Generating Datasets Through the Introduction of an Attack Agent in A


Linköping University | Department of Computer and Information Science
Master's thesis, 30 ECTS | Computer Engineering
2021 | LIU-IDA/LITH-EX-A--2021/013--SE

Generating Datasets Through the Introduction of an Attack Agent in a SCADA Testbed
A methodology of creating datasets for intrusion detection research in a SCADA system using IEC-60870-5-104

Swedish title: How a SCADA test environment running the IEC-60870-5-104 protocol under attack can produce data for use in network-based intrusion detection systems

August Fundin
Supervisor: Chih-Yuan Lin
Examiner: Simin Nadjm-Tehrani

Linköpings universitet, SE-581 83 Linköping, +46 13 28 10 00, www.liu.se

Copyright (Swedish notice, translated)
This document is made available on the Internet, or its future replacement, for 25 years from the date of publication, provided that no extraordinary circumstances arise. Access to the document implies permission for anyone to read, download and print single copies for personal use, and to use it unchanged for non-commercial research and for teaching. Transfer of the copyright at a later date cannot revoke this permission. All other use of the document requires the consent of the author. Technical and administrative measures are in place to guarantee authenticity, security and accessibility. The author's moral rights include the right to be named as the author, to the extent required by good practice, when the document is used in the manner described above, as well as protection against the document being altered or presented in a form or context that is offensive to the author's literary or artistic reputation or integrity. For further information about Linköping University Electronic Press, see the publisher's website http://www.ep.liu.se/.
Copyright
The publishers will keep this document online on the Internet, or its possible replacement, for a period of 25 years starting from the date of publication, barring exceptional circumstances. The online availability of the document implies permanent permission for anyone to read, to download, or to print out single copies for his/her own use and to use it unchanged for non-commercial research and educational purposes. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional upon the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility. According to intellectual property law, the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement. For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its www home page: http://www.ep.liu.se/.

© August Fundin

Abstract
In December 2015 a power outage was caused by a hacking attack in Ukraine. This further highlighted the ongoing increase of attacks on critical infrastructure and the vulnerabilities of the aging industrial control systems governing it. Supervisory Control and Data Acquisition (SCADA) is an example of such a system. Studying the intrusion of adversaries and anomalies in SCADA systems is no easy feat. Administrators of SCADA systems rarely share data, as they risk having their weaknesses exposed. Hence, datasets containing this data need to be acquired through other means. In this study, a SCADA testbed simulating a real-world counterpart was used to create datasets for intrusion detection. As the testbed had no previously documented attacks, this study also investigated how the testbed reacted to generated attacks.
This study focused on attacks on the communication protocol IEC-60870-5-104. The chosen approach to obtain datasets was to construct a so-called attack-bot, generating attacks during scenarios in which network traffic was recorded. After a scenario, a user has access to labeled network traffic, ready to be used when training intrusion detection systems. This kind of data is traditionally challenging to create: there are few publicly available testbeds of sufficient quality, and generating data without a testbed comes with a whole set of difficulties. The results illustrate how this study's approach can generate high-quality data with rather small effort.

Acknowledgments
I would like to thank Chih-Yuan Lin and Simin Nadjm-Tehrani, my supervisor and my examiner, for the guidance as well as the valuable feedback and discussions for the duration of my work. I would like to follow that up with a hearty thanks to Erik Westring, Peter Andersson and Tommy Gustafsson at FOI for aiding me with RICS-el. And finally, thanks to all of you who gave me much needed encouragement when I needed it!

Contents
Abstract
Acknowledgments
Contents
List of Figures
List of Tables
Abbreviations
1 Introduction
  1.1 Motivation
  1.2 Aim
  1.3 Research Questions
  1.4 Delimitations
  1.5 Thesis Outline
2 Background
  2.1 SCADA
  2.2 IEC-60870-5-104
  2.3 SCADA Vulnerabilities
  2.4 SCADA Exploits
  2.5 RICS-el
3 Related Work
  3.1 Dataset Generation
  3.2 Attack Types and Attack Evaluation
4 Methodology of Dataset Generation
  4.1 Attack-Bot Implementation
  4.2 Experiment Setup
  4.3 Dataset Generation Workflow
5 Attack Generation in RICS-el
  5.1 Attack Model
  5.2 Attack Scenario Implementation
6 Method of Evaluation
  6.1 Dataset Requirements
  6.2 Evaluation of Datasets Requirements
  6.3 Attack Impact Evaluation
7 Results and Evaluations
  7.1 Impact of Attacks
  7.2 Created Datasets
  7.3 Review of Requirements
8 Discussion
  8.1 Results
  8.2 Method
  8.3 Sources
  8.4 The Work in a Wider Context
9 Conclusion
  9.1 Dataset Creation in RICS-el
  9.2 Attack Generation in RICS-el
  9.3 Future Work
A Appendix: Attack-Bot Configurations
  A.1 List of Flags
  A.2 Configfile Options
B Appendix: Attack-Code Template
Bibliography

List of Figures
2.1 An overview of SCADA
2.2 APDU with fixed and variable length
2.3 APCI control field formats
2.4 Information contained in an ASDU
2.5 Overview of RICS-el
2.6 Interactions between bots and SCADA in RICS-el
4.1 Network configuration in the experiment setup
4.2 The attack-bot in RICS-el's dataflow
4.3 The dataset generation workflow
4.4 Running scheduled attack scenarios
4.5 Flowchart of iterative dataset evaluation

List of Tables
2.1 Common ASDU functions in RICS-el
5.1 Overview of implemented attack-scenarios
5.2 IP addresses of IEC-104 devices
6.1 Attack success criteria
7.1 Result of the scanning attack
7.2 Results of the DoS attacks
7.3 Results of the sequence attack
7.4 Results of the MitM attacks
7.5 Result of the replay attack
7.6 Results of the injection attacks
7.7 Recorded datasets
7.8 Operator actions in each scenario
A.1 List of flags

Abbreviations
APCI Application Protocol Control Information.
APDU Application Protocol Data Unit.
ARP Address Resolution Protocol.
ASDU Application Service Data Unit.
CoT Cause of Transmission.
CSV Comma Separated Values.
DMZ Demilitarized Zone.
DoS Denial-of-Service.
FOI Swedish Defence Research Agency.
HMI Human-Machine-Interface.
ICMP Internet Control Message Protocol.
ID Identity.
IDS Intrusion Detection System.
IE Information Element.
IEC International Electrotechnical Commission.
IEC-104 IEC-60870-5-104.
IO Information Object.
IOA Information Object Address.
IP Internet Protocol.
IT Information Technology.
ITF Invalid Time Flag.
LAN Local Area Network.
MitM Man-in-the-Middle.
NIDS Network Intrusion Detection System.
NSTB National SCADA Test Bed.
NTP Network Time Protocol.
ORG Originator Address.
OT Operation Technology.
pcap Packet Capture.
PLC Programmable Logic Controllers.
RICS Resilient Information and Control Systems.
RTT Round-Trip Time.
RTU Remote Terminal Units.
S3 SUTD Security Showdown.
SCADA Supervisory Control and Data Acquisition.
SQ Structure Qualifier.
SSH Secure Shell.
STARTDT Start Data Transfer.
STOPDT Stop Data Transfer.
SUTD Singapore University of Technology and Design.
TCP Transmission Control Protocol.
TCP/IP Internet protocol suite.
TESTFR Test Frame.
TTL Time To Live.
VM Virtual Machine.
VPN Virtual Private Network.
WAN Wide Area Network.

1 Introduction
SCADA is a control system that encompasses both devices interfacing with physical machinery and computers of geographically distributed critical infrastructure, such as power grids. Organizations managing power grids need SCADA systems to control and monitor safe and reliable operations [10].

SCADA systems and their protocols were previously used in isolated networks with proprietary solutions. However, this has changed over the last decades. Components are now standardized instead of specialized, to improve maintainability. Instead of proprietary software, more publicly known software is used to ease the integration of systems. Connections between SCADA networks and the organization's corporate networks have been added. These changes have made SCADA systems easier to operate, but at the same time they have also made SCADA systems more vulnerable. The connections to the corporate network open new ways for intruders to penetrate the system, and the devices and protocols that thereby become exposed often have known vulnerabilities [10].

Cyberattacks targeting SCADA systems are undeniably happening in today's society. The power grid cyberattack in Ukraine in December 2015 is believed to be the first example of a power outage deliberately caused by a hacking attack [25]. Since then, there has been an increase in reports of attacks on SCADA systems with malicious intent [41, 29]. Security researchers need to find ways of detecting anomalies and intrusions in SCADA systems.