2014 IEEE International Conference on Systems, Man, and Cybernetics October 5-8, 2014, San Diego, CA, USA
Intrusion Detection System using Honey Token based Encrypted Pointers to Mitigate Cyber Threats for Critical Infrastructure Networks
Muhammad Kamran Asif
Yahya Subhi Al-Harthi
Department of Electrical Engineering, King Saud University, Riyadh, Kingdom of Saudi Arabia
Abstract - Recent advancements in cyberspace pose a greater threat to the security of critical infrastructure than ever before. The scale of damage that well-planned cyber-attacks could do to these infrastructures is enormous. Most research on the security of critical infrastructures focuses on conventional security measures. In this paper, we design an Intrusion Detection System (IDS) based on the novel approach of Honey Token based Encrypted Pointers to protect critical infrastructure networks from cyber-attacks, particularly from zero day cyber threats. The honey tokens inside a frame serve as a trap for the attacker. All nodes operating within the working domain of a critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is provided with a different level of security within the network: the IDS uses a different number of Honey Tokens (HT) per frame for each pool, and each pool uses a different encryption scheme (AES-128, AES-192 or AES-256). We use a critical infrastructure network of 64 nodes for our simulations and analyze the performance of the IDS in terms of True Positive and False Negative alarms. Finally, we test the IDS through Network Penetration Testing (NPT): the 64-node critical infrastructure network is placed directly under zero day cyber-attacks and the behavior of the IDS is analyzed under these realistic conditions. The IDS is designed so that it not only detects intrusions but also recovers the entire zero day attack using a reverse engineering approach.
Keywords— Intrusion Detection System; Cyber Threats; Zero Day Attacks; Critical Infrastructure Networks; Information Security; Honey Token; Encrypted Pointers; Industrial Networks; Distributed Sensor Networks; Industrial Communication Protocol; DNP3; Cyber Security; Cyber Space; SCADA Command and Control System; Cyber Warfare; Intelligence Infrastructure; Information Infrastructure.
978-1-4799-3840-7/14/$31.00 ©2014 IEEE

I. INTRODUCTION
In today's world we depend on cyberspace much more than ever before. During the last two decades the internet has grown exponentially and has become part of our everyday life. Our national critical infrastructure networks use cyberspace to run their operations successfully and efficiently. Electric power grid networks, water supply systems, nuclear power plants, air traffic control systems and other critical infrastructures continuously face the threat of cyber-attacks that are well planned and sometimes backed by other nation states, so the protection of these networks, which are very high value national assets, requires new standards of cyber security [1]. In the last few years we saw major cyber-attacks that were well planned and specifically designed to target critical infrastructure sensor networks; the most well-known among them is "Stuxnet", known as the first cyber weapon, which was designed to target Iranian nuclear facilities and whose impact was massive. Beyond Stuxnet, one of the biggest challenges is zero day attacks: attacks that can easily bypass traditional signature based intrusion detection systems and, if they penetrate successfully, damage our networks to a huge extent. Today we face enormous challenges in cyber security, particularly in critical infrastructure networks and Cyber Physical Systems (CPS), and we need a new approach to improve our existing detection capabilities [2-4]. Our approach to IDS is novel and simple: we use honey token based encrypted pointers for the detection of zero-day attacks. We embed honey tokens inside a frame, and an encrypted pointer keeps a record of the locations of all these honey tokens. This encrypted pointer is sent to the destination within the same frame in which the honey token packets were embedded. At the receiver side we extract all the honey tokens from the frame with the help of the encrypted pointer and correlate them with the database of honey tokens already present at every Remote Terminal Unit (RTU) to verify whether any changes were made to them.

II. CRITICAL INFRASTRUCTURE NETWORKS
Critical infrastructure is the term mostly used for those national assets which are essential for the operational stability of the economy and society, and without which there is no concept of running a nation state successfully in the 21st century.
In today's modern times all these critical infrastructure operations run using smart and sophisticated networks called critical infrastructure networks. There are a large number of these critical infrastructures, but the most common are as follows.
• Electric Power Grid.
• Oil and Gas Sector.
• Nuclear Power Plants.
• Water Supply Systems.
• Air Traffic Control Systems.
• Water Treatment Plants.
• Railway Traffic Systems.
• Industrial Manufacturing.
Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands from its Master Terminal Unit (MTU) for conducting proper operations [5-9]. The common topology of a critical infrastructure sensor network is shown in Figure 1.
[Figure 1: SCADA MTU connected through the IDS to the RTUs; the RTUs connect sensors, actuators etc.]
Fig. 1. Critical Infrastructure Network Topology
The SCADA system is connected with a network of routing nodes commonly known as Remote Terminal Units (RTUs), and sensors are connected with the RTUs. The IDS shown in Figure 1 is a Network based Intrusion Detection System (NIDS) and thus serves the entire critical infrastructure sensor network with its security services.

III. DNP3 - SYNTHETIC TRAFFIC GENERATOR
Distributed Network Protocol-3 (DNP3) is a set of communications protocols used between components in process automation systems. It is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control software [10]. Our approach to solving the problem is very simple: we generate DNP3 synthetic traffic, and for this we designed a DNP3 traffic generator capable of producing millions of DNP3 packets. The frame structure of a DNP3 packet is shown in Figure 2. At the start of the packet we have the data link layer information, which includes start bytes, length bytes, control bytes, destination address, source address and CRC (Cyclic Redundancy Check) bytes for the data link layer; after this we have the transport layer and application layer headers. At the end we have the data area, which holds the actual data (payload), and the object header, which carries the control information associated with this data area. The object header contains the fields of function control bytes, internal information bytes, object type bytes, variation bytes, qualifier bytes, range bytes, data object bytes and CRC bytes.
[Figure 2: DataLink Layer | Transport Layer | Application Layer | Data Area (Object Header, Data)]
Fig. 2. DNP3 Packet Structure
Although DNP3 was designed as a reliable protocol, it was not designed as a secure protocol. It is vulnerable to attacks designed to disrupt control system operations and disable critical infrastructure networks, so an enhanced level of security, in the form of an IDS, is required to protect assets as important as critical infrastructure networks. The honey tokens used by the IDS are normal DNP3 packets generated using the same synthetic traffic generator, and these honey token packets are similar to real DNP3 packets.

IV. HONEYTOKEN BASED ENCRYPTED POINTERS
Our approach to IDS uses a technique called Honey Token based Encrypted Pointers. Honey tokens are artificial digital data items planted deliberately into a genuine system resource in order to detect unauthorized attempts to use or disrupt the original information [11-15]. Honey tokens are characterized by properties which make them appear as genuine data items. The honey tokens used by the IDS are normal DNP3 packets planted deliberately into a frame in order to detect a cyber-attack. We generate these honey tokens once at the start of the simulation and build their encrypted database. All the Remote Terminal Units (RTUs) in the critical infrastructure network hold a copy of this encrypted honey token database, which they later use for comparison and correlation of honey tokens at the RTU to detect any changes made to the frame by the attacker during transmission from the Master Terminal Unit (MTU) to the RTU. The transmission frame consists of a total of N packets; the IDS uses the length of N-1 packets as the process length. In other words, the IDS embeds honey tokens in the real traffic at random locations and builds strings of length N-1. The process length of the frame is as shown in Figure 3.
[Figure 3: packets 1, 2, 3, ..., N-1 of the frame]
Fig. 3. Process Length for Transmission Frame
The last, N-th packet contains the locations of all the honey tokens which were embedded earlier in the process length of the frame by the IDS. This last, N-th packet is known as the pointer of the frame, and after encryption it becomes an Encrypted Pointer (EP). The pointer itself is also a normal DNP3 packet, and all the locations of the honey tokens are stored inside the payload area of this N-th packet, where any empty space in the payload area is filled using a zero padding technique. Figure 4 shows that after inserting the locations of all the honey tokens inside the payload area of the N-th packet, the empty spaces are filled using zero padding.
[Figure 4: pointer payload = START | Location HT-1 | Location HT-2 | Location HT-3 | Location HT-4 | 0 | 0 | 0 (Zero Padding); surrounding labels: Traffic Generator, HT Generator, Transmission]
Fig. 4. Pointer Structure
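Both the real traffic and the honey tokens of Section IV are DNP3 packets, so here is an encoder and a checking parser for the data link layer of Figure 2, written in Go as an added example; it is not the paper's MATLAB generator and every identifier (LinkFrame, Encode, Decode, crcDNP, put16) is my own. It assumes user data of at most 250 bytes so the length byte does not overflow, keeps the transport header, application header and data area opaque inside the user data, and uses CRC-16/DNP, the CRC the DNP3 link layer specifies.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// crcDNP is CRC-16/DNP (poly 0x3D65, bit-reflected, result inverted), the CRC carried by the data link layer.
func crcDNP(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0xA6BC*(crc&1) // 0xA6BC is 0x3D65 bit-reversed, applied only when the low bit is set
		}
	}
	return ^crc
}

// LinkFrame is the data link layer view of Fig. 2; the transport header, application header and data area travel inside UserData.
type LinkFrame struct{ Control byte; Dest, Source uint16; UserData []byte }

func put16(b []byte, v uint16) []byte { return append(b, byte(v), byte(v>>8)) } // DNP3 fields are little-endian

// Encode emits 05 64, length, control, destination, source and the header CRC, then the user data in blocks of at
// most 16 bytes, each followed by its own CRC. The length byte counts control, addresses and user data, not CRCs.
func (f LinkFrame) Encode() []byte {
	out := []byte{0x05, 0x64, byte(5 + len(f.UserData)), f.Control}
	out = put16(put16(out, f.Dest), f.Source)
	out = put16(out, crcDNP(out))
	for data := f.UserData; len(data) > 0; {
		n := len(data)
		if n > 16 {
			n = 16
		}
		out = put16(append(out, data[:n]...), crcDNP(data[:n]))
		data = data[n:]
	}
	return out
}

// Decode parses one frame, checking the start bytes, the length field and every CRC. A CRC mismatch only reveals
// corruption: an attacker who rewrites a frame simply recomputes the CRCs, which is what the IDS must detect.
func Decode(raw []byte) (f LinkFrame, err error) {
	if len(raw) < 10 || raw[0] != 0x05 || raw[1] != 0x64 || raw[2] < 5 {
		return f, errors.New("missing 05 64 start bytes, bad length byte or truncated header")
	}
	if binary.LittleEndian.Uint16(raw[8:]) != crcDNP(raw[:8]) {
		return f, errors.New("header CRC mismatch")
	}
	f.Control, f.Dest, f.Source = raw[3], binary.LittleEndian.Uint16(raw[4:]), binary.LittleEndian.Uint16(raw[6:])
	for rest := raw[10:]; len(f.UserData) < int(raw[2])-5; {
		n := int(raw[2]) - 5 - len(f.UserData) // user data bytes still owed by the length field
		if n > 16 {
			n = 16
		}
		if len(rest) < n+2 || binary.LittleEndian.Uint16(rest[n:]) != crcDNP(rest[:n]) {
			return f, errors.New("truncated data block or data block CRC mismatch")
		}
		f.UserData = append(f.UserData, rest[:n]...)
		rest = rest[n+2:]
	}
	return f, nil
}
```

A failed CRC only reveals corruption: a frame rewritten with recomputed CRCs parses cleanly, which is why the paper layers honey tokens and an encrypted pointer on top of DNP3.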
V. INTRUSION DETECTION SYSTEM
An Intrusion Detection System (IDS) is a hardware device or software program/application that is used to monitor network or individual system activities for malicious attacks or policy violations and regularly produces logs and reports for the management stations. Traditionally, IDS were developed with two major approaches:
• Signature based Intrusion Detection Approach.
• Anomaly based Intrusion Detection Approach.
The advantage of the signature based intrusion detection approach is that it is very simple and efficient in terms of speed and detection of known attacks, but at the same time it completely fails to detect zero day attacks, or any attack for which we do not have a specific signature in the IDS database [16-20]. Anomaly based detection is successful to some extent in detecting novel attacks, but it commonly has the disadvantage that it generates a large number of false alarms. Moreover, in the past IDS were designed with a generic approach; to the best of our knowledge very few researchers have tried to design intrusion detection systems that work within specific domains of defined protocols. We divide the critical infrastructure sensor network into four categories or pools as shown in Figure 5.
[Figure 5: Pool-A: 4HT/Frame [AES-256]; Pool-B: 3HT/Frame [AES-192]; Pool-C: 2HT/Frame [AES-192]; Pool-D: 1HT/Frame [AES-128]]
Fig. 5. Segmentation of Pools in Critical Infrastructure Network
This division is based on the computational power and level of vulnerability of the systems working in the critical infrastructure sensor network.
The working principle of the IDS at the Master Terminal Unit (MTU) is shown in Figure 6, and the working principle of the IDS at the Remote Terminal Unit (RTU) is shown in Figure 7.
[Figure 6: select Pool-A / Pool-B / Pool-C / Pool-D of the destination RTU -> Attach EP -> Transmit]
Fig. 6. IDS working principle at MTU (Master Terminal Unit)
[Figure 7: Extract EP -> decrypt according to Pool-A / Pool-B / Pool-C / Pool-D -> Extract HT -> Match HT Database -> No Attack, or Mismatch: Attack -> Scanning -> Reverse Engineering -> END]
Fig. 7. IDS working principle at RTU (Remote Terminal Unit)
In Figure 6 the IDS embeds honey tokens in the real traffic and encrypts the pointer; both actions are performed according to the pool in which the destination RTU falls, and the frame is then transmitted towards the RTU after the encrypted pointer is attached to it. At the receiving end, in Figure 7, the IDS extracts the encrypted pointer from the frame, decrypts it according to the pool in which the RTU falls, and then extracts all honey tokens from the frame and correlates them with the HT Database already present on the RTU. If any mismatch occurs an attack is detected, and the IDS performs the reverse engineering approach to recover the entire signature of the zero day attack. Pool-A contains the systems having the greatest computational power and highest vulnerability levels (e.g. Data Centers); it uses 4 honey tokens per frame and AES-256 encryption. Pool-D contains the systems having the least computational power (e.g. a tsunami warning system for the open ocean); it uses one honey token per frame and AES-128 encryption. The other two pools (B and C) contain systems that fall between the above categories: Pool-B uses 3 honey tokens per frame and AES-192 encryption (e.g. oil rigs), and Pool-C uses 2 honey tokens per frame and AES-192 encryption (e.g. remote operating stations). The encryption scheme assigned to a pool is used for two basic tasks: firstly encryption of the pointer, and secondly encryption of the honey token database (present at the RTU) for that particular pool. Different encryption schemes use different key lengths; the larger the key, the more computational power is required, so the key length is directly proportional to the computational resources required of the system. All three encryption schemes used for the proposed IDS, along with their key lengths, are listed in Table 1.
TABLE I.
KEY LENGTHS FOR ENCRYPTION SCHEMES
Encryption Type | Key Length
AES-256 | 32 bytes
AES-192 | 24 bytes
AES-128 | 16 bytes
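Sections IV and V describe the frame construction at the MTU and the pointer check at the RTU; the Go code below is an added example of that exchange, not the paper's MATLAB implementation, and BuildFrame, Inspect and gcmFor are my own names. It assumes packets reduced to byte strings carrying the 05 64 start bytes, a 16-byte pointer payload, the honey token database held decrypted in memory as a set of packet bytes, and AES in GCM mode for the pointer (the paper names only AES; GCM additionally authenticates the pointer, so one altered in transit is rejected instead of being decrypted to garbage), with the key length selecting AES-128/192/256 as in Table I.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	mrand "math/rand"
)

// gcmFor returns AES-GCM for a pool key; the key length (16, 24 or 32 bytes, Table I) selects AES-128/192/256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildFrame (MTU side, Fig. 6) scatters the honey tokens over random slots among the real packets and appends
// the encrypted pointer as packet N. Locations are stored 1-based (as in Fig. 3) so zero padding is never a location.
func BuildFrame(genuine, tokens [][]byte, key []byte) ([][]byte, error) {
	n := len(genuine) + len(tokens) // process length N-1
	ptr := make([]byte, 16)         // assumed pointer payload size; the unused tail is the zero padding of Fig. 4
	ptr[0], ptr[1] = 0x05, 0x64     // the pointer is itself a DNP3 packet, so it carries the 05 64 start bytes
	frame := make([][]byte, n, n+1)
	for i, p := range mrand.Perm(n)[:len(tokens)] { // distinct random slots (math/rand for brevity)
		frame[p] = tokens[i]
		binary.BigEndian.PutUint16(ptr[2+2*i:], uint16(p+1))
	}
	for p, ri := 0, 0; p < n; p++ { // real packets fill the remaining slots in their original order
		if frame[p] == nil {
			frame[p], ri = genuine[ri], ri+1
		}
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce for every pointer
	return append(frame, gcm.Seal(nonce, nonce, ptr, nil)), nil
}

// Inspect (RTU side, Fig. 7) opens the pointer with the pool key, pulls the packets it points at and checks each
// against the honey-token database; a non-empty result lists the altered locations (the Mismatch -> Attack branch).
func Inspect(frame [][]byte, key []byte, htDB map[string]bool) (altered []int, err error) {
	gcm, err := gcmFor(key)
	if err != nil || len(frame) < 2 || len(frame[len(frame)-1]) < gcm.NonceSize() {
		return nil, errors.New("bad pool key or malformed frame")
	}
	last, ns := frame[len(frame)-1], gcm.NonceSize()
	ptr, err := gcm.Open(nil, last[:ns], last[ns:], nil)
	if err != nil || len(ptr) < 2 || ptr[0] != 0x05 || ptr[1] != 0x64 {
		return nil, errors.New("pointer rejected: wrong pool key or altered in transit")
	}
	for i := 2; i+1 < len(ptr) && ptr[i]|ptr[i+1] != 0; i += 2 { // stop at the zero padding
		loc := int(binary.BigEndian.Uint16(ptr[i:]))
		if loc >= len(frame) || !htDB[string(frame[loc-1])] {
			altered = append(altered, loc)
		}
	}
	return altered, nil
}
```

A change to a real packet in a slot the pointer does not list is not seen by this check at all, which is the false-negative case of Table II; more tokens per frame raise the chance that an attack touches one.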
VI. SIMULATION RESULTS
The result shown in Figure 8 is the output of the DNP3 synthetic traffic generator in MATLAB; this traffic generator is capable of generating millions of DNP3 packets (synthetic traffic). The first two bytes of every DNP3 packet are always 0564 (the defined standard for a DNP3 packet), which is clearly highlighted in Figure 8.
Fig. 8. DNP3 synthetic traffic generator output
The result shown in Figure 9 is the output of the system alarms. "True Positive" means that an attack occurs and the system successfully detects it, and "False Negative" means that an attack occurs but the system fails to detect it. On the y-axis we have the scale of alarm percentage and on the x-axis we have the four pools [A-B-C-D]. Maximum security is given to Pool-A because these systems possess high computational power; therefore it has a very small percentage of false negatives, and the results in Figure 9 show that on average false negative alarms are less than 2% for Pool-A. On the other hand, the least amount of security is provided to Pool-D because these systems are constrained in computational power and other valuable resources, so the false negative percentage is almost 12% for Pool-D. The graphical results in Figure 9, which are tabulated in Table 2, show the different pools with their True Positive (TP) and False Negative (FN) alarm percentages; all these results are average values. The encryption schemes are also listed along with the pools in Table 2.
Fig. 9. IDS Performance (Alarm Analysis)
From Figure 9 and Table 2 it is clear that Pool-A has 98% TP alarms and 2% FN alarms; it uses 4HT/frame with the AES-256 encryption scheme. Pool-B has 97% TP alarms and less than 3% FN alarms; it uses 3HT/frame with the AES-192 encryption scheme. Pool-C has 93% TP alarms and 7% FN alarms; it uses 2HT/frame with the AES-192 encryption scheme. Finally, Pool-D has 88% TP alarms and 12% FN alarms; it uses only one HT/frame with the AES-128 encryption scheme.
TABLE II.
IDS ALARM ANALYSIS COMPARISON TABLE
Pool | Honeytokens per Frame | Encryption Scheme | TP Alarm | FN Alarm
A | 4 | AES-256 | 98% | 2%
B | 3 | AES-192 | 97% | 3%
C | 2 | AES-192 | 93% | 7%
D | 1 | AES-128 | 88% | 12%
VII. NETWORK PENETRATION TESTING (NPT)
In order to test and verify our designed IDS we use NPT. Alongside our IDS we place another, conventional signature based IDS, which contains a signature database for some known attacks, for the security of the 64 node critical infrastructure test network; then, using MATLAB, we generate zero day attacks and some known attacks which are already present in the database of the conventional IDS. Finally we launch all these attacks on the test network. The known attacks are immediately stopped by the conventional IDS, but all zero day attacks successfully penetrated the network. In response our IDS successfully detected these attacks and recovered them completely using the reverse engineering approach. A snapshot of the IDS scanning process result is shown in Figure 10, where cyber-attacks are detected by the IDS on nodes 22, 24 and 32.
Fig. 10. IDS scanning process

VIII. CONCLUSION
In this paper we design an IDS that works on a technique known as honey token based encrypted pointers against zero day cyber threats; this IDS is specifically designed for critical infrastructure sensor networks. We analyzed the performance of the IDS model on security and stability issues. We found that the proposed IDS improves three key issues in existing systems: the capability of detecting zero day cyber-attacks is much better than in the existing system; the use of encryption in the IDS makes it more difficult for attackers to launch a successful attack; and the IDS successfully recovers zero day cyber-attack signatures using reverse engineering, in this way assisting conventional signature based IDS in improving their efficiency.

References
[1] Madjid Merabti, Michael Kennedy, William Hurst, "Critical Infrastructure Protection: A 21st Century Challenge", International Conference on Communications and Information Technology.
[2] Ragunathan (Raj) Rajkumar, Insup Lee, Lui Sha, John Stankovic, "Cyber-Physical Systems: The Next Computing Revolution", Design Automation Conference, 2010.
[3] Jing Lin, Sahra Sedigh and Ann Miller, "A General Framework for Quantitative Modeling of Dependability in Cyber-Physical Systems: A Proposal for Doctoral Research", 33rd Annual IEEE International Computer Software and Applications Conference.
[4] N. HadjSaid, C. Tranchita, B. Rozel, M. Viziteu, R. Caire, "Modeling Cyber and Physical Interdependencies – Application in ICT and Power Grids", IEEE 2009.
[5] Edward Chikuni, Maxwell Dondo, "Investigating the Security of Electrical Power Systems SCADA", IEEE 2007.
[6] Nai Fovino, A. Carcano, M. Masera, "A Secure and Survivable Architecture for SCADA Systems", Second International Conference on Dependability, pp. 34-39, 2009.
[7] Eugene Babeshko, Vyacheslav Kharchenko, Anatoliy Gorbenko, "Applying F(I)MEA-technique for SCADA-based Industrial Control Systems Dependability Assessment and Ensuring", Third International Conference on Dependability of Computer Systems.
[8] Athar Mahboob, Junaid Zubairi, "Intrusion Avoidance for SCADA Security in Industrial Plants", pp. 447-452, IEEE 2010.
[9] "Securing SCADA Infrastructure", Fortnet – Securing SCADA Infrastructure White Paper.
[10] Gordon Clarke, Deon Reynders, Edwin Wright, "Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems", IDC Technologies, 2004.
[11] Craig M. McRae, Rayford B. Vaughn, "Phighting the Phisher: Using Web Bugs and Honeytokens to Investigate the Source of Phishing Attacks", 2007.
[12] Colon & E. Peldaez, John Bowles, "Computer Viruses", pp. 513-517, IEEE 1991.
[13] Maya Bercovitch, Meir Renford, Lior Hasson, Asaf Shabtai, Lior Rokach, Yuval Elovici, "HoneyGen: an Automated Honeytokens Generator", pp. 131-136, IEEE 2011.
[14] Jonathan White and Brajendra Panda, "Implementing PII Honeytokens to Mitigate Against the Threat of Malicious Insiders", ISI 2009, June 8-11, IEEE 2009.
[15] Anoosha Prathapani, Lakshmi Santhanam and Dharma P. Agrawal, "Intelligent Honeypot Agent for Blackhole Attack Detection in Wireless Mesh Networks", pp. 753-758, IEEE 2009.
[16] Luigi Coppolino, Salvatore D'Antonio, Luigi Romano and Gianluigi Spagnuolo, "An Intrusion Detection System for Critical Information Infrastructures Using Wireless Sensor Network Technologies", pp. 1-8, IEEE 2010.
[17] Guangcheng Huo, Xiaodong Wang, "DIDS: A Dynamic Model of Intrusion Detection System in Wireless Sensor Networks", International Conference on Information and Automation, pp. 374-378, 2008.
[18] Muhammad Kamran Asif, Talha A. Khan, Talha A. Taj, Umar Naeem, Sufyan Yakoob, "Network Intrusion Detection and its Strategic Importance", IEEE Business Engineering and Industrial Applications Colloquium, 2013.
[19] Leonard J. LaPadula, "Intrusion Detection for Air Force Networks", MITRE Technical Report, October 1997.
[20] Daniel C. Hurley, James F.X. Payne, Mary T. Anderson, "Critical Infrastructure: Electric Power Subcommittee Risk Mitigation in the Electric Power Sector: Serious Attention Needed", Armed Forces Communication and Electronics Association Cyber Committee.