DETECTING, FINGERPRINTING AND TRACKING RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS
By Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf & Basile L. Agba
June 17, 2019 Detecting, Fingerprinting and Tracking ICS Campaigns

Outline
• Introduction
• Methodology
• Results
• Conclusion
INTRODUCTION
Motivation
Industrial Control Systems (ICS) are vital pieces of our infrastructure
• Used in the smart grid, smart city, smart devices, building automation
• Sharp rise in the number of internet-connected devices
• Internet is a huge attack surface against ICS and IoT
ICS are attractive and vulnerable targets
• Huge financial cost to any successful attack against ICS
• Consequences in the physical world: blackouts, destroyed equipment, …
Rise in the use of sophisticated attacks
• Industroyer, BlackEnergy, Triton, …
• These attacks require sophisticated know-how and knowledge of their targets
Problem statement
With the onset of Internet-driven cyber attacks…
• Need for accurate, timely & reliable intelligence on incoming cyber attacks
• To mitigate & prevent attacks before they occur
As reconnaissance campaigns are precursors to cyber attacks…
• Need for a tool to identify campaigns accurately and in near real-time
• Identifying sources, targeted ICS devices & scanning techniques
Contributions
• Near real-time detection of ICS probing campaigns
• Tracking, characterization & identification of campaigns
• Intelligence on campaign sources & targeted ICS infrastructure
METHODOLOGY
Overview (diagram slide; the pipeline figure is not reproduced in this text)
Network telescope (darknet) data
• Originates from a /13 network telescope
 ▪ 11 subnets from 12 countries
 ▪ About ½ million IP addresses
 ▪ Live stream of network traffic: over 28 GB per day
• Packets batched in PCAP-formatted files arrive in real-time
• Contains traffic from ICS/IoT devices
• Monitors 27 ICS/IoT protocols
Features
• Extracts primary features from packets
 ▪ Header fields & payload
• Extracts secondary features from groups of packets

Primary features: Total Length, Payload, IHL, Fragment Offset, IPv4 Flags, TTL, ToS, IPv4 Options, Identification, TCP Flags, TCP Options, Urgent Pointer, Offset, Window Size, Sequence #, Acknowledgement #
Secondary features: Destination Overlap, Packet to Destination Ratio, Packet Interval
Classification
• Core component of the campaign identification process; the stages, in pipeline order:
 ▪ Packet Aggregation: using source IP and protocol; storing packet information in node data structures
 ▪ Graph Generation: using header features matching; pairwise node comparison using stored packet information
 ▪ Cluster Formation: using graph theory metrics; partitioning the weighted graph based on edge weights
 ▪ Campaign Identification: using temporal features matching; removing outliers from the cluster
 ▪ Signature Generation: based on characteristic features; using common packet information shared with all nodes in the cluster
Calculating the weights
• Weight calculation used for graph generation

  w_i = \left( -\sum_{a_j \in A} \frac{a_j}{N} \log_{|A|} \frac{a_j}{N} \right)^{d}

 ▪ w_i : the weight of the i-th feature
 ▪ A : set of values representing the number of times all values of the i-th feature appear
 ▪ a_j : represents the number of occurrences of the j-th value of the i-th feature
 ▪ N = \sum_{j=1}^{n} a_j : the sum of all values in A
 ▪ d : exponent in the range [0, 1]
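The weight formula above, implemented as an added example (not code from the slides or the authors' tool). It takes the raw values of one header feature, builds the count set A and the total N, computes the entropy in base |A| so that the result lies in [0, 1], and applies the exponent d. The sample TTL values and packet dicts are constructed for the example; the handling of a constant feature (|A| = 1, where log base 1 is undefined) as weight 0 is an assumption.

```python
import math
from collections import Counter

# Constructed sample values of one header feature (TTL) seen across 20 packets
# from one source; they are not figures from the slides.
SAMPLE_TTL_VALUES = [64] * 10 + [128] * 2 + [32] * 3 + [255] * 5


def feature_weight(values, d=0.5):
    """Weight w_i of one feature from the occurrence counts of its values.

    w_i = ( -sum_{a_j in A} (a_j / N) * log_|A|(a_j / N) )^d
    A holds the number of occurrences of every distinct value, N is their sum,
    and taking the log in base |A| normalises the entropy to [0, 1] so the
    exponent d in [0, 1] only reshapes the curve.
    """
    A = list(Counter(values).values())   # occurrence count a_j of each value
    N = sum(A)
    if N == 0 or len(A) == 1:
        # No packets, or a single value: log base 1 is undefined and a
        # constant feature carries no information, so its weight is 0
        # (assumption of this example).
        return 0.0
    entropy = -sum((a / N) * math.log(a / N, len(A)) for a in A)
    entropy = min(max(entropy, 0.0), 1.0)   # guard against float drift
    return entropy ** d


def feature_weights(packets, features, d=0.5):
    """Weight of every listed feature over a list of packet dicts."""
    return {f: feature_weight([p[f] for p in packets], d) for f in features}


# Constructed packets: TTL is spread out, source port is constant.
SAMPLE_PACKETS = [
    {"ttl": 64, "sport": 47808}, {"ttl": 64, "sport": 47808},
    {"ttl": 128, "sport": 47808}, {"ttl": 32, "sport": 47808},
]

if __name__ == "__main__":
    print(feature_weight(SAMPLE_TTL_VALUES, d=1.0))   # normalised entropy of the TTL counts
    print(feature_weights(SAMPLE_PACKETS, ["ttl", "sport"]))
```

A feature that takes the same value in every packet of the stream contributes nothing to telling sources apart, so it gets weight 0, while a feature spread evenly over its values gets weight 1 before the exponent is applied.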
Feature weight calculation (diagram slide; figure not reproduced in this text)
Similarity score
• Compares:
 ▪ The features in the packets from each source IP
  o Features represented as vectors of probabilities
  o Calculating distance between vectors
 ▪ Adding the scores for each feature together

Example of per-feature value counts for one source IP (from the slide):
 ttl: "32": 3, "64": 10, "128": 2, "256": 5
 source port: "80": 1, "102": 2, "502": 1, "8080": 1, …
 tcp_flags: "100000": 5, "110000": 2, "000000": 1, …
Calculating the similarity score

  s_i = w_i \times \left( 1 - \frac{1}{2} \sum_{j=1}^{|U|} \left( \frac{n_{1j}}{V_1} - \frac{n_{2j}}{V_2} \right)^{2} \right) \times \frac{\min(V_1, V_2)}{\max(V_1, V_2)}

• Similarity score between two nodes for a feature i
 ▪ s_i : similarity score for feature i
 ▪ w_i : weight of the i-th feature
 ▪ V_x = \sum_{j=1}^{|N_x|} n_{xj} (i.e. the total number of packets in node x)
 ▪ N_x : set of all different values for feature i in node x
 ▪ n_xj : number of occurrences of the value j in node x
 ▪ U = N_1 ∪ N_2
Calculating the similarity score
• Similarity score between the payloads of two nodes

  s_{payload} = w_{payload} \times \frac{\sum_{i=1}^{\min(|P_1|, |P_2|)} (b_{1i} == b_{2i})}{\max(|P_1|, |P_2|)}

 ▪ s_payload : similarity score for the payload feature
 ▪ w_payload : weight of the payload feature
 ▪ |P_x| : size of payload x
 ▪ b_xi : the i-th byte in P_x
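The two similarity scores from this slide and the previous one, as an added example that is not the authors' code: each node is a list of packet dicts, a header feature is turned into a probability vector over U = N_1 ∪ N_2, and the payload score counts matching bytes over the shorter payload and divides by the longer length. The feature weights are passed in (they come from the weight formula on the earlier slide). Two assumptions are the example's own: a node's payload is represented by its most common payload, and two empty payloads count as identical. The node contents are constructed.

```python
from collections import Counter


def feature_similarity(node1, node2, feature, weight):
    """s_i between two nodes (lists of packet dicts) for one header feature.

    Each node becomes a probability vector over U, the union of the values
    seen in either node. Half the squared Euclidean distance between the
    vectors lies in [0, 1]; the min/max ratio of the packet counts V_1, V_2
    penalises comparing a large node with a tiny one.
    """
    c1 = Counter(p[feature] for p in node1)   # n_1j for every value j
    c2 = Counter(p[feature] for p in node2)   # n_2j
    V1, V2 = sum(c1.values()), sum(c2.values())
    if V1 == 0 or V2 == 0:
        return 0.0
    U = set(c1) | set(c2)
    distance = 0.5 * sum((c1[j] / V1 - c2[j] / V2) ** 2 for j in U)
    return weight * (1.0 - distance) * min(V1, V2) / max(V1, V2)


def payload_similarity(p1, p2, weight):
    """s_payload: byte-wise agreement over the shorter payload, divided by the
    longer length, so the tail of the longer payload counts as mismatches."""
    longest = max(len(p1), len(p2))
    if longest == 0:
        return weight   # two empty payloads treated as identical (assumption)
    matches = sum(1 for a, b in zip(p1, p2) if a == b)
    return weight * matches / longest


def representative_payload(node):
    """Assumption of this example: a node is represented by its most common payload."""
    return Counter(p["payload"] for p in node).most_common(1)[0][0]


def node_similarity(node1, node2, weights):
    """Edge weight between two nodes: the per-feature scores added together."""
    total = 0.0
    for feature, w in weights.items():
        if feature == "payload":
            total += payload_similarity(representative_payload(node1),
                                        representative_payload(node2), w)
        else:
            total += feature_similarity(node1, node2, feature, w)
    return total


# Constructed nodes (packets from two source IPs) and constructed weights.
NODE_A = [
    {"ttl": 64, "sport": 47808, "payload": b"\x81\x0a\x00\x23"},
    {"ttl": 64, "sport": 47808, "payload": b"\x81\x0a\x00\x23"},
    {"ttl": 128, "sport": 47808, "payload": b"\x81\x0a\x00\x23"},
]
NODE_B = [
    {"ttl": 64, "sport": 47808, "payload": b"\x81\x0a\x00\x24\x01"},
    {"ttl": 64, "sport": 47808, "payload": b"\x81\x0a\x00\x24\x01"},
    {"ttl": 64, "sport": 47808, "payload": b"\x81\x0a\x00\x24\x01"},
]
WEIGHTS = {"ttl": 1.0, "sport": 0.5, "payload": 1.0}

if __name__ == "__main__":
    print(node_similarity(NODE_A, NODE_B, WEIGHTS))
```

For the constructed nodes the TTL vectors are (2/3, 1/3) and (1, 0), giving a distance of 1/9 and a TTL score of 8/9; the source port matches exactly and contributes its full weight; the payloads agree on 3 bytes out of a longest length of 5.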
Graph generation (diagram slide; figure not reproduced in this text)
Belonging degree & conductance

  B(u, C) = \frac{\sum_{v \in C} w_{uv}}{\sum_{x \in N_u} w_{ux}}

 ▪ B(u, C) : belonging degree between u and C
 ▪ C : set of nodes in the cluster
 ▪ u : node adjacent to C
 ▪ N_u : set of nodes neighboring u
 ▪ w_ux : weight of the edge between nodes u and x

  \Phi(C) = \frac{cut(C, G/C)}{w_C}

 ▪ \Phi(C) : conductance of C
 ▪ cut(C, G/C) : sum of the weights of edges between nodes in C and outside of C
 ▪ w_C : sum of the weights of all edges in C
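Both metrics computed on a small constructed similarity graph, as an added example (not the authors' code). The graph is an undirected adjacency dict whose edge weights stand for node similarity scores. The greedy growth step at the end is this example's own policy for how the two metrics can drive cluster formation; the slides define the metrics but do not spell out the growth procedure, so treat it as an assumption.

```python
def build_graph(edges):
    """Undirected weighted graph as adjacency dicts: graph[u][v] = w_uv."""
    graph = {}
    for u, v, w in edges:
        graph.setdefault(u, {})[v] = w
        graph.setdefault(v, {})[u] = w
    return graph


def belonging_degree(graph, u, C):
    """B(u, C): share of u's total edge weight that goes into the cluster C."""
    inside = sum(w for v, w in graph[u].items() if v in C)
    total = sum(graph[u].values())           # over N_u, the neighbours of u
    return inside / total if total else 0.0


def conductance(graph, C):
    """Phi(C) = cut(C, G/C) / w_C, with w_C the weight of the edges inside C."""
    cut = 0.0
    internal_twice = 0.0
    for a in C:
        for b, w in graph[a].items():
            if b in C:
                internal_twice += w   # each internal edge is seen from both ends
            else:
                cut += w
    w_c = internal_twice / 2
    return cut / w_c if w_c else float("inf")


def expand_cluster(graph, seed):
    """Greedy growth from a seed set (assumption of this example): add the
    adjacent node with the highest belonging degree while that lowers the
    conductance of the cluster; stop as soon as it would not."""
    C = set(seed)
    while True:
        candidates = {v for u in C for v in graph[u] if v not in C}
        if not candidates:
            return C
        best = max(candidates, key=lambda v: belonging_degree(graph, v, C))
        if conductance(graph, C | {best}) >= conductance(graph, C):
            return C
        C.add(best)


# Constructed graph: a, b, c are strongly similar sources; d, e are a separate
# pair with one weak link to c. Weights play the role of similarity scores.
SAMPLE_GRAPH = build_graph([
    ("a", "b", 0.9), ("a", "c", 0.8), ("b", "c", 0.85),
    ("c", "d", 0.2), ("d", "e", 0.9),
])

if __name__ == "__main__":
    print(belonging_degree(SAMPLE_GRAPH, "c", {"a", "b"}))
    print(conductance(SAMPLE_GRAPH, {"a", "b", "c"}))
    print(sorted(expand_cluster(SAMPLE_GRAPH, {"a", "b"})))
```

Starting from {a, b}, node c has belonging degree 1.65 / 1.85 and joining it drops the conductance from 1.65 / 0.9 to 0.2 / 2.55; adding d afterwards would raise it again (cut 0.9 over internal weight 2.75), so the cluster stops at {a, b, c} and the weakly linked pair d, e stays outside.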
Cluster formation (diagram slide; figure not reproduced in this text)
Campaign formation
• Pairwise comparison of nodes inside the cluster
 ▪ Calculating similarity score using secondary features (temporal characteristics)
 ▪ Removing outliers
Signature generation
• Building identifying signature
 ▪ Listing of all primary features
 ▪ Vector quantization of secondary features
  o Using hierarchical agglomerative clustering
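An added example of the two parts of signature generation (not the authors' implementation): the primary-feature listing keeps every header field whose value is shared by all packets in the cluster, and the secondary feature (here the packet interval) is quantized with a one-dimensional single-linkage agglomerative clustering. The merge threshold, the choice of single linkage, and picking the most populated level as the signature's interval are assumptions of the example; the cluster packets and interval values are constructed, with field values modelled on the BACnet signature shown in the results.

```python
from collections import Counter

# Primary header features kept in the signature (a subset of the slide's list).
PRIMARY_FEATURES = ["ihl", "tos", "total_length", "identification", "ttl", "sport"]


def primary_signature(packets):
    """Keep every primary feature whose value is identical in all packets."""
    signature = {}
    for feature in PRIMARY_FEATURES:
        values = {p[feature] for p in packets}
        if len(values) == 1:
            signature[feature] = values.pop()
    return signature


def agglomerative_levels(values, max_gap):
    """1-D single-linkage hierarchical agglomerative clustering.

    Every value starts as its own cluster; the two adjacent clusters with the
    smallest gap are merged until the smallest remaining gap exceeds max_gap.
    The cluster means are returned as the codebook used to quantize the feature.
    """
    clusters = [[v] for v in sorted(values)]
    while len(clusters) > 1:
        gap, i = min((clusters[k + 1][0] - clusters[k][-1], k)
                     for k in range(len(clusters) - 1))
        if gap > max_gap:
            break
        clusters[i:i + 2] = [clusters[i] + clusters[i + 1]]
    return [sum(c) / len(c) for c in clusters]


def quantize(value, levels):
    """Map a raw value to the nearest codebook level."""
    return min(levels, key=lambda level: abs(level - value))


def build_signature(packets, intervals_ms, max_gap_ms=20):
    """Primary-feature listing plus the quantized packet-interval feature."""
    signature = primary_signature(packets)
    levels = agglomerative_levels(intervals_ms, max_gap_ms)
    dominant = Counter(quantize(v, levels) for v in intervals_ms).most_common(1)[0][0]
    signature["packet_interval_levels_ms"] = levels
    signature["packet_interval_ms"] = dominant
    return signature


# Constructed cluster: three packets that agree on everything except the IP
# identification field, and eight inter-packet intervals in milliseconds.
CLUSTER_PACKETS = [
    {"ihl": 5, "tos": 72, "total_length": 77, "identification": 54321, "ttl": 254, "sport": 47808},
    {"ihl": 5, "tos": 72, "total_length": 77, "identification": 54321, "ttl": 254, "sport": 47808},
    {"ihl": 5, "tos": 72, "total_length": 77, "identification": 12345, "ttl": 254, "sport": 47808},
]
CLUSTER_INTERVALS_MS = [85, 87, 88, 86, 250, 255, 87, 900]

if __name__ == "__main__":
    print(build_signature(CLUSTER_PACKETS, CLUSTER_INTERVALS_MS))
```

With a 20 ms threshold the intervals collapse into three levels (about 86.6 ms, 252.5 ms and 900 ms); the first level holds five of the eight samples and becomes the interval recorded in the signature, while the identification field is dropped because one packet disagrees.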
RESULTS
ICS & IoT protocols
• Categorizes packets by source IP & protocol
• Retains traffic from ICS/IoT protocols

Protocol              Port(s)
FL-net                55000 to 55003
PROFINET              34962 to 34964
DNP3                  19999, 20000
GE-STRP               18245, 18246
MELSEC-Q              5006, 5007
Niagara Fox           1911, 4911
CODESYS               2455
Red Lion              789
ProConOS              20547
Zigbee                17754 to 17756
ICCP                  102
Siemens S7            102
IEC 60870-5-104       2404, 19998
Johnson Controls      11001
Modbus                502, 802
OMRON FINS            9600
PCWorx                1962
CoAP                  5683, 5684
EtherNet/IP           2036, 2221, 2222, 44818
BACnet                47808 to 47823
Emerson ROC           4000
EtherCAT              34980
Hart-IP               5094
Emerson ecmp          6160
Foundation Fieldbus   1090, 1091, 3622
OPC UA                4840, 4843
MQ Telemetry          1883
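The packet aggregation step from the classification overview, using this port table, as an added example that is not the authors' code: destination ports are mapped to the protocol names above (ranges included), packets on other ports are discarded, and the rest are grouped into nodes keyed by (source IP, protocol). Port 102 is listed for both ICCP and Siemens S7; joining the two names with a slash is this example's way of handling the shared port. The packets are constructed with documentation-range addresses.

```python
from collections import defaultdict

# Port table from the slide, written out as this example's data structure.
ICS_PORTS = {
    "FL-net": range(55000, 55004), "Modbus": [502, 802],
    "PROFINET": range(34962, 34965), "OMRON FINS": [9600],
    "DNP3": [19999, 20000], "PCWorx": [1962],
    "GE-STRP": [18245, 18246], "CoAP": [5683, 5684],
    "MELSEC-Q": [5006, 5007], "EtherNet/IP": [2036, 2221, 2222, 44818],
    "Niagara Fox": [1911, 4911], "BACnet": range(47808, 47824),
    "CODESYS": [2455], "Emerson ROC": [4000], "Red Lion": [789],
    "EtherCAT": [34980], "ProConOS": [20547], "Hart-IP": [5094],
    "Zigbee": range(17754, 17757), "ICCP": [102], "Emerson ecmp": [6160],
    "Siemens S7": [102], "Foundation Fieldbus": [1090, 1091, 3622],
    "IEC 60870-5-104": [2404, 19998], "OPC UA": [4840, 4843],
    "Johnson Controls": [11001], "MQ Telemetry": [1883],
}

# Inverted lookup: port -> list of protocol names (port 102 maps to two).
PORT_TO_PROTOCOLS = defaultdict(list)
for _name, _ports in ICS_PORTS.items():
    for _port in _ports:
        PORT_TO_PROTOCOLS[_port].append(_name)


def protocol_for_port(dport):
    """Protocol name(s) for a destination port, or None for a non-ICS port."""
    names = PORT_TO_PROTOCOLS.get(dport)
    return "/".join(names) if names else None


def aggregate_by_source_and_protocol(packets):
    """Group ICS/IoT packets into nodes keyed by (source IP, protocol)."""
    nodes = defaultdict(list)
    for packet in packets:
        protocol = protocol_for_port(packet["dport"])
        if protocol is None:
            continue               # not one of the monitored protocols
        nodes[(packet["src"], protocol)].append(packet)
    return dict(nodes)


# Constructed darknet packets (addresses from the documentation ranges).
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "dport": 47808, "ttl": 254},
    {"src": "203.0.113.5", "dport": 47809, "ttl": 254},   # still BACnet (range)
    {"src": "203.0.113.5", "dport": 502, "ttl": 254},
    {"src": "198.51.100.9", "dport": 502, "ttl": 64},
    {"src": "198.51.100.9", "dport": 22, "ttl": 64},      # not an ICS port: dropped
]

if __name__ == "__main__":
    for key, pkts in aggregate_by_source_and_protocol(SAMPLE_PACKETS).items():
        print(key, len(pkts))
```

Each resulting node is the unit that the later stages compare pairwise, so a single source probing two protocols yields two nodes rather than one.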
Legitimate organizations
• 3 legitimate research organizations
 ▪ Well-known research objective
 ▪ No effort to obfuscate their scans

Organization        Protocol      Packets
Kudelski Security   MQTT          3,176,785
                    Modbus        3,225,764
                    Niagara Fox   3,338,688
                    BACnet        3,186,966
Project Sonar       BACnet        1,408,866
                    MQTT          1,365,953
                    EtherNet/IP   749,032
                    CoAP          673,405
Censys              Modbus        14,546,546
                    DNP3          8,674,021
                    BACnet        14,472,089
                    Niagara Fox   11,027,247
                    S7 Comm       6,001,835
                    EtherNet/IP   41
Legitimate campaign signature
• Against the BACnet protocol
 ▪ Includes the entire darknet
 ▪ Conducted multiple times
  o Over a period of 9 months
 ▪ 242 source IPs involved

Stats
 Transport protocol: UDP
 Protocol: BACnet
 Destination port: 47808
 # of sources: 242
 # of destinations: Entire darknet
 # of packets: 5,562,890
 Start: 05-08-18, 20:59:52
 End: 02-19-19, 20:56:33

Signature
 Source port: 47808
 Identification: 54321
 ToS: 72
 TTL: 254
 IHL: 5
 Total length: 77
 IPv4 options: None
 Flags: None
 Fragment offset: 0
 Packet interval: 87 ms
 Packet/destination ratio: 1.0
 Destination overlap: 0.0
 Payload: 810a002301040005000e0c023fffff1e094b09780979092c090c094d0946091c093a1f
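What the signature's payload actually asks a device for is useful intelligence when attributing a campaign, so here is an added decoder for it (not the authors' code). It walks the BACnet/IP encoding from the ASHRAE 135 standard only as far as this one frame needs: the BVLC header, an NPDU without routing fields, a Confirmed-Request APDU, a context-tagged object identifier and a tagged list of property identifiers. The property and service names are the standard's numbering; the payload bytes are the ones in the signature table above, and the reading of instance 4194303 as the reserved "unconfigured" device instance is standard BACnet usage.

```python
# Payload from the signature table above.
SIGNATURE_PAYLOAD = bytes.fromhex(
    "810a002301040005000e0c023fffff1e094b09780979092c090c094d0946091c093a1f"
)

# Standard BACnet (ASHRAE 135) numbering for the identifiers this probe uses.
PROPERTY_NAMES = {
    12: "application-software-version", 28: "description", 44: "firmware-revision",
    58: "location", 70: "model-name", 75: "object-identifier", 77: "object-name",
    120: "vendor-name", 121: "vendor-identifier",
}
OBJECT_TYPES = {8: "device"}
SERVICES = {14: "readPropertyMultiple"}


def decode_bacnet_probe(payload):
    """Decode a BACnet/IP ReadPropertyMultiple request such as the one in the signature.

    Raises ValueError for anything outside the small subset of the encoding
    handled here, so unexpected probe variants are flagged instead of misread.
    """
    if len(payload) < 4 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    bvlc_function = payload[1]
    bvlc_length = int.from_bytes(payload[2:4], "big")
    if bvlc_length != len(payload):
        raise ValueError("BVLC length does not match payload size")
    if bvlc_function != 0x0A:
        raise ValueError("only Original-Unicast-NPDU is handled here")
    npdu_control = payload[5]                     # payload[4] is the NPDU version
    if npdu_control & 0x28:
        raise ValueError("NPDU routing fields (DNET/SNET) not handled here")
    pos = 6
    if payload[pos] >> 4 != 0:
        raise ValueError("not a Confirmed-Request APDU")
    invoke_id, service = payload[pos + 2], payload[pos + 3]
    pos += 4
    if payload[pos] != 0x0C:                      # context tag 0, length 4
        raise ValueError("expected object identifier tag")
    object_id = int.from_bytes(payload[pos + 1:pos + 5], "big")
    object_type, instance = object_id >> 22, object_id & 0x3FFFFF
    pos += 5
    if payload[pos] != 0x1E:                      # opening tag 1: property list
        raise ValueError("expected opening tag 1")
    pos += 1
    properties = []
    while payload[pos] != 0x1F:                   # until closing tag 1
        if payload[pos] != 0x09:                  # context tag 0, length 1
            raise ValueError("unsupported element in property list")
        prop = payload[pos + 1]
        properties.append(PROPERTY_NAMES.get(prop, f"property-{prop}"))
        pos += 2
    return {
        "service": SERVICES.get(service, f"service-{service}"),
        "invoke_id": invoke_id,
        "expecting_reply": bool(npdu_control & 0x04),
        "object_type": OBJECT_TYPES.get(object_type, f"type-{object_type}"),
        "instance": instance,
        # 4194303 (0x3FFFFF) is the reserved "unconfigured" instance, so any
        # device answers for its own device object without the sender knowing it
        "wildcard_instance": instance == 0x3FFFFF,
        "properties": properties,
    }


if __name__ == "__main__":
    for key, value in decode_bacnet_probe(SIGNATURE_PAYLOAD).items():
        print(f"{key}: {value}")
```

The decoded request reads nine identification properties (object identifier, vendor name and identifier, firmware and software versions, object and model name, description, location) from the wildcard device instance, which matches a discovery-style inventory scan rather than any attempt to write to the device; the same decoder applied to a campaign's payload gives a quick way to distinguish inventory probing from other service choices.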
Legitimate campaign date histogram (figure not reproduced in this text)
• Regular (weekly) traffic
• Several missing spikes of data, when the algorithm returned a false negative