Configuring
Communications Monitoring
TU/e Training – Advanced Technical Module Communication Monitoring 1
Prerequisites
 This module assumes the Advanced Technical Module on
communications monitoring [1] has already been studied.
 That module provides the theory behind this material.
 The same examples are used here to show how to configure policies.
 External preliminaries - prior knowledge:
 Wireshark/tshark basics; packet filter syntax [3]
 Basics of Python expressions and regular expressions [4]
● Message [2] features are expressed as Python expressions.
● Signatures use Python condition (boolean expression) syntax.
 Knowledge of the communication protocols used in your use case:
 A protocol is supported if a tshark/wireshark dissector is available for it [3]
● You need to know the relevant field names (again see [3])
 If a protocol is not natively supported, a dissector needs to be written [5]
● This is beyond the scope of this training material.
Configuring a
communications monitor
Configuring a monitor
Steps assumed to have been taken already:
 Determine the monitoring approach to be used:
 Choose the features of the network traffic to use in
learning, and build a list of signatures.
In this section we discuss the following steps:
 Implement the features and signatures
 These steps involve some basic Python coding and an
understanding of network packets and protocols.
 Learn a white-box model and association rules
 Tune the learned models as needed.
 Configure the monitor to use these
 create a main configuration file 'config.py'
We first quickly recall the bottle lab scenario from [1] so we can
use it to illustrate.
Bottle Filling Plant (BFP)
A smart manufacturing use case
 Remote controlled production facility.
 Fills bottles with two ingredients, mixes them & inspects result.
 Picture shows main components and communication links.
Components of the BFP
 Physical Process:
 Belt: moves the bottles from station to station, can be started and
stopped.
 Stations:
● each station has a sensor (1-4) to detect whether a bottle is present
● Filling stations: with valves that can be opened and closed to control the flow
of liquid
● Mixer: blends the liquids in the bottle, can be started and stopped.
● Quality check station: has sensor (5) to measure amount of liquid in the bottle
 Programmable Logic Controller (PLC)
 controls the 'actuators' (belt, valves, mixer) and reads the sensors.
 Uses the Modbus protocol to communicate.
 Remote Terminal Unit (RTU)
 provides an interface to connect to the PLC from the outside network.
 Master (at the factory headquarters)
 provides the remote Human machine interface (HMI)
BFP – Features
Implementing features
 All detection approaches are based on features.
 In the implementation a feature is specified by a
name and a Python expression:
 "name-of-the-feature" : "python-expression"
 The Python expression extracts the value of the
feature from the fields of the message.
 The monitor parses each message, extracting its fields.
 The result is a pyshark packet (see [2]) called: pkt
 Fields are accessed with the syntax (see [3]):
pkt.protocol.field , e.g.
● pkt.ip.src for the source IP address
● pkt.modbus for the entire Modbus layer
Implementing features
 Format: "name-of-the-feature" : "python-expression"
 The feature's python-expression builds values from packets
 It could simply use a field:
"timestamp" : "pkt.sniff_time"
 Could be a combination of fields (Modbus/TCP, so the ports live in the tcp layer):
"connection" : "(pkt.ip.src+':'+pkt.tcp.srcport,
pkt.ip.dst+':'+pkt.tcp.dstport)"
 It may need to search for the value in the packet:
"setpoint_1" : "re.search(r'Register 0 .*: (\d+)', pkt.modbus).group(1)"
● This example uses a regular expression search (see [4]); group(1) is the
captured register value, a string such as '30'.
Implementing complex features
 The feature's python-expression builds values from packets
 It may do some computation (field values arrive as strings, so convert first):
"bodylength" : "int(pkt.ip.len) - int(pkt.ip.hdr_len)"
 It may manually bin fields into a distinct set of values:
"packet_type" : "'short' if int(pkt.ip.len) < 50 else
'medium' if int(pkt.ip.len) < 250 else 'large'"
 It may explicitly turn fields into numbers (int or float):
"packet_length" : "int(pkt.ip.len)"
● The anomaly detector automatically bins numeric features, see the white-box
description below.
 It may use custom functions defined in the main configuration
file (see custom functions below).
"setpoint_1" : "config.get_Reg(pkt,0)",
Feature file
 Gather the features in a 'feature_file'
with the following structure:
{
"name-of-the-feature1" : "python-expression1",
"name-of-the-feature2" : "python-expression2",
...
"name-of-the-featureN" : "python-expressionN"
}
 Below we assume it is called features.json
Example feature file for BFP
{
"func_code" : "pkt.modbus.func_code",
"setpoint_1" : "re.search(r'Register 0 .*: (\d+)', pkt.modbus).group(1)",
"setpoint_2" : "re.search(r'Register 1 .*: (\d+)', pkt.modbus).group(1)",
"setpoint_mixer" : "re.search(r'Register 2 .*: (\d+)', pkt.modbus).group(1)",
"ultrasonic" : "re.search(r'Register 3 .*: (\d+)', pkt.modbus).group(1)",
"arm_command" : "re.search(r'Register 5 .*: (\d+)', pkt.modbus).group(1)",
"at_valve1" : "re.search(r'Register 7 .*: (\d+)', pkt.modbus).group(1)",
"at_valve2" : "re.search(r'Register 8 .*: (\d+)', pkt.modbus).group(1)",
"at_mixer" : "re.search(r'Register 9 .*: (\d+)', pkt.modbus).group(1)",
"at_quality_chk" : "re.search(r'Register 10 .*: (\d+)', pkt.modbus).group(1)",
"bottles_started" : "re.search(r'Register 11 .*: (\d+)', pkt.modbus).group(1)",
"bottles_done" : "re.search(r'Register 12 .*: (\d+)', pkt.modbus).group(1)",
"bottles_on_belt" : "re.search(r'Register 14 .*: (\d+)', pkt.modbus).group(1)",
"pre_valve1" : "re.search(r'Register 15 .*: (\d+)', pkt.modbus).group(1)",
"btw_valve1_valve2": "re.search(r'Register 16 .*: (\d+)', pkt.modbus).group(1)",
"btw_valve2_mixer" : "re.search(r'Register 17 .*: (\d+)', pkt.modbus).group(1)",
"btw_mixer_qc" : "re.search(r'Register 18 .*: (\d+)', pkt.modbus).group(1)"
}
 Each regular expression matches the dissector's line for one register, e.g. "Register 0 (UINT16): 30";
the space after the register number keeps 'Register 1 ' from matching 'Register 10'.
 On a packet without that register re.search returns None and .group(1) raises; if such packets
occur in your traffic, use a custom function that handles this case (see custom functions below).
Implementing signatures
 Recall that a signature comprises a condition and an alert identifier.
 The implementation uses the format:
"Python-boolean-expression" : "alert-id"
 To use a feature in the boolean expression use the syntax:
[[featurename]]
 The alert-id is a string; it should match the system model alert name.
 Signatures are gathered in a signature_file with the same structure as
the feature_file, e.g. (Modbus function code 5 is Write Single Coil; feature
values are strings unless the feature expression converts them, hence the quoted literal):
{
"'5' == [[func_code]]": "ALARM_WRITE_SINGLE_COIL"
}
 Below we assume it is called signatures.json
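To make the feature-file and signature-file formats of the previous slides concrete, the following added example (not the CITADEL monitor's own code) evaluates a features.json-style dictionary and a signatures.json-style dictionary against constructed packets. It assumes a pyshark-like packet object (pkt.ip.src, pkt.tcp.srcport, pkt.modbus carrying the dissector's field lines as text with modbus.func_code as an attribute), a config object standing in for the custom functions of config.py, and the alert id ALARM_SETPOINT_1_RANGE; the [[feature]] substitution is implemented as textual replacement with the value's repr(), which is an assumption about how the monitor does it.

```python
import re
import types


class ModbusText(str):
    """Constructed stand-in for pkt.modbus: the dissector's field lines as text
    (so re.search() works on it, as in the feature file) plus the
    modbus.func_code field as an attribute, the way pyshark exposes fields."""


def make_packet(src, sport, dst, dport, func_code, registers):
    """Build a constructed packet carrying only the pyshark-style attributes
    the expressions below use: pkt.ip.*, pkt.tcp.*, pkt.modbus, pkt.sniff_time."""
    lines = ["Function Code: %s" % func_code]
    lines += ["Register %d (UINT16): %d" % (i, v) for i, v in sorted(registers.items())]
    modbus = ModbusText("\n".join(lines))
    modbus.func_code = str(func_code)           # field values are strings, as in pyshark
    ip = types.SimpleNamespace(src=src, dst=dst, len=str(47 + 2 * len(registers)))
    tcp = types.SimpleNamespace(srcport=str(sport), dstport=str(dport))
    return types.SimpleNamespace(ip=ip, tcp=tcp, modbus=modbus, sniff_time=0.0)


class config:
    """Stands in for the custom-function part of config.py (assumed shape)."""

    @staticmethod
    def get_Reg(pkt, number):
        # None instead of an exception when this packet has no such register
        # (a read request, for instance, carries no register values).
        m = re.search(r"Register " + str(number) + r" .*: (\d+)", pkt.modbus)
        return m.group(1) if m else None


# features.json contents: feature name -> Python expression (strings, as in the file)
FEATURES = {
    "func_code": "pkt.modbus.func_code",
    "connection": "(pkt.ip.src + ':' + pkt.tcp.srcport, pkt.ip.dst + ':' + pkt.tcp.dstport)",
    "packet_type": "'short' if int(pkt.ip.len) < 50 else 'medium' if int(pkt.ip.len) < 250 else 'large'",
    "setpoint_1": "config.get_Reg(pkt, 0)",
    "setpoint_2": "config.get_Reg(pkt, 1)",
    "ultrasonic": r"re.search(r'Register 3 .*: (\d+)', pkt.modbus).group(1)",
}

# signatures.json contents: Python boolean expression -> alert id
SIGNATURES = {
    "'5' == [[func_code]]": "ALARM_WRITE_SINGLE_COIL",
    "int([[setpoint_1]] or 0) > 30": "ALARM_SETPOINT_1_RANGE",  # assumed alert id
}

_FEATURE_REF = re.compile(r"\[\[(\w+)\]\]")


def extract_features(pkt, features=FEATURES):
    """Evaluate every feature expression on one packet; a feature whose
    expression fails on this packet (field absent) becomes None."""
    ns = {"pkt": pkt, "re": re, "config": config}
    out = {}
    for name, expr in features.items():
        try:
            out[name] = eval(expr, ns)      # the feature file is trusted configuration
        except Exception:
            out[name] = None
    return out


def match_signatures(feats, signatures=SIGNATURES):
    """Substitute [[feature]] with the feature value's repr() and evaluate each condition."""
    alerts = []
    for cond, alert_id in signatures.items():
        expr = _FEATURE_REF.sub(lambda m: repr(feats.get(m.group(1))), cond)
        if eval(expr, {"re": re}):
            alerts.append(alert_id)
    return alerts


def sample_packets():
    """Constructed BFP traffic: a register read request, its response, and a Write Single Coil."""
    hmi, plc = "192.168.188.11", "192.168.188.2"
    return {
        "read_request": make_packet(hmi, 59542, plc, 502, 3, {}),
        "read_response": make_packet(plc, 502, hmi, 59542, 3, {0: 30, 1: 30, 2: 1, 3: 120, 14: 2}),
        "write_coil": make_packet(hmi, 59542, plc, 502, 5, {}),
    }


def run():
    """Alerts raised per sample packet."""
    return {name: match_signatures(extract_features(p)) for name, p in sample_packets().items()}


if __name__ == "__main__":
    for name, p in sample_packets().items():
        print(name, extract_features(p), match_signatures(extract_features(p)))
```

Because the expressions go through eval(), features.json and signatures.json are effectively code: give them the same file permissions and review as config.py, since anyone who can write them runs arbitrary Python inside the monitor. Catching the exception per feature keeps a single field-less packet (the read request, which has no registers) from stopping the monitor; the feature then simply takes the value None, which the signatures above tolerate.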
Learning a white-box model
 To learn a white-box model, a training set is needed
with recorded normal traffic.
 The training set should be representative: it should contain (almost)
all normal behaviour with respect to the features, and
(almost) only normal traffic.
● Missing normal traffic leads to false positives; tune the
model to eliminate these.
● Illegitimate traffic in the training set leads to false
negatives (the attack is learned as normal); use a non-zero threshold and/or inspect the model
to find and eliminate these.
 To train (both white-box and association rules):
main.py -f <features_file> -l <training_file>
 For numerical features (ints, floats) the learning automatically creates bins,
using Scott's rule to choose the bin width.
Tuning a white-box model
 The whitebox_file contains histograms, a textual representation of the white-box
model, and the intervals of the automatically created bins. Histogram format:
histograms=
{
"featurenameA" : {
'featurevalueA1' : likelihoodA1, ( a number in (0,1] )
'featurevalueA2' : likelihoodA2,
...
'featurevalueAN' : likelihoodAN
},
"featurenameB" : {
'featurevalueB1' : likelihoodB1,
'featurevalueB2' : likelihoodB2,
...
'featurevalueBM' : likelihoodBM
}
...
}
 Values can be added and removed, and likelihoods adjusted, as needed:
 Setting a value's likelihood above 1 (for example when a false positive is found) ensures it
is always seen as normal;
 removing it, or setting its likelihood below 0, ensures it is considered anomalous.
Example white-box model for BFP
histograms =
{
"connection": {
('192.168.188.11:59542', '192.168.188.2:502'): 0.5,
('192.168.188.2:502', '192.168.188.11:59542'): 0.5
},
"func_code" : {
'1' : 0.19327731092436976,
'16': 0.0016806722689075631,
'3' : 0.7983193277310925,
'5' : 0.0033613445378151263,
'6' : 0.0033613445378151263
},
"setpoint_1": {
'0': 0.07692307692307693,
'30': 0.9230769230769231
},
"setpoint_2": {
'0': 0.07692307692307693,
'30': 0.9230769230769231
}
...
}
Connection takes the value ('192.168.188.11:59542', '192.168.188.2:502') in half the packets and ('192.168.188.2:502',
'192.168.188.11:59542') in the other half;
both setpoint_1 and setpoint_2 take the value '0' in ~7.7% of the packets and '30' in the other ~92.3%.
Binning
 The second part of whitebox_file (if present it must be separated from
the first part with an empty line) captures the automatically created bins
(intervals).
intervals =
{
"num_feature": {
[a,b],
[b,c],
...
}
...
}
 Here a is part of the first but b is part of the second bin (interval), so the
first bin runs from a up to, not including, b.
 Note that the intervals must match the histogram; the histogram of
num_feature will have feature values "[a,b]", "[b,c]" etc.
Thresholds
 The white-box model captures how likely certain feature
values are.
 The likelihood of an observed value is compared with a
threshold; below the threshold the value is anomalous.
 A default threshold can be set in the main configuration.
 It is also possible to set a threshold per feature, together with a
feature-specific alert id.
 These are set in thresholds_file. Below we assume it is thresholds.json.
 Any feature not mentioned uses the default threshold and the alarm
"ALARM_UNKNOWN"
 Example:
{
"connection": [0.01, "ALARM_CONNECTION"],
"func_code" : [0.02, "ALARM_FUNC_CODE"],
"setpoint_1": [0.05, "ALARM_SETPOINT_1"],
"setpoint_2": [0.05, "ALARM_SETPOINT_2"]
}
Configuring a sliding window
 The white-box detector can use a sliding window approach.
To this end the detector has two parameters (set in the
main config file):
 sliding_window_seconds: The size W of the window in
seconds
 sliding_window_alerts: The number N of anomalous
messages that must be encountered
 As soon as N packets that are anomalous for a specific
feature have been seen within the last W seconds the
alarm for that feature is raised (and the count is reset).
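The learning, tuning, threshold and sliding-window slides above describe one pipeline. The following added example (not the monitor's own code) runs it end to end on constructed feature records: histograms with Scott's-rule bins for the one numeric feature, a thresholds.json-style table with the ALARM_UNKNOWN default, likelihood edits above 1 and below 0, and the W-seconds / N-alerts window. The record layout, the training data, the packet time stamps and the helper names are all constructed for the example.

```python
import math
from collections import Counter, defaultdict, deque


def scott_bins(values):
    """Equal-width bins over [min, max] with width 3.49 * sigma * n**(-1/3) (Scott's rule)."""
    n = len(values)
    lo, hi = min(values), max(values)
    mean = sum(values) / n
    sigma = math.sqrt(sum((v - mean) ** 2 for v in values) / n)
    if n < 2 or sigma == 0:
        return [[float(lo), lo + 1.0]]
    width = 3.49 * sigma * n ** (-1.0 / 3.0)
    edges = [float(lo)]
    while edges[-1] <= hi:
        edges.append(edges[-1] + width)
    return [[edges[i], edges[i + 1]] for i in range(len(edges) - 1)]


def bin_of(value, intervals):
    """Histogram key "[a,b]" of the bin holding value (a inclusive, b exclusive); None if outside all bins."""
    for a, b in intervals:
        if a <= value < b:
            return "[%g,%g]" % (a, b)
    return None


def learn_whitebox(records):
    """Histograms of relative frequencies per feature, plus bin intervals for numeric features."""
    histograms, intervals = {}, {}
    for name in sorted(set().union(*records)):
        vals = [r[name] for r in records if r.get(name) is not None]
        if vals and all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in vals):
            intervals[name] = scott_bins(vals)
            vals = [bin_of(v, intervals[name]) for v in vals]
        histograms[name] = {k: c / len(vals) for k, c in Counter(vals).items()}
    return histograms, intervals


class WhiteboxDetector:
    def __init__(self, histograms, intervals, thresholds, default_threshold=0.05,
                 sliding_window_seconds=300, sliding_window_alerts=3):
        self.histograms, self.intervals, self.thresholds = histograms, intervals, thresholds
        self.default_threshold = default_threshold
        self.W, self.N = sliding_window_seconds, sliding_window_alerts
        self.hits = defaultdict(deque)          # feature -> times of recent anomalous packets

    def likelihood(self, name, value):
        if name in self.intervals:
            value = bin_of(value, self.intervals[name])
        return self.histograms[name].get(value, 0.0)   # never-seen value (or bin): likelihood 0

    def check(self, feats, t):
        """Alert ids raised by the packet with features feats observed at time t (seconds)."""
        alerts = []
        for name, value in feats.items():
            if name not in self.histograms:
                continue
            thr, alert = self.thresholds.get(name, (self.default_threshold, "ALARM_UNKNOWN"))
            if self.likelihood(name, value) >= thr:
                continue
            q = self.hits[name]
            q.append(t)
            while q[0] < t - self.W:            # drop anomalies older than the window
                q.popleft()
            if len(q) >= self.N:                # N anomalies within W seconds: alarm, reset count
                alerts.append(alert)
                q.clear()
        return alerts


def training_records():
    """Constructed normal BFP traffic: 120 feature records (the output of the feature step)."""
    recs = []
    for i in range(120):
        fc = "3" if i % 5 else "1"              # mostly Read Holding Registers, some Read Coils
        recs.append({"func_code": fc, "setpoint_1": "0" if i < 10 else "30",
                     "packet_length": 52 if fc == "3" else 47})
    return recs


THRESHOLDS = {                                  # thresholds.json; packet_length uses the default
    "func_code": [0.02, "ALARM_FUNC_CODE"],
    "setpoint_1": [0.05, "ALARM_SETPOINT_1"],
}


def run_scenario():
    histograms, intervals = learn_whitebox(training_records())
    det = WhiteboxDetector(histograms, intervals, THRESHOLDS, 0.05, 300, 3)
    out = []
    unseen_fc = {"func_code": "16", "setpoint_1": "30", "packet_length": 52}
    for t in (0.0, 100.0, 200.0):                # third anomaly inside 300 s raises the alarm
        out.append(det.check(unseen_fc, t))
    out.append(det.check({"func_code": "3", "setpoint_1": "30", "packet_length": 300}, 250.0))  # 1 of 3
    # Tuning the model: likelihood above 1 whitelists a value, below 0 blacklists it
    histograms["func_code"]["16"] = 1.5
    histograms["setpoint_1"]["0"] = -1.0
    out.append(det.check(unseen_fc, 300.0))
    for t in (400.0, 401.0, 402.0):
        out.append(det.check({"func_code": "3", "setpoint_1": "0", "packet_length": 52}, t))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The unseen packet length (300 bytes falls outside every learned bin) counts as one anomaly but does not alarm on its own, which is the point of the window: a single odd packet is tolerated, a burst of N within W seconds is not. Note that the threshold comparison happens against the likelihood after tuning, so a whitelisted value never contributes to the window count.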
Learning Association Rules
 The same learning command also learns association rules:
main.py -f <features_file> -l <training_file>
 Two parameters (set in the main configuration file) are
used in the learning of association rules:
 confidence : In what portion of the situations does the
rule hold
 support: How often (actual count) does the situation
occur.
 For example, to look for rules that are never
contradicted and apply at least 10 times we can use:
confidence = 1.0
support = 10
Tuning Association Rules
 Inspecting the association_rules file shows that each rule comprises:
 antecedents: a tuple (feature1_value1,...,featureN_valueN) that identifies when the rule applies
 a triple that captures the conclusion of the rule: (
● conclusions : (featureN+1_valueN+1,...,featureM_valueM),
● confidence: (a floating point number from 0 to 1),
● an alarm id: (a string) )
{
('bottles_started_0',):(('bottles_done_0', 'bottles_on_belt_0'),
1.0, 'ALARM_BOTTLE'),
...
}
 The above rule states: if bottles_started has value 0 then so do bottles_done and
bottles_on_belt, in all cases. On violation raise the alarm 'ALARM_BOTTLE'.
(Note the trailing comma in ('bottles_started_0',): a one-element antecedent is still a tuple.)
 Rules can be removed, altered (e.g. given a tailored alert id) or added. Rules obtained with
other learning approaches (see for example Bayesian Network learning [D3.3]) can also be added here.
 Rules with confidence lower than 1.0: to evaluate such rules, the association rules detector uses a
sliding window (based on number of occurrences, not on time as for the white-
box model). It counts the cases in which the association does not hold and raises
an alert when that number exceeds the number expected from the rule's confidence.
 If this behaviour gives (too many) false positives, lower the rule's confidence to create a margin.
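As an added example (not the monitor's own implementation) of the support/confidence learning and the occurrence-based window described on the two slides above: single-antecedent rule mining over constructed BFP feature snapshots, rules stored in the (antecedents) -> (conclusions, confidence, alarm) shape the rules file uses, and a detector that counts violations over the last window_max_size applicable records and alerts when they exceed the number the rule's confidence predicts. The snapshots, the alarm id ALARM_BOTTLE and the exact mining algorithm (single antecedent, conclusions grouped per antecedent) are assumptions made for the example.

```python
from collections import Counter, deque
from itertools import combinations


def _items(rec):
    """(feature, value) items of one record; None values carry no information."""
    return sorted((k, str(v)) for k, v in rec.items() if v is not None)


def _name(item):
    return "%s_%s" % item          # the 'feature_value' form used in the rules file


def learn_rules(records, support, confidence, alarm="ALARM_RULE"):
    """Single-antecedent rules. For every item A seen at least `support` times,
    each item B of another feature that co-occurs with A in at least `confidence`
    of A's occurrences becomes a conclusion; the stored confidence is the rate at
    which all of A's conclusions hold together."""
    single, pair = Counter(), Counter()
    item_sets = [_items(r) for r in records]
    for its in item_sets:
        single.update(its)
        pair.update(combinations(its, 2))      # its is sorted, so pair keys are canonical
    rules = {}
    for a, n_a in single.items():
        if n_a < support:
            continue
        concl = [b for b in single if b[0] != a[0]
                 and pair[tuple(sorted((a, b)))] / n_a >= confidence]
        if not concl:
            continue
        joint = sum(1 for its in item_sets if a in its and all(b in its for b in concl))
        rules[(_name(a),)] = (tuple(_name(b) for b in sorted(concl)), joint / n_a, alarm)
    return rules


class RuleDetector:
    def __init__(self, rules, window_max_size=100):
        self.rules = rules
        self.windows = {ant: deque(maxlen=window_max_size) for ant in rules}  # 1 = violated, 0 = held

    def check(self, rec):
        """Alert ids raised by one feature record."""
        present = {_name(i) for i in _items(rec)}
        alerts = []
        for ant, (concl, conf, alarm) in self.rules.items():
            if not all(a in present for a in ant):
                continue                                   # rule does not apply to this record
            violated = not all(c in present for c in concl)
            if conf >= 1.0:                                # never-contradicted rule: any violation alerts
                if violated:
                    alerts.append(alarm)
                continue
            w = self.windows[ant]
            w.append(1 if violated else 0)
            # violations expected among the last len(w) applicable records at the learned confidence
            if sum(w) > (1.0 - conf) * len(w):
                alerts.append(alarm)
                w.clear()
        return alerts


def training_snapshots():
    """Constructed BFP snapshots: an idle plant, and a running plant where
    bottles_done lags bottles_started in 3 of 20 snapshots."""
    idle = [{"bottles_started": 0, "bottles_done": 0, "bottles_on_belt": 0}] * 12
    running = [{"bottles_started": 5, "bottles_done": 5, "bottles_on_belt": 1}] * 17
    running += [{"bottles_started": 5, "bottles_done": 4, "bottles_on_belt": 1}] * 3
    return idle + running


def run_demo():
    strict = learn_rules(training_snapshots(), support=10, confidence=1.0, alarm="ALARM_BOTTLE")
    strict_alerts = RuleDetector(strict).check(
        {"bottles_started": 0, "bottles_done": 0, "bottles_on_belt": 3})
    loose = learn_rules(training_snapshots(), support=10, confidence=0.8, alarm="ALARM_BOTTLE")
    det = RuleDetector(loose, window_max_size=100)
    seq = [{"bottles_started": 5, "bottles_done": 5, "bottles_on_belt": 1}] * 9
    seq += [{"bottles_started": 5, "bottles_done": 4, "bottles_on_belt": 1}] * 2
    window_alerts = [det.check(r) for r in seq]         # alarm only on the second violation
    return strict, strict_alerts, loose, window_alerts


if __name__ == "__main__":
    strict, strict_alerts, loose, window_alerts = run_demo()
    for ant, rule in loose.items():
        print(ant, rule)
    print(strict_alerts, window_alerts)
```

Early in a window the expected number of violations is small, so one violation can already exceed it; lowering a rule's confidence in the rules file widens that margin, which is the tuning the slide above describes.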
Putting it all together
 A main configuration file config.py is used
 to select the detectors to use
 to set parameters and files for these detectors
 to add any code needed
● e.g. custom functions for use in the Python expressions
 Set the required feature file with:
features_file = "features.json"
 To select detectors edit the following lines:
whitebox_detector = True
association_rules_detector = True
signatures_detector = True
Putting it all together (config.py)
 Set detector parameters for white-box by editing:
whitebox_file = "whitebox.json"
thresholds_file = "thresholds.json"
default_threshold = 0.05
sliding_window_seconds = 300
sliding_window_alerts = 3
 for the association rules detector edit the lines:
association_rules_file = "association_rules.json"
support = 2
confidence = 0.9
window_max_size = 100
 for signature detector only the file can be set:
signatures_file = "signatures.json"
Custom functions (config.py)
 We can add custom functions to config.py, e.g.:
import re

def get_Reg(pkt, number):
    m = re.search(r'Register ' + str(number) + r' .*: (\d+)', pkt.modbus)
    return m.group(1) if m else None   # None when the register is not in this packet
 we can then use that function e.g. in the feature file:
...
"setpoint_1" : "config.get_Reg(pkt,0)",
"setpoint_2" : "config.get_Reg(pkt,1)",
...
Related reading
[1] Advanced Technical Module Communications Monitoring, CITADEL D6.6 Training Materials
for Electronic Delivery
[2] Pyshark packet, github.com/KimiNewt/pyshark/blob/master/src/pyshark/packet/packet.py
[3] Wireshark display filter reference, www.wireshark.org/docs/dfref/
[4] Python regular expressions, docs.python.org/2/library/re.html
[5] Wireshark documentation, adding a protocol dissector:
www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086anil_gaur
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityMorshed Ahmed Rahath
 

Recently uploaded (20)

AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
Computer Networks Basics of Network Devices
Computer Networks  Basics of Network DevicesComputer Networks  Basics of Network Devices
Computer Networks Basics of Network Devices
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planes
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 

Configuring monitoring

  • 1. Configuring Communications Monitoring TU/e Training – Advanced Technical Module Communication Monitoring 1
  • 2. Prerequisites  This modules assumes the Advance Technical Module on communications monitoring [1] has already been studied.  That module provides the theory behind this material.  Uses same examples to show how to configure policies.  External preliminaries - prior knowledge:  Wireshark/tshark basics; packet filter syntax [3]  Basics of Python expressions and regular expressions [4] ● Message [2] features are expressed in terms of Python expressions. ● Signatures use python conditions syntax.  Knowledge of communication protocols used in your use case:  Protocols are supported if tshark/wireshark dissector is available [3] ● Need to know relevant field names (again see [3])  If not natively supported, a protocol dissector needs to be written [5] ● This is beyond the scope of this training material. TU/e Training – Advanced Technical Module Communication Monitoring 2
  • 3. Configuring a communications monitor TU/e Training – Advanced Technical Module Communication Monitoring 3
  • 4. Steps assumed to have been taken already:  Determine the monitoring approach to be used:  Choose features of the network traffic, which to use in learning and build a list of signatures. In this section we discus the following steps:  Implement the features and signature  These steps involve some basic python coding and understanding of network packets and protocols.  Learning a white-box model and association rules  Tune the learned models as needed.  Configure the monitor to use these  create a main configuration file `config.py’ We first quickly recall the bottle lab scenario from [1] so we can use it to illustrate. Configuring a monitor TU/e Training – Advanced Technical Module Communication Monitoring 4
5. Bottle Filling Plant (BFP)
A smart manufacturing use case
 Remote controlled production facility.
 Fills bottles with two ingredients, mixes them & inspects result.
 Picture shows main components and communication links.
6. Components of the BFP
 Physical Process:
  Belt: moves the bottles from station to station, can be started and stopped.
  Stations:
   ● each station has a sensor (1-4) to detect whether a bottle is present
   ● Filling stations: with valves that can be opened and closed to control the flow of liquid
   ● Mixer: blends the liquids in the bottle, can be started and stopped.
   ● Quality check station: has sensor (5) to measure the amount of liquid in the bottle
 Programmable Logic Controller (PLC)
  controls 'actuators' (belt, valves, mixer) and sensors.
  Uses the Modbus protocol to communicate.
 Remote Terminal Unit (RTU)
  provides an interface to connect to the PLC from the outside network.
 Master (at the factory headquarters)
  provides the remote Human Machine Interface (HMI)
7. BFP – Features (figure)
8. Implementing features
 All detection approaches are based on features.
 In the implementation a feature is specified by a name and a Python expression:
  "name-of-the-feature" : "python-expression"
 The Python expression extracts the value of the feature from the fields of the message.
 The monitor parses messages, extracting fields:
  Results in a pyshark.packet (see [2]) called pkt
  Fields are accessed with the syntax (see [3]) pkt.protocol.field, e.g.
   ● pkt.ip.src for the source IP address
   ● pkt.modbus for the entire Modbus layer
  Field values arrive as strings; convert with int()/float() before doing arithmetic or comparisons on them.
  The regular-expression features below search the dissector's printed Modbus layer; if your pyshark version hands you a Layer object rather than text, wrap it as str(pkt.modbus).
9. Implementing features
 Format: "name-of-the-feature" : "python-expression"
 The feature's Python expression builds values from packets:
  It could simply use a field:
   "timestamp" : "pkt.sniff_time"
  Could be a combination of fields (the port fields live in the transport layer, so pkt.tcp.srcport, not pkt.srcport):
   "connection" : "(pkt.ip.src+':'+pkt.tcp.srcport, pkt.ip.dst+':'+pkt.tcp.dstport)"
  It may need to search for the value in the packet:
   "re.search(r'Register 0 .*: (\d+)', str(pkt.modbus)).group(1)"
   ● This example uses regular expression search (see [4]); .group(1) yields the captured number, whereas re.search alone yields a match object.
10. Implementing complex features
 The feature's Python expression builds values from packets:
  It may do some computation (the Wireshark fields are ip.len and ip.hdr_len, and they are strings until converted):
   "bodylength" : "int(pkt.ip.len) - int(pkt.ip.hdr_len)"
  It may manually bin fields into a distinct set of values:
   "packet_type" : "'short' if int(pkt.ip.len) < 50 else 'medium' if int(pkt.ip.len) < 250 else 'large'"
  It may explicitly turn fields into numbers (int or float):
   "packet_length" : "int(pkt.ip.len)"
   ● The anomaly detector bins numbers automatically, see the white-box description below.
  It may use custom functions defined in the main configuration file (see custom functions below):
   "setpoint_1" : "config.get_Reg(pkt,0)"
11. Feature file
 Gather the features in a feature_file with the following structure:
  {
   "name-of-the-feature1" : "python-expression1",
   "name-of-the-feature2" : "python-expression2",
   ...
   "name-of-the-featureN" : "python-expressionN"
  }
 Below we assume it is called features.json
12. Example feature file for BFP
 {
  "func_code"         : "pkt.modbus.func_code",
  "setpoint_1"        : "re.search(r'Register 0 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "setpoint_2"        : "re.search(r'Register 1 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "setpoint_mixer"    : "re.search(r'Register 2 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "ultrasonic"        : "re.search(r'Register 3 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "arm_command"       : "re.search(r'Register 5 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "at_valve1"         : "re.search(r'Register 7 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "at_valve2"         : "re.search(r'Register 8 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "at_mixer"          : "re.search(r'Register 9 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "at_quality_chk"    : "re.search(r'Register 10 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "bottles_started"   : "re.search(r'Register 11 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "bottles_done"      : "re.search(r'Register 12 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "bottles_on_belt"   : "re.search(r'Register 14 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "pre_valve1"        : "re.search(r'Register 15 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "btw_valve1_valve2" : "re.search(r'Register 16 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "btw_valve2_mixer"  : "re.search(r'Register 17 .*: (\\d+)', str(pkt.modbus)).group(1)",
  "btw_mixer_qc"      : "re.search(r'Register 18 .*: (\\d+)', str(pkt.modbus)).group(1)"
 }
 Three corrections to the slide as printed: the backslash of \d had been lost (and inside a JSON string it must be doubled, \\d, or json.load rejects the file); .group(1) returns the register value rather than the match object (the white-box example on slide 16 shows setpoint values '0' and '30'); and str() makes sure the regular expression searches the printed Modbus layer. The trailing space in 'Register 1 ' keeps that pattern from also matching 'Register 10'.
13. Implementing signatures
 Recall that a signature comprises a condition and an alert identifier.
 The implementation uses the format:
  "Python-boolean-expression" : "alert-id"
 To use a feature in the boolean expression use the syntax: [[featurename]]
 The alert-id is a string; it should match the system model alert name.
 Signatures are gathered in a signature_file with the same structure as the feature_file, e.g.
  { "'5' == [[func_code]]" : "ALARM_WRITE_SINGLE_COIL" }
  ● Modbus function code 5 is Write Single Coil (code 1 is Read Coils, the bulk of normal polling on slide 16), and func_code is a string, hence the quoted '5'.
 Below we assume it is called signatures.json
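The following is an added example (editor's code, not part of the training material or of the monitor it describes) that runs feature expressions in the format of slides 8-12 and signature conditions in the format of slide 13 against constructed packets. A small Packet/Layer mock stands in for pyshark; its str() reproduces Wireshark's "Register N (UINT16): value" lines so the regular-expression features and the get_Reg custom function of slide 24 work unchanged. The restricted eval namespace, the [[feature]] substitution and the alert name ALARM_SETPOINT_RANGE are this example's own choices, as is the packet content.

```python
import re
from types import SimpleNamespace


class Layer:
    """Constructed stand-in for a pyshark layer: fields are attributes (pkt.ip.src)
    and str(layer) gives the dissector's printed field lines."""
    def __init__(self, **fields):
        self.__dict__.update(fields)

    def __str__(self):
        return "\n".join(f"\t{k}: {v}" for k, v in self.__dict__.items())


class ModbusLayer(Layer):
    """Modbus layer whose printed form mimics Wireshark's 'Register N (UINT16): v' lines."""
    def __init__(self, func_code, registers):
        super().__init__(func_code=str(func_code))
        self.registers = dict(registers)

    def __str__(self):
        lines = [f"\tFunction Code: {self.func_code}"]
        lines += [f"\tRegister {n} (UINT16): {v}" for n, v in self.registers.items()]
        return "\n".join(lines)


class Packet:
    """pkt.<layer> access like pyshark; a missing layer raises AttributeError."""
    def __init__(self, **layers):
        self.__dict__.update(layers)


def get_Reg(pkt, number):
    """Custom function of slide 24, with the missing colon, return and str() supplied."""
    m = re.search(r'Register ' + str(number) + r' .*: (\d+)', str(pkt.modbus))
    return m.group(1) if m else None


config = SimpleNamespace(get_Reg=get_Reg)   # stands in for the imported config.py module

# Feature and signature files as dicts (constructed; same format as features.json / signatures.json).
FEATURES = {
    "connection":  "(pkt.ip.src+':'+pkt.tcp.srcport, pkt.ip.dst+':'+pkt.tcp.dstport)",
    "func_code":   "pkt.modbus.func_code",
    "setpoint_1":  "config.get_Reg(pkt, 0)",
    "packet_type": "'short' if int(pkt.ip.len) < 50 else 'medium' if int(pkt.ip.len) < 250 else 'large'",
}
SIGNATURES = {
    "'5' == [[func_code]]":                                  "ALARM_WRITE_SINGLE_COIL",
    "[[setpoint_1]] is not None and int([[setpoint_1]]) > 100": "ALARM_SETPOINT_RANGE",
}

# The files are executable code: eval() runs whatever they contain, so they need the
# same write protection as config.py. Builtins are limited to the few conversions a
# feature needs (an example choice, not a sandbox).
_SAFE_BUILTINS = {"int": int, "float": float, "str": str, "len": len, "abs": abs}
_FEAT_REF = re.compile(r"\[\[(\w+)\]\]")


def extract_features(pkt, features):
    """Evaluate every feature expression against one packet; undefined -> None."""
    env = {"__builtins__": _SAFE_BUILTINS, "pkt": pkt, "re": re, "config": config}
    values = {}
    for name, expr in features.items():
        try:
            values[name] = eval(expr, env)
        except Exception:          # layer/field absent, regex did not match, ...
            values[name] = None
    return values


def match_signatures(values, signatures):
    """Replace [[name]] by a lookup in the feature values and evaluate each condition."""
    alerts = []
    for condition, alert_id in signatures.items():
        expr = _FEAT_REF.sub(lambda m: f"values[{m.group(1)!r}]", condition)
        try:
            hit = bool(eval(expr, {"__builtins__": _SAFE_BUILTINS, "values": values}))
        except Exception:          # an undefined feature never fires a signature
            hit = False
        if hit:
            alerts.append(alert_id)
    return alerts


def sample_packets():
    """Constructed packets on the BFP Master -> PLC connection (not captured traffic)."""
    ip = Layer(src="192.168.188.11", dst="192.168.188.2", len="66")
    tcp = Layer(srcport="59542", dstport="502")
    return {
        "read_regs":    Packet(ip=ip, tcp=tcp, modbus=ModbusLayer(3, {0: 30, 1: 30, 2: 1})),
        "write_coil":   Packet(ip=ip, tcp=tcp, modbus=ModbusLayer(5, {})),
        "bad_setpoint": Packet(ip=ip, tcp=tcp, modbus=ModbusLayer(16, {0: 250})),
        "no_modbus":    Packet(ip=ip, tcp=tcp),
    }


if __name__ == "__main__":
    for label, pkt in sample_packets().items():
        values = extract_features(pkt, FEATURES)
        print(label, values, match_signatures(values, SIGNATURES))
```

The "no_modbus" packet shows the failure mode worth checking in any feature file: every Modbus feature becomes None and the signatures stay silent rather than raising, so a non-Modbus packet on the link does not crash the monitor but also is not flagged by the signature detector alone.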
14. Learning a white-box model
 To learn a white-box model, a training set is needed with recorded normal traffic.
 The training set should be representative: contain (almost) all normal behaviour with respect to the features, and (almost) only normal traffic.
  ● Missing normal traffic may lead to false positives; tune the model to eliminate these.
  ● Illegitimate traffic in the training set could lead to false negatives; use a non-zero threshold and/or inspect the model to find and eliminate these.
 To train (both white-box and association rules):
  main.py -f <features_file> -l <training_file>
 For numerical features (ints, floats) the learning automatically creates bins, using Scott's rule to choose the bin sizes.
15. Tuning a white-box model
 The whitebox_file contains histograms, a textual representation of a white-box model, and intervals for automatically created bins. Histogram format:
  histograms = {
   "featurenameA" : { 'featurevalueA1' : likelihoodA1,   ( a number in (0,1] )
                      'featurevalueA2' : likelihoodA2,
                      ...
                      'featurevalueAN' : likelihoodAN },
   "featurenameB" : { 'featurevalueB1' : likelihoodB1,
                      'featurevalueB2' : likelihoodB2,
                      ...
                      'featurevalueBM' : likelihoodBM }
   ...
  }
 Values can be added and removed, and likelihoods adjusted, as needed.
 Setting a value's likelihood above 1 (for example when finding a false positive) ensures it is always seen as normal;
 removing it or setting its likelihood below 0 ensures it is considered anomalous.
 Note that the file is written in Python dict syntax (the tuple keys of the connection feature on the next slide are not valid JSON), so edit it as Python.
16. Example white-box model for BFP
 histograms = {
  "connection": { ('192.168.188.11:59542', '192.168.188.2:502'): 0.5,
                  ('192.168.188.2:502', '192.168.188.11:59542'): 0.5 },
  "func_code" : { '1' : 0.19327731092436976,
                  '16': 0.0016806722689075631,
                  '3' : 0.7983193277310925,
                  '5' : 0.0033613445378151263,
                  '6' : 0.0033613445378151263 },
  "setpoint_1": { '0': 0.07692307692307693, '30': 0.9230769230769231 },
  "setpoint_2": { '0': 0.07692307692307693, '30': 0.9230769230769231 }
  ...
 }
 connection takes the value ('192.168.188.11:59542', '192.168.188.2:502') in half the packets and ('192.168.188.2:502', '192.168.188.11:59542') in the other half;
 both setpoint_1 and setpoint_2 take the value '0' in ~7.7% of the packets and '30' in the other ~92.3%.
17. Binning
 The second part of whitebox_file (if present, it must be separated from the first part by an empty line) captures the automatically created bins (intervals):
  intervals = {
   "num_feature": [ [a,b], [b,c], ... ]
   ...
  }
 Here a is part of the first bin but b is part of the second bin (interval), so the first bin runs from a up to, but not including, b.
 Note that the intervals must match the histogram: the histogram of num_feature has feature values "[a,b]", "[b,c]", etc.
18. Thresholds
 The white-box model captures how likely certain feature values are.
 The likelihood of an observed value is compared with a threshold.
 A default threshold can be set in the main configuration.
 It is also possible to set a threshold per feature, together with feature-specific alert ids:
  Set in thresholds_file. Below we assume it is thresholds.json.
  Any feature not mentioned uses the default threshold and the alarm "ALARM_UNKNOWN".
 Example:
  {
   "connection": [0.01, "ALARM_CONNECTION"],
   "func_code" : [0.02, "ALARM_FUNC_CODE"],
   "setpoint_1": [0.05, "ALARM_SETPOINT_1"],
   "setpoint_2": [0.05, "ALARM_SETPOINT_2"]
  }
19. Configuring a sliding window
 The white-box detector can use a sliding window approach. To this end the detector has two parameters (set in the main config file):
  sliding_window_seconds: the size W of the window in seconds
  sliding_window_alerts: the number N of anomalous messages that must be encountered
 As soon as N packets that are anomalous for a specific feature have been seen within the last W seconds, the alarm for that feature is raised (and the count is reset).
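The following is an added example (editor's code, not the monitor's own main.py) that carries slides 14 through 19 through end to end: it learns histograms from constructed training records, bins numeric features with Scott's rule into the half-open [a,b) intervals of slide 17, applies the per-feature thresholds and ALARM_UNKNOWN default of slide 18, and raises an alarm only after sliding_window_alerts anomalies within sliding_window_seconds. The training records, the population standard deviation used for Scott's rule, and treating a value absent from the histogram as anomalous regardless of threshold are this example's assumptions.

```python
import math
from collections import Counter, defaultdict, deque


def scott_bin_width(values):
    """Scott's rule: h = 3.49 * sigma * n^(-1/3) (population sigma; 0 if all values equal)."""
    n = len(values)
    mean = sum(values) / n
    sigma = math.sqrt(sum((v - mean) ** 2 for v in values) / n)
    return 3.49 * sigma / n ** (1 / 3)


def make_intervals(values):
    """Half-open bins [a,b) from min(values) upward; the last bin always contains max(values)."""
    lo, hi = min(values), max(values)
    h = scott_bin_width(values)
    if h == 0:
        return [[lo, lo + 1]]
    edges = [lo]
    while edges[-1] <= hi:
        edges.append(edges[-1] + h)
    return [[edges[i], edges[i + 1]] for i in range(len(edges) - 1)]


def bin_of(value, intervals):
    """Histogram key for a numeric value, or None when it lies outside the learned range."""
    for a, b in intervals:
        if a <= value < b:
            return f"[{a},{b}]"
    return None


def learn_whitebox(records):
    """records: list of {feature: value}. Numeric features are binned first; every
    feature then gets a histogram {value: likelihood} as in the whitebox_file."""
    histograms, intervals = {}, {}
    for name in sorted({k for r in records for k in r}):
        vals = [r[name] for r in records if r.get(name) is not None]
        if vals and all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in vals):
            intervals[name] = make_intervals(vals)
            vals = [bin_of(v, intervals[name]) for v in vals]
        counts = Counter(vals)
        histograms[name] = {str(v): n / len(vals) for v, n in counts.items()}
    return histograms, intervals


class WhiteboxDetector:
    def __init__(self, histograms, intervals, thresholds, default_threshold=0.05,
                 sliding_window_seconds=300, sliding_window_alerts=3):
        self.histograms, self.intervals, self.thresholds = histograms, intervals, thresholds
        self.default_threshold = default_threshold
        self.window_seconds, self.window_alerts = sliding_window_seconds, sliding_window_alerts
        self.anomalies = defaultdict(deque)   # feature -> timestamps of recent anomalous packets

    def is_anomalous(self, name, value):
        hist = self.histograms[name]
        if name in self.intervals:
            value = bin_of(value, self.intervals[name])
        key = str(value)
        if key not in hist:            # never seen in training, or removed by hand
            return True
        threshold = self.thresholds.get(name, [self.default_threshold])[0]
        return hist[key] < threshold   # likelihood > 1 is always normal, < 0 always anomalous

    def check(self, record, t):
        """Alarms raised by one packet's feature values, observed at time t (seconds)."""
        alarms = []
        for name in self.histograms:
            if record.get(name) is None or not self.is_anomalous(name, record[name]):
                continue
            window = self.anomalies[name]
            window.append(t)
            while window and window[0] < t - self.window_seconds:
                window.popleft()                               # older than W seconds
            if len(window) >= self.window_alerts:
                alarms.append(self.thresholds.get(name, [None, "ALARM_UNKNOWN"])[1])
                window.clear()                                 # count is reset after alarm
        return alarms


def sample_training():
    """Constructed 'normal' BFP traffic: mostly Read Holding Registers (3), some Read Coils (1)."""
    return [{"func_code": "3" if i % 5 else "1",
             "setpoint_1": "0" if i % 13 == 0 else "30",
             "packet_length": 60 + i % 7} for i in range(100)]


if __name__ == "__main__":
    hist, iv = learn_whitebox(sample_training())
    print(hist, iv)
    det = WhiteboxDetector(hist, iv, {"func_code": [0.02, "ALARM_FUNC_CODE"]})
    for t in range(3):
        print(t, det.check({"func_code": "5", "setpoint_1": "30", "packet_length": 63}, t))
```

Two things the run makes visible that the slides only state: an out-of-range number (packet_length 500) falls in no interval and is therefore anomalous even though no histogram entry says so, and two anomalies followed by a third one 300 seconds later do not add up to an alarm because the first two have left the window.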
20. Learning Association Rules
 The learning also learns association rules:
  main.py -f <features_file> -l <training_file>
 Two parameters (set in the main configuration file) are used in the learning of association rules:
  confidence: in what portion of the situations does the rule hold
  support: how often (actual count) does the situation occur
 For example, to look for rules that are never contradicted and apply at least 10 times we can use:
  confidence = 1.0
  support = 10
21. Tuning Association Rules
 Inspecting the association_rules file shows that each rule comprises:
  antecedents: (feature1_value1, ..., featureN_valueN) that identify when a rule applies
  a triple that captures the conclusion of the rule: (
   ● conclusions: (featureN+1_valueN+1, ..., featureM_valueM),
   ● confidence: a floating point number from 0 to 1,
   ● an alarm id: a string )
  {
   ('bottles_started_0',): (('bottles_done_0', 'bottles_on_belt_0'), 1.0, 'ALARM_BOTTLE'),
   ...
  }
  (a one-element antecedent needs the trailing comma, otherwise Python reads it as a plain string rather than a tuple)
 The above rule states: if bottles_started has value 0 then so do bottles_done and bottles_on_belt, in all cases. On violation raise alarm 'ALARM_BOTTLE'.
 Rules can be removed, altered (e.g. using a tailored alert id) or added. Other learning approaches (see for example Bayesian Network learning [D3.3]) may also be used to obtain rules that can be added here.
 Rules with confidence lower than 1.0: to evaluate such rules, association rules use a sliding window (based on the number of occurrences, not on time like for the white-box model). We count the number of cases in which the association does not hold and raise an alert when that number exceeds the expected number.
 If this behaviour gives (too many) FPs: lower the confidence to create a margin.
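The following is an added example (editor's code, not the monitor's own rule miner) for slides 20 and 21: it mines rules of the file format shown above from constructed BFP counter records using support and confidence, then evaluates them with the occurrence-based sliding window, alerting when the violations in the last window_max_size applicable cases exceed the (1 - confidence) share expected. The miner is deliberately simple (single-item antecedents only) and the choice to clear a rule's window after alerting is this example's; neither is claimed to be the project's algorithm.

```python
from collections import Counter, defaultdict, deque


def items_of(record):
    """Turn {feature: value} into the 'feature_value' items the rules file uses."""
    return {f"{k}_{v}" for k, v in record.items() if v is not None}


def learn_rules(records, support=10, confidence=1.0, alarm="ALARM_RULE"):
    """Single-antecedent rules (a,) -> (b1, b2, ...): a must occur at least `support`
    times, and the conclusions must hold in at least `confidence` of those cases."""
    itemsets = [items_of(r) for r in records]
    count = Counter(i for s in itemsets for i in s)
    pair = Counter((a, b) for s in itemsets for a in s for b in s if a != b)
    rules = {}
    for a, n_a in count.items():
        if n_a < support:                                   # situation too rare to learn from
            continue
        conclusions = tuple(sorted(b for b in count
                                   if b != a and pair[(a, b)] / n_a >= confidence))
        if not conclusions:
            continue
        joint = sum(1 for s in itemsets if a in s and all(b in s for b in conclusions))
        if joint / n_a >= confidence:                       # all conclusions together
            rules[(a,)] = (conclusions, joint / n_a, alarm)
    return rules


class RuleDetector:
    """Per rule, a window of the last window_max_size cases where the antecedent held
    (1 = conclusion violated). Alert when violations exceed the expected share."""
    def __init__(self, rules, window_max_size=100):
        self.rules = rules
        self.windows = defaultdict(lambda: deque(maxlen=window_max_size))

    def check(self, record):
        items = items_of(record)
        alarms = []
        for antecedent, (conclusions, conf, alarm) in self.rules.items():
            if not all(a in items for a in antecedent):
                continue                                    # rule does not apply
            window = self.windows[antecedent]
            window.append(0 if all(c in items for c in conclusions) else 1)
            expected = round((1 - conf) * len(window), 9)   # rounding avoids 0.1*10 != 1
            if sum(window) > expected:
                alarms.append(alarm)
                window.clear()                              # fresh window after an alert
        return alarms


def sample_records():
    """Constructed BFP counter snapshots (not captured data): when nothing has started,
    nothing is done and nothing is on the belt."""
    idle = [{"bottles_started": 0, "bottles_done": 0, "bottles_on_belt": 0}] * 12
    filling = [{"bottles_started": 1, "bottles_done": 0, "bottles_on_belt": 1}] * 9
    finished = [{"bottles_started": 1, "bottles_done": 1, "bottles_on_belt": 0}] * 9
    return idle + filling + finished


if __name__ == "__main__":
    rules = learn_rules(sample_records(), support=10, confidence=1.0, alarm="ALARM_BOTTLE")
    print(rules)
    det = RuleDetector(rules, window_max_size=100)
    print(det.check({"bottles_started": 0, "bottles_done": 2, "bottles_on_belt": 0}))
```

With the constructed data only bottles_started_0 reaches the support of 10 with a conclusion that never fails; bottles_done_1 and bottles_on_belt_1 occur 9 times each and are skipped, which is the support parameter doing its job. Lowering confidence to 0.9 with a window of 10 lets one violation through and alerts on the second, the margin slide 21 describes.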
22. Putting it all together
 A main configuration file config.py is used to:
  select the detectors to use
  set parameters and files for these detectors
  add any code needed
   ● define custom functions for use in Python expressions
 Set the required feature file with:
  features_file = "features.json"
 To select detectors edit the following lines:
  whitebox_detector = True
  association_rules_detector = True
  signatures_detector = True
23. Putting it all together (config.py)
 Set detector parameters for the white-box detector by editing:
  whitebox_file = "whitebox.json"
  thresholds_file = "thresholds.json"
  default_threshold = 0.05
  sliding_window_seconds = 300
  sliding_window_alerts = 3
 For the association rules detector edit the lines:
  association_rules_file = "association_rules.json"
  support = 2
  confidence = 0.9
  window_max_size = 100
 For the signature detector only the file can be set:
  signatures_file = "signatures.json"
24. Custom functions (config.py)
 We can add custom functions to config.py (the slide as printed lacked the import, the colon, the return and the str() around number, which would otherwise raise a TypeError when concatenated):
  import re

  def get_Reg(pkt, number):
      return re.search(r'Register ' + str(number) + r' .*: (\d+)', str(pkt.modbus)).group(1)
 We can then use that function, e.g. in the feature file:
  ...
  "setpoint_1" : "config.get_Reg(pkt,0)",
  "setpoint_2" : "config.get_Reg(pkt,1)",
  ...
 Note that .group(1) raises AttributeError when the register is absent from the message; guard with an if-match check if the feature must yield None instead.
25. Related reading
 [1] Advanced Technical Module Communications Monitoring, CITADEL D6.6 Training Materials for Electronic Delivery
 [2] pyshark packet, github.com/KimiNewt/pyshark/blob/master/src/pyshark/packet/packet.py
 [3] Wireshark display filter reference, www.wireshark.org/docs/dfref/
 [4] Python regular expressions, docs.python.org/2/library/re.html
 [5] Wireshark documentation, adding a protocol dissector, www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html