Online intrusion detection design and implementation for SCADA networks. Wang, Hongrui, 25 April 2017.
The standardization and interconnection of supervisory control and data acquisition (SCADA) systems has exposed the systems to cyber attacks. To improve the security of SCADA systems, intrusion detection system (IDS) design is an effective method. However, traditional IDS design in industrial networks mainly exploits predefined rules, which needs to be complemented and developed to adapt to the big data scenario. Therefore, this thesis aims to design a novel anomaly-based hierarchical online intrusion detection system (HOIDS) for SCADA networks based on machine learning algorithms theoretically, and to implement the theoretical idea of anomaly-based intrusion detection on a testbed. In the theoretical design of HOIDS, by utilizing the server-client topology while keeping clients distributed for global protection, a high detection rate is achieved with minimum network impact. We implement accurate models of normal-abnormal binary detection and multi-attack identification based on logistic regression and a quasi-Newton optimization algorithm using the Broyden-Fletcher-Goldfarb-Shanno approach. The detection system is capable of accelerating detection by information gain based feature selection or principal component analysis based dimension reduction. By evaluating our system using the KDD99 dataset and the industrial control system datasets, we demonstrate that our design is highly scalable, efficient and cost effective for securing SCADA infrastructures. Besides the theoretical IDS design, a testbed is modified and implemented for SCADA network security research. It simulates the working environment of SCADA systems with the functions of data collection and analysis for intrusion detection. The testbed is implemented to be more flexible and extensible compared to the existing related work on testbeds. In the testbed, the Bro network analyzer is introduced to support the research of anomaly-based intrusion detection. The procedures of both signature-based intrusion detection and anomaly-based intrusion detection using the Bro analyzer are also presented. Besides, a generic Linux-based host is used as the container of different network functions, and a human machine interface (HMI) together with the supervising network is set up to simulate the control center. The testbed does not implement a large number of traffic generation methods, but still provides useful examples of generating normal and abnormal traffic. Besides, the testbed can be modified or expanded in future work on SCADA network security.
Wireless Intrusion Detection System. Vigo, John Louis, Jr., 17 December 2004.
The decrease in price and the ease of use of wireless network devices make them an attractive alternative to standard wired networks. However, the intrinsic insecurity of wireless media and weaknesses in the standards for use of wireless media leave wireless networks vulnerable to attacks from unauthorized users. The intrinsic insecurity of wireless media results from radio signals extending beyond the network's intended coverage area, and the weaknesses in the standards result from the methods used for authorization and privacy. These insecurities restrict the use of wireless networks by entities that need a high level of security. This paper describes a Wireless Intrusion Detection System (WIDS) that provides additional security for 802.11b wireless networks. WIDS provides intrusion detection that can react to potential threats and locate an intruder through the use of intelligent access points equipped with rotating directional antennas.
Forecasting seasonal drawdowns in Whangamata town supply wells. Jelley, Neil, January 2007.
The coastal township of Whangamata's reticulated water supply is provided by a number of groundwater bores, extracting water from local fractured rhyolite and andesite aquifers. A need has arisen to create a greater understanding of the aquifers, because of an increased demand for water abstraction. Water demand in Whangamata increases dramatically during the summer vacation period. Occupant numbers increase from 4,000 up to 50,000 during peak times, resulting in increased water demand. Over the past five years an increase in groundwater abstraction has produced an evident downward trend in bore water levels. Electrical conductivity is also increasing in several aquifers, posing a realistic threat of sea water intrusion and questioning the sustainability of current abstraction volumes. Multiple linear regression and an artificial neural network model were investigated as simple empirical forecasting tools for well drawdowns to predict the effect of future increases in groundwater demand. This approach was adopted as opposed to a groundwater numerical model because of the poor time resolution of available data and the complex, fractured nature of the aquifer. By using pumping volumes as variables, seasonal bore water level variations and long term trends were predicted. The models were evaluated with independent validation data sets. The actual ability of a model to predict bore water level seasonal variation and long term trends was assessed using a comparison with a moving average of the validation data set. Multiple linear regression proved superior to the neural network in almost every bore modelled. Although neural networks proved capable of modelling seasonal bore water level variations, it was not to the same degree of accuracy as the regression approach. The regression approach yielded a modified index of agreement of 0.6-0.74 when comparing a moving average of observed data with the validation data sets. The developed models were used to forecast well water levels with varying abstraction volumes, aiming to prevent further long term decline in bore water levels.
Intrusion detection in mobile ad hoc networks. Sun, Bo, 29 August 2005.
Most existing protocols, applications and services for Mobile Ad Hoc Networks (MANETs) assume a cooperative and friendly network environment and do not accommodate security. Therefore, Intrusion Detection Systems (IDSs), serving as the second line of defense for information systems, are indispensable for MANETs with high security requirements. Central to the research described in this dissertation is the proposed two-level nonoverlapping Zone-Based Intrusion Detection System (ZBIDS), which fits the unique requirements of MANETs. First, in the low level of ZBIDS, I propose an intrusion detection agent model and present a Markov Chain based anomaly detection algorithm. Local and trusted communication activities such as routing table related features are periodically selected and formatted with minimum errors from raw data. A Markov Chain based normal profile is then constructed to capture the temporal dependency among network activities and accommodate the dynamic nature of raw data. A local detection model aggregating abnormal behaviors is constructed to reflect recent subject activities in order to achieve a low false positive ratio and a high detection ratio. A set of criteria to tune parameters is developed and the performance trade-off is discussed. Second, I present a nonoverlapping Zone-based framework to manage locally generated alerts from a wider area. An alert data model conforming to the Intrusion Detection Message Exchange Format (IDMEF) is presented to suit the needs of MANETs. Furthermore, an aggregation algorithm utilizing attribute similarity from alert messages is proposed to integrate security related information from a wider area. In this way, the gateway nodes of ZBIDS can reduce the false positive ratio, improve the detection ratio, and present more diagnostic information about the attack. Third, MANET IDSs need to consider mobility impact and adjust their behavior dynamically. I first demonstrate that nodes' moving speed, a commonly used parameter in tuning IDS performance, is not an effective metric for the performance measurement of MANET IDSs. A new feature, link change rate, is then proposed as a unified metric for local MANET IDSs to adaptively select normal profiles. Different mobility models are utilized to evaluate the performance of the adaptive mechanisms.
Buried fiber optic intrusion sensor. Maier, Eric William, 30 September 2004.
A distributed fiber optic intrusion sensor capable of detecting intruders from the pressure of their weight on the earth's surface was investigated in the laboratory and in field tests. The presence of an intruder above or in proximity to the buried sensor induces a phase shift in light propagating along the fiber, which allows for the detection and localization of intrusions. Through the use of an ultra-stable erbium-doped fiber laser and phase sensitive optical time domain reflectometry, disturbances were monitored in long (several km) lengths of optical fiber. Narrow linewidth and low frequency drift in the laser were achieved through a combination of optical feedback and insulation of the laser cavity against environmental effects. The frequency drift of the laser, characterized using an all-fiber Mach Zehnder interferometer, was found to be less than 1 MHz/min, as required for operation of the intrusion detection system. Intrusions were simulated in a laboratory setting using a piezoelectric transducer to produce a controllable optical phase shift at the 2 km point of a 12 km path length. Interrogation of the distributed sensor was accomplished by repetitively gating light pulses from the stable laser into the sensing fiber. By monitoring the Rayleigh backscattered light with a photodetector and comparing traces with and without an induced phase shift, the phase disturbances were detected and located. Once the feasibility of such a sensor was proven in the laboratory, the experimental setup was transferred to Texas A&M's Riverside Campus. At the test site, approximately 40 meters of fiber optic cable were buried in a triangle perimeter and then spliced into the 12 km path length, which was housed inside the test facility. Field tests were conducted, producing results comparable to those found in the laboratory. Intrusions over this buried fiber were detectable on the φ-OTDR trace and could be localized to the intrusion point. This type of sensor has the potential benefits of heightened sensitivity, covertness, and greatly reduced cost over the conventional seismic, acoustic, infrared, magnetic, and fiber optic sensors for monitoring long (multi-km) perimeters.
Leveling of the Curve of Spee in Deep Overbite Cases Treated with the Incognito™ Lingual Orthodontic Appliance System: A Cephalometric Study. Nardone, Jessica, 26 November 2012.
An excessive curve of Spee (COS) is a common orthodontic finding, particularly in patients with a deep overbite (OB). The purpose of this analysis was to evaluate COS leveling and OB correction in patients treated with Incognito™, a customized lingual appliance system. Pre- and post-treatment cephalometric radiographs were compared for 34 patients with a deep OB and excessive COS treated with Incognito™. The mean pre- and post-treatment COS was 1.78 mm (SD: 0.36 mm) and 0.37 mm (SD: 0.41 mm) respectively, indicating a significant amount of leveling (-1.41 mm, SD: 0.49 mm, p<0.001). The mean pre- and post-treatment OB was 5.80 mm (SD: 1.26 mm) and 2.91 mm (SD: 0.86 mm) respectively, demonstrating a significant reduction in OB (-2.89 mm, SD: 1.27 mm, p<0.001). COS and OB correction was accomplished by incisor proclination, and a greater (but not significantly different) amount of mandibular incisor intrusion versus premolar and molar extrusion.
Misconfiguration Analysis of Network Access Control Policies. Tran, Tung, 16 February 2009.
Network access control (NAC) systems have a very important role in network security. However, NAC policy configuration is an extremely complicated and error-prone task due to the semantic complexity of NAC policies and the large number of rules that could exist. This significantly increases the possibility of policy misconfigurations and network vulnerabilities. NAC policy misconfigurations jeopardize network security and can result in severe consequences such as reachability and denial of service problems. In this thesis, we choose to study and analyze the NAC policy configuration of two significant network security devices, namely, firewall and IDS/IPS.

In the first part of the thesis, a visualization technique is proposed to visualize firewall rules and policies to efficiently enhance the understanding and inspection of firewall configuration. This is implemented in a tool called PolicyVis. Our tool helps the user to answer general questions such as "Does this policy satisfy my connection/security requirements?" If not, the user can detect all misconfigurations in the firewall policy.

In the second part of the thesis, we study various policy misconfigurations of Snort, a very popular IDS/IPS. We focus on the misconfigurations of the flowbits option, which is one of the most important features offering a stateful signature-based NIDS. We particularly concentrate on a class of flowbits misconfiguration that makes Snort susceptible to false negatives. We propose a method to detect the flowbits misconfiguration, suggest practical solutions with controllable false positives to fix the misconfiguration, and formally prove that the solutions are complete and sound.
A Collaborative Architecture for Distributed Intrusion Detection System based on Lightweight Modules. Zaman, Safaa, 02 July 2009.
A variety of intrusion prevention techniques, such as user authentication (e.g., using passwords), avoidance of programming errors, and information protection, have been used to protect computer systems. However, intrusion prevention alone is not sufficient to protect our systems, as those systems become ever more complex with the rapid growth and expansion of Internet technology and local network systems. Moreover, programming errors, firewall configuration errors, and ambiguous or undefined security policies add to the system's complexity. An Intrusion Detection System (IDS) is therefore needed as another layer to protect computer systems. The IDS is one of the most important techniques of information dynamic security technology. It is defined as a process of monitoring the events occurring in a computer system or network and analyzing them to differentiate between normal activities of the system and behaviours that can be classified as suspicious or intrusive.

Current Intrusion Detection Systems have several known shortcomings, such as: low accuracy (registering high False Positives and False Negatives); low real-time performance (processing a large amount of traffic in real time); limited scalability (storing a large number of user profiles and attack signatures); an inability to detect new attacks (recognizing new attacks when they are launched for the first time); and weak system-reactive capabilities (efficiency of response). This makes the area of IDS an attractive research field. In recent years, researchers have investigated techniques such as artificial intelligence, autonomous agents, and distributed systems for detecting intrusion in network environments. This thesis presents a novel IDS distributed architecture – Collaborative Distributed Intrusion Detection System (C-dIDS), based on lightweight IDS modules – that integrates two main concepts in order to improve IDS performance and scalability: lightweight IDS and collaborative architecture.

To accomplish the first concept, lightweight IDS, we apply two different approaches: a feature selection approach and an IDS classification scheme. In the first approach, each detector (IDS module) uses smaller amounts of data in the detection process by applying a novel feature selection approach called the Fuzzy Enhanced Support Vector Decision Function (Fuzzy ESVDF). This approach improves the system scalability in terms of reducing the number of needed features without degrading the overall system performance. The second approach uses a new IDS classification scheme. The proposed IDS classification scheme employs multiple specialized detectors in each layer of the TCP/IP network model. This helps collect efficient and useful information for dIDS, increasing the system's ability to detect different attack types and reducing the system's scalability.

The second concept uses a novel architecture for dIDS called Collaborative Distributed Intrusion Detection System (C-dIDS) to integrate these different specialized detectors (IDS modules) that are distributed on different points in the network. This architecture is a single-level hierarchy dIDS with a non-central analyzer. To make the detection decision for a specific IDS module in the system, this module must collaborate with the previous IDS module (host) in the lower level of the hierarchy only. Collaborating with other IDS modules improves the overall system accuracy without creating a heavy system overload. Also, this architecture avoids both single-point-of-failure and scalability-bottleneck problems.

Integration of the two main concepts, lightweight IDS and a distributed collaborative architecture, has shown very good results and has addressed many IDS limitations.
Algorizmi: A Configurable Virtual Testbed to Generate Datasets for Offline Evaluation of Intrusion Detection Systems. Ali, Karim, January 2010.
Intrusion detection systems (IDSes) are an important security measure that network administrators adopt to defend computer networks against malicious attacks and intrusions. The field of IDS research includes many challenges. However, one open problem remains orthogonal to the others: IDS evaluation. In other words, researchers have not yet succeeded in agreeing on a general systematic methodology and/or a set of metrics to fairly evaluate different IDS algorithms. This leads to another problem: the lack of an appropriate IDS evaluation dataset that satisfies the common research needs. One major contribution in this area is the DARPA dataset offered by the Massachusetts Institute of Technology Lincoln Lab (MIT/LL), which has been extensively used to evaluate a number of IDS algorithms proposed in the literature. Despite this, the DARPA dataset received a lot of criticism concerning the way it was designed, especially concerning its obsoleteness and inability to incorporate new sorts of network attacks.

In this thesis, we survey previous research projects that attempted to provide a system for IDS offline evaluation. From the survey, we identify a set of design requirements for such a system based on the research community's needs. We then propose Algorizmi as an open-source configurable virtual testbed for generating datasets for offline IDS evaluation. We provide an architectural overview of Algorizmi and its software and hardware components. Algorizmi provides its users with tools that allow them to create their own experimental testbed using the concepts of virtualization and cloud computing. Algorizmi users can configure the virtual machine instances running in their experiments, select what background traffic those instances will generate and what attacks will be launched against them. At any point in time, an Algorizmi user can generate a dataset (network traffic trace) for any of her experiments so that she can use this dataset afterwards to evaluate an IDS the same way the DARPA dataset is used.

Our analysis shows that Algorizmi satisfies more requirements than previous research projects that target the same research problem of generating datasets for IDS offline evaluation. Finally, we prove the utility of Algorizmi by building a sample network of machines and generating both background and attack traffic within that network. We then download a snapshot of the dataset for that experiment and run it against the Snort IDS. Snort successfully detected the attacks we launched against the sample network. Additionally, we evaluate the performance of Algorizmi while processing some of the common usages of a typical user based on 5 metrics: CPU time, CPU usage, memory usage, network traffic sent/received and execution time.