SPECIFICATION MINING FOR INTRUSION DETECTION IN NETWORKED CONTROL SYSTEMS Marco Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl


Page 1: Specification Mining for Intrusion Detection in Networked ... · 8/17/2016 Usenix Security Symposium 17 System Discovery Network Traffic Source of Information (e.g., specs, config

SPECIFICATION MINING FOR INTRUSION DETECTION IN NETWORKED CONTROL SYSTEMS

Marco Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl

Page 2

Network Intrusion Detection in a Nutshell

8/17/2016 Usenix Security Symposium 2

• From anomaly-based to specification-based

• Not all infrastructures come with specifications

• Deploying these IDSs requires substantial human effort

Our goal

We aim to ease the deployment of a specification-based IDS by automating the creation of its specification rules

Page 3

Specification Mining Approach

8/17/2016 Usenix Security Symposium 3

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

Page 4

8/17/2016 Usenix Security Symposium 4

Networked Control Systems

“Systems whose constituents are sensors, actuators, and controllers distributed over a network”

• Industrial Control Systems

• Building Automation Systems

• In-Vehicular Networks

Page 5

There's gotta be a better way!

8/17/2016 Usenix Security Symposium 5

Building Automation Threats

Snooping

Denial of Service

Process control subverting

Page 6

Specification Mining Approach

8/17/2016 Usenix Security Symposium 6

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

Page 7

BACnet

8/17/2016 Usenix Security Symposium 7

Building Automation and Control network

[Figure: BACnet protocol stack] BACnet Application Layer over BACnet Network Layer; data link / physical options below it: ISO 8802-2 (IEEE 802.2) Type 1 over ISO 8802-3 Ethernet or ARCNET, MS/TP over EIA 485, PTP over EIA 232, LonTalk, BVLL over UDP/IP (BACnet/IP, the "IP Supporting Data link"), BZLL over the Zigbee stack, BP/GT

Page 8

BACnet (Application Layer)

8/17/2016 Usenix Security Symposium 8

• ‘Services’ and ‘Objects’

– Every object has got a subset of ‘Properties’

Example object (property / value):

BACnet Property     Value
Object_Identifier   “analog-value, 7”
Present_Value       3.768
Status_Flags        Normal, Out-of-Service
Max_Pres_Value      5.0

[Figure: two BACS devices exchanging a BACnet Service that addresses a BACnet Object; object instances labelled 1, 7, …]

Page 9

Specification Mining Approach

8/17/2016 Usenix Security Symposium 9

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

Page 10

Building Automation Documentation

8/17/2016 Usenix Security Symposium 10

• Protocol Implementation Conformance Statement (PICS)

Page 11

Building Automation Documentation

8/17/2016 Usenix Security Symposium 11

• Protocol Implementation Conformance Statement (PICS)

Page 12

8/17/2016 Usenix Security Symposium 12

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

Specification Mining Approach

Lawrence Berkeley National Laboratory (US)

University of Twente (NL)

Page 13

Specification Mining Approach

8/17/2016 Usenix Security Symposium 13

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

1) Identify devices communicating on the network

2) Determine role and purpose of each identified device

Page 14

System Discovery

8/17/2016 Usenix Security Symposium 14

• “BACnet Device Object analysis”

Page 15

System Discovery

8/17/2016 Usenix Security Symposium 15

• “BACnet Device Object analysis”

• “BACnet Address linking”

Page 16

System Discovery

8/17/2016 Usenix Security Symposium 16

• Results at the University of Twente:

Page 17

Specification Mining Approach

8/17/2016 Usenix Security Symposium 17

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

1) Find verified information about the infrastructure's devices

2) Select features and constraints from the retrieved documents and arrange results in a structured form

Page 18

Feature Lookup

8/17/2016 Usenix Security Symposium 18

• PICS

[Figure: PICS data model] PICS (1) → BIBBs (Services) (n); PICS (1) → Object (n), each marked Creatable/Deletable → Property (n), each marked Writable → Value (n)

Example entry for “Blue ID S10”: BIBBs DS_RP_A, DS_RP_B, …; Objects Accumulator, Analog Input, …; Creatable/Deletable: No; Properties Object_Identifier, Object_Name, Object_Type, Present_Value; Writable: R, R, R, R/W

Page 19

Specification Mining Approach

8/17/2016 Usenix Security Symposium 19

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

1) Select identified information from Feature Lookup

2) Translate this information to specification rules

Page 20

Rule Definition

8/17/2016 Usenix Security Symposium 20

• NCS components (e.g., controllers) share some properties:

– They employ a limited set of variables to fulfill their functions

– These variables often have predetermined types

– There is a limited set of methods to access and manipulate variables

• Three different abstract rules:

1) “Type” rule checks if a variable of a specific type is allowed

2) “Value” rule checks which values a variable may assume

3) “Method” rule checks which methods can be used to access a specific variable
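As an added worked example (not the authors' tool), the three abstract rules derived from a PICS-style device description shaped like the “Blue ID S10” entry on the Feature Lookup slide, checked against constructed BACnet requests; the DS_WP_B BIBB, the Present_Value range and the request record format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# B-side BIBB a device must list in its PICS to execute a service
# (a small subset of the real BIBB table; constructed for this example).
SERVICE_BIBB = {"readProperty": "DS_RP_B", "writeProperty": "DS_WP_B"}

@dataclass
class DeviceSpec:
    """Structured PICS features: BIBBs, object types, properties, write flags."""
    name: str
    services: set
    objects: set
    writable: dict                                   # property -> True if "W"
    value_range: dict = field(default_factory=dict)  # property -> (min, max)

# Constructed spec shaped like the "Blue ID S10" PICS entry on the slides;
# DS_WP_B and the Present_Value range (0.0 .. Max_Pres_Value 5.0) are assumptions.
BLUE_ID_S10 = DeviceSpec(
    name="Blue ID S10",
    services={"DS_RP_A", "DS_RP_B", "DS_WP_B"},
    objects={"accumulator", "analog-input"},
    writable={"Object_Identifier": False, "Object_Name": False,
              "Object_Type": False, "Present_Value": True},
    value_range={"Present_Value": (0.0, 5.0)},
)

@dataclass
class Request:
    """One observed BACnet service request addressed to the device."""
    service: str
    obj_type: str
    prop: str
    value: Optional[float] = None

def check(spec: DeviceSpec, req: Request) -> list:
    """Return the names of the abstract rules the request violates ([] = ok)."""
    alerts = []
    # Type rule: is a variable of this object type allowed on the device at all?
    if req.obj_type not in spec.objects:
        return ["type"]
    # Method rule: is the service supported (BIBB listed), and may the
    # property be accessed that way (writes only to properties marked "W")?
    if SERVICE_BIBB.get(req.service) not in spec.services:
        alerts.append("method")
    elif req.service == "writeProperty" and not spec.writable.get(req.prop, False):
        alerts.append("method")
    # Value rule: may the variable assume the value being written?
    if req.service == "writeProperty" and req.value is not None:
        lo, hi = spec.value_range.get(req.prop, (float("-inf"), float("inf")))
        if not lo <= req.value <= hi:
            alerts.append("value")
    return alerts
```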

Page 21

Rule Definition

8/17/2016 Usenix Security Symposium 21

Page 22

Rule Definition

8/17/2016 Usenix Security Symposium 22

[Figure: PICS data model] PICS (1) → BIBBs (Services) (n); PICS (1) → Object (n), Creatable/Deletable → Property (n), Writable → Value (n)

Page 23

Specification Mining Approach

8/17/2016 Usenix Security Symposium 23

[Pipeline diagram: (1) System Discovery, (2) Feature Lookup, (3) Rule Definition; inputs: Network Traffic, Source of Information (e.g., specs, config. files, …); output: Detection Alerts]

Page 24

Detection Results

8/17/2016 Usenix Security Symposium 24

Page 25

Detection Results

8/17/2016 Usenix Security Symposium 25

Page 26

Detection Results

8/17/2016 Usenix Security Symposium 26

Page 27

Detection Results

8/17/2016 Usenix Security Symposium 27

Page 28

Discussion

8/17/2016 Usenix Security Symposium 28

• Configuration mismatches vs. Security relevant events

• Attack Coverage

• Generalization beyond BACnet-based BASs

Page 29

Conclusions

8/17/2016 Usenix Security Symposium 29

Networked control technologies are rapidly spreading

We need security solutions that can quickly scale up to a multitude of heterogeneous devices

Automated specification mining and rule description:

• More efficient deployment of specification-based IDSs

• Automated adaptation to the environment

Page 30

Q&A

8/17/2016 Usenix Security Symposium 30

Marco [email protected]

Thanks