Network Monitoring on Large Networks

Wei, Chuan-pi

06 July 2004

There seems to be more security events happening on the network nowadays, so the administrators have to be able to find the malicious activities in progress as soon as possible in order to launch effective and efficient countermeasures. The Network administrators need to monitor the networks through collecting real time traffic measurement data on their networks, but they might find that the data gathered seems to be too little or too much detail. SNMP-based tools traditionally adopted most often give too little. However, packet sniffing tools investigate too much, so that the performance is sacrificed, especially on a large network with heavy traffic. Flows are defined as a series of packets traveling between the two communicating end hosts. Flow profiling functionality is built into most networking devices today, which efficiently provide the information required to record network and application resource utilization. Flow strikes a balance between detail and summary. NetFlow is the de facto standard in flow profiling. We introduce¡A describe¡Aand investigate its features, advantages, and strengths. Many useful flow-related tools are freely available on the Internet. A mechanism is proposed to make use of the flow logs to monitor the network effectively and efficiently. Through verification, it is believed that using flow logs can benefit the network administrator so much. The administrators can use them for timely monitoring, DoS and worm propagation detection, forensics et al.

NetFlow

worm propagation

flow profiling

network monitoring

DoS

security forensics

Identifying and analysing forensic artefacts of specific attacks on a Programmable Logic Controller / Identifiera och analysera kriminaltekniska artefakter för specifika attacker på en Programmerbar Logisk Styrenhet

Forsberg, Rebecka

January 2022

In Industrial Computer Systems, Programmable Logic Controllers (PLCs) are essential components since they control physical processes. Altering these could have enormous consequences as they can control processes in nuclear plants, gas pipelines and water supplies. Over the years, PLCs have become more and more connected since it facilitates their configuration and programming remotely. More connected does also means that they could be more vulnerable to attacks. Therefore, it would be desirable to be able to do a forensic investigation and interpret the artefacts if an incident happens, especially since PLCs control such vital functions. There exists little research about this area, but it does not discuss how to evaluate or interpret possible artefacts forensic investigation could reveal. This thesis aims to answer what artefacts are left in the system after two specific attacks. The result showed that some artefacts is left. One of the attacks does not leave so much specific artefacts that one could conclude how the attack happened, but for the other one, it was possible to conclude how they got remote access to the system. However, these artefacts were possible to cover up by deleting the IP address that was added in order to get remote access to the system. In other words, the only persistent artefacts left in the system after the attacks and cover-ups was metadata about created, modified, and removed files. Future work would be to expand and include more attacks to get a better overview of the overall forensic abilities of the PLC. / I industriella datorsystem är PLC (Programmable Logic Controllers) viktiga komponenter eftersom de styr fysiska processer. Att ändra dessa kan få enorma konsekvenser eftersom de kan styra processer i kärnkraftverk, gasledningar och vattenförsörjning. Under årens lopp har PLC:er blivit mer och mer uppkopplade eftersom det underlättar deras konfiguration och programmering på distans. Mer uppkopplade betyder också att de kan vara mer sårbara för attacker. Därför vore det önskvärt att kunna göra en kriminalteknisk undersökning och tolka bevisningen om en incident inträffar, särskilt eftersom PLC:er kontrollerar sådana vitala funktioner. Det finns lite forskning om detta område, men den diskuterar inte hur man ska utvärdera eller tolka eventuella bevis som den kriminalteknisk undersökningen kan avslöja. Denna avhandling syftar till att svara på vilka artefakter som finns kvar i systemet efter två specifika attacker. Resultatet visade att en del bevis finns kvar. En av attackerna lämnar inte så mycket specifika bevis att man kunde dra slutsatsen hur attacken gick till, men för den andra gick det att dra slutsatsen hur de fick fjärråtkomst till systemet. Dessa artefakter var dock möjliga att dölja genom att radera IP-adressen som lades till för att få fjärråtkomst till systemet. Med andra ord, det enda ihållande bevisningen som fanns kvar i systemet efter attackerna och mörkläggningarna var metadata om skapade, modifierade och borttagna filer. Framtida arbete skulle vara att expandera och inkludera fler attacker för att få en bättre överblick över PLC:s övergripande forensiska förmågor.

Industrial Cyber Security forensics

Programmable Logic Controller

Forensic analysis

Artefacts

Forensic readiness

Industriell cybersäkerhet forensik

Programmerbar logikkontroller

Forensik analys

Artefakter

Forensisk mogenhet

Computer Sciences

Datavetenskap (datalogi)