![. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Whitelisting
• Recommended security measure by the industry.
• Barbosa et al. [1] demostrated its efficiency to detect flow
anomalies.
8](https://image.slidesharecdn.com/ivappslides-160303080748/85/Visualizing-Network-Flows-and-Related-Anomalies-in-Industrial-Networks-using-Chord-Diagrams-and-Whitelisting-8-320.jpg)
![. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Chord diagrams
• Conceived initially for genomics
• Previous usage on security visualizations
• ADS visual comparison [4]
• Relationships between Phishing websites [3]
• Relationships between IT subnets [2]
10](https://image.slidesharecdn.com/ivappslides-160303080748/85/Visualizing-Network-Flows-and-Related-Anomalies-in-Industrial-Networks-using-Chord-Diagrams-and-Whitelisting-10-320.jpg)
Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting
- 1. Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting M. Iturbe, I. Garitano, U. Zurutuza, R. Uribeetxeberria Electronics & Computing Department Faculty of Engineering Mondragon University IVAPP 2016, Rome, Italy
- 2. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Agenda 1. Introduction 2. System Description 3. Results 4. Conclusions 2
- 4. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Industrial Control Systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz 4
- 5. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Fieldbus Network Control Network Demilitarized Zone Corporate Network Internet PLC PLCPLC HMI Control Server Engineering Workstation HistorianData Server Field equipment Workstations Corporate Servers FieldDevicesFieldControllersSupervisoryDevices 5
- 6. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions ICS vs. IT Industrial Networks IT Networks Main Purpose Control of Physical equip- ment Data processing and trans- mission Failure Severity High Low Reliability Required High Moderate Determinism High Low Data Composition Small packets of periodic and aperiodic traffic Large, aperiodic packets Average Node Complexity Low (simple devices, sensors, actuators) High (large servers/file sys- tems/databases) 6
- 7. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Whitelisting Refers to the practice of registering the set of network flows that are allowed in a network, raising an alarm or disallowing connections that have not been explicitly allowed. 7
- 8. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Whitelisting • Recommended security measure by the industry. • Barbosa et al. [1] demostrated its efficiency to detect flow anomalies. 8
- 9. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Chord diagrams 9
- 10. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Chord diagrams • Conceived initially for genomics • Previous usage on security visualizations • ADS visual comparison [4] • Relationships between Phishing websites [3] • Relationships between IT subnets [2] 10
- 11. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Objectives • Gaps in related literature • No security visualizations for Industrial Networks • Previous works based on whitelisting only detect forbidden connections • Objectives • Provide situational awareness through flow visualizations • Design a visual flow anomaly detection system • Detect flow anomalies through temporal whitelists • Visually highlight detected anomalies 11
- 13. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Overview Industrial Network Flow Collector Network Flows Tagged Flows Whitelists Chord Diagrams Flow packets Learning phase Flow data Detection phase Visualization phase Online Offline 13
- 14. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Learning Phase • Whitelists are formed with the detected network traffic. • Source/Destination IP, Server port, IP protocol and packet number • Whitelists of variable time length. 14
- 15. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Detection Phase • The system evaluates and tags incoming flows comparing them to the whitelists • Types of tags • Legitimate flow • Anomalous flow • Incorrect port • Incorrect protocol • Absent flow • Anomalous flow size • The system triggers an alarm if a non-legitimate flow is detected 15
- 16. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Visualization Phase • The system builds the diagrams based on the tagged flows: • A host → A section in the circumference • Each host type has a distinctive color group • A bidirectional flow → A chord • Chords inherit the color of the more active host in the communication • Highlights non-legitimate flows: • Missing flows, in black • The rest, in red 16
- 17. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Visualization Phase (a) Forbidden flow between PLC 1 and HMI 2. (b) Detail of the forbidden flow. 17
- 18. Results .
- 19. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Test network Switch 2 Switch 1 Gateway 19
- 20. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Tools • NetFlow v5 • Logstash • ElasticSearch • D3 20
- 21. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Denial of Service 21
- 22. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Network scan 22
- 23. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Downed host 23
- 24. Conclusions .
- 25. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Conclusions • We propose a visual monitoring system based on whitelists and chord diagrams for ICSs. • Collected flows in a time window are tagged and visualized. • Highlighting anomalous ones. 25
- 26. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Future work • Distinguish more anomalous flow types. • Research into re-creation of whitelists or its edition consequences. 26
- 28. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions References I Rafael Ramos Regis Barbosa, Ramin Sadre, and Aiko Pras. Flow Whitelisting in SCADA Networks. International Journal of Critical Infrastructure Protection, 6(3):150–158, 2013. Siming Chen, Cong Guo, Xiaoru Yuan, Fabian Merkle, Hanna Schaefer, and Thomas Ertl. OCEANS: online collaborative explorative analysis on network security. In Proceedings of the Eleventh Workshop on Visualization for Cyber Security, pages 1–8. ACM, 2014. 28
- 29. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions References II Robert Layton, Paul Watters, and Richard Dazeley. Unsupervised authorship analysis of phishing webpages. In Communications and Information Technologies (ISCIT), 2012 International Symposium on, pages 1104–1109. IEEE, 2012. Johan Mazel, Romain Fontugne, and Kensuke Fukuda. Visual comparison of network anomaly detectors with chord diagrams. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, pages 473–480. ACM, 2014. 29