Results 1 -
6 of
6
A real time OCSVM Intrusion Detection module with low overhead for SCADA systems
"... Abstract—In this paper we present a intrusion detection mod-ule capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM (One-Class Support ..."
Abstract
-
Cited by 1 (1 self)
- Add to MetaCart
(Show Context)
Abstract—In this paper we present a intrusion detection mod-ule capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM (One-Class Support Vector Machine) is an intrusion detection mechanism that does not need any labeled data for training or any information about the kind of anomaly is expecting for the detection process. This feature makes it ideal for processing SCADA environment data and automate SCADA performance monitoring. The OCSVM module developed is trained by network traces off line and detect anomalies in the system real time. In order to decrease the overhead induced by communi-cated alarms we propose a new detection mechanism that is based on the combination of OCSVM with a recursive k-means clustering procedure. The proposed intrusion detection module K−OCSVM is capable to distinguish severe alarms from possible attacks regardless of the values of parameters σ and ν, making it ideal for real-time intrusion detection mechanisms for SCADA systems. The most severe alarms are then communicated with the use of IDMEF files to an IDSIDS (Intrusion Detection System) system that is developed under CockpitCI project. Alarm messages carry information about the source of the incident, the time of the intrusion and a classification of the alarm. Keywords—SCADA systems; OCSVM; intrusion detection I.
PROSPECT Peripheral Proxying Supported Embedded Code Testing
"... Embedded systems are an integral part of almost every elec-tronic product today. From consumer electronics to indus-trial components in SCADA systems, their possible fields of application are manifold. While especially in industrial and critical infrastructures the security requirements are high, re ..."
Abstract
-
Cited by 1 (0 self)
- Add to MetaCart
(Show Context)
Embedded systems are an integral part of almost every elec-tronic product today. From consumer electronics to indus-trial components in SCADA systems, their possible fields of application are manifold. While especially in industrial and critical infrastructures the security requirements are high, recent publications have shown that embedded systems do not cope well with this demand. One of the reasons is that embedded systems are being less scrutinized as embedded security analysis is considered to be more time consuming and challenging in comparison to PC systems. One of the key challenges on proprietary, resource constrained embed-ded devices is dynamic code analysis. The devices typically do not have the capabilities for a full-scale dynamic secu-rity evaluation. Likewise, the analyst cannot execute the software implementation inside a virtual machine due to the missing peripheral hardware that is required by the software to run. In this paper, we present PROSPECT, a system that can overcome these shortcomings and enables dynamic code analysis of embedded binary code inside arbitrary anal-ysis environments. By transparently forwarding peripheral hardware accesses from the original host system into a vir-tual machine, PROSPECT allows security analysts to run the embedded software implementation without the need to know which and how embedded peripheral hardware compo-nents are accessed. We evaluated PROSPECT with respect to the performance impact and conducted a case study by doing a full-scale security audit of a widely used commercial fire alarm system in the building automation domain. Our results show that PROSPECT is both practical and usable for real-world application.
Malware Detection Method Focusing on Anti-Debugging Functions
"... Abstract-Malware has received much attention in recent years. Antivirus software is widely used as a countermeasure against malware. However, some kinds of malware can evade detection by antivirus software; hence, a new detection method is required. In this paper, we propose a malware detection met ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract-Malware has received much attention in recent years. Antivirus software is widely used as a countermeasure against malware. However, some kinds of malware can evade detection by antivirus software; hence, a new detection method is required. In this paper, we propose a malware detection method that focuses on Anti-Debugging functions. An AntiDebugging function is a method that prevents malware analysts from analyzing an application program (AP). The function can form part of benign as well as malicious APs. Our method focuses on a behavioral difference between benign and malicious APs and detects malware by comparing the two behavioral patterns. Evaluation results with malware confirmed our method to be capable of successfully detecting malware.
Risk Propagation Analysis and Visualization using Percolation Theory
"... Abstract—This article presents a percolation-based approach for the analysis of risk propagation, using malware spreading as a showcase example. Conventional risk management is often driven by human (subjective) assessment of how one risk influences the other, respectively, how security incidents ca ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract—This article presents a percolation-based approach for the analysis of risk propagation, using malware spreading as a showcase example. Conventional risk management is often driven by human (subjective) assessment of how one risk influences the other, respectively, how security incidents can affect subsequent problems in interconnected (sub)systems of an infrastructure. Using percolation theory, a well-established methodology in the fields of epidemiology and disease spreading, a simple simulation-based method is described to assess risk propagation system-atically. This simulation is formally analyzed using percolation theory, to obtain closed form criteria that help predicting a pandemic incident propagation (or a propagation with average-case bounded implications). The method is designed as a security decision support tool, e.g., to be used in security operation centers. For that matter, a flexible visualization technique is devised, which is naturally induced by the percolation model and the simulation algorithm that derives from it. The main output of the model is a graphical visualization of the infrastructure (physical or logical topology). This representation uses color codes to indicate the likelihood of problems to arise from a security incident that initially occurs at a given point in the system. Large likelihoods for problems thus indicate “hotspots”, where additional action should be taken. Keywords—security operation center; malware infection; perco-lation; BYOD; risk propagation; visualization I.
Peach Improvement on Profinet-DCP for Industrial Control System Vulnerability Detection
"... Abstract. With the development of ICS, PLC and SCADA systems are interconnected with Ethernet and directly connected to internet, which greatly improve the efficiency of data sharing and introduced in security threats at the same time. Once crack fault occurrence of critical infrastructure will resu ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract. With the development of ICS, PLC and SCADA systems are interconnected with Ethernet and directly connected to internet, which greatly improve the efficiency of data sharing and introduced in security threats at the same time. Once crack fault occurrence of critical infrastructure will result in casualties and great economic loss. Peach Fuzzer is an advanced and extensible fuzzing platform and is restricted to those with TCP/UDP-based protocols on Windows Platform, the PN-DCP would not be supported without publisher to send PDU correctly. So it is urgent to develop an additional publisher for PN-DCP. In this paper, we propose a novel Peach improvement on Profinet-DCP for industrial control system vulnerability detection. We analyze the importance of vulnerability detecting for PN-DCP with Peach Fuzzer. Then, introducing the Peach Framework, the hierarchy of Profinet-DCP and the PitFile of Profinet-DCP. We also evaluate our approach through experiments, the results can fully satisfy the requirement of vulnerability detecting of PN-DCP on Peach platform.
