Rafael Ramos Regis Barbosa

A directional data dissemination protocol for vehicular environments

This paper presents a simple and robust dissemination protocol that efficiently deals with data dissemination in both dense and sparse vehicular networks. Our goal is to address highway scenarios where vehicles equipped with sensors detect an event, e.g., a hazard and broadcast an event message to a specific direction of interest. In order to deal with broadcast communication under diverse network densities, we design a dissemination protocol in such a way that: (i) it prevents the so-called broadcast storm problem in dense networks by employing an optimized broadcast suppression technique; and (ii) it efficiently deals with disconnected networks by relying on the store-carry-forward communication model. The novelty of the protocol lies in its simplicity and robustness. Simplicity is achieved by only considering two states (i.e., cluster tail and non-tail) for vehicles. Furthermore, vehicles in both directions help disseminating messages in a seamlessly manner, without resorting to different operation modes for each direction. Robustness is achieved by assigning message delivery responsibility to multiple vehicles in sparse networks. Our simulation results show that our protocol achieves higher delivery ratio and higher robustness when compared with DV-CAST under diverse road scenarios.

Intrusion detection in SCADA networks

Supervisory Control and Data Acquisition (SCADA) systems are a critical part of large industrial facilities, such as water distribution infrastructures. With the goal of reducing costs and increasing efficiency, these systems are becoming increasingly interconnected. However, this has also exposed them to a wide range of network security problems. Our research focus on the development of a novel flow-based intrusion detection system. Based on the assumption that SCADA networks are well-behaved, we believe that it is possible to model the normal traffic by establishing relations between network flows. To improve accuracy and provide more information on the anomalous traffic, we will also research methods to derive a flow-based model for anomalous flows.

Difficulties in modeling SCADA traffic: a comparative analysis

Modern critical infrastructures, such as water distribution and power generation, are large facilities that are distributed over large geographical areas. Supervisory Control and Data Acquisition (SCADA) networks are deployed to guarantee the correct operation and safety of these infrastructures. In this paper, we describe key characteristics of SCADA traffic, verifying if models developed for traffic in traditional IT networks are applicable. Our results show that SCADA traffic largely differs from traditional IT traffic, more noticeably not presenting diurnal patters or self-similar correlations in the time series.

Flow whitelisting in SCADA networks

Supervisory Control And Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. Modern SCADA networks are becoming more vulnerable to network attacks, due to the now common use of standard communication protocols and increased interconnection to corporate networks and the Internet. In this work, we propose an approach to improve the security of these networks based on flow whitelisting. A flow whitelist describes the legitimate traffic solely using four properties of network packets: the client address, the server address, the server-side port, and the transport protocol. The proposed approach consists in learning a flow whitelist by capturing network traffic and aggregating it into flows for a given period of time. After this learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. We demonstrate the applicability of the approach using real-world traffic traces, captured in two water treatment plants and a gas and electric utility.

A Simple and Robust Dissemination protocol for VANETs

Several promising applications for Vehicular Ad-hoc Networks (VANETs) exist. For most of these applications, the communication among vehicles is envisioned to be based on the broadcasting of messages. This is due to the inherent highly mobile environment and importance of these messages to vehicles nearby. To deal with broadcast communication, dissemination protocols must be defined in such a way as to (i) prevent the so-called broadcast storm problem in dense networks and (ii) deal with disconnected networks in sparse topologies. In this paper, we present a Simple and Robust Dissemination (SRD) protocol that deals with these requirements in both sparse and dense networks. Its novelty lies in its simplicity and robustness. Simplicity is achieved by considering only two states (cluster tail and non-tail) for a vehicle. Robustness is achieved by assigning message delivery responsibility to multiple vehicles in sparse networks. Our simulation results show that SRD achieves high delivery ratio and low end-to-end delay under diverse traffic conditions.

Towards periodicity based anomaly detection in SCADA networks

Supervisory Control and Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. The polling mechanism used to retrieve data from field devices causes the data transmission to be highly periodic. In this paper, we propose an approach that exploits traffic periodicity to detect traffic anomalies, which represent potential intrusion attempts. We present a proof of concept to show the feasibility of our approach.

Exploiting traffic periodicity in industrial control networks

Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.