Multi-stage attack detection and signature generation with ICS honeypots

Vasilomanolakis, Emmanouil; Srinivasa, Shreyas; Cordero, Carlos García; Mühlhäuser, Max

doi:10.1109/noms.2016.7502992

Cited by 45 publications

(19 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At the process level, faults are going to have the same characteristics as an attack as both are violating the normal procedure of the process. Labeled data can also be collected by simulating attacks using methods such as honeypots [39], simulations [40,41], or deep learning attack generation techniques [42]. While these are simulations of working ICS, they offer data that can be used to build an extra layer of protection for these systems.…”

Section: Discussionmentioning

confidence: 99%

FALCON: Framework for Anomaly Detection in Industrial Control Systems

et al. 2020

View full text Add to dashboard Cite

Industrial Control Systems (ICS) are used to control physical processes in critical infrastructure. These systems are used in a wide variety of operations such as water treatment, power generation and distribution, and manufacturing. While the safety and security of these systems are of serious concern, recent reports have shown an increase in targeted attacks aimed at manipulating physical processes to cause catastrophic consequences. This trend emphasizes the need for algorithms and tools that provide resilient and smart attack detection mechanisms to protect ICS. In this paper, we propose an anomaly detection framework for ICS based on a deep neural network. The proposed methodology uses dilated convolution and long short-term memory (LSTM) layers to learn temporal as well as long term dependencies within sensor and actuator data in an ICS. The sensor/actuator data are passed through a unique feature engineering pipeline where wavelet transformation is applied to the sensor signals to extract features that are fed into the model. Additionally, this paper explores four variations of supervised deep learning models, as well as an unsupervised support vector machine (SVM) model for this problem. The proposed framework is validated on Secure Water Treatment testbed results. This framework detects more attacks in a shorter period of time than previously published methods.

show abstract

Section: Discussionmentioning

confidence: 99%

FALCON: Framework for Anomaly Detection in Industrial Control Systems

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Vasilomanolakis et al [5] used bespoke ICS (Industrial Control System) honeypots in order to generate signatures of multi stage attacks by modeling each disparate protocol from the same host as a separate stage in the attack. For each of these stages, a signature is generated based upon characteristics of the network packet involved in the attack which is then used by Bro IDS 1 to evaluate the detection capabilities.…”

Section: Related Work a Threat Intelligencementioning

confidence: 99%

“…Recent literature [2]- [5] has identified the benefits of extracting attack characteristics from honeypots and generating signatures such that attacks in the same vein are prevented. While providing effective signatures for NIDSs (Network Intrusion Systems), this research does not consider events which transpire at a host level, and only provides signatures suitable for network based defense mechanisms.…”

Section: Introductionmentioning

confidence: 99%

Citrus: Orchestrating Security Mechanisms via Adversarial Deception

Mills

Race

Broadbent

2020

NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

“…A mobile ICS honeypot dubbed as HosTaGe, as demonstrated by Vasilomanolakis et al [28], is capable of emulating nuclear power plants, water distribution plants, etc. It is not unusual to set up a large and detailed decoy infrastructure to attract attackers and generate attack signatures [27]. Similar research and development efforts were conducted in the IoT realm.…”

Section: Related Workmentioning

confidence: 99%

Assessing Internet-wide Cyber Situational Awareness of Critical Sectors

Husák

Neshenko

Pour

et al. 2018

Proceedings of the 13th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

In this short paper, we take a first step towards empirically assessing Internet-wide malicious activities generated from and targeted towards Internet-scale business sectors (i.e., financial, health, education, etc.) and critical infrastructure (i.e., utilities, manufacturing, government, etc.). Facilitated by an innovative and a collaborative large-scale effort, we have conducted discussions with numerous Internet entities to obtain rare and private information related to allocated IP blocks pertaining to the aforementioned sectors and critical infrastructure. To this end, we employ such information to attribute Internet-scale maliciousness to such sectors and realms, in an attempt to provide an in-depth analysis of the global cyber situational posture. We draw upon close to 16.8 TB of darknet data to infer probing activities (typically generated by malicious/infected hosts) and DDoS backscatter, from which we distill IP addresses of victims. By executing week-long measurements, we observed an alarming number of more than 11,000 probing machines and 300 DDoS attack victims hosted by critical sectors. We also generate rare insights related to the maliciousness of various business sectors, including financial, which typically do not report their hosted and targeted illicit activities for reputation-preservation purposes. While we treat the obtained results with strict confidence due to obvious sensitivity reasons, we postulate that such generated cyber threat intelligence could be shared with sector/critical infrastructure operators, backbone networks and Internet service providers to contribute to the overall threat remediation objective. CCS CONCEPTS• Security and privacy → Network security; Intrusion/anomaly detection and malware mitigation; Denial-of-service attacks; KEYWORDS network security, network scanning, DDoS, critical infrastructure ARES

show abstract

Multi-stage attack detection and signature generation with ICS honeypots

Cited by 45 publications

References 11 publications

FALCON: Framework for Anomaly Detection in Industrial Control Systems

FALCON: Framework for Anomaly Detection in Industrial Control Systems

Citrus: Orchestrating Security Mechanisms via Adversarial Deception

Assessing Internet-wide Cyber Situational Awareness of Critical Sectors

Contact Info

Product

Resources

About