Publication


Featured research published by Travis Atkison.


IEEE Transactions on Dependable and Secure Computing | 2016

Industrial Control System Network Intrusion Detection by Telemetry Analysis

Stanislav Ponomarev; Travis Atkison

Until recently, industrial control systems (ICSs) used “air-gap” security measures, where every node of the ICS network was isolated from other networks, including the Internet, by a physical disconnect. Attaching ICS networks to the Internet benefits companies and engineers who use them. However, as these systems were designed for use in the air-gapped security environment, protocols used by ICSs contain little to no security features and are vulnerable to various attacks. This paper proposes an approach to detect the intrusions into network-attached ICSs by measuring and verifying data that is transmitted through the network but is not inherently the data used by the transmission protocol: network telemetry. Using simulated PLC units, the developed IDS was able to achieve 94.3 percent accuracy when differentiating between machines of an attacker and engineer on the same network, and 99.5 percent accuracy when differentiating between attacker and engineer on the Internet.


Eurographics | 2001

Case study: visualization and information retrieval techniques for network intrusion detection

Travis Atkison; Kathleen Pensy; Charles Nicholas; David S. Ebert; Rebekah Atkison; Christopher J. Morris

We describe our efforts to analyze network intrusion detection data using information retrieval and visualization tools. By regarding Telnet sessions as documents, which may or may not include attacks, a session that contains a certain type of attack can be used as a query, allowing us to search the data for other instances of that same type of attack. The use of information visualization techniques allows us to quickly and clearly find the attacks and also find similar, potentially new types of attacks.


Proceedings of the 9th Annual Cyber and Information Security Research Conference on | 2014

Detection of SSH host spoofing in control systems through network telemetry analysis

Stanislav Ponomarev; Nathan Wallace; Travis Atkison

Modern networking architecture is designed with high scalability in mind. Different protocols can be encapsulated to support different systems. Machine identifiers (IP and MAC addresses) in network packets can be modified easily. This modification prevents servers from determining whether the connecting machines are allowed to communicate. Cryptographic functions have been used in protocols such as Secure Shell (SSH) to establish network node authenticity, but they can be circumvented by social engineering and brute force attacks. This research effort created a new classifier that processes network telemetry to determine authenticity of SSH clients in a control systems network. The developed classifier, within the control systems network, was able to differentiate with 100% accuracy SSH connections from machines that were transmitting identical MAC and IP addresses, and had the same RSA key for authentication.


ACM Southeast Regional Conference | 2012

Evolution of traditional digital forensics in virtualization

Juan Carlos Flores Cruz; Travis Atkison

Computer virtualization is not new; however, it has become increasingly important because of the many advantages it offers businesses and individuals to reduce costs. A company can reduce maintenance, hardware, and energy costs by running virtualized servers on a single physical machine. Although virtualization offers these advantages, it introduces new challenges to current computer forensic techniques as well as computer system defense tools. As this technology continues to be adopted by more and more companies every year, malware and hacker attacks are potentially going to affect virtualized systems as they have been affecting physical systems in the past. Therefore, the increasing growth of virtualization has created the need for a new generation of computer system defenses as well as computer forensic techniques to effectively defend these systems before or after they have been attacked. Because of the nature of how virtualization operates, new techniques to interact with these systems have become available. These techniques allow us to increase the effectiveness of current forensic and system defense tools to create new tools to defend or analyze virtualized systems. Virtual Machine Introspection (VMI) is one of these techniques that have formed the basis of a number of novel approaches in the field of Digital Forensics and Cybersecurity. In this paper, we present what VMI has offered to Digital Forensics and the new challenges it brings. Likewise, we discuss why traditional Digital Forensic techniques are not reliable to analyze virtual machines once they have been attacked.


Journal of Computer Applications in Technology | 2012

Combining lexical and structural information for static bug localisation

Peng Shao; Travis Atkison; Nicholas A. Kraft; Randy K. Smith

In bug localisation a developer uses information about a bug present in a software system to locate the source code elements that must be modified to correct the bug. Researchers have developed static bug localisation techniques using Information Retrieval techniques such as Latent Semantic Indexing (LSI) to model lexical information from source code. In this paper we present a new technique, LSICG, that combines LSI to model lexical information and call graphs to model structural information. A case study of 21 bugs in Rhino demonstrates that our technique provides improved performance compared to LSI alone.


IEEE International Conference on High Performance Computing Data and Analytics | 2007

Web-Based High Performance Remote Visualization

Rhonda J. Vickery; Joel Martin; James E. Fowler; Robert J. Moorhead; Yogi Dandass; Travis Atkison; Andy Cedilnik; Paul Adams; Jerry Clarke

This work describes a web browser-based remote visualization capability for large datasets. We discuss recent enhancements including access to databases and remote resources, as well as the addition of two image compression algorithms and their effect on performance. Results indicate that the existing sequential unified-channel image run transmission (SQUIRT) image compression algorithm performs best for large bandwidth situations while the new binary set splitting with k-d trees (BISK) algorithm works better than the previous JPEG compression scheme. The results from a study on encryption effects on the data stream show that encryption does not add a significant amount of overhead.


ACM Southeast Regional Conference | 2013

Evolution of digital forensics in virtualization by using virtual machine introspection

James Poore; Juan Flores; Travis Atkison

Computer virtualization is not a new technology, but it has become increasingly important because of the many advantages it offers to businesses and individuals to reduce costs, while introducing new challenges to the field of digital forensics. As virtualization continues to be adopted by more and more companies every year, malware and hacker attacks are going to have an increasing effect on virtualized systems. Therefore, the increasing growth of virtualization has created the need for a new generation of computer forensic tools and techniques to analyze these compromised systems. Because of the rapid growth of virtualization, new techniques to interact with virtual systems have been developed. Some of these techniques reduce the limitations of traditional forensics tools' abilities to analyze the virtual system. Virtual Machine Introspection (VMI) is one of these techniques that have formed the basis for a number of novel approaches in the fields of cyber security and digital forensics. This paper explores how VMI improves traditional digital forensics to overcome its downfalls when used to investigate virtual machines, especially during a live analysis of the machine.


ACM Southeast Regional Conference | 2013

Observing industrial control system attacks launched via metasploit framework

Nathan Wallace; Travis Atkison

Industrial Control Systems (ICS) are present across many industries ranging from automotive to utilities. These systems have been found to be connected to corporate enterprise servers and can communicate over unencrypted communication channels. Interconnections of this type provide an attack vector for people with malicious intent and therefore are a critical cyber security risk. To better understand these risks and possible security measures, this research presents as proof of concept several attacks against a programmable logic controller along with observations made during the attacks. Our results indicate a time sequence difference between legitimate and spoofed command and control packets. Attacks are launched using the Metasploit Framework against a simulated control scenario. Using the observations made in this paper it is then suggested that several features can be extracted and then utilized in next generation mitigation and detection techniques for the industrial control environment.


ACM Southeast Regional Conference | 2012

Applying random projection to the classification of malicious applications using data mining algorithms

Jan Durand; Travis Atkison

This research is part of a continuing effort to show the viability of using random projection as a feature extraction and reduction technique in the classification of malware to produce more accurate classifiers. In this paper, we use a vector space model with n-gram analysis to produce weighted feature vectors from binary executables, which we then reduce to a smaller feature set using the random projection method proposed by Achlioptas, and the feature selection method of mutual information to produce two separate data sets. We then apply several popular machine learning algorithms including J48 decision tree, naïve Bayes, support vector machines, and an instance-based learner to the data sets to produce classifiers for the detection of malicious executables. We evaluate the performance of the different classifiers and discover that using a data set reduced by random projection can improve the performance of support vector machine and instance-based learner classifiers.


ACM Southeast Regional Conference | 2011

Using randomized projection techniques to aid in detecting high-dimensional malicious applications

Jan Durand; Travis Atkison

This work is part of an on-going effort in using randomized projection as a feature extraction and reduction method to improve a cosine similarity, information retrieval technique to enhance the detection of known malicious applications and their variations. We follow a standard information retrieval methodology that allows software to be regarded as documents in the corpus. This provides the ability to search the corpus with a query, malicious software, and retrieve/identify potentially malicious software and other instances of the same type of vulnerability. In our experiments, we compare Gaussian-distributed random matrix randomized projection to two alternative methods of randomized projection, sparse matrix randomized projection and Linial-London-Rabinovich random set randomized projection, and assess their performance when applied to features of malicious applications extracted via the information retrieval technique of n-gram analysis. In our results, the Gaussian-distributed random matrix approach outperformed the other methods with generally higher values for each observed performance metric; however, each algorithm showed promise in selected scenarios. These results support the hypothesis that applying the technique of random matrix projection as a dimensionality reduction method for the cosine similarity metric has merit in determining if an application may contain a malicious application.

Collaboration


Top Co-Authors

Nathan Wallace

Louisiana Tech University

Jan Durand

Louisiana Tech University

Bernard Chen

University of Central Arkansas

Rhonda J. Vickery

Mississippi State University

Yogi Dandass

Mississippi State University

James E. Fowler

Mississippi State University