Transcript ModelBasedIDS_SCADARev4 - The Team for Research in

Model-based Intrusion
Detection for SCADA
Networks
Steven Cheung, Bruno Dutertre,
Martin Fong, Ulf Lindqvist, Keith Skinner,
Alfonso Valdes ([email protected])
This work was produced in part with support from the Institute for Information Infrastructure Protection (I3P) research
program. The I3P is managed by Dartmouth College, and supported under Award number 2003-TK-TX-0003 from the U.S.
Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the
author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security, the Science
and Technology Directorate, the I3P, or Dartmouth College.
Presentation Outline
 Background
 SRI Overview
 The I3P SCADA Project
 Intrusion detection approaches
 IDS in PCS
 Defense enabled architecture
 Model based detection
 Detect deviations from Modbus spec
 Detect invalid communication patterns
 Detect changes in service usage patterns
 Detector based on formal model
 Conclusion
Who we are
SRI is a world-leading independent R&D organization
 Founded by Stanford University in 1946


SRI headquarters, Menlo Park, CA
A nonprofit corporation
Independent in 1970; changed name from
Stanford Research Institute to SRI International in
1977
 Sarnoff Corporation acquired in 1987
(formerly RCA Laboratories)
 2,000 staff members combined


800 with advanced degrees
More than 15 offices worldwide
 Consolidated 2005 revenue: $390 million
Sarnoff Corporation, Princeton, NJ
• Sarnoff India
• SRI Taiwan
SRI – State College, PA
SRI – Tokyo, Japan
SRI – Washington, D.C.
What we do
We create solutions that address your needs
 Customer-sponsored R&D
From discovery, study, and evaluation
to custom solutions on demand
 Licenses
Innovative technologies ready for use
 Ventures
Spin-off companies to capitalize on
new opportunities
 Partnership programs
Value creation programs to maximize
your success
Our focus areas
Multidisciplinary teams leverage developments from SRI’s core
technology and research areas
Advanced Materials,
Microsystems, and Nanotechnology
Engineering
and Systems
Health, Education,
and Economic Policy
SRI’s
Value
Creation
Process™
Biotechnology
Information Technology
Computing
SRI invented the foundations of personal computing
1964–1968: SRI’s Doug Engelbart and team
invented the computer mouse and
demonstrated the foundations of personal
computing.
Today: SRI leads development of CALO, the
Cognitive Assistant that Learns and Organizes,
to revolutionize how computers support
decision makers.
President Bill Clinton presents Doug Engelbart with
the 2000 National Medal of Technology
Intelligent robotics
SRI has pioneered robotics for 40 years
Today: SRI’s Centibots, one of the first and largest
teams of mobile coordinated robots, can explore, map,
and survey unknown environments.
Elected to the Robot Hall of Fame in 2004
1966–1972: SRI’s Shakey was
the first mobile robot capable of
reasoning about its actions.
Internet and networks
SRI was there “before the beginning”
.com
.gov
.org
1969: SRI received (from UCLA) the first logon to the
ARPANET, predecessor of the Internet.
1970–1992: SRI ran the Network Information Center
(NIC), the domain name registration clearinghouse
for all Internet computer hosts connecting to the
ARPANET and Internet. SRI assigned all .com, .org,
and .gov domain names.
1987: SRI’s pioneering network intrusion detection
technology protects against malicious attacks.
Today: SRI administers the Cyber Security R&D
Center for the Department of Homeland Security. The
Center develops security technology for protection of
the U.S. cyber infrastructure through partnerships
between government and private industry, the venture
capital community, and the research community.
The Critical Infrastructure of the
United States
What is the I3P?
 The Institute for Information Infrastructure
Protection, funded by Congress, managed by
Dartmouth College with oversight from DHS –
www.thei3p.org
 Established in 2001 to identify and address critical
research problems facing our nation’s information
infrastructure
 Consortium of over 25 universities, non-profit
research institutions, and federal labs
What is this
Research Project?
 Two-year applied research effort to improve cyber
security for control systems/SCADA
 Help industry better manage risk by



providing risk characterization
developing and demonstrating new cyber security
tools and technologies
enhancing sustainable security practices for control
systems
Why is this
Project Important?
Control systems are critically important
to the safe and efficient operation of
infrastructure systems but are vulnerable
to cyber attacks:


Control systems security problems and
remediation approaches are different
from IT
Effects of cyber attacks on operations
and interdependent infrastructures not
well understood
Project Goals
 Demonstrated improved cyber
security in the oil and gas
infrastructure sector


New research findings
New technologies
 Significantly increased
awareness of


Security challenges and
solutions
The capabilities of the I3P
and its members
Intrusion Detection Approaches
 Signature: Match traffic to a known pattern of misuse
 Stateless: String matching, single packet
 Stateful: Varying degrees of protocol and session
reconstruction
 Good systems are very specific and accurate
 Typically does not generalize to new attacks
 Anomaly: Alert when something “extremely unusual”
is observed



Learning based, sometimes statistical profiling
In practice, not used much because of false alarms
Learning systems are also subject to concept drift
Intrusion Detection Approaches (2)
 Probabilistic (Statistical, Bayes): A middle
ground, with probabilistically encoded models
of misuse

Some potential to generalize
 Specification based (some group this with
anomaly detection): Alert when observed
behavior is outside of a specification

High potential for generalization and leverage
against new attacks
Our Hypothesis
 By comparison to enterprise systems, control
systems exhibit comparatively constrained behavior:




Fixed topology
Regular communication patterns
Limited number of protocols
Simpler protocols
 As such, specification- and model-based IDS
approaches may be more feasible
 Such an approach nicely complements a signature
system
 Benefits are a compact, inherently generalized
knowledge base and potential to detect zero day
attacks
Pattern Anomaly Detection
Library patterns
New Obs
P1
DE
A
D
Binary patterns
Fixed
X
X
P2
length: TCP flags
Variable length
Patterns of categorical-valued features
(Counts of) system calls
Ports
Observation matches P1 in D and X, P2 in A
and D, but X has a low hit count
•
=> P2 is a better match
•Observation is assigned the label of P2
•Depending on whether P2 is rare or previously
labeled malicious, generate an alert
•New P2 has a little “X”
A
D
New P2
A
D
X
Bayes Net Algorithms
 Describe the world in terms of conditional probabilities
 Model observables as nodes in a directed graph
 Children get p (prior) messages from parents
 Parents get l (likelihood) messages from children
At leaf nodes, l messages correspond to observations
 Belief state is updated as new evidence is observed

p(A)
l(A)
A
l(D)
p(B)
l(B) p(C)
B
l(C)
p(D)
C
p(X)
D
l(Y)
l(X) p(Y)
X
Y
This diagram illustrates
message propagation in
a tree fragment
Learning, adaptation
 Bayes models have a network structure and node parameters
Conditional probability tables, or CPT
 CPT(i,j)=P(child state = j | parent state = i)
 We did not try to learn structure
 CPT’s can be learned off-line or adaptively
 For real world data, no ground truth.
 We observed “hypothesis capture” on very long runs
 eBayes has optional capability to generate new hypotheses
if no existing ones fit
 Stability of learning and hypothesis generation are still
research issues for us

Transition and Update
 New sessions start with a default prior over normal
and attack hypotheses
 Inference results in new belief

“In progress” alerts may be generated
 This passes through a temporal transition model
 Tends to decay back to normal
 But once a session is sufficiently suspicious, it will be
reported
 New inference
updates belief
New Observations
Mail
FTP
DICT
Transition
Function
Bayes
Inference
Model
Mail
FTP
DICT
Approaches Provide
Complementary Protection
Attacks
Detected
Approach
Basis
Generalization
Misuse
Signature,
Stateful analysis
Known
No
Anomaly
Learned models
of normal
Must appear
anomalous (not
all do, FP)
Yes
Probabilistic
Model learning
Match patterns
of misuse
Some
Spec based
Analysis of
protocol spec
Attacks must
violate spec (not
all do)
Yes
Models and Detection Approaches
 Signature and probabilistic IDS model misuse
 Anomaly approach empirically models “normal”
system usage and behavior
 Specification-based approach models what is
allowable under the protocol specification

Also models “normal”, but in a different sense from
what is typically meant in anomaly detection
 Drawbacks of specification-based models:
 For general enterprise systems, constructing models is
expensive and difficult (system complexity, complexity
of user activity)
 Inaccurate models can lead to false alarms and/or
missed detections
IDS In PCS
 Barrier defenses (switches, firewalls, network
segmentation) are essential, but
 An orthogonal view is essential to detect
when these have been bypassed or
penetrated
 One detection approach may not alert on a
critical exploit
 Correlation of related events is essential to
provide the operator coherent situational
awareness
EMERALD IDS for PCS
 Multi-algorithm IDS appliance
Pattern Anomaly
 Bayes analysis of TCP headers
 Stateful protocol eXperts
 Complemented by custom ruleset SNORT
 Alerts (potentially from multiple IDS
appliances) forwarded to correlation
framework
 PCS Enhancements
 Digital Bond PCS rule set
 Model Based Detection

Models for Characterizing
Acceptable Behavior
 Protocol level: based on MODBUS protocol
spec, for single field and dependent fields
 Network access patterns, based on analysis
of topology configuration
 Service usage patterns, based on learned
valid MODBUS function codes for monitored
devices
Protocol Model: Individual fields
 MODBUS function codes are one byte
 256 possible values, but
 MSB is used by servers to indicate exception
 0 is not valid, so valid range in 1-127
 Range is partitioned into public, user-defined, and
reserved

With no further knowledge, can construct a “weak
specification”
 Many actual devices support a much more limited set
of codes

Permits definition of a stronger, more tailored
specification
Protocol Model: Dependent Fields
 Encode acceptable values of a field given the
value of another field



Example dependent fields include length,
subfunction codes, and arguments
For example, “read coils” function implies the
length field is 6
For other function codes, length varies but a
range can be specified
 Specifications for multiple ADUs: future work
Detecting Unusual Communication Patterns
 Specification of network access policies
 Comm between Admin LAN and PCS LAN is restricted
to that between Admin historian and PCS historian
 PCS Master may communicate with Modbus PLC
using Modbus-TCP
 PCS historian may communicate with PCS Master
 Domain controller may provide services to other hosts
in the PCS LAN
 Detection of exceptions is via SNORT rules
 More complex networks (more devices) can be
accommodated via IP address assignment with
appropriate subnet masks
Detecting Changes in Server/Service Availability
 EMERALD Bayes component includes TCP service monitoring
New service discovery (suspicious in a “stable” system)
 Service up/down/distress
 Modifies probability models and makes the component more
accurate
 EMERALD SCADA includes analogous capability for MODBUS
function codes
 Alerts when a device responds to a new function code
(MODBUS service discovery)
 Alerts when a function code previously considered valid for a
device results in error replies

Complete Formal Model in PVS
 PVS: Prototype Verification System
 Expressive specification language (higher order logic)
+ powerful theorem prover
 Other tools available in PVS:
 Model checker
 Compiler and execution environment for a subset of
the PVS language
 Model-based IDS in PVS:
 Full specification of Modbus protocol in PVS
 Customizable to the actual system (e.g., which
functions/addresses are used).
More complete and precise than SNORT-based model
From PVS model to IDS
 PVS Model:
 Specifies correct Modbus requests and valid
responses to requests
 Defined by two PVS predicates with signature
acceptable_request: [packet  bool]
valid_response: [request, packet  bool]

These predicates are in the executable fragment of the
PVS language
 IDS: use the model online
 Compile the predicates into executable code (uses the
PVS compilation/evaluation tools)
 Check for violations are runtime: intercept
requests/responses and evaluate the predicates.
Testbed Architecture
PCS-Enabled
NIDS/Mcorr
Appliance
Alerts and Diagnostics
• SHARP (PNNL)
• SecSS (Tulsa)
• APT (UIUC)
Experimental Scenario (1)
 Internet attacker achieves privileged access to the corporate




network (Admin PC).
The attacker downloads hack tools to the compromised
corporate network host, and sets up a tftp server for his tools.
The attacker scans the network (Admin LAN) and discovers the
Admin Historian on the corporate network.
The attacker achieves elevated access to the Admin Historian,
and learns of a data relationship to a PCS Historian on the other
side of a firewall. The Admin Historian is subsequently pushed
off the network, and the Admin PC assumes its IP.
The attacker scans the PCS Historian from the Admin PC.
Scenario (2)
 The attacker discovers a vulnerable authentication service on




the PCS Historian host and visible because of a bad firewall
configuration on the PCS FW. It is subsequently exploited to
connect with system privilege to the PCS Historian.
The attacker downloads a "rogue master" and other tools to the
compromised PCS Historian via tftp from the Admin PC. The
PCS Historian now serves as the launching point for subsequent
attacks, directed from the Admin PC.
The attacker scans the PCS network (PCS LAN) and discovers
a vulnerable PCS Master box.
The attacker launches an attack to take down the PCS Master.
The attacker initiates a Modbus device scan on the PCS LAN
and discovers the PLC. Subsequently, a Modbus command is
sent to close a contact to the PLC; a light/indicator illuminates
Detections
 Scans: Bayes sensor, unusual comms

Aggregation presents thousands of probes as
single alert
 Compromise exploits (UPNP): SNORT
Bleeding Edge
 tftp: Unusual Comms
 MODBUS Exploits: New modbus services,
spec based detection,Digital Bond set
Alert Summary
Summary
 Barrier protections are essential in PCS
 DMZ
 Switches, firewalls, VPN
 IDS is an important orthogonal defense
 Model based approach using protocol specs is a
feasible complement to signature IDS in control
systems
 Multi-component, multi-approach detection provides
complementary views of an attack
 Alert correlation presents actionable situational
awareness picture
I3P Houston Workshop
 Workshop will provide:
 Overview of threats to PCS
 Demonstration of vulnerabilities in PCS
 Technology demonstration
 Training in risk management, security tools,
and mitigation strategies
 Opportunity for dialog with industry leaders
 Sheraton Brookhollow Houston
 February 15-16
 www.thei3p.org
Backup
Similarity Function
•Generalizes
N(Intersection)/N(Union)
•“Intersection” is the sum of the
min probabilities where the
patterns intersect
•“Union” is the maximal
probability where either pattern
is non-zero

1 1
1 
X  
0 0 0
3 3

3
1 1 1 1 1

Y  
0
5 5 5 5 5 
Patterns overlap in the first two entries.
Y is minimum probability.
 Numerator = 2
5
X is maximal probability in the first, second,
and sixth entries.
Y is maximal elsewhere.
 Denominator = 3 3  3 5  8 5
2
1
Sim(X ,Y )  5 
8
4
5
Picking the Winner
•Library patterns
“compete” for new
pattern
•Winner is most similar
as long as similarity is
over a set threshold
•Winner is slightly
modified to include a
little of the new pattern.

Algorithm to pick winner
Find K s.t.
:
Sim(X ,EK )  Sim(X ,Ek )k
X  observed pattern
Ek  kth pattern exemplar in library
If Sim(X ,EK )  Tmatch ,EK is the winner
Else insert X into the library of pattern
exemplars
Tmatch  Minimum match threshold
1
EK 
(nK EK  X )
nK 1
nK  Historical (possibly aged) count
of observances of EK
Determining “Rare”
•If large number of
patterns is learned, many
may be rare
•Alert on tail probability
•Technique does not
work for large number of
patterns, but tail prob
approach does no harm
Pr(E K )  Historical probability of
pattern K
n
 K
 nk
k
Tail _ Pr (E K )  Historical tail probability of
pattern K

 Pr(E )
Pr(E k )Pr(E j )
j
If Tail _ Pr(E K )  Talert, generate alert
Talert  alert threshold