nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

Detecting, Fingerprinting and Tracking Reconnaissance Campaigns Targeting Industrial Control Systems

verfasst von : Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf, Basile L. Agba

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Industrial Control Systems (ICS) are attractive targets to attackers because of the significant cyber-physical damage they can inflict. As such, they are often subjected to reconnaissance campaigns aiming at discovering vulnerabilities that can be exploited online. As these campaigns scan large netblocks of the Internet, some of the IP packets are directed to the darknet, routable, allocated and unused IP space. In this paper, we propose a new technique to detect, fingerprint, and track probing campaigns targeting ICS systems by leveraging a /13 darknet traffic. Our proposed technique detects, automatically, and in near-real time such ICS probing campaigns and generates relevant and timely cyber threat intelligence using graph-theoretic methods to compare and aggregate packets into campaigns. Besides, it ascribes to each observed campaign a fingerprint that uniquely characterizes it and allows its tracking over time. Our technique has been tested over 12.85 TB of data, which represents 330 days of darknet network traffic received. The result of our analysis allows for the discovery of not only known legitimate recurrent probing campaigns such as those performed by Shodan and Censys but also uncovers coordinated campaigns launched by other organizations. Furthermore, we give details on a campaign linked to botnet activity targeting the EtherNet/IP protocol.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel On the Perils of Leaking Referrers in Online Collaboration Services

Nächstes Kapitel Overshadow PLC to Detect Remote Control-Logic Injection Attacks

https://www.elastic.co/.

https://www.elastic.co/products/kibana.

https://www.farsightsecurity.com/community.

https://www.shodan.io/.

https://www.maxmind.com/en/home.

https://www.kudelskisecurity.com/.

https://www.rapid7.com/research/project-sonar/.

https://www.virustotal.com/.

https://www.rockwellautomation.com/site-selection.html.

Ban, T., Inoue, D.: Practical darknet traffic analysis: methods and case studies. In: 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), pp. 1–8. IEEE (2017)

Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K.: Detection of botnet activities through the lens of a large-scale darknet. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.-S.M. (eds.) ICONIP 2017. LNCS, vol. 10638, pp. 442–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70139-4_45CrossRef

Bou-Harb, E.: A probabilistic model to preprocess darknet data for cyber threat intelligence generation. In: 2016 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2016)

Bou-Harb, E., Debbabi, M., Assi, C.: On detecting and clustering distributed cyber scanning. In: 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 926–933. IEEE (2013)

Bou-Harb, E., Debbabi, M., Assi, C.: A statistical approach for fingerprinting probing activities. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 21–30. IEEE (2013)

Bou-Harb, E., Debbabi, M., Assi, C.: Behavioral analytics for inferring large-scale orchestrated probing events. In: 2014 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 506–511. IEEE (2014)

Bou-Harb, E., Debbabi, M., Assi, C.: Cyber scanning: a comprehensive survey. IEEE Commun. Surv. Tutorials 16(3), 1496–1519 (2014)CrossRef

Bou-Harb, E., Debbabi, M., Assi, C.: On fingerprinting probing activities. Comput. Secur. 43, 35–48 (2014)CrossRef

Bou-Harb, E., Debbabi, M., Assi, C.: A time series approach for inferring orchestrated probing campaigns by analyzing darknet traffic. In: 2015 10th International Conference on Availability, Reliability and Security (ARES), pp. 180–185. IEEE (2015)

10.

Bou-Harb, E., Scanlon, M.: Behavioral service graphs: a formal data-driven approach for prompt investigation of enterprise and internet-wide infections. Digit. Invest. 20, S47–S55 (2017)CrossRef

11.

Cherepanov, A.: Win32/industroyer: a new threat for industrial control systems. White paper, ESET, June 2017

12.

Coudriau, M., Lahmadi, A., François, J.: Topological analysis and visualisation of network monitoring data: darknet case study. In: 2016 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1–6. IEEE (2016)

13.

Dragos: TRISIS Malware Analysis of Safety System Targeted Malware. Dragos Inc. (2017). https://dragos.com/blog/trisis/TRISIS-01.pdf

14.

Fachkha, C., Bou-Harb, E., Keliris, A., Memon, N., Ahamad, M.: Internet-scale probing of CPS: inference, characterization and orchestration analysis. In: The Network and Distributed System Security Symposium (NDSS) (2017)

15.

Furutani, N., Kitazono, J., Ozawa, S., Ban, T., Nakazato, J., Shimamura, J.: Adaptive DDoS-event detection from big darknet traffic data. In: Arik, S., Huang, T., Lai, W.K., Liu, Q. (eds.) ICONIP 2015. LNCS, vol. 9492, pp. 376–383. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26561-2_45CrossRef

16.

Garg, S., Singh, A., Batra, S., Kumar, N., Obaidat, M.: Enclass: ensemble-based classification model for network anomaly detection in massive datasets. In: GLOBECOM 2017-2017 IEEE Global Communications Conference. pp. 1–7. IEEE (2017)

17.

Gersho, A., Gray, R.M.: Vector Quantization and Signal Compression, vol. 159. Springer Science & Business Media, Berlin (2012)MATH

18.

Hashimoto, N., Ozawa, S., Ban, T., Nakazato, J., Shimamura, J.: A darknet traffic analysis for IoT malwares using association rule learning. Procedia Comput. Sci. 144, 118–123 (2018)CrossRef

19.

ICS-Cert-US: Rockwell automation controllogix plc vulnerabilities (2018). https://ics-cert.us-cert.gov/advisories/ICSA-13-011-03

20.

Jin, Y., Simon, G., Xu, K., Zhang, Z.L., Kumar, V.: Grays anatomy: dissecting scanning activities using IP gray space analysis. In: Usenix SysML 2007 (2007)

21.

Johnson, B., Caban, D., Krotofil, M., Scali, D., Brubaker, N., Glyer, C.: Attackers deploy new ICS attack framework triton and cause operational disruption to critical infrastructure (2017). https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

22.

Kirubavathi, G., Anitha, R.: Botnet detection via mining of traffic flow characteristics. Comput. Electr. Eng. 50, 91–101 (2016)CrossRef

23.

Lagraa, S., François, J.: Knowledge discovery of port scans from darknet. In: IFIP/IEEE Symposium on Integrated Network and Service Management (IM), 2017, pp. 935–940. IEEE (2017)

24.

Li, Z., Goyal, A., Chen, Y., Paxson, V.: Towards situational awareness of large-scale botnet probing events. IEEE Trans. Inf. Forensics Secur. 6(1), 175–188 (2011)CrossRef

25.

Lipovsky, R.: Back in blackenergy *: 2014 targeted attacks in ukraine and poland (2014). https://www.welivesecurity.com/2014/09/22/back-in-blackenergy-2014/

26.

Lipovsky, R., Cherepanov, A.: Blackenergy trojan strikes again: attacks ukrainian electric power industry (2016). https://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/

27.

Lloyd’s: Business blackout: the insurance implications of a cyber attack on the us powergrid. Technical report, Center for Risk Studies, University of Cambridge (2015)

28.

Lu, Z., Sun, X., Wen, Y., Cao, G., La Porta, T.: Algorithms and applications for community detection in weighted networks. IEEE Trans. Parallel Distrib. Syst. 26(11), 2916–2926 (2015)CrossRef

29.

Lv, Y., Li, Y., Tu, S., Xiang, S., Xia, C.: Coordinated scan detection algorithm based on the global characteristics of time sequence. In: 2014 Ninth International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 199–206. IEEE (2014)

30.

Mazel, J., Fontugne, R., Fukuda, K.: Identifying coordination of network scans using probed address structure. In: Traffic Monitoring and Analysis-8th International Workshop, TMA, pp. 7–8 (2016)

31.

Mirian, A., et al.: An internet-wide view of ICS devices. In: 14th Annual Conference on Privacy, Security and Trust (PST), 2016, pp. 96–103. IEEE (2016)

32.

Müllner, D., et al.: Fastcluster: fast hierarchical, agglomerative clustering routines for R and python. J. Stat. Softw. 53(9), 1–18 (2013)CrossRef

33.

Nichols, K., Blake, S., Baker, F., Black, D.: Definition of the differentiated services field (DS field) in the IPv4 and IPv6 Headers (1998). https://tools.ietf.org/pdf/rfc2474.pdf

34.

Ethernet/IP quick start for vendors handbook (2008). https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00213R0_EtherNetIP_Developers_Guide.pdf

35.

Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FluXOR: detecting and monitoring fast-flux service networks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 186–206. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70542-0_10CrossRef

36.

Passive DNS FAQ (2018). https://www.farsightsecurity.com/technical/passive-dns/passive-dns-faq/

37.

Pcap4j (2018). https://github.com/kaitoy/pcap4j

38.

Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)MathSciNetMATH

39.

Shannon, C.E.: A mathematical theory of communication. ACM SIGMOBILE Mob. Comput. Commun. Rev. 5(1), 3–55 (2001)MathSciNetCrossRef

40.

(2018). https://www.tcpdump.org

41.

Zakroum, M., et al.: Exploratory data analysis of a network telescope traffic and prediction of port probing rates. In: 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 175–180. IEEE (2018)

42.

Zetter, K., Barrett, B., Lapowsky, I., Newman, L., Greenberg, A.: An unprecedented look at stuxnet, the world’s first digital weapon (2014). https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

Titel: Detecting, Fingerprinting and Tracking Reconnaissance Campaigns Targeting Industrial Control Systems
verfasst von: Olivier Cabana
Amr M. Youssef
Mourad Debbabi
Bernard Lebel
Marthe Kassouf
Basile L. Agba
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner