Publication


Featured researches published by Paulo S. Motta Pires.


international conference on dependability of computer systems | 2006

Security Aspects of SCADA and Corporate Network Interconnection: An Overview

Paulo S. Motta Pires; Luiz Affonso H. Guedes de Oliveira

SCADA (supervisory control and data acquisition) systems play an important role in industrial processes. In the past, these used to be stand-alone models, with closed architecture, proprietary protocols and no external connectivity. Nowadays, SCADA systems rely on wide connectivity and open systems and are connected to corporate intranets and to the Internet to improve efficiency and productivity. Connecting SCADA networks to corporate networks has brought some new security-related challenges. This paper presents an overview of the security aspects of this interconnection.


european symposium on research in computer security | 2009

An effective TCP/IP fingerprinting technique based on strange attractors classification

João Paulo S. Medeiros; Agostinho M. Brito; Paulo S. Motta Pires

We propose a new technique to perform TCP/IP (Transmission Control Protocol/Internet Protocol) stack fingerprinting. Our technique relies on chaotic dynamics theory and artificial neural networks applied to TCP ISN (Initial Sequence Number) samples, making it possible to associate strange attractors with operating systems. We show that it is possible to recognize operating systems using only an open TCP port on the target machine. Also, we present results which show that our technique cannot be fooled by Honeyd or affected by PAT (Port Address Translation) environments.


emerging technologies and factory automation | 2009

A new method for recognizing operating systems of automation devices

João Paulo S. Medeiros; Agostinho M. Brito; Paulo S. Motta Pires

TCP/IP fingerprinting is the task of identifying a machine's operating system according to its TCP/IP protocol stack implementation. It can be used to help automation technology professionals perform security tests against a device before putting it into production. Current tools that perform TCP/IP fingerprinting can damage the operation of automation devices because of the specially crafted TCP/IP packets that are sent to the probed devices. Instead of these packets, this paper proposes a technique that uses a simple TCP SYN message to collect TCP ISN (initial sequence number) samples. Signal processing tools are used to classify the operating systems based on these samples. We conclude that it is possible to recognize operating systems using only one open TCP port on the target machine without compromising the device operation.


CISIS | 2009

A Data Mining Based Analysis of Nmap Operating System Fingerprint Database

João Paulo S. Medeiros; Agostinho M. Brito; Paulo S. Motta Pires

An Operating System (OS) fingerprint database is used by Nmap to identify OSes by performing TCP/IP (Transmission Control Protocol/Internet Protocol) stack identification. Each entry in the Nmap OS fingerprint database (nmap-os-db) represents an OS. Using data mining techniques, we propose three new forms of representation of nmap-os-db that can express how similar operating systems are to one another according to their TCP/IP stack implementation. This approach can improve the capability of identifying devices running unknown OSes. Other applications are also presented.


critical information infrastructures security | 2007

Application of Kohonen maps to improve security tests on automation devices

João Paulo S. Medeiros; Allison C. Cunha; Agostinho M. Brito; Paulo S. Motta Pires

We propose a new method to improve the effectiveness of security tests on industrial automation devices. Using a self-organizing neural network, we are able to build a Kohonen map that organizes operating systems according to similarities of their TCP/IP fingerprints. Our technique enables us to associate specific security tests to regions of the Kohonen map and to use this information to improve protection of automation devices.


critical information infrastructures security | 2009

Analysis of Malicious Traffic in Modbus/TCP Communications

Tiago H. Kobayashi; Aguinaldo B. Batista; João Paulo S. Medeiros; José Fernandes Filho; Agostinho M. Brito; Paulo S. Motta Pires

This paper presents the results of our analysis of the influence of Information Technology (IT) malicious traffic on an IP-based automation environment. We utilized a traffic generator, called MACE (Malicious trAffic Composition Environment), to inject malicious traffic in a Modbus/TCP communication system and a sniffer to capture and analyze network traffic. The tests performed show that malicious traffic represents a serious risk to critical information infrastructures. We show that this kind of traffic can increase the latency of Modbus/TCP communication and that, in some cases, it can put Modbus/TCP devices out of communication.


International Journal of System of Systems Engineering | 2009

Advances in network topology security visualisation

João Paulo S. Medeiros; Agostinho M. Brito; Paulo S. Motta Pires; Selan Rodrigues dos Santos

The pervasive aspect of the internet increases the demand for tools that support both monitoring and auditing of security aspects in computer networks. Ideally, these tools should provide a clear and objective presentation of security data in such a way as to let network administrators detect or even predict network security breaches. However, most of these data are still presented only in raw text form or through inadequate data presentation techniques. Our work addresses this problem by designing and developing a tool that aims at integrating several information visualisation techniques in an effective and expressive visualisation. We also present a novel method that detects OpenBSD PF SYN Proxy and Honeyd. The detection of Honeyd improves the visualisation content, assuring that the presented data is not fake, and the OpenBSD PF SYN Proxy detection shows which nodes are safe from TCP SYN flooding attacks and improves firewall detection. We have tested our tool in the context of network security, presenting two case studies that demonstrate important features such as scalability and detection of critical network security issues.


computational intelligence and security | 2011

A qualitative survey of active TCP/IP fingerprinting tools and techniques for operating systems identification

João Paulo S. Medeiros; Agostinho de Medeiros Brito Júnior; Paulo S. Motta Pires

TCP/IP fingerprinting is the process of identifying the Operating System (OS) of a remote machine through a TCP/IP based computer network. This process has applications closely related to network security, and both intrusion and defense procedures may use this process to achieve their objectives. There is a large set of methods that perform this process in favorable scenarios. Nowadays there are many adversities that reduce the identification performance. This work compares the characteristics of four active fingerprint tools (Nmap, Xprobe2, SinFP and Zion) and how they deal with test environments under adverse conditions. The results show that Zion outperforms the other tools for all test environments and it is suitable even for use in sensible systems.


critical information infrastructures security | 2009

Application filters for TCP/IP industrial automation protocols

Aguinaldo B. Batista; Tiago H. Kobayashi; João Paulo S. Medeiros; Agostinho M. Brito; Paulo S. Motta Pires

The use of firewalls is a common approach usually meant to secure Automation Technology (AT) from Information Technology (IT) networks. This work proposes a filtering system for TCP/IP-based automation networks in which only certain kinds of industrial traffic are permitted. All network traffic which does not conform with a proper industrial protocol pattern or with specific rules for its actions is supposed to be abnormal and must be blocked. As a case study, we developed a seventh layer firewall application with the ability to block spurious traffic, using an IP packet queueing engine and a regular expression library.


dependable autonomic and secure computing | 2015

Minimization and Placement of Sensors in Structurally Observable Networks

João Paulo S. Medeiros; Paulo S. Motta Pires; João Neto; Antonio Alfredo Ferreira Loureiro

This work concerns the inference of the network state by monitoring a subset of its nodes. These nodes, which serve as network sensors, can be used to build a distributed monitoring system based on a new network tomography model. First, we present the model in which we can represent the network structure as a linear discrete time invariant dynamical system. Using this model, we define the concept of network structural observability and present an efficient algorithm to minimize the cardinality of the subset of monitoring sensors. As a case study, we use topological data from the IPv6 Internet to present some properties of this minimum monitoring subset. To the best of our knowledge, this is the first work to (i) present general properties of sensor placement, (ii) use the proposed model to design distributed monitoring systems, and (iii) illustrate the feasibility of computer network observability. Moreover, we believe that the theory of network structural observability presented in this paper could significantly benefit the field of network tomography.

Collaboration


Top Co-Authors

João Paulo S. Medeiros

Federal University of Rio Grande do Norte

Agostinho M. Brito

Federal University of Rio Grande do Norte

João Neto

Federal University of Rio Grande do Norte

Agostinho de Medeiros Brito Júnior

Federal University of Rio Grande do Norte

Aguinaldo B. Batista

Federal University of Rio Grande do Norte

Tiago H. Kobayashi

Federal University of Rio Grande do Norte

Allison C. Cunha

Federal University of Rio Grande do Norte

José Fernandes Filho

Federal University of Rio Grande do Norte

João Marcos Araújo Medeiros

Federal University of Campina Grande
