SPECIFICATION MINING FOR INTRUSION DETECTION IN NETWORKED CONTROL SYSTEMS
Marco Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl
Network Intrusion Detection in a Nutshell
8/17/2016 Usenix Security Symposium 2
• From anomaly-based to specification-based
• Not all infrastructures come with specifications
• Deploying these IDSs requires substantial human effort
Our goal
We aim to ease the deployment of a specification-based IDS by automating the creation of its specification rules
Specification Mining Approach
(Pipeline diagram) Inputs: Network Traffic and Sources of Information (e.g., specs, config. files, …). Steps: 1) System Discovery, 2) Feature Lookup, 3) Rule Definition. Output: Detection Alerts.
Networked Control Systems
“Systems whose constituents are sensors, actuators, and controllers distributed over a network”
• Industrial Control Systems
• Building Automation Systems
• In-Vehicular Networks
Building Automation Threats
There's gotta be a better way!
• Snooping
• Denial of Service
• Process control subverting
BACnet
Building Automation and Control network
Protocol stack (slide diagram): BACnet Application Layer over BACnet Network Layer; beneath it the data-link options ISO 8802-2 (IEEE 802.2) Type 1 over ISO 8802-3 Ethernet or ARCNET, MS/TP over EIA 485, PTP over EIA 232, LonTalk, BVLL over UDP/IP on an IP-supporting data link (BACnet/IP), and BZLL over the Zigbee stack. The diagram also carries the label BP/GT.
BACnet (Application Layer)
• ‘Services’ and ‘Objects’
– Every object has got a subset of ‘Properties’
Example object (BACnet Property: Value):
Object_Identifier: “analog-value, 7”
Present_Value: 3.768
Status_Flags: Normal, Out-of-Service
Max_Pres_Value: 5.0
(Diagram labels: BACS, BACS, BACnet Object, BACnet Service, 1 7 …)
Building Automation Documentation
• Protocol Implementation Conformance Statement (PICS)
Specification Mining Approach
Lawrence Berkeley National Laboratory (US)
University of Twente (NL)
Specification Mining Approach, step 1: System Discovery
1) Identify devices communicating on the network
2) Determine role and purpose of each identified device
System Discovery
• “BACnet Device Object analysis”
• “BACnet Address linking”
• Results at the University of Twente:
Specification Mining Approach, step 2: Feature Lookup
1) Find verified information about the infrastructure's devices
2) Select features and constraints from the retrieved documents and arrange results in a structured form
Feature Lookup
• PICS
PICS data model (slide diagram): one PICS lists n BIBBs (services) and n objects; each object carries a Creatable/Deletable flag and n properties; each property carries a Writable flag and n values.
Example entry for the device “Blue ID S10”:
BIBBs (Services): DS_RP_A, DS_RP_B, …
Objects: Accumulator, Analog Input, …
Creatable/Deletable: No
Properties: Object_Identifier, Object_Name, Object_Type, Present_Value
Writable: R, R, R, R/W
Value: …
Specification Mining Approach, step 3: Rule Definition
1) Select identified information from Feature Lookup
2) Translate this information to specification rules
Rule Definition
• NCS components (e.g., controllers) share some properties:
– They employ a limited set of variables to fulfill their functions
– These variables often have predetermined types
– There is a limited set of methods to access and manipulate variables
• Three different abstract rules:
1) “Type” rule checks whether a variable of a specific type is allowed
2) “Value” rule checks which values a variable may assume
3) “Method” rule checks which methods can be used to access a specific variable
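As an added example (not the authors' code), the three abstract rules evaluated against a specification in the shape of the Feature Lookup table: the device name, BIBBs, object list, writable flags and the Max_Pres_Value bound follow the slides' examples, while the request format, the analog-value object's property set and DS_WP_B as the BIBB for executing WriteProperty are assumptions.

```python
# Constructed example (not the authors' code): the Type, Value and Method rules applied to
# a spec shaped like the slides' Feature Lookup table; the spec values below are made up.
SPEC = {
    "Blue ID S10": {
        "bibbs": {"DS_RP_A", "DS_RP_B"},  # BIBBs the PICS declares; note: no DS_WP_B
        "objects": {  # object type -> property -> access flag from the Writable column
            "analog-input": {"Object_Identifier": "R", "Object_Name": "R",
                             "Object_Type": "R", "Present_Value": "R/W"},
            "analog-value": {"Object_Identifier": "R", "Present_Value": "R/W"},
        },
        "bounds": {("analog-value", "Present_Value"): (0.0, 5.0)},  # from Max_Pres_Value
    }
}
# service -> (BIBB the executing device must declare, does it write); DS_WP_B = WriteProperty-B
SERVICE_BIBB = {"ReadProperty": ("DS_RP_B", False), "WriteProperty": ("DS_WP_B", True)}

def check(msg, spec=SPEC):
    """Return alert strings for one parsed request; an empty list means it conforms."""
    dev = spec[msg["device"]]  # the device list comes from the System Discovery step
    # Type rule: is a variable (object) of this type allowed on this device at all?
    obj = dev["objects"].get(msg["object_type"])
    if obj is None:
        return ["type: %s not in PICS of %s" % (msg["object_type"], msg["device"])]
    alerts = []
    access = obj.get(msg["property"])
    if access is None:
        alerts.append("type: %s not declared for %s" % (msg["property"], msg["object_type"]))
    # Method rule: is the service declared, and does a write target a writable property?
    bibb, is_write = SERVICE_BIBB[msg["service"]]
    if bibb not in dev["bibbs"]:
        alerts.append("method: %s needs BIBB %s, absent from PICS" % (msg["service"], bibb))
    if is_write and access is not None and "W" not in access:
        alerts.append("method: write to read-only %s" % msg["property"])
    # Value rule: may the variable assume the value being written?
    key = (msg["object_type"], msg["property"])
    if is_write and key in dev["bounds"]:
        lo, hi = dev["bounds"][key]
        if not lo <= msg["value"] <= hi:
            alerts.append("value: %s outside [%s, %s]" % (msg["value"], lo, hi))
    return alerts

# Constructed requests in the shape a protocol parser would hand to the checker.
REQUESTS = [
    {"device": "Blue ID S10", "service": "ReadProperty", "object_type": "analog-value",
     "instance": 7, "property": "Present_Value", "value": None},
    {"device": "Blue ID S10", "service": "WriteProperty", "object_type": "analog-value",
     "instance": 7, "property": "Present_Value", "value": 7.5},
    {"device": "Blue ID S10", "service": "WriteProperty", "object_type": "binary-output",
     "instance": 1, "property": "Present_Value", "value": 1},
]
```

The second request trips both the Method rule (the PICS declares no WriteProperty BIBB) and the Value rule (7.5 exceeds the 5.0 bound), which is the kind of configuration mismatch versus security-relevant event the Discussion slide raises.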
Detection Results
Discussion
• Configuration mismatches vs. security-relevant events
• Attack Coverage
• Generalization beyond BACnet-based BASs
Conclusions
Networked control technologies are rapidly spreading
We need security solutions that can quickly scale up to a multitude of heterogeneous devices
Automated specification mining and rule description:
• More efficient deployment of specification-based IDSs
• Automated adaptation to the environment