouz; Julian Rrushi; Stephen E. McLaughlin
The authors discuss their research on programmable logic controller (PLC) code analytics, which leverages safety engineering to detect and characterize PLC infections that target physical destruction of power plants. Their approach also draws on control theory, namely the field of engineering and mathematics that deals with the behavior of dynamical systems, to reverse-engineer safety-critical code to identify complex and highly dynamic safety properties for use in the hybrid code analytics approach.
Computers & Security | 2016
Julian Rrushi
This paper describes an OS-resident defensive deception approach, which can neutralize malware that has managed to infect a target machine. Such attacks account for most of the spying operations detected to date, and include malware, insider code, and Trojans that originate from compromises of the computer supply chain. The central idea that underpins this work is to display the existence of I/O devices in a computer system. While those I/O devices would not exist for real, their projection will make them appear as valid targets of interception and malicious modification, or as valid means of propagation to other target computers. We experiment with the implementation of a low-level network driver for the Windows operating system. The network driver emulates the operation of a network interface controller (NIC), and thus reports to higher-level drivers in the network stack as if the NIC were existent, fully functional, and with access to an existing computer network. We tested and evaluated NIC displays against a large sample of live malware, and thus discuss our findings in the paper.
Workshop on Cyber-Physical Systems | 2015
Eli Sohl; Curtis Fielding; Tyler Hanlon; Julian Rrushi; Hassan Farhangi; Clay Howey; Kelly Carmichael; Joey Dabell
The paper describes the findings of a field study that we conducted to practically determine the digital forensics processes, tools, and technical considerations that apply to investigations of computer intrusions into the electrical power grid. Our findings are based on technical interactions with industry and law enforcement, as well as on actual applied research in the lab. In the paper, we discuss the most widespread vulnerabilities of industrial control systems, and thus build on those preliminaries to describe the inner workings of control system forensics in the real world. Several advanced works on control systems forensics abstract from low-level fundamentals, assuming that those are easily doable. The main contribution made by this paper is the focus on those fundamentals, with the goal of laying the foundation for further developments of practical and hence usable digital forensics in the electrical power grid.
Archive | 2016
Neil C. Rowe; Julian Rrushi
This book is an introduction to both offensive and defensive techniques of cyberdeception. Unlike most books on cyberdeception, this book focuses on methods rather than detection. It treats cyberdeception techniques that are current, novel, and practical, and that go well beyond traditional honeypots. It contains features friendly for classroom use: (1) minimal use of programming details and mathematics, (2) modular chapters that can be covered in many orders, (3) exercises with each chapter, and (4) an extensive reference list. Cyberattacks have grown serious enough that understanding and using deception is essential to safe operation in cyberspace. The deception techniques covered are impersonation, delays, fakes, camouflage, false excuses, and social engineering. Special attention is devoted to cyberdeception in industrial control systems and within operating systems. This material is supported by a detailed discussion of how to plan deceptions and calculate their detectability and effectiveness. Some of the chapters provide further technical details of specific deception techniques and their application. Cyberdeception can be conducted ethically and efficiently when necessary by following a few basic principles. This book is intended for advanced undergraduate students and graduate students, as well as computer professionals learning on their own. It will be especially useful for anyone who helps run important and essential computer systems such as critical-infrastructure and military systems.
International Conference on Critical Infrastructure Protection | 2017
Megan Leierzapf; Julian Rrushi
The computations and input/output values of intelligent electronic devices that monitor and operate an electrical substation depend strongly on the state of the power system. This chapter presents an approach that correlates the physical parameters of an electrical substation with the network traffic that intelligent electronic devices send over a substation automation network. Normal network traffic in a substation automation network is modeled as a directed, weighted graph, yielding what is referred to as a model graph. Similar graph modeling is performed on unknown network traffic. The research problem of determining whether or not unknown network traffic is normal involves a subgraph isomorphism search algorithm. Normal network packets in unknown network traffic form a graph that is a subgraph of the model graph. In contrast, malware-generated network packets present in unknown network traffic produce a graph that is not a subgraph of the model graph. Time series analysis of network traffic is performed to estimate the weights of the edges in the graphs. This analysis enables the subgraph isomorphism search algorithm to find structural matches with portions of the model graph as well as matches with the timing characteristics of normal network traffic. The approach is validated using samples drawn from recent industrial control system malware campaigns.
Proceedings of the 3rd Annual Industrial Control System Security Workshop | 2017
Julian Rrushi
We present a binary static analysis approach to detect intelligent electronic device (IED) malware based on the time requirements of electrical substations. We explore graph theory techniques to model the timing performance of an IED executable. Timing performance is subsequently used as a metric for IED malware detection. More specifically, we perform a series of steps to reduce a part of the IED malware detection problem into a classical problem of graph theory, namely finding single-source shortest paths on a weighted directed acyclic graph (DAG). Shortest paths represent execution flows that take the longest time to compute. Their clock cycles are examined to determine if they violate the real-time nature of substation monitoring and control, in which case IED malware detection is attained. We did this work with particular reference to implementations of protection and control algorithms that use the IEC 61850 standard for substation data representation and network communication. We tested our approach against IED exploits and malware, network scanning code, and numerous malware samples involved in recent ICS malware campaigns.
Journal of Computer Virology and Hacking Techniques | 2017
Julian Rrushi
This paper describes several techniques that can exploit plaintext side-channels, namely the length of ciphertext along with human factors. Those side-channels are explored in this work to recover secret strings such as authentication cookies, and possibly passwords, from Hypertext Transfer Protocol (HTTP) traffic protected by Transport Layer Security (TLS). Other applications of those attacks allow for evading the SiteKey anti-phishing mechanism, recovering the answers to user-configured challenge questions, and tracking a user's operations on the web applications of a web site. Previous research has demonstrated the danger of using data compression in conjunction with encryption. There are highly publicized attacks that exploit compression side-channels to recover authentication cookies from TLS-protected HTTP traffic. Since then, data compression has been disabled at web servers, and recent versions of web browsers have it disabled by default. TLS version 1.3 has entirely removed support for data compression. With all those countermeasures in place, the techniques that are described in this paper can cause a comparable level of compromise. The overall work was done as an ethical security assessment to analyze and validate the danger of plaintext side-channels without any particular connection to data compression.
IFIP Annual Conference on Data and Applications Security and Privacy | 2017
Seth Simms; Margot Maxwell; Sara Johnson; Julian Rrushi
Commercial anti-malware systems currently rely on signatures or patterns learned from samples of known malware, and are unable to detect zero-day malware, rendering computers unprotected. In this paper we present a novel kernel-level technique for detecting keyloggers. Our approach operates through the use of a decoy keyboard. It uses a low-level driver to emulate and expose keystrokes modeled after actual users. We developed a statistical model of the typing profiles of real users, which regulates the times of delivery of emulated keystrokes. A kernel filter driver enables the decoy keyboard to shadow the physical keyboard, such that one single keyboard appears on the device tree at all times. That keyboard is the physical keyboard when the actual user types on it, and the decoy keyboard during time windows of user inactivity. Malware is detected in a second-order fashion when data leaked by the decoy keyboard are used to access resources on the compromised machine. We tested our approach against live malware samples that we obtained from public repositories, and report the findings in the paper. The decoy keyboard is able to detect 0-day malware, and can co-exist with a real keyboard on a computer in production without causing any disruptions to the user's work.
Archive | 2016
Neil C. Rowe; Julian Rrushi
“Industrial Mirage” is a defensive deception approach to disrupt and investigate cyberattacks on critical infrastructure and industrial control systems in particular. The main thrust is to create a decoy (“mirage”) system that cyberattacks can target harmlessly. The idea is to adapt the concept of decoy data (honeytokens) to an industrial-control context. The honeytokens represent dynamics, configuration, operation, and location of systems that attackers want to manipulate. The decoy data resides in phantom I/O devices like those in Chap. 14 and on computers that perform control-systems tasks.
Archive | 2016
Neil C. Rowe; Julian Rrushi
With so many possible ways to deceive, we can be more effective if we plan systematically. Several methods can be used to plan deceptions ranging from informal to formal. Planning can be either strategic, broad in scope (Heckman et al. 2015), or tactical, focused in scope. We will focus on the latter here.