SlideShare a Scribd company logo

Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

Slides of the presentation of the paper titled "Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting" in the IVAPP 2016 conference. More information: http://iturbe.info/blog/2016/03/paper-visualizing-network-flows-and-related-anomalies-in-industrial-networks-using-chord-diagrams-and-whitelisting

1 of 29
Download to read offline
Visualizing Network Flows and Related
Anomalies in Industrial Networks using
Chord Diagrams and Whitelisting
M. Iturbe, I. Garitano, U. Zurutuza, R. Uribeetxeberria
Electronics & Computing Department
Faculty of Engineering
Mondragon University
IVAPP 2016, Rome, Italy
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Agenda
1. Introduction
2. System Description
3. Results
4. Conclusions
2
Introduction
.
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Industrial Control Systems
CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz
4
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
Fieldbus Network
Control Network
Demilitarized Zone
Corporate Network
Internet
PLC PLCPLC
HMI
Control
Server Engineering
Workstation
HistorianData Server
Field equipment
Workstations
Corporate
Servers
FieldDevicesFieldControllersSupervisoryDevices
5
. . . . . . . .
Introduction
. . . .
System Description
. . . . .
Results Conclusions
ICS vs. IT
Industrial Networks IT Networks
Main Purpose
Control of Physical equip-
ment
Data processing and trans-
mission
Failure Severity High Low
Reliability Required High Moderate
Determinism High Low
Data Composition
Small packets of periodic and
aperiodic traffic
Large, aperiodic packets
Average Node Complexity
Low (simple devices, sensors,
actuators)
High (large servers/file sys-
tems/databases)
6

Recommended

Object oriented programming 13 input stream and devices in cpp
Object oriented programming 13 input stream and devices in cppObject oriented programming 13 input stream and devices in cpp
Object oriented programming 13 input stream and devices in cppVaibhav Khanna
 
Introduction To The IBM IoT Foundation
Introduction To The IBM IoT FoundationIntroduction To The IBM IoT Foundation
Introduction To The IBM IoT Foundationpetecrocker
 
Industrial Ethernet, Part 1: Technologies
Industrial Ethernet, Part 1: TechnologiesIndustrial Ethernet, Part 1: Technologies
Industrial Ethernet, Part 1: TechnologiesControlEng
 
AWS re:Invent 2016: NEW LAUNCH! Lambda Everywhere (IOT309)
AWS re:Invent 2016: NEW LAUNCH! Lambda Everywhere (IOT309)AWS re:Invent 2016: NEW LAUNCH! Lambda Everywhere (IOT309)
AWS re:Invent 2016: NEW LAUNCH! Lambda Everywhere (IOT309)Amazon Web Services
 
AWS re:Invent 2016: NEW LAUNCH! Introducing AWS Greengrass (IOT201)
AWS re:Invent 2016: NEW LAUNCH! Introducing AWS Greengrass (IOT201)AWS re:Invent 2016: NEW LAUNCH! Introducing AWS Greengrass (IOT201)
AWS re:Invent 2016: NEW LAUNCH! Introducing AWS Greengrass (IOT201)Amazon Web Services
 
A Push-pull based Application Multicast Layer for P2P live video streaming.pdf
A Push-pull based Application Multicast Layer for P2P live video streaming.pdfA Push-pull based Application Multicast Layer for P2P live video streaming.pdf
A Push-pull based Application Multicast Layer for P2P live video streaming.pdfNuioKila
 

More Related Content

Similar to Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

ErichFicker_FinalDraft_28Mar16_Hardcopy
ErichFicker_FinalDraft_28Mar16_HardcopyErichFicker_FinalDraft_28Mar16_Hardcopy
ErichFicker_FinalDraft_28Mar16_HardcopyErich Ficker
 
Distributed Traffic management framework
Distributed Traffic management frameworkDistributed Traffic management framework
Distributed Traffic management frameworkSaurabh Nambiar
 
Notes On Lan Management Performance And Security Management
Notes On Lan Management Performance And Security ManagementNotes On Lan Management Performance And Security Management
Notes On Lan Management Performance And Security ManagementCarolina Cardona
 
Significance
SignificanceSignificance
SignificanceJulie May
 
Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7Hamza Lazaar
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paperVincenzo Iozzo
 
Crash course on data streaming (with examples using Apache Flink)
Crash course on data streaming (with examples using Apache Flink)Crash course on data streaming (with examples using Apache Flink)
Crash course on data streaming (with examples using Apache Flink)Vincenzo Gulisano
 
Report_Ruag-Espionage-Case
Report_Ruag-Espionage-CaseReport_Ruag-Espionage-Case
Report_Ruag-Espionage-CaseAlexander Rogan
 
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...TanuAgrawal27
 
Automatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault MappingAutomatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault MappingIRJET Journal
 
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdfcomparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdfteja61850
 
Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328
Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328
Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328Jörgen Gade
 
Pros And Disadvantages Of Routing
Pros And Disadvantages Of RoutingPros And Disadvantages Of Routing
Pros And Disadvantages Of RoutingSheri Toriz
 
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...IJCSIS Research Publications
 
Mixed Scanning and DFT Techniques for Arithmetic Core
Mixed Scanning and DFT Techniques for Arithmetic CoreMixed Scanning and DFT Techniques for Arithmetic Core
Mixed Scanning and DFT Techniques for Arithmetic CoreIJERA Editor
 

Similar to Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting (20)

ErichFicker_FinalDraft_28Mar16_Hardcopy
ErichFicker_FinalDraft_28Mar16_HardcopyErichFicker_FinalDraft_28Mar16_Hardcopy
ErichFicker_FinalDraft_28Mar16_Hardcopy
 
Distributed Traffic management framework
Distributed Traffic management frameworkDistributed Traffic management framework
Distributed Traffic management framework
 
978-3-659-82929-1
978-3-659-82929-1978-3-659-82929-1
978-3-659-82929-1
 
Notes On Lan Management Performance And Security Management
Notes On Lan Management Performance And Security ManagementNotes On Lan Management Performance And Security Management
Notes On Lan Management Performance And Security Management
 
Significance
SignificanceSignificance
Significance
 
Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
 
T401
T401T401
T401
 
Fulltext02
Fulltext02Fulltext02
Fulltext02
 
Crash course on data streaming (with examples using Apache Flink)
Crash course on data streaming (with examples using Apache Flink)Crash course on data streaming (with examples using Apache Flink)
Crash course on data streaming (with examples using Apache Flink)
 
Report_Ruag-Espionage-Case
Report_Ruag-Espionage-CaseReport_Ruag-Espionage-Case
Report_Ruag-Espionage-Case
 
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...
 
thesis_template
thesis_templatethesis_template
thesis_template
 
Automatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault MappingAutomatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault Mapping
 
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdfcomparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
 
Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328
Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328
Iic tsn testbed_char_mapping_of_converged_traffic_types_whitepaper_20180328
 
Pros And Disadvantages Of Routing
Pros And Disadvantages Of RoutingPros And Disadvantages Of Routing
Pros And Disadvantages Of Routing
 
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
 
thesis_SaurabhPanda
thesis_SaurabhPandathesis_SaurabhPanda
thesis_SaurabhPanda
 
Mixed Scanning and DFT Techniques for Arithmetic Core
Mixed Scanning and DFT Techniques for Arithmetic CoreMixed Scanning and DFT Techniques for Arithmetic Core
Mixed Scanning and DFT Techniques for Arithmetic Core
 

Recently uploaded

How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...DianaGray10
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfIsidro Navarro
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...shaiyuvasv
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsEvangelia Mitsopoulou
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, GoogleISPMAIndia
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxharimaxwell0712
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfDomotica daVinci
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...MarcovanHurne2
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaISPMAIndia
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, TripadvisorProduct School
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 

Recently uploaded (20)

How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdf
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applications
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptx
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdf
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 

Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

  • 1. Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting M. Iturbe, I. Garitano, U. Zurutuza, R. Uribeetxeberria Electronics & Computing Department Faculty of Engineering Mondragon University IVAPP 2016, Rome, Italy
  • 2. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Agenda 1. Introduction 2. System Description 3. Results 4. Conclusions 2
  • 4. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Industrial Control Systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz 4
  • 5. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Fieldbus Network Control Network Demilitarized Zone Corporate Network Internet PLC PLCPLC HMI Control Server Engineering Workstation HistorianData Server Field equipment Workstations Corporate Servers FieldDevicesFieldControllersSupervisoryDevices 5
  • 6. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions ICS vs. IT Industrial Networks IT Networks Main Purpose Control of Physical equip- ment Data processing and trans- mission Failure Severity High Low Reliability Required High Moderate Determinism High Low Data Composition Small packets of periodic and aperiodic traffic Large, aperiodic packets Average Node Complexity Low (simple devices, sensors, actuators) High (large servers/file sys- tems/databases) 6
  • 7. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Whitelisting Refers to the practice of registering the set of network flows that are allowed in a network, raising an alarm or disallowing connections that have not been explicitly allowed. 7
  • 8. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Whitelisting • Recommended security measure by the industry. • Barbosa et al. [1] demostrated its efficiency to detect flow anomalies. 8
  • 9. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Chord diagrams 9
  • 10. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Chord diagrams • Conceived initially for genomics • Previous usage on security visualizations • ADS visual comparison [4] • Relationships between Phishing websites [3] • Relationships between IT subnets [2] 10
  • 11. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Objectives • Gaps in related literature • No security visualizations for Industrial Networks • Previous works based on whitelisting only detect forbidden connections • Objectives • Provide situational awareness through flow visualizations • Design a visual flow anomaly detection system • Detect flow anomalies through temporal whitelists • Visually highlight detected anomalies 11
  • 13. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Overview Industrial Network Flow Collector Network Flows Tagged Flows Whitelists Chord Diagrams Flow packets Learning phase Flow data Detection phase Visualization phase Online Offline 13
  • 14. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Learning Phase • Whitelists are formed with the detected network traffic. • Source/Destination IP, Server port, IP protocol and packet number • Whitelists of variable time length. 14
  • 15. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Detection Phase • The system evaluates and tags incoming flows comparing them to the whitelists • Types of tags • Legitimate flow • Anomalous flow • Incorrect port • Incorrect protocol • Absent flow • Anomalous flow size • The system triggers an alarm if a non-legitimate flow is detected 15
  • 16. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Visualization Phase • The system builds the diagrams based on the tagged flows: • A host → A section in the circumference • Each host type has a distinctive color group • A bidirectional flow → A chord • Chords inherit the color of the more active host in the communication • Highlights non-legitimate flows: • Missing flows, in black • The rest, in red 16
  • 17. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Visualization Phase (a) Forbidden flow between PLC 1 and HMI 2. (b) Detail of the forbidden flow. 17
  • 19. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Test network Switch 2 Switch 1 Gateway 19
  • 20. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Tools • NetFlow v5 • Logstash • ElasticSearch • D3 20
  • 21. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Denial of Service 21
  • 22. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Network scan 22
  • 23. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Downed host 23
  • 25. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Conclusions • We propose a visual monitoring system based on whitelists and chord diagrams for ICSs. • Collected flows in a time window are tagged and visualized. • Highlighting anomalous ones. 25
  • 26. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions Future work • Distinguish more anomalous flow types. • Research into re-creation of whitelists or its edition consequences. 26
  • 28. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions References I Rafael Ramos Regis Barbosa, Ramin Sadre, and Aiko Pras. Flow Whitelisting in SCADA Networks. International Journal of Critical Infrastructure Protection, 6(3):150–158, 2013. Siming Chen, Cong Guo, Xiaoru Yuan, Fabian Merkle, Hanna Schaefer, and Thomas Ertl. OCEANS: online collaborative explorative analysis on network security. In Proceedings of the Eleventh Workshop on Visualization for Cyber Security, pages 1–8. ACM, 2014. 28
  • 29. . . . . . . . . Introduction . . . . System Description . . . . . Results Conclusions References II Robert Layton, Paul Watters, and Richard Dazeley. Unsupervised authorship analysis of phishing webpages. In Communications and Information Technologies (ISCIT), 2012 International Symposium on, pages 1104–1109. IEEE, 2012. Johan Mazel, Romain Fontugne, and Kensuke Fukuda. Visual comparison of network anomaly detectors with chord diagrams. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, pages 473–480. ACM, 2014. 29