Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Visualizing Network Flows and Related
Anomalies in Industrial Networks using
Chord Diagrams and Whitelisting
M. Iturbe, I....
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Agenda
1. Introduction
2. System Des...
Introduction
.
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Industrial Control Systems
CC-BY-SA ...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Fieldbus Network
Control Network
Dem...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
ICS vs. IT
Industrial Networks IT Ne...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Whitelisting
Refers to the practice ...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Whitelisting
• Recommended security ...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Chord diagrams
9
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Chord diagrams
• Conceived initially...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Objectives
• Gaps in related literat...
System Description
.
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Overview
Industrial
Network
Flow
Col...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Learning Phase
• Whitelists are form...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Detection Phase
• The system evaluat...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Visualization Phase
• The system bui...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Visualization Phase
(a) Forbidden flo...
Results
.
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Test network
Switch 2
Switch 1 Gatew...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Tools
• NetFlow v5
• Logstash
• Elas...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Denial of Service
21
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Network scan
22
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Downed host
23
Conclusions
.
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Conclusions
• We propose a visual mo...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Future work
• Distinguish more anoma...
Thank you.
{miturbe,igaritano,uzurutuza,ruribeetxeberria}
@mondragon.edu
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
References I
Rafael Ramos Regis Barb...
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
References II
Robert Layton, Paul Wa...
Upcoming SlideShare
Loading in …5
×

Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

686 views

Published on

Slides of the presentation of the paper titled "Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting" in the IVAPP 2016 conference.

More information: http://iturbe.info/blog/2016/03/paper-visualizing-network-flows-and-related-anomalies-in-industrial-networks-using-chord-diagrams-and-whitelisting

Published in: Technology
  • Be the first to comment

Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

  1. 1. Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting M. Iturbe, I. Garitano, U. Zurutuza, R. Uribeetxeberria Electronics & Computing Department Faculty of Engineering Mondragon University IVAPP 2016, Rome, Italy
  2. 2. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Agenda 1. Introduction 2. System Description 3. Results 4. Conclusions 2
  3. 3. Introduction .
  4. 4. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Industrial Control Systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz 4
  5. 5. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Fieldbus Network Control Network Demilitarized Zone Corporate Network Internet PLC PLCPLC HMI Control Server Engineering Workstation HistorianData Server Field equipment Workstations Corporate Servers FieldDevicesFieldControllersSupervisoryDevices 5
  6. 6. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions ICS vs. IT Industrial Networks IT Networks Main Purpose Control of Physical equip- ment Data processing and trans- mission Failure Severity High Low Reliability Required High Moderate Determinism High Low Data Composition Small packets of periodic and aperiodic traffic Large, aperiodic packets Average Node Complexity Low (simple devices, sensors, actuators) High (large servers/file sys- tems/databases) 6
  7. 7. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Whitelisting Refers to the practice of registering the set of network flows that are allowed in a network, raising an alarm or disallowing connections that have not been explicitly allowed. 7
  8. 8. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Whitelisting • Recommended security measure by the industry. • Barbosa et al. [1] demostrated its efficiency to detect flow anomalies. 8
  9. 9. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Chord diagrams 9
  10. 10. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Chord diagrams • Conceived initially for genomics • Previous usage on security visualizations • ADS visual comparison [4] • Relationships between Phishing websites [3] • Relationships between IT subnets [2] 10
  11. 11. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Objectives • Gaps in related literature • No security visualizations for Industrial Networks • Previous works based on whitelisting only detect forbidden connections • Objectives • Provide situational awareness through flow visualizations • Design a visual flow anomaly detection system • Detect flow anomalies through temporal whitelists • Visually highlight detected anomalies 11
  12. 12. System Description .
  13. 13. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Overview Industrial Network Flow Collector Network Flows Tagged Flows Whitelists Chord Diagrams Flow packets Learning phase Flow data Detection phase Visualization phase Online Offline 13
  14. 14. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Learning Phase • Whitelists are formed with the detected network traffic. • Source/Destination IP, Server port, IP protocol and packet number • Whitelists of variable time length. 14
  15. 15. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Detection Phase • The system evaluates and tags incoming flows comparing them to the whitelists • Types of tags • Legitimate flow • Anomalous flow • Incorrect port • Incorrect protocol • Absent flow • Anomalous flow size • The system triggers an alarm if a non-legitimate flow is detected 15
  16. 16. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Visualization Phase • The system builds the diagrams based on the tagged flows: • A host → A section in the circumference • Each host type has a distinctive color group • A bidirectional flow → A chord • Chords inherit the color of the more active host in the communication • Highlights non-legitimate flows: • Missing flows, in black • The rest, in red 16
  17. 17. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Visualization Phase (a) Forbidden flow between PLC 1 and HMI 2. (b) Detail of the forbidden flow. 17
  18. 18. Results .
  19. 19. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Test network Switch 2 Switch 1 Gateway 19
  20. 20. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Tools • NetFlow v5 • Logstash • ElasticSearch • D3 20
  21. 21. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Denial of Service 21
  22. 22. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Network scan 22
  23. 23. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Downed host 23
  24. 24. Conclusions .
  25. 25. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Conclusions • We propose a visual monitoring system based on whitelists and chord diagrams for ICSs. • Collected flows in a time window are tagged and visualized. • Highlighting anomalous ones. 25
  26. 26. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Future work • Distinguish more anomalous flow types. • Research into re-creation of whitelists or its edition consequences. 26
  27. 27. Thank you. {miturbe,igaritano,uzurutuza,ruribeetxeberria} @mondragon.edu
  28. 28. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions References I Rafael Ramos Regis Barbosa, Ramin Sadre, and Aiko Pras. Flow Whitelisting in SCADA Networks. International Journal of Critical Infrastructure Protection, 6(3):150–158, 2013. Siming Chen, Cong Guo, Xiaoru Yuan, Fabian Merkle, Hanna Schaefer, and Thomas Ertl. OCEANS: online collaborative explorative analysis on network security. In Proceedings of the Eleventh Workshop on Visualization for Cyber Security, pages 1–8. ACM, 2014. 28
  29. 29. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions References II Robert Layton, Paul Watters, and Richard Dazeley. Unsupervised authorship analysis of phishing webpages. In Communications and Information Technologies (ISCIT), 2012 International Symposium on, pages 1104–1109. IEEE, 2012. Johan Mazel, Romain Fontugne, and Kensuke Fukuda. Visual comparison of network anomaly detectors with chord diagrams. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, pages 473–480. ACM, 2014. 29

×