Model-based Intrusion Detection for SCADA Networks

Steven Cheung, Bruno Dutertre, Martin Fong, Ulf Lindqvist, Keith Skinner, Alfonso Valdes

([email protected])

This work was produced in part with support from the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College, and supported under Award number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security, the Science and Technology Directorate, the I3P, or Dartmouth College.

Presentation Outline

Background: SRI overview; the I3P SCADA project
Intrusion detection approaches
IDS in PCS: defense-enabled architecture; model-based detection
  Detect deviations from the Modbus spec
  Detect invalid communication patterns
  Detect changes in service usage patterns
  Detector based on a formal model
Conclusion

Who we are: SRI is a world-leading independent R&D organization

SRI headquarters, Menlo Park, CA
Sarnoff Corporation, Princeton, NJ
SRI – State College, PA
SRI – Washington, D.C.
SRI – Tokyo, Japan
Sarnoff India
SRI Taiwan

Founded by Stanford University in 1946
A nonprofit corporation
Independent in 1970; changed name from Stanford Research Institute to SRI International in 1977
Sarnoff Corporation (formerly RCA Laboratories) acquired in 1987
2,000 staff members combined, 800 with advanced degrees
More than 15 offices worldwide
Consolidated 2005 revenue: $390 million

What we do: We create solutions that address your needs

Customer-sponsored R&D: from discovery, study, and evaluation to custom solutions on demand
Licenses: innovative technologies ready for use
Ventures: spin-off companies to capitalize on new opportunities
Partnership programs: value creation programs to maximize your success

Our focus areas: Multidisciplinary teams leverage developments from SRI’s core technology and research areas (SRI’s Value Creation Process™)

Engineering and Systems
Advanced Materials, Microsystems, and Nanotechnology
Information Technology
Biotechnology
Health, Education, and Economic Policy

Computing: SRI invented the foundations of personal computing

1964–1968: SRI’s Doug Engelbart and team invented the computer mouse and demonstrated the foundations of personal computing.
Today: SRI leads development of CALO, the Cognitive Assistant that Learns and Organizes, to revolutionize how computers support decision makers.
(Photo: President Bill Clinton presents Doug Engelbart with the 2000 National Medal of Technology)

Intelligent robotics: SRI has pioneered robotics for 40 years

1966–1972: SRI’s Shakey was the first mobile robot capable of reasoning about its actions. Elected to the Robot Hall of Fame in 2004.
Today: SRI’s Centibots, one of the first and largest teams of mobile coordinated robots, can explore, map, and survey unknown environments.

Internet and networks: SRI was there “before the beginning”

1969: SRI received (from UCLA) the first logon to the ARPANET, predecessor of the Internet.
1970–1992: SRI ran the Network Information Center (NIC), the domain name registration clearinghouse for all Internet computer hosts connecting to the ARPANET and Internet. SRI assigned all .com, .org, and .gov domain names.
1987: SRI’s pioneering network intrusion detection technology protects against malicious attacks.
Today: SRI administers the Cyber Security R&D Center for the Department of Homeland Security. The Center develops security technology for protection of the U.S. cyber infrastructure through partnerships between government and private industry, the venture capital community, and the research community.

The Critical Infrastructure of the United States

What is the I3P?

The Institute for Information Infrastructure Protection, funded by Congress, managed by Dartmouth College with oversight from DHS – www.thei3p.org

Established in 2001 to identify and address critical research problems facing our nation’s information infrastructure

Consortium of over 25 universities, non-profit research institutions, and federal labs

What is this Research Project?

Two-year applied research effort to improve cyber security for control systems/SCADA
Help industry better manage risk by:
  providing risk characterization
  developing and demonstrating new cyber security tools and technologies
  enhancing sustainable security practices for control systems

Why is this Project Important?

Control systems are critically important to the safe and efficient operation of infrastructure systems but are vulnerable to cyber attacks:

Control systems security problems and remediation approaches are different from IT

Effects of cyber attacks on operations and interdependent infrastructures not well understood

Project Goals

Demonstrated improved cyber security in the oil and gas infrastructure sector
  New research findings
  New technologies
Significantly increased awareness of
  security challenges and solutions
  the capabilities of the I3P and its members

Intrusion Detection Approaches

Signature: match traffic to a known pattern of misuse
  Stateless: string matching, single packet
  Stateful: varying degrees of protocol and session reconstruction
  Good systems are very specific and accurate
  Typically does not generalize to new attacks
Anomaly: alert when something “extremely unusual” is observed
  Learning based, sometimes statistical profiling
  In practice, not used much because of false alarms
  Learning systems are also subject to concept drift

Intrusion Detection Approaches (2)

Probabilistic (statistical, Bayes): a middle ground, with probabilistically encoded models of misuse
  Some potential to generalize
Specification based (some group this with anomaly detection): alert when observed behavior is outside of a specification
  High potential for generalization and leverage against new attacks

Our Hypothesis

By comparison to enterprise systems, control systems exhibit comparatively constrained behavior: fixed topology, regular communication patterns, a limited number of protocols, and simpler protocols

As such, specification- and model-based IDS approaches may be more feasible

Such an approach nicely complements a signature system

Benefits are a compact, inherently generalized knowledge base and potential to detect zero day attacks

Pattern Anomaly Detection

Binary patterns
  Fixed length: TCP flags
  Variable length
Patterns of categorical-valued features
  (Counts of) system calls
  Ports
Observation matches P1 in D and X, and P2 in A and D, but X has a low hit count
  => P2 is a better match
  Observation is assigned the label of P2
  Depending on whether P2 is rare or previously labeled malicious, generate an alert
  New P2 has a little “X”

[Figure: library patterns P1 and P2, a new observation, and the updated “New P2” that now includes a little X]

Bayes Net Algorithms

Describe the world in terms of conditional probabilities
Model observables as nodes in a directed graph
Children get (prior) messages from parents
Parents get (likelihood) messages from children
At leaf nodes, messages correspond to observations
Belief state is updated as new evidence is observed

[Figure: message propagation in a tree fragment with nodes A, B, C, D, X, Y]

Learning, adaptation

Bayes models have a network structure and node parameters
Conditional probability tables, or CPT: CPT(i,j) = P(child state = j | parent state = i)
We did not try to learn structure
CPTs can be learned off-line or adaptively
For real-world data there is no ground truth; we observed “hypothesis capture” on very long runs
eBayes has an optional capability to generate new hypotheses if no existing ones fit
Stability of learning and hypothesis generation are still research issues for us

Transition and Update

New sessions start with a default prior over normal and attack hypotheses
Inference results in new belief; “in progress” alerts may be generated
This passes through a temporal transition model
  Tends to decay back to normal
  But once a session is sufficiently suspicious, it will be reported
New inference updates belief

[Figure: session hypotheses (Mail, FTP, DICT); new observations feed Bayes inference against the model, and the transition function updates the belief]
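The belief update and temporal transition described on the Bayes slides above, as an added example (not the authors’ eBayes code): two session hypotheses, two observable leaf nodes whose conditional probability tables are assumed values, and an assumed transition matrix that pulls the belief back toward normal between observations. The observation sequence is constructed, not captured data.

```python
from typing import Dict, List, Tuple

HYPOTHESES = ("normal", "attack")
# Default prior for a new session (assumed values).
PRIOR = {"normal": 0.95, "attack": 0.05}

# Conditional probability tables for two observable leaf nodes (assumed values):
# CPT[node][hypothesis][value] = P(node = value | hypothesis). Each observation
# sends a likelihood message from the leaf up to the hypothesis node.
CPT = {
    "new_service": {"normal": {True: 0.02, False: 0.98}, "attack": {True: 0.40, False: 0.60}},
    "syn_no_ack":  {"normal": {True: 0.05, False: 0.95}, "attack": {True: 0.70, False: 0.30}},
}

# Temporal transition model applied between observations (assumed values):
# belief drifts back toward "normal" unless fresh evidence keeps it up.
TRANSITION = {
    "normal": {"normal": 0.99, "attack": 0.01},
    "attack": {"normal": 0.20, "attack": 0.80},
}

REPORT_THRESHOLD = 0.9   # posterior P(attack) at which the session is reported


class SessionBelief:
    """Belief over {normal, attack} for one session, updated per observation."""

    def __init__(self) -> None:
        self.belief = dict(PRIOR)
        self.reported = False
        self.history: List[float] = []

    def update(self, observation: Dict[str, bool]) -> float:
        """Bayes inference on one observation, then the temporal transition.

        Returns the posterior P(attack) before the transition, which is what
        the reporting decision uses; the transitioned belief becomes the prior
        for the next observation.
        """
        posterior = {}
        for h in HYPOTHESES:
            likelihood = 1.0
            for node, value in observation.items():
                likelihood *= CPT[node][h][value]
            posterior[h] = self.belief[h] * likelihood
        z = sum(posterior.values())
        posterior = {h: p / z for h, p in posterior.items()}
        if posterior["attack"] >= REPORT_THRESHOLD:
            self.reported = True          # latched: decay does not retract a report
        self.belief = {
            h2: sum(posterior[h1] * TRANSITION[h1][h2] for h1 in HYPOTHESES)
            for h2 in HYPOTHESES
        }
        self.history.append(posterior["attack"])
        return posterior["attack"]


# Constructed observation sequence (not captured data): two quiet events,
# two events that look like a probe, then quiet again.
BENIGN = {"new_service": False, "syn_no_ack": False}
SUSPICIOUS = {"new_service": True, "syn_no_ack": True}
EVENTS = [BENIGN, BENIGN, SUSPICIOUS, SUSPICIOUS, BENIGN, BENIGN]


def run_session(events=EVENTS) -> Tuple[List[float], bool]:
    session = SessionBelief()
    for event in events:
        session.update(event)
    return session.history, session.reported


if __name__ == "__main__":
    probs, reported = run_session()
    for i, p in enumerate(probs, 1):
        print(f"event {i}: P(attack) = {p:.3f}")
    print("reported:", reported)
```

Running it shows the behaviour the slide describes: the two quiet events leave P(attack) near the prior, the first suspicious event raises it but not past the threshold, the second crosses it and the session is reported, and the quiet events afterwards let the transition model decay the belief without withdrawing the report.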

Approaches Provide Complementary Protection

Approach      | Basis                        | Attacks Detected                        | Generalization
Misuse        | Signature, stateful analysis | Known                                   | No
Anomaly       | Learned models of normal     | Must appear anomalous (not all do; FP)  | Yes
Probabilistic | Model learning               | Match patterns of misuse                | Some
Spec based    | Analysis of protocol spec    | Attacks must violate spec (not all do)  | Yes

Models and Detection Approaches

Signature and probabilistic IDS model misuse
Anomaly approach empirically models “normal” system usage and behavior
Specification-based approach models what is allowable under the protocol specification
  Also models “normal”, but in a different sense from what is typically meant in anomaly detection
Drawbacks of specification-based models:
  For general enterprise systems, constructing models is expensive and difficult (system complexity, complexity of user activity)
  Inaccurate models can lead to false alarms and/or missed detections

IDS In PCS

Barrier defenses (switches, firewalls, network segmentation) are essential, but

An orthogonal view is essential to detect when these have been bypassed or penetrated

One detection approach may not alert on a critical exploit

Correlation of related events is essential to provide the operator coherent situational awareness

EMERALD IDS for PCS

Multi-algorithm IDS appliance
  Pattern anomaly
  Bayes analysis of TCP headers
  Stateful protocol eXperts
  Complemented by SNORT with a custom ruleset
Alerts (potentially from multiple IDS appliances) forwarded to correlation framework
PCS enhancements
  Digital Bond PCS rule set
  Model-based detection

Models for Characterizing Acceptable Behavior

Protocol level: based on the MODBUS protocol spec, for single fields and dependent fields
Network access patterns: based on analysis of topology configuration
Service usage patterns: based on learned valid MODBUS function codes for monitored devices

Protocol Model: Individual fields

MODBUS function codes are one byte
256 possible values, but the MSB is used by servers to indicate an exception and 0 is not valid, so the valid range is 1–127
The range is partitioned into public, user-defined, and reserved codes
With no further knowledge, one can construct a “weak specification”
Many actual devices support a much more limited set of codes
This permits definition of a stronger, more tailored specification

Protocol Model: Dependent Fields

Encode acceptable values of a field given the value of another field
Example dependent fields include length, subfunction codes, and arguments
For example, the “read coils” function implies the length field is 6
For other function codes, length varies but a range can be specified
Specifications for multiple ADUs: future work
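The single-field and dependent-field rules from the two protocol-model slides above, as an added example that is not EMERALD code: the checker parses a Modbus-TCP ADU, applies the weak specification (function code in 1–127, with the user-defined ranges 65–72 and 100–110 taken from the Modbus application protocol specification), an optional device-tailored set of supported codes, and the length dependencies. The sample frames and the device set PLC_CODES are constructed; the 8–253 length range admitted for the write-multiple functions is an assumption derived from the protocol’s byte-count field, not a figure from the slides.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Weak specification, derived from the Modbus application protocol alone:
# the function code is one byte, servers set the MSB (0x80) to flag an
# exception, and 0 is not valid, so a request code must lie in 1..127.
# Within that range the spec marks 65-72 and 100-110 as user-defined.
USER_DEFINED_CODES = set(range(65, 73)) | set(range(100, 111))

# Dependent-field rules. The MBAP length field counts unit id + PDU, so a
# read coils request (function 1: start address + quantity) has length
# 1 + 1 + 2 + 2 = 6; the other fixed-size reads and single writes match.
FIXED_LENGTH = {1: 6, 2: 6, 3: 6, 4: 6, 5: 6, 6: 6}
# Write multiple coils/registers (15, 16) carry a byte count after address
# and quantity, so length = 7 + byte_count; the admitted range is assumed.
VARIABLE_LENGTH = {15: (8, 253), 16: (8, 253)}


@dataclass
class Request:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_request(frame: bytes) -> Request:
    """Split a Modbus-TCP ADU into its MBAP header fields and PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    return Request(tid, pid, length, uid, frame[7], frame[8:])


def check_request(frame: bytes, device_codes: Optional[Set[int]] = None) -> List[str]:
    """Return the list of specification violations (empty means acceptable).

    device_codes, when given, is the stronger per-device specification:
    the set of function codes the monitored device actually supports.
    """
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if req.protocol_id != 0:
        findings.append(f"protocol id {req.protocol_id} is not Modbus (0)")
    fc = req.function_code
    # Single-field rule (weak specification).
    if fc == 0 or fc > 127:
        findings.append(f"function code {fc} outside the valid range 1..127")
    elif fc in USER_DEFINED_CODES:
        findings.append(f"function code {fc} is in a user-defined range")
    # Stronger, device-tailored specification.
    if device_codes is not None and fc not in device_codes:
        findings.append(f"function code {fc} is not supported by this device")
    # Dependent-field rule: the length field must agree with the function code.
    if fc in FIXED_LENGTH and req.length != FIXED_LENGTH[fc]:
        findings.append(f"function {fc} requires length {FIXED_LENGTH[fc]}, got {req.length}")
    elif fc in VARIABLE_LENGTH:
        lo, hi = VARIABLE_LENGTH[fc]
        if not lo <= req.length <= hi:
            findings.append(f"function {fc} requires length in {lo}..{hi}, got {req.length}")
    # The length field must also agree with what is actually on the wire.
    if req.length != len(frame) - 6:
        findings.append(f"length field {req.length} but {len(frame) - 6} bytes follow it")
    return findings


# Constructed sample frames (not captured traffic); the PLC is assumed to
# support only the common read/write codes.
PLC_CODES = {1, 2, 3, 4, 5, 6, 15, 16}
READ_COILS_OK = bytes.fromhex("000100000006010100000008")        # fc 1, length 6
READ_COILS_LONG = bytes.fromhex("000200000008010100000008aabb")  # fc 1, length 8
USER_DEFINED = bytes.fromhex("0003000000020143")                 # fc 0x43 = 67
EXCEPTION_AS_REQ = bytes.fromhex("000400000006018100000008")     # fc 0x81, MSB set

if __name__ == "__main__":
    for name, frame in [("read coils", READ_COILS_OK), ("oversized read", READ_COILS_LONG),
                        ("user-defined code", USER_DEFINED), ("exception bit set", EXCEPTION_AS_REQ)]:
        print(name, check_request(frame, PLC_CODES) or "acceptable")
```

The device-tailored set is what turns the weak specification into the stronger one the slide mentions: a code that is perfectly legal under the protocol but that this PLC never serves is flagged just like a malformed frame.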

Detecting Unusual Communication Patterns

Specification of network access policies
  Communication between the Admin LAN and the PCS LAN is restricted to that between the Admin historian and the PCS historian
  The PCS Master may communicate with the Modbus PLC using Modbus-TCP
  The PCS historian may communicate with the PCS Master
  The domain controller may provide services to other hosts in the PCS LAN
Detection of exceptions is via SNORT rules
More complex networks (more devices) can be accommodated via IP address assignment with appropriate subnet masks
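The access policy on the slide above, expressed as a checker over connection attempts, as an added example (not the authors’ SNORT rules). The LAN prefixes, host addresses and flows are constructed, and the policy is evaluated in the initiator-to-server direction only; flows that never touch the PCS LAN are treated as out of scope, which is an assumption the slide does not spell out.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed addressing for the two LANs (assumed, not the testbed's real plan).
ADMIN_LAN = ipaddress.ip_network("10.10.0.0/24")
PCS_LAN = ipaddress.ip_network("10.20.0.0/24")
HOSTS = {
    "admin_historian": "10.10.0.20",
    "admin_pc": "10.10.0.50",
    "pcs_historian": "10.20.0.20",
    "pcs_master": "10.20.0.10",
    "domain_ctrl": "10.20.0.5",
    "plc": "10.20.0.100",
}
MODBUS_TCP = 502


def _host(name: str) -> ipaddress.IPv4Network:
    """A single host written as a /32 so that rules and subnets share one type."""
    return ipaddress.ip_network(f"{HOSTS[name]}/32")


# (source network, destination network, allowed destination ports or None = any).
# A fuller network would widen the masks here instead of adding hosts.
POLICY: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[Set[int]]]] = [
    (_host("admin_historian"), _host("pcs_historian"), None),  # the only cross-LAN path
    (_host("pcs_historian"), _host("admin_historian"), None),
    (_host("pcs_master"), _host("plc"), {MODBUS_TCP}),          # Master -> PLC, Modbus-TCP only
    (_host("pcs_historian"), _host("pcs_master"), None),
    (_host("domain_ctrl"), PCS_LAN, None),                     # DC serves PCS LAN hosts
]


def flow_allowed(src: str, dst: str, dport: int) -> bool:
    """Connection-level check: may initiator `src` open `dst`:`dport`?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in PCS_LAN and d not in PCS_LAN:
        return True  # purely corporate-side traffic is outside this policy's scope
    for src_net, dst_net, ports in POLICY:
        if s in src_net and d in dst_net and (ports is None or dport in ports):
            return True
    return False


def audit(flows: List[Tuple[str, str, int]]) -> List[str]:
    """Return one alert line per flow the policy does not admit."""
    return [f"policy violation: {s} -> {d}:{p}" for s, d, p in flows if not flow_allowed(s, d, p)]


# Constructed flows (not captured traffic) echoing the experimental scenario.
FLOWS = [
    ("10.10.0.20", "10.20.0.20", 1433),  # admin historian -> pcs historian: allowed
    ("10.20.0.10", "10.20.0.100", 502),  # pcs master -> plc over Modbus-TCP: allowed
    ("10.20.0.5", "10.20.0.10", 389),    # domain controller -> pcs master: allowed
    ("10.10.0.50", "10.20.0.20", 135),   # admin pc probes pcs historian: violation
    ("10.20.0.20", "10.20.0.100", 502),  # pcs historian talks Modbus to the plc: violation
    ("10.20.0.10", "10.20.0.100", 80),   # master -> plc but not Modbus-TCP: violation
]

if __name__ == "__main__":
    for line in audit(FLOWS):
        print(line)
```

One limit is visible in the scenario later in the deck: once the Admin PC takes over the Admin Historian’s IP address, an address-based policy sees the historian-to-historian path and stays silent, which is why the slides pair this detector with the others rather than relying on it alone.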

Detecting Changes in Server/Service Availability

The EMERALD Bayes component includes TCP service monitoring
  New service discovery (suspicious in a “stable” system)
  Service up/down/distress
  Modifies probability models and makes the component more accurate
EMERALD SCADA includes analogous capability for MODBUS function codes
  Alerts when a device responds to a new function code (MODBUS service discovery)
  Alerts when a function code previously considered valid for a device results in error replies
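The MODBUS service-usage model from the slide above, as an added example rather than EMERALD SCADA’s own implementation: per device, the monitor learns which function codes are answered successfully, then reports a reply with a never-seen code (service discovery) and an exception reply to a code that used to work. The learning-phase/freeze split and the response stream are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set

EXCEPTION_BIT = 0x80


class ModbusServiceMonitor:
    """Per-device model of which function codes a device answers.

    Learning phase: every successful reply records its function code as
    valid for that device. After freeze(), a reply carrying a code not seen
    before is reported as Modbus service discovery, and an exception reply
    to a code that was valid is reported as that service going into error.
    """

    def __init__(self) -> None:
        self.valid: Dict[str, Set[int]] = defaultdict(set)
        self.error_counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
        self.learning = True

    def freeze(self) -> None:
        self.learning = False

    def observe(self, device: str, response: bytes) -> List[str]:
        """Feed one Modbus-TCP response ADU from `device`; return alerts."""
        if len(response) < 8:
            return [f"{device}: truncated response"]
        code = response[7]  # function byte follows the 7-byte MBAP header
        if code & EXCEPTION_BIT:
            base = code & 0x7F
            exc = response[8] if len(response) > 8 else None
            if base in self.valid[device]:
                self.error_counts[device][base] += 1
                return [f"{device}: function {base}, previously valid, now returns exception {exc}"]
            return []  # an error for a code the device never served says nothing new
        if code in self.valid[device]:
            return []
        self.valid[device].add(code)
        if self.learning:
            return []
        return [f"{device}: new Modbus service, function {code} answered"]


# Constructed sample stream of (device, response ADU) pairs, not captured traffic.
TRAFFIC = [
    ("plc1", bytes.fromhex("00010000000501030201f4")),    # read holding registers, normal reply
    ("plc1", bytes.fromhex("00020000000401010101")),      # read coils, normal reply
    ("plc1", bytes.fromhex("00030000000501030201f4")),    # repeat of a learned code
    ("FREEZE", b""),                                      # end of learning phase
    ("plc1", bytes.fromhex("00040000000601100000000a")),  # write multiple registers: new service
    ("plc1", bytes.fromhex("000500000003018302")),        # read holding registers -> exception 02
    ("plc1", bytes.fromhex("000600000003018602")),        # exception for a code never served: ignored
]


def run(traffic=TRAFFIC) -> List[str]:
    """Replay the stream through one monitor and collect the alerts."""
    monitor = ModbusServiceMonitor()
    alerts: List[str] = []
    for device, response in traffic:
        if device == "FREEZE":
            monitor.freeze()
            continue
        alerts.extend(monitor.observe(device, response))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The second alert is the interesting one for a control network: a device that has always served function 3 and suddenly answers it with exceptions may have been knocked over or replaced, which is exactly the “previously considered valid … results in error replies” case on the slide.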

Complete Formal Model in PVS

PVS: Prototype Verification System
  Expressive specification language (higher-order logic) + powerful theorem prover
  Other tools available in PVS: model checker; compiler and execution environment for a subset of the PVS language
Model-based IDS in PVS:
  Full specification of the Modbus protocol in PVS
  Customizable to the actual system (e.g., which functions/addresses are used)
  More complete and precise than the SNORT-based model

From PVS model to IDS

PVS model: specifies correct Modbus requests and valid responses to requests
  Defined by two PVS predicates with signatures
    acceptable_request: [packet -> bool]
    valid_response: [request, packet -> bool]
  These predicates are in the executable fragment of the PVS language
IDS: use the model online
  Compile the predicates into executable code (uses the PVS compilation/evaluation tools)
  Check for violations at runtime: intercept requests/responses and evaluate the predicates
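The two predicates and their online use, as an added example in Python rather than the authors’ PVS specification: `acceptable_request` is kept minimal here (the read functions only), `valid_response` checks the header fields a reply must echo and the function-specific body, and a small interceptor pairs each response with its request by unit id and transaction id before evaluating the predicate. The frames are constructed; the set of defined exception codes is taken from the Modbus application protocol specification.

```python
import struct
from typing import Dict, Optional, Tuple

EXCEPTION_BIT = 0x80
# Exception codes defined in the Modbus application protocol specification.
VALID_EXCEPTION_CODES = {1, 2, 3, 4, 5, 6, 8, 10, 11}


def _mbap(frame: bytes) -> Tuple[int, int, int, int]:
    """(transaction id, protocol id, length, unit id) from the 7-byte MBAP header."""
    return struct.unpack(">HHHB", frame[:7])


def acceptable_request(frame: bytes) -> bool:
    """Minimal request predicate: well-formed MBAP, Modbus protocol id, a read
    function (1-4) whose fixed address+quantity body gives length 6."""
    if len(frame) < 8:
        return False
    _, pid, length, _ = _mbap(frame)
    return pid == 0 and length == len(frame) - 6 and frame[7] in (1, 2, 3, 4) and length == 6


def valid_response(request: bytes, frame: bytes) -> bool:
    """Does `frame` answer `request` as the protocol allows?

    Transaction id, protocol id and unit id must echo the request, the length
    field must match the wire, and the body must be either a defined exception
    for the requested function or a data block whose byte count follows from
    the requested quantity (one bit per coil/input, two bytes per register).
    """
    if len(request) < 12 or len(frame) < 9:
        return False
    rtid, rpid, _, ruid = _mbap(request)
    tid, pid, length, uid = _mbap(frame)
    if (tid, pid, uid) != (rtid, rpid, ruid) or length != len(frame) - 6:
        return False
    req_fc, resp_fc = request[7], frame[7]
    if resp_fc == (req_fc | EXCEPTION_BIT):
        return length == 3 and frame[8] in VALID_EXCEPTION_CODES
    if resp_fc != req_fc:
        return False
    quantity = struct.unpack(">H", request[10:12])[0]
    expected = (quantity + 7) // 8 if req_fc in (1, 2) else 2 * quantity
    return frame[8] == expected and length == 3 + expected


class OnlineChecker:
    """Intercepts requests and responses and evaluates the predicates,
    pairing a response with its request by (unit id, transaction id)."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], bytes] = {}

    def on_request(self, frame: bytes) -> Optional[str]:
        if not acceptable_request(frame):
            return "unacceptable request"
        tid, _, _, uid = _mbap(frame)
        self.pending[(uid, tid)] = frame
        return None

    def on_response(self, frame: bytes) -> Optional[str]:
        if len(frame) < 8:
            return "truncated response"
        tid, _, _, uid = _mbap(frame)
        request = self.pending.pop((uid, tid), None)
        if request is None:
            return "response without a matching request"
        return None if valid_response(request, frame) else "invalid response"


# Constructed exchange (not captured traffic): read 2 holding registers from unit 1.
REQ = bytes.fromhex("001000000006010300000002")          # tid 0x10, fc 3, addr 0, qty 2
GOOD_RESP = bytes.fromhex("00100000000701030400010002")  # 4 data bytes, length 7
BAD_RESP = bytes.fromhex("001000000009010306000100020003")  # 6 data bytes for qty 2
EXC_RESP = bytes.fromhex("001000000003018302")           # exception 02 to fc 3
UNSOLICITED = bytes.fromhex("00990000000701030400010002")  # no request with tid 0x99

if __name__ == "__main__":
    checker = OnlineChecker()
    for label, step in [("request", checker.on_request(REQ)),
                        ("response", checker.on_response(GOOD_RESP)),
                        ("unsolicited", checker.on_response(UNSOLICITED))]:
        print(label, step or "ok")
```

The pairing table is what makes the response predicate usable online: without the matching request the checker cannot know how many data bytes a reply should carry, so an unsolicited or replayed reply is itself reported rather than silently accepted.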

Testbed Architecture

PCS-enabled NIDS/Mcorr appliance
Alerts and diagnostics: SHARP (PNNL), SecSS (Tulsa), APT (UIUC)

Experimental Scenario (1)

Internet attacker achieves privileged access to the corporate network (Admin PC).

The attacker downloads hack tools to the compromised corporate network host, and sets up a tftp server for his tools.

The attacker scans the network (Admin LAN) and discovers the Admin Historian on the corporate network.

The attacker achieves elevated access to the Admin Historian, and learns of a data relationship to a PCS Historian on the other side of a firewall. The Admin Historian is subsequently pushed off the network, and the Admin PC assumes its IP.

The attacker scans the PCS Historian from the Admin PC.

Scenario (2)

The attacker discovers a vulnerable authentication service on the PCS Historian host that is visible because of a bad firewall configuration on the PCS FW. It is subsequently exploited to connect with system privilege to the PCS Historian.

The attacker downloads a "rogue master" and other tools to the compromised PCS Historian via tftp from the Admin PC. The PCS Historian now serves as the launching point for subsequent attacks, directed from the Admin PC.

The attacker scans the PCS network (PCS LAN) and discovers a vulnerable PCS Master box.

The attacker launches an attack to take down the PCS Master.

The attacker initiates a Modbus device scan on the PCS LAN and discovers the PLC. Subsequently, a Modbus command is sent to close a contact to the PLC; a light/indicator illuminates.

Detections

Scans: Bayes sensor, unusual comms; aggregation presents thousands of probes as a single alert
Compromise exploits (UPNP): SNORT, Bleeding Edge
tftp: unusual comms
MODBUS exploits: new Modbus services, spec-based detection, Digital Bond set

Alert Summary

Summary

Barrier protections are essential in PCS: DMZ, switches, firewalls, VPN
IDS is an important orthogonal defense
A model-based approach using protocol specs is a feasible complement to signature IDS in control systems
Multi-component, multi-approach detection provides complementary views of an attack
Alert correlation presents an actionable situational awareness picture

I3P Houston Workshop

Workshop will provide:
  Overview of threats to PCS
  Demonstration of vulnerabilities in PCS
  Technology demonstration
  Training in risk management, security tools, and mitigation strategies
  Opportunity for dialog with industry leaders
Sheraton Brookhollow Houston, February 15-16, www.thei3p.org

Backup

Similarity Function

$$X = \left[\tfrac{1}{3},\ \tfrac{1}{3},\ 0,\ 0,\ 0,\ \tfrac{1}{3}\right]^{\mathsf T}, \qquad Y = \left[\tfrac{1}{5},\ \tfrac{1}{5},\ \tfrac{1}{5},\ \tfrac{1}{5},\ \tfrac{1}{5},\ 0\right]^{\mathsf T}$$

Patterns overlap in the first two entries; Y is the minimum probability there.

$$\Rightarrow \text{Numerator} = \tfrac{1}{5} + \tfrac{1}{5} = \tfrac{2}{5}$$

X is the maximal probability in the first, second, and sixth entries; Y is maximal elsewhere.

$$\Rightarrow \text{Denominator} = 3 \cdot \tfrac{1}{3} + 3 \cdot \tfrac{1}{5} = \tfrac{8}{5}$$

$$\mathrm{Sim}(X, Y) = \frac{2/5}{8/5} = \frac{1}{4}$$

Generalizes N(Intersection)/N(Union)
“Intersection” is the sum of the minimum probabilities where the patterns intersect
“Union” is the sum of the maximal probabilities where either pattern is non-zero

Picking the Winner

Algorithm to pick the winner: find $K$ such that

$$\mathrm{Sim}(X, E_K) \ge \mathrm{Sim}(X, E_k) \quad \forall k$$

where $X$ is the observed pattern and $E_k$ is the $k$th pattern exemplar in the library.

If $\mathrm{Sim}(X, E_K) \ge T_{match}$, $E_K$ is the winner; else insert $X$ into the library of pattern exemplars ($T_{match}$ = minimum match threshold).

The winner is then updated with the new pattern:

$$E_K \leftarrow \frac{1}{n_K + 1}\left(n_K E_K + X\right)$$

where $n_K$ is the historical (possibly aged) count of observances of $E_K$.

Library patterns “compete” for the new pattern
The winner is the most similar, as long as the similarity is over a set threshold
The winner is slightly modified to include a little of the new pattern

Determining “Rare”

$$\Pr(E_K) = \text{historical probability of pattern } K = \frac{n_K}{\sum_k n_k}$$

$$\mathrm{Tail\_Pr}(E_K) = \text{historical tail probability of pattern } K = \sum_{j:\ \Pr(E_j) \le \Pr(E_K)} \Pr(E_j)$$

If $\mathrm{Tail\_Pr}(E_K) \le T_{alert}$, generate an alert ($T_{alert}$ = alert threshold).

If a large number of patterns is learned, many may be rare
Alert on tail probability
The technique does not work for a large number of patterns, but the tail-probability approach does no harm

