Multi-stage Cyber-Attacks Detection in the Industrial Control Systems

  • Tomáš Bajtoš
  • Pavol Sokol
  • Terézia Mézešová
Chapter
Part of the Studies in Systems, Decision and Control book series (SSDC, volume 255)

Abstract

Industrial Control Systems are a high-value target for attackers, and the attacks against them are becoming more sophisticated. Intrusion detection systems can uncover suspicious activity and point towards the individual steps of an attack. Because detection systems raise an overwhelming number of alerts, aggregating and correlating those alerts is necessary. Security analysts need to correlate the alerts raised by detection systems and project the next steps of an attack in order to better protect critical resources. In this chapter, we search for attack patterns in correlated alerts from an industrial control systems network. Our correlation approach is similarity-based, using IP addresses and ports. We construct a directed graph that describes all possible attack paths between multiple attack stages, and we discuss several interesting patterns found in it.
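As an added illustration of the approach the abstract describes (this is not the chapter's own code), the following Python sketch aggregates repeated IDS alerts, scores pairs of aggregated alerts by the IP addresses and destination port they share, and builds a directed graph of attack-stage transitions. The sample alerts, the stage names, the 10 s aggregation window and the 0.6 similarity threshold are constructed assumptions, not values from the chapter.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since the start of the capture
    stage: str     # IDS signature class, used as the attack-stage label
    src_ip: str
    dst_ip: str
    dst_port: int

# Constructed sample alerts (not the chapter's dataset): a scan of the Modbus
# port on two PLCs, two write attempts against one of them, and an unrelated
# alert from a different host.
SAMPLE_ALERTS = [
    Alert(0, "recon.scan", "10.0.0.5", "10.0.1.10", 502),
    Alert(1, "recon.scan", "10.0.0.5", "10.0.1.10", 502),
    Alert(2, "recon.scan", "10.0.0.5", "10.0.1.11", 502),
    Alert(30, "ics.modbus_write", "10.0.0.5", "10.0.1.10", 502),
    Alert(45, "ics.modbus_write", "10.0.0.5", "10.0.1.10", 502),
    Alert(50, "availability.dos", "10.0.0.9", "10.0.1.20", 20000),
]

def _key(a):
    return (a.stage, a.src_ip, a.dst_ip, a.dst_port)

def aggregate(alerts, window=10):
    """Merge repeats of one alert (same stage/src/dst/port) raised within
    `window` seconds of the previous repeat; returns (first_alert, count)."""
    groups = []                       # each group: list of identical alerts
    for a in sorted(alerts, key=lambda x: x.ts):
        for g in groups:
            if _key(g[-1]) == _key(a) and a.ts - g[-1].ts <= window:
                g.append(a)
                break
        else:                         # no open group matched: start a new one
            groups.append([a])
    return [(g[0], len(g)) for g in groups]

def similarity(a, b):
    """Fraction of the IP/port attributes two alerts share (0.0 to 1.0)."""
    same = (a.src_ip == b.src_ip) + (a.dst_ip == b.dst_ip) + (a.dst_port == b.dst_port)
    return same / 3

def build_stage_graph(alerts, window=10, threshold=0.6):
    """Directed graph of stage transitions: an edge A->B is added for every
    pair of aggregated alerts where B is later, of a different stage, and
    similar enough to A; the weight is the number of supporting pairs."""
    agg = aggregate(alerts, window)
    edges = Counter()
    for a, _ in agg:
        for b, _ in agg:
            if b.ts > a.ts and a.stage != b.stage and similarity(a, b) >= threshold:
                edges[(a.stage, b.stage)] += 1
    return dict(edges)
```

On the sample, the two scans collapse into one aggregated alert and the unrelated DoS alert shares no attribute with the rest, so the graph contains only the single path from reconnaissance to the Modbus write stage.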

Keywords

Alert aggregation, Correlation, Multi-stage attack patterns

Acknowledgements

We would like to thank our colleagues from the Czech chapter of The Honeynet Project for their comments and valuable input. This paper is funded by the Slovak APVV project under contract No. APVV-14-0598 and the Slovak APVV project under contract No. APVV-APVV-17-0561.


Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Tomáš Bajtoš
  • Pavol Sokol
  • Terézia Mézešová

  1. Faculty of Science, Institute of Computer Science, Pavol Jozef Šafárik University in Košice, Košice, Slovakia