Kenneth Radke

Ceremony Analysis: Strengths and Weaknesses

We investigate known security flaws in the context of security ceremonies to gain an understanding of the ceremony analysis process. The term security ceremonies is used to describe a system of protocols and humans which interact for a specific purpose. Security ceremonies and ceremony analysis is an area of research in its infancy, and we explore the basic principles involved to better understand the issues involved. We analyse three ceremonies, HTTPS, EMV and Opera Mini, and use the information gained from the experience to establish a list of typical flaws in ceremonies. Finally, we use that list to analyse a protocol proven secure for human use. This leads to a realisation of the strengths and weaknesses of ceremony analysis.

A Survey and Analysis of the GNSS Spoofing Threat and Countermeasures

Detection and prevention of global navigation satellite system (GNSS) “spoofing” attacks, or the broadcast of false global navigation satellite system services, has recently attracted much research interest. This survey aims to fill three gaps in the literature: first, to assess in detail the exact nature of threat scenarios posed by spoofing against the most commonly cited targets; second, to investigate the many practical impediments, often underplayed, to carrying out GNSS spoofing attacks in the field; and third, to survey and assess the effectiveness of a wide range of proposed defences against GNSS spoofing. Our conclusion lists promising areas of future research.

Interaction, privacy and profiling considerations in local mobile social software: a prototype agile ride share system

Agile ridesharing aims to utilise the capability of social networks and mobile phones to facilitate people to share vehicles and travel in real time. However the application of social networking technologies in local communities to address issues of personal transport faces significant design challenges. In this paper we describe an iterative design-based approach to exploring this problem and discuss findings from the use of an early prototype. The findings focus upon interaction, privacy and profiling. Our early results suggest that explicitly entering information such as ride data and personal profile data into formal fields for explicit computation of matches, as is done in many systems, may not be the best strategy. It might be preferable to support informal communication and negotiation with text search techniques.

DNP3 network scanning and reconnaissance for critical infrastructure

The Distributed Network Protocol v3.0 (DNP3) is one of the most widely used protocols to control national infrastructure. The move from point-to-point serial connections to Ethernet-based network architectures, allowing for large and complex critical infrastructure networks. However, networks and configurations change, thus auditing tools are needed to aid in critical infrastructure network discovery. In this paper we present a series of intrusive techniques used for reconnaissance on DNP3 critical infrastructure. Our algorithms will discover DNP3 outstation slaves along with their DNP3 addresses, their corresponding master, and class object configurations. To validate our presented DNP3 reconnaissance algorithms and demonstrate its practicality, we present an implementation of a software tool using a DNP3 plug-in for Scapy. Our implementation validates the utility of our DNP3 reconnaissance technique. Our presented techniques will be useful for penetration testing, vulnerability assessments and DNP3 network discovery.

Process Control Cyber-Attacks and Labelled Datasets on S7Comm Critical Infrastructure

Cyber-security of their critical infrastructure is the current grand challenge facing nation-states. Development and research of cyber-security solutions for operational technology environments of critical infrastructure is being inhibited by the lack of publically available datasets. This paper provides a collection of labelled datasets containing attacks on the widely used STEP 7 (S7) protocol. To achieve this goal, we designed and executed a series of process-control attacks, using our physical critical infrastructure test-bed. The created labelled datasets, and the associated process logs, will directly aid in the development and assessment of intrusion detection systems (IDSs). We validate our dataset using Snort, configured with openly available S7 rule-sets.

Framework for SCADA cyber-attack dataset creation

Cyber-security research and development for SCADA is being inhibited by the lack of available SCADA attack datasets. This paper presents a modular dataset generation framework for SCADA cyber-attacks, to aid the development of attack datasets. The presented framework is based on requirements derived from related prior research, and is applicable to any standardised or proprietary SCADA protocol. We instantiate our framework and validate the requirements using a Python implementation. This paper provides experiments of the frameworks usage on a state-of-the-art DNP3 critical infrastructure test-bed, thus proving frameworks ability to generate SCADA cyber-attack datasets.

CHURNs: Freshness Assurance for Humans

We present CHURNs, a method for providing freshness and authentication assurances to human users. In computer-to-computer protocols, it has long been accepted that assurances of freshness such as random nonces are required to prevent replay attacks. Typically, no such assurance of freshness is presented to a human in a human-and-computer protocol. A Computer–HUman Recognisable Nonce (CHURN) is a computer-aided random sequence that the human has a measure of control over and input into. Our approach overcomes limitations such as ‘humans cannot do random’ and that humans will follow the easiest path. Our findings show that CHURNs are significantly more random than values produced by unaided humans; that humans may be used as a second source of randomness, and we give measurements as to how much randomness can be gained from humans using our approach; and that our CHURN-generator makes the user feel more in control, thus removing the need for complete trust in devices and underlying protocols. We give an example of how a CHURN may be used to provide assurances of freshness and authentication for humans in a widely used protocol.

Applying domain-specific knowledge to construct features for detecting distributed denial-of-service attacks on the GOOSE and MMS protocols

Abstract Electric substation automation systems based on the IEC 61850 standard predominantly employ the GOOSE and MMS protocols. Because GOOSE and MMS messages are not encrypted, an attacker can observe packet header information in protocol messages and inject large numbers of spoofed messages that can flood a substation automation system. Sophisticated machine-learning-based intrusion detection systems are required to detect these types of distributed denial-of-service attacks. However, the performance of machine-learning-based classifiers is hindered by the relative lack of features that express GOOSE and MMS protocol behavior. This paper evaluates a number of features described in the literature that may be used to detect distributed denial-of-service attacks on the GOOSE and MMS protocols. However, these features do not include advanced features that capture the periodic transmission behavior of SCADA protocols. Three SCADA-protocol-specific steps are specified for constructing new GOOSE and MMS advanced features by leveraging domain knowledge and adopting a time-window-based feature construction method. The resulting feature set, which comprises seventeen new GOOSE and MMS advanced features, outperforms the feature sets described in previous research when used with the popular decision tree, neural network and support vector machine classifiers. The evaluations also reveal that the decision tree classifier is superior to the neural network and support vector machine classifiers. A key contribution of this research is the application of SCADA-protocol-based domain knowledge to develop high-performance intrusion detection systems that require reduced training and testing times.

Process discovery for industrial control system cyber attack detection

Industrial Control Systems (ICSs) are moving from dedicated communications to Ethernet-based interconnected networks, placing them at risk of cyber attack. ICS networks are typically monitored by an Intrusion Detection System (IDS), however traditional IDSs do not detect attacks which disrupt the control flow of an ICS. ICSs are unique in the repetition and restricted number of tasks that are undertaken. Thus there is the opportunity to use Process Mining, a series of techniques focused on discovering, monitoring and improving business processes, to detect ICS control flow anomalies. In this paper we investigate the suitability of various process mining discovery algorithms for the task of detecting cyber attacks on ICSs by examining logs from control devices. Firstly, we identify the requirements of this unique environment, and then evaluate the appropriateness of several commonly used process discovery algorithms to satisfy these requirements. Secondly, the comparison was performed and validated using ICS logs derived from a case study, containing successful attacks on industrial control systems. Our research shows that the Inductive Miner process discovery method, without the use of noise filtering, is the most suitable for discovering a process model that is effective in detecting cyber-attacks on industrial control systems, both in time spent and accuracy.

Finding anomalies in SCADA logs using rare sequential pattern mining

Pattern mining is a branch of data mining used to discover hidden patterns or correlations among data. We use rare sequential pattern mining to find anomalies in critical infrastructure control networks such as supervisory control and data acquisition (SCADA) networks. As anomalous events occur rarely in a system and SCADA systems’ topology and actions do not change often, we argue that some anomalies can be detected using rare sequential pattern mining. This anomaly detection would be useful for intrusion detection or erroneous behaviour of a system. Although research into rare itemsets mining previously exists, neither research into rare sequential pattern mining nor its applicability to SCADA system anomaly detection has previously been completed. Moreover, since there is no consideration to events order, the applicability to intrusion detection in SCADA is minimal. By ensuring the events’ order is maintained, in this paper, we propose a novel Rare Sequential Pattern Mining (RSPM) technique which is a useful anomaly detection system for SCADA. We compared our algorithm with a rare itemset mining algorithm and found anomalous events in SCADA logs.