Biblio

Industrial Control System (ICS) communication transmits monitoring and control data between industrial processes and the control station. ICS systems cover various domains of critical infrastructure such as the power plants, water and gas distribution, or aerospace traffic control. Security of ICS systems is usually implemented on the perimeter of the network using ICS enabled firewalls or Intrusion Detection Systems (IDSs). These techniques are helpful against external attacks, however, they are not able to effectively detect internal threats originating from a compromised device with malicious software. In order to mitigate or eliminate internal threats against the ICS system, we need to monitor ICS traffic and detect suspicious data transmissions that differ from common operational communication. In our research, we obtain ICS monitoring data using standardized IPFIX flows extended with meta data extracted from ICS protocol headers. Unlike other anomaly detection approaches, we focus on modelling the semantics of ICS communication obtained from the IPFIX flows that describes typical conversational patterns. This paper presents a technique for modelling ICS conversations using frequency prefix trees and Deterministic Probabilistic Automata (DPA). As demonstrated on the attack scenarios, these models are efficient to detect common cyber attacks like the command injection, packet manipulation, network scanning, or lost connection. An important advantage of our approach is that the proposed technique can be easily integrated into common security information and event management (SIEM) systems with Netflow/IPFIX support. Our experiments are performed on IEC 60870-5-104 (aka IEC 104) control communication that is widely used for the substation control in smart grids.

Security refers to precautions designed to shield the availability and integrity of information exchanged among the digital global community. Information safety measure typically protects the virtual facts from unauthorized sources to get a right of entry to, disclosure, manipulation, alteration or destruction on both hardware and software technologies. According to an evaluation through experts operating in the place of information safety, some of the new cyber-attacks are keep on emerging in all the business processes. As a stop result of the analyses done, it's been determined that although the level of risk is not excessive in maximum of the attacks, it's far a severe risk for important data and the severity of those attacks is prolonged. Prior safety structures has been established to monitor various cyber-threats, predominantly using a gadget processed data or alerts for showing each deterministic and stochastic styles. The principal finding for deterministic patterns in cyber- attacks is that they're neither unbiased nor random over the years. Consequently, the quantity of assaults in the past helps to monitor the range of destiny attacks. The deterministic styles can often be leveraged to generate moderately correct monitoring.

Large-scale failures in communication networks due to natural disasters or malicious attacks can severely affect critical communications and threaten lives of people in the affected area. In the absence of a proper communication infrastructure, rescue operation becomes extremely difficult. Progressive and timely network recovery is, therefore, a key to minimizing losses and facilitating rescue missions. To this end, we focus on network recovery assuming partial and uncertain knowledge of the failure locations. We proposed a progressive multi-stage recovery approach that uses the incomplete knowledge of failure to find a feasible recovery schedule. Next, we focused on failure recovery of multiple interconnected networks. In particular, we focused on the interaction between a power grid and a communication network. Then, we focused on network monitoring techniques that can be used for diagnosing the performance of individual links for localizing soft failures (e.g. highly congested links) in a communication network. We studied the optimal selection of the monitoring paths to balance identifiability and probing cost. Finally, we addressed, a minimum disruptive routing framework in software defined networks. Extensive experimental and simulation results show that our proposed recovery approaches have a lower disruption cost compared to the state-of-the-art while we can configure our choice of trade-off between the identifiability, execution time, the repair/probing cost, congestion and the demand loss.

The growing trend toward information technology increases the amount of data travelling over the network links. The problem of detecting anomalies in data streams has increased with the growth of internet connectivity. Software-Defined Networking (SDN) is a new concept of computer networking that can adapt and support these growing trends. However, the centralized nature of the SDN design is challenged by the need for an efficient method for traffic monitoring against traffic anomalies caused by misconfigured devices or ongoing attacks. In this paper, we propose a new model for traffic behavior monitoring that aims to ensure trusted communication links between the network devices. The main objective of this model is to confirm that the behavior of the traffic streams matches the instructions provided by the SDN controller, which can help to increase the trust between the SDN controller and its covered infrastructure components. According to our preliminary implementation, the behavior monitoring unit is able to read all traffic information and perform a validation process that reports any mismatching traffic to the controller.

This paper describes the work done to design a SoC platform for real-time on-line pattern search in TCP packets for Deep Packet Inspection (DPI) applications. The platform is based on a Xilinx Zynq programmable SoC and includes an accelerator that implements a pattern search engine that extends the original Boyer-Moore algorithm with timing and logical rules, that produces a very complex set of rules. Also, the platform implements different modes of operation, including SIMD and MISD parallelism, which can be configured on-line. The platform is scalable depending of the analysis requirement up to 8 Gbps. High-Level synthesis and platform based design methodologies have been used to reduce the time to market of the completed system.

Deep packet inspection (DPI) is a basic monitoring technology, which realizes network traffic control based on application payload. The technology is used to prevent threats (e.g., intrusion detection systems, firewalls) and extract information (e.g., content filtering systems). Moreover, transport layer security (TLS) monitoring is required because of the increasing use of the TLS protocol, particularly by hypertext transfer protocol secure (HTTPS). TLS monitoring is different from TCP monitoring in two aspects. First, monitoring systems cannot inspect the content in TLS communication, which is encrypted. Second, TLS communication is a session unit composed of one or more TCP connections. In enterprise networks, dedicated TLS proxies are deployed to perform TLS monitoring. However, the proxies cannot be used when monitored devices are unable to use a custom certificate. Additionally, these networks contain problems of scale and complexity that affect the monitoring. Therefore, the DPI processing using another method requires high-speed processing and various protocol analyses across TCP connections in TLS monitoring. However, it is difficult to realize both simultaneously. We propose GINTATE, which decrypts TLS communication using shared keys and monitors the results. GINTATE is a scalable architecture that uses distributed computing and considers relational sessions across multiple TCP connections in TLS communication. Additionally, GINTATE achieves DPI processing by adding an extensible analysis module. By comparing GINTATE against other systems, we show that it can perform DPI processing by managing relational sessions via distributed computing and that it is scalable.

A technique and algorithms for early detection of the started attack and subsequent blocking of malicious traffic are proposed. The primary separation of mixed traffic into trustworthy and malicious traffic was carried out using cluster analysis. Classification of newly arrived requests was done using different classifiers with the help of received training samples and developed success criteria.

Network monitoring is vital to the administration and operation of networks, but it requires privileged access that only highly trusted parties are granted. This severely limits the opportunity for external parties, such as service or equipment providers, auditors, or even clients, to measure the health or operation of a network in which they are stakeholders, but do not have access to its internal structure. In this position paper we propose the use of middleboxes to open up network monitoring to external parties using privacy-preserving technology. This will allow distrusted parties to make more inferences about the network state than currently possible, without learning any precise information about the network or the data that crosses it. Thus the state of the network will be more transparent to external stakeholders, who will be empowered to verify claims made by network operators. Network operators will be able to provide more information about their network without compromising security or privacy.

Identifying threats contained within encrypted network traffic poses a unique set of challenges. It is important to monitor this traffic for threats and malware, but do so in a way that maintains the integrity of the encryption. Because pattern matching cannot operate on encrypted data, previous approaches have leveraged observable metadata gathered from the flow, e.g., the flow's packet lengths and inter-arrival times. In this work, we extend the current state-of-the-art by considering a data omnia approach. To this end, we develop supervised machine learning models that take advantage of a unique and diverse set of network flow data features. These data features include TLS handshake metadata, DNS contextual flows linked to the encrypted flow, and the HTTP headers of HTTP contextual flows from the same source IP address within a 5 minute window. We begin by exhibiting the differences between malicious and benign traffic's use of TLS, DNS, and HTTP on millions of unique flows. This study is used to design the feature sets that have the most discriminatory power. We then show that incorporating this contextual information into a supervised learning system significantly increases performance at a 0.00% false discovery rate for the problem of classifying encrypted, malicious flows. We further validate our false positive rate on an independent, real-world dataset.