King Saud University
Electrical Engineering Department
EE: 524
Project Report on
Intrusion Detection & Prevention system for network
security
Submitted to
Dr. Yahya Subhi Al-Harthi
Name: Mohammed Ahmed Hussain Siddiqui
ID: 436107960
Date: 14/1/2017
Abstract
In this project an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) are implemented to detect and prevent cyber-attacks on critical infrastructure networks. To strengthen network security and improve the network's active defense and intrusion detection capabilities, the project consists of an intrusion detection system using honey token based encrypted pointers and an intrusion prevention system based on a mixed-interaction honeypot. The IDS is based on the novel approach of Honey Token based Encrypted Pointers: a honey token embedded inside the transmission frame serves as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is given a different level of security within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool: Pool-A carries 4 HT/frame, Pool-B 3 HT/frame, Pool-C 2 HT/frame and Pool-D 1 HT/frame. Moreover, each pool uses a different AES key length (AES-128, AES-192 or AES-256). Our critical infrastructure network of 64 nodes is placed under the umbrella of unified security provided by this single Network Intrusion Detection System (NIDS). After the design phase we analyze the performance of the IDS in terms of True Positives (TP) and False Negatives (FN), and finally we test it in a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. The proposed IDS is a scalable solution that can be implemented for any number of nodes in a critical infrastructure network. For the Intrusion Prevention System (IPS) we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies. By combining the original operating system with virtualization, the honeypot lures attackers in a pre-arranged manner, analyzes and audits their attacking behavior, tracks the attack source, obtains evidence and finds effective solutions.
Table of Contents
Chapter 1 ............................................................................................................... 5
Introduction to IDS................................................................................................ 5
1.1 Approach of Honey tokens for Intrusion Detection Systems ............................ 7
1.2 Problem Statement........................................................................................... 7
1.3 Project Contribution......................................................................................... 8
1.4 Working of Intrusion Detection Systems.......................................................... 8
1.5 Types of Intrusion Detection Systems............................................................ 10
1.6 Network Intrusion Detection Systems (NIDS) ............................................... 10
1.7 Host Intrusion Detection Systems (HIDS)...................................................... 11
1.8 Techniques of Intrusion Detection ................................................................. 11
1.9 Signature based Intrusion Detection Technique ............................................. 11
Chapter 2 ............................................................................................................. 12
2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers for Critical
Infrastructure Networks ....................................................................................... 12
2.2 DNP3 Synthetic Traffic Generator................................................................. 14
2.3 Honey Token based Encrypted Pointers......................................................... 16
2.4 System Design ............................................................................................... 17
2.5 Intrusion Detection System Primary Module.................................................. 18
2.6 Intrusion Detection System Secondary Module.............................................. 20
Chapter 3 ............................................................................................................. 21
Results and Discussions....................................................................................... 21
3.1 DNP3 Synthetic Traffic Generator................................................................. 21
3.2 Alarm Analysis of Intrusion Detection System .............................................. 22
3.4 Network Penetration Testing.......................................................................... 25
Chapter 4 ............................................................................................................. 26
Introduction to Intrusion Prevention System (IPS)............................................... 26
4.1 Honeypot definition and development............................................................ 26
4.2 Existing types of honeypot............................................................................. 27
4.3 Low-interaction honeypot system .................................................................. 27
4.4 Middle-interaction honeypot system .............................................................. 27
4.5 High-interaction honeypot system.................................................................. 28
4.6 Mixed-interaction honeypot system ............................................................... 28
4.7 System simulation.......................................................................................... 30
Conclusion Future Work...................................................................................... 31
Reference............................................................................................................. 33
Chapter 1
Introduction to IDS
The network security challenges of the 21st century are enormous for both the commercial and the military sector. With the evolution of the Internet, security became a major concern for everybody. We can better understand security technologies if we look at the history of the Internet itself. The basic structure of the Internet is vulnerable to many security threats, but if the attack method is known it is easy to deploy security measures that make our networks more secure. The world today is more interconnected than ever before, and a large amount of information resides on networking infrastructures belonging to government, the private sector, military organizations and our daily personal lives. Protecting intellectual property makes cyber security more important than ever. In the recent past we have witnessed critical infrastructures becoming the prime target of major cyber-attacks, and the security of these critical infrastructure networks has emerged as one of the biggest challenges of our time.
Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands to run the operations of the critical infrastructure. A brief overview of a typical SCADA architecture is shown in Figure 1.1. SCADA systems are widely used in industrial installations for the operational control and management of field sensors and actuators. The typical components of a SCADA architecture are described as follows:
Operator: The person who monitors the SCADA system's running operations in a 24x7 routine. The operator of a SCADA system is mostly a human being keeping an eye on all important functional parameters of the network, which comprises motors, sensors, actuators, PLCs etc.
Human Machine Interface (HMI): The system that presents process data to the human operator is known as the HMI, and through it the operator can control all the processes of the critical infrastructure.
Master Terminal Unit (MTU): The unit that presents data to the human operator through the HMI. It gathers data from the remote PLCs, sensors, motors and actuator sites, and control signals (commands) are then transmitted by the MTU.
Remote Terminal Unit (RTU): This unit acts as a slave in the master/slave architecture of the SCADA system. It receives control signals (commands) from the MTU and forwards them to the devices (sensors, motors etc.) under its control. The RTU acquires data from these devices and transmits the gathered data to the MTU. An RTU may be a PLC.
Communication Links: For communication between the Master Terminal Unit (MTU) and the Remote Terminal Unit (RTU) there are communication channels (links) that may be wired or wireless. For the protocols that carry SCADA traffic (DNP3, IEC 60870-5) any link that provides a bandwidth above 1200 bps is workable. Distributed Network Protocol-3 (DNP3) is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control architectures.
Figure 1.1: Typical SCADA Architecture
SCADA systems possess strategic importance because they are used for command and control in critical infrastructure networks. SCADA based cyber-attacks disrupt the monitoring and control parameters of industrial control communication protocols and are thus capable of causing serious system failures or, in some cases, physical damage to critical infrastructure networks. Many documented real-world cyber-attacks on critical infrastructures in the last few years clearly prove the vulnerability of these networks. A number of countries, including Russia and Taiwan, are involved in DNP3 port scanning activity against the critical infrastructure networks of many western countries. This port scanning is strong evidence that attackers are searching for potential vulnerabilities in SCADA command and control networks and trying to obtain the information that will later help in launching a massive attack on critical infrastructure sensor networks. Forensic systems for the detection of cyber-attacks on these SCADA based networks are not common. SCADA based cyber-attacks are mostly directed at the devices used in critical infrastructure environments, e.g. Programmable Logic Controllers (PLC), Intelligent Electronic Devices (IED), Programmable Automation Controllers (PAC), Remote Terminal Units (RTU) and Master Terminal Units (MTU). Critical infrastructure communication networks are vulnerable to command injection attacks, reconnaissance class attacks and response injection attacks. Command injection attacks inject malicious code and commands into the payload area of the packets carrying traffic for SCADA based critical infrastructures; when successfully executed on the RTU devices, the malicious code and commands cause massive damage to industrial control system operations. In the case of Stuxnet, for example, the worm monitored the communication between the WinCC tool and the RTU; when a specific signature related to an RTU operation (a possible command) was found, the worm immediately replaced that command with malicious code, causing physical damage in the critical infrastructure control systems. Reconnaissance attacks gather important information about the critical infrastructure network devices and their configurations, e.g. the manufacturer of the devices (PLC, RTU, MTU), the deployed industrial network protocol, memory type, system serial number, system model numbers etc. All this information is used to design the SCADA based cyber-attack. Response injection attacks are used to present incorrect sensor information. Of all these categories the most dangerous is the command injection attack. In our research work we focus on command injection attacks in SCADA based critical infrastructure networks, and specifically on the segment between HMI/MTU and RTU/PLC, because this is the most vulnerable area of a SCADA based critical infrastructure network.
1.1 Approach of Honey tokens for Intrusion Detection Systems
A honey token is a security tool used for intrusion detection. Its concept is derived from honeypots and honeynets: a honey token is a honeypot that is not a computer system but just a piece of data. The core value of honey tokens lies not in their use but in their abuse. So a honey token is a piece of data used to trap an attacker; it appears to be part of the genuine data and alerts the system administrator when it is accessed by an attacker [9]. In our IDS approach a honey token is nothing but a DNP3 packet that we embed inside the transmission frame along with the regular DNP3 packets that carry normal network traffic.
1.2 Problem Statement
The security of critical infrastructure networks has become a key issue after recent cyber-attacks, especially attacks like "Stuxnet" that destroy and disrupt the operations of these networks. Moreover, there are many hidden vulnerabilities in existing industrial protocols like DNP3 and IEC 60870-5 that can easily be exploited by attackers. Firewall scanning looks outwards only and is not a complete solution for a network of critical infrastructure facilities, whereas an IDS seems to be a good choice. Our future intrusion detection systems must be able to protect our networks despite all the vulnerabilities that exist in running SCADA networks. A future IDS must also be capable of countering external as well as internal threats. Online connectivity is increasing nowadays, and to enhance overall production these critical infrastructure networks are connected to other networks as well as to the Internet. This massive connectivity provides attackers with many more opportunities and poses a greater threat to the security of critical infrastructure networks.
1.3 Project Contribution
The aim of this work is to design and develop an Intrusion Detection System (IDS) that specifically counters the security challenges of industrial networks. This IDS uses a new and different approach and performs all its functions according to the industrial standards and practices of SCADA networks. In this project our main contributions are focused on:
- Designing an Intrusion Detection System (IDS) specifically for the security of critical infrastructure networks, which works using the approach of Honey Token based Encrypted Pointers to detect cyber-attacks.
- Deriving a new strategy for intrusion detection that improves the overall security of the critical infrastructure network, particularly the security of the field area (RTU, PLC etc.), by detecting attacks more efficiently and enhancing the real-time detection capability. Under this approach all systems in the working domain of the critical infrastructure network are divided into four pools according to the computational power and vulnerability level of each individual system. Different pools are provided with different levels of security, but the entire network is under the umbrella of unified security provided by a single network based IDS.
- Developing a mechanism for intrusion detection that uses AES encryption schemes, honey tokens and pointers to achieve better security against attacks, and thus gives us the ability to respond quickly to adversarial activity and gain a better understanding of the attacker's behavior.
- Providing a scalable solution that can be implemented on a network of any number of remote computational nodes.
1.4 Working of Intrusion Detection Systems
An Intrusion Detection System (IDS) is a system used to identify and detect malicious activities in a network. These systems emerged in the arena of network security when it was realized that advances in network technology bring serious cyber threats with them, and that to run the operations of these networks successfully we must have some sort of security system that is reliable and flexible. All computer systems and networks have vulnerabilities, and it is almost impossible to build a perfect computer system or a perfect network free of all errors and vulnerabilities. So there is no question of a modern network without some type of network security equipment, e.g. a firewall, an IDS etc. The main goal of an intrusion detection system is to detect attempted network breaches, and in some cases it also looks for open vulnerabilities that could result in a potential breach of the network. If we study an IDS at a very macroscopic level, we find that it simply acts as a detector that processes information coming from a client's network. This detector can also send probes that request audit data from the information system (network). Intrusion Detection Systems commonly use three kinds of information:
1. Long Term Information.
2. Configuration Information.
3. Audit Information.
Long term information relates to the mechanisms and techniques used for intrusion detection, configuration information describes the current state of the system, and audit information describes the sequence of events happening on the connected network or information system. A generic IDS is shown in Figure 3.1. The function of the detector is to filter the information coming from the information system, eliminate all unneeded information from the audit trails and then decide about a possible intrusion. The countermeasure unit takes preventive action in case of a possible intrusion and tries to save the network from any attempted security breach.
Figure 3.1: Generic Intrusion Detection System
In Figure 3.1 the basic role of the detector is to filter out the useless information coming from the audit trails. Based on the remaining crucial information a decision is taken about the event (possible intrusion), and preventive action is then taken by the countermeasure component of the Intrusion Detection System (IDS). Based on their operational mechanism, Intrusion Detection Systems (IDS) are divided into two main categories:
1. Passive Intrusion Detection Systems
2. Active Intrusion Detection Systems
1.5 Types of Intrusion Detection Systems
There are two main types of IDS that have been used by the industry for many years. Even though the technique and the target differ, the basic purpose of both types of system is to provide security by performing detection functions. For several years there has been a debate about which of the two possesses the better detection strategy. The basic principles of these two types are discussed in the following. The two types of IDS are:
1. Network Intrusion Detection Systems (NIDS)
2. Host Intrusion Detection Systems (HIDS)
1.6 Network Intrusion Detection Systems (NIDS)
Network Intrusion Detection Systems (NIDS) are placed at critical and strategic points in the network, where they monitor the network for internal as well as external threats. A NIDS checks the entire traffic of the network for possible cyber-attacks. When an attack is detected or abnormal traffic behavior is noticed, an alert message is sent to the administrator. As the name suggests, these intrusion detection systems are always deployed in a subnet, most probably where the firewall is placed, so that the network administrator can keep a strong check on who is trying to break the firewall's security policy and can also try to detect an inside attacker. As shown in Figure 3.2, there are two different companies and each company's network is connected to the Internet. The network of one company is protected by a firewall as well as an Intrusion Detection System (IDS) placed at the gateway of the network, whereas the network of the second company is protected only by a network intrusion detection system placed at the gateway. Figure 3.2 gives a clear idea of the importance of the placement of Network Intrusion Detection Systems (NIDS) in the network.
Figure 3.2: Network Intrusion Detection System
1.7 Host Intrusion Detection Systems (HIDS)
This type of intrusion detection system is designed for the security of a single host (machine) on the network. A Host Intrusion Detection System (HIDS) inspects all packets coming out of and going into the device and continuously monitors for malicious activity. Once it finds some type of intrusion it alerts the administrator or the user of that machine. The HIDS takes a snapshot of all the system files and compares it with the previous snapshot; if files are missing, deleted or edited, the HIDS raises an alarm and proceeds to further investigation. A HIDS is mostly installed on mission critical machines. The most common example of a HIDS is the anti-virus software installed on our everyday computers.
1.8 Techniques of Intrusion Detection
The detection techniques used by IDS are as follows:
1. Signature based Intrusion Detection Technique.
2. Anomaly based Intrusion Detection Technique.
1.9 Signature based Intrusion Detection Technique
An Intrusion Detection System (IDS) that uses the signature based approach scans all the packets on the network and compares them against a database of signatures. For understanding we can think of a signature as a unique digital thumbprint: every signature is different from the others, and all the signatures in the database are attributes of known malicious cyber threats. The IDS compares the packets with all the signatures available in the database, and if a match occurs at any point in time that event is considered an intrusion by the intrusion detection system. Almost all anti-virus programs use this signature based detection approach. Using this approach the system detects all known attacks but at the same time completely misses attacks with unknown signatures (zero-day attacks). Figure 3.3 shows the complete basic model of a signature based Intrusion Detection System (IDS): packets are matched against malicious signatures and the administrator is alerted in case of a match.
Figure 3.3: Signature based Intrusion Detection System
Chapter 2
2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers
for Critical Infrastructure Networks
Our approach to the design of the Intrusion Detection System (IDS) is novel and simple: we use honey token based encrypted pointers for the detection of network attacks on the critical infrastructure network. We embed honey tokens inside the transmission frame, and an encrypted pointer keeps a record of the locations of all these honey tokens. This encrypted pointer is sent to the destination within the same transmission frame in which the honey token packets were embedded. At the receiver side we extract all the honey tokens from the frame with the help of the encrypted pointer and compare them with the database of honey tokens already present at every Remote Terminal Unit (RTU) to verify whether any changes were made to them. Critical infrastructure is the term mostly used for those national assets which are very important for the operational stability of the economy and society, and without which there is no concept of running a nation state successfully in the 21st century. In modern times all these critical infrastructure operations run using smart and sophisticated networks called critical infrastructure networks. There are a large number of such critical infrastructures; the most common are the electric power grid, the oil and gas sector, nuclear power plants, water supply systems, air traffic control systems, water treatment plants, railway traffic systems, industrial manufacturing etc. Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands from its Master Terminal Unit (MTU) for operating the industrial control systems. The common topology of a critical infrastructure sensor network is shown in Figure 2.1.
Figure 2.1 The common topology of critical infrastructure sensor network
The SCADA (MTU) system is connected to a network of nodes commonly known as Remote Terminal Units (RTU), and the sensors are connected to these RTUs. The IDS shown in Figure 2.1 is a Network based Intrusion Detection System (NIDS) and thus serves the entire critical infrastructure sensor network with its security services. An RTU may be a PLC; it collects data from all the sources, which include sensors, actuators, motors, pressure valves, centrifuges etc., and sends this data back to the MTU for monitoring tasks. The MTU sends commands to the RTU for controlling these assets (motors, sensors and actuators); the RTU receives this set of commands from the MTU and directs them to their target devices.
2.2 DNP3 Synthetic Traffic Generator
Distributed Network Protocol-3 (DNP3) is a set of communications protocols used between components in process automation systems. It is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control software. Our approach to the problem is very simple: we generate synthetic DNP3 traffic, for which we designed a DNP3 traffic generator capable of producing millions of DNP3 packets. DNP3 is an open protocol, which means that the complete technical documentation associated with the protocol is available to the public. The core elements that define the DNP3 protocol are the data link layer protocol description, the application layer protocol description and the data object library. At the start of the packet we have the data link layer information, which includes the start bytes, the length byte, the control byte, the destination address, the source address and the CRC (Cyclic Redundancy Check) bytes for the data link layer; after this come the application layer headers. At the end we have the data area holding the actual data (payload) and the object header that carries the control information associated with this data area. The object header contains the following fields: function control bytes, internal information bytes, object type bytes, variation bytes, qualifier bytes, range bytes, data object bytes and CRC bytes. DNP3 is a robust and flexible protocol compared to other conventional communication protocols.
DNP3 was originally designed on a three-layer model comprising the application layer, the data link layer and the physical layer. The application layer provides objects for the most generic data formats, the data link layer provides methods for retrieving data, and the physical layer defines the most common interfaces: RS-232, RS-485 or radio. DNP3 uses the 3-layer Enhanced Performance Architecture (EPA) stack for its specification. The 3-layer EPA stack provides a simpler way of communicating data over industrial control systems, where many of the features required on IP networks are not needed. Figure 2.3 shows a comparison of the Enhanced Performance Architecture (EPA) stack with the 7-layer model.
Figure 2.3: Comparison of EPA Stack with 7 Layer Reference Model [63]
Although DNP3 was designed as a reliable protocol, it was not designed as a secure one. It is vulnerable to attacks designed to disrupt control system operations and disable critical infrastructure networks, so an enhanced level of security in the form of an IDS is required to protect assets as important as critical infrastructure networks. The honey tokens used by the IDS are normal DNP3 packets generated with the same synthetic traffic generator. These honey token packets look the same as real DNP3 packets, and it is impossible for a human being to differentiate between a real packet and a honey token.
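The data link framing described above, as an added example rather than the report's own traffic generator (whose code the report does not include): it computes the CRC-16/DNP, wraps a user data fragment into a link frame with the header CRC and one CRC per 16-byte block, and validates a received frame, which is also the check a synthetic frame must pass before it can stand in for real traffic. The ClassPoll fragment is a constructed sample and the control byte 0xC4 (DIR, PRM, unconfirmed user data from the master) is an assumption of the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DNP3 data link layout: two start bytes, a 10-byte header (including its CRC) and user
// data carried in 16-byte blocks, each followed by its own CRC.
const (
	start0, start1 = 0x05, 0x64
	blockSize      = 16
	headerLen      = 10
)

// LinkFrame holds the fields recovered from a data link frame.
type LinkFrame struct {
	Ctrl      byte
	Dest, Src uint16
	UserData  []byte // transport header plus application fragment, CRCs removed
}

// crcDNP is CRC-16/DNP: polynomial 0x3D65 (0xA6BC bit-reflected), init 0, final
// complement; the catalogue check value for "123456789" is 0xEA82.
func crcDNP(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0xA6BC
			} else {
				crc >>= 1
			}
		}
	}
	return ^crc
}

// ClassPoll is a constructed sample fragment: transport header (FIR|FIN, seq 0),
// application header (FIR|FIN, seq 0), function READ (0x01) for group 60 variation 2
// (class 1 data) with qualifier 0x06 (all objects): the classic class-1 poll.
func ClassPoll() []byte { return []byte{0xC0, 0xC0, 0x01, 0x3C, 0x02, 0x06} }

// BuildLinkFrame wraps userData into one DNP3 data link frame: header (start bytes, length,
// control, destination, source) with its CRC, then the user data in 16-byte blocks, each
// with a CRC. The length byte counts the 5 header bytes after it plus the user data.
func BuildLinkFrame(ctrl byte, dest, src uint16, userData []byte) ([]byte, error) {
	if len(userData) > 250 {
		return nil, errors.New("user data exceeds the 250-byte link frame limit")
	}
	frame := []byte{start0, start1, byte(5 + len(userData)), ctrl}
	frame = binary.LittleEndian.AppendUint16(frame, dest)
	frame = binary.LittleEndian.AppendUint16(frame, src)
	frame = binary.LittleEndian.AppendUint16(frame, crcDNP(frame)) // CRC over the 8 header bytes
	for i := 0; i < len(userData); i += blockSize {
		block := userData[i:min(i+blockSize, len(userData))]
		frame = binary.LittleEndian.AppendUint16(append(frame, block...), crcDNP(block))
	}
	return frame, nil
}

// ParseLinkFrame checks the start bytes, the length field and every CRC (header and each
// data block) and returns the recovered fields; any inconsistency is reported as an error.
func ParseLinkFrame(frame []byte) (LinkFrame, error) {
	if len(frame) < headerLen || frame[0] != start0 || frame[1] != start1 {
		return LinkFrame{}, errors.New("missing DNP3 start bytes or truncated header")
	}
	if binary.LittleEndian.Uint16(frame[8:10]) != crcDNP(frame[:8]) {
		return LinkFrame{}, errors.New("header CRC mismatch")
	}
	n := int(frame[2]) - 5 // user data bytes announced by the length field
	if n < 0 {
		return LinkFrame{}, errors.New("length field smaller than the header")
	}
	lf := LinkFrame{Ctrl: frame[3], Dest: binary.LittleEndian.Uint16(frame[4:6]), Src: binary.LittleEndian.Uint16(frame[6:8])}
	body := frame[headerLen:]
	for len(lf.UserData) < n {
		want := min(blockSize, n-len(lf.UserData))
		if len(body) < want+2 {
			return LinkFrame{}, errors.New("frame shorter than its length field")
		}
		if binary.LittleEndian.Uint16(body[want:want+2]) != crcDNP(body[:want]) {
			return LinkFrame{}, fmt.Errorf("CRC mismatch in data block at user data offset %d", len(lf.UserData))
		}
		lf.UserData = append(lf.UserData, body[:want]...)
		body = body[want+2:]
	}
	if len(body) != 0 {
		return LinkFrame{}, errors.New("trailing bytes after the last data block")
	}
	return lf, nil
}
```

Note that the CRCs only detect corruption: a command injected with correctly recomputed CRCs passes this check, which is exactly why the report adds honey tokens on top of the protocol.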
2.3 Honey Token based Encrypted Pointers
Our IDS approach uses a technique called Honey Token based Encrypted Pointers. Honey tokens are artificial digital data items planted deliberately into a genuine system resource to detect unauthorized attempts to use or disrupt the original information. Honey tokens are characterized by properties that make them appear as genuine data items. The honey tokens used by our IDS are normal DNP3 packets planted deliberately into a transmission sequence to detect a cyber-attack. We generate these honey tokens once at the start of the simulation and build an encrypted database of them. All Remote Terminal Units (RTUs) in the critical infrastructure network hold a copy of this encrypted honey token database, which they later use for comparison and correlation of the honey tokens received at the RTU, to detect any changes made to the sequence by an attacker during transmission from the Master Terminal Unit (MTU) to the RTU. The transmission sequence consists of a total of N packets. In the first step the IDS uses the first N-1 packets as the process length: in other words, the IDS embeds honey tokens in the real traffic at random locations and builds a sequence of length N-1. This sequence of length N-1 is known as the process length of the sequence and is shown in Figure 2.4.
Figure 2.4: Process Length
The last packet contains the locations of all the honey tokens that were embedded earlier in the process length by the IDS. This last packet is known as the pointer, and after encryption it becomes an Encrypted Pointer (EP). The pointer itself is also a normal DNP3 packet: all the honey token locations are stored inside the payload area of this packet, and any empty space remaining in the payload area is filled using zero padding. Figure 2.5 shows that after inserting the locations of all the honey tokens inside the payload area of the packet, the empty space is filled with zero padding.
Figure 2.5: Pointer Structure
The entire formation process is shown in Figure 2.6, where a single sequence has N packets and the process length has N-1 packets; the last packet of the sequence is the pointer that contains the locations of the honey tokens.
Figure 2.6: Formation Process
2.4 System Design
We adopted a modular approach in the system design: the IDS consists of two separate modules working at separate physical locations within the critical infrastructure network. The two modules of the IDS are:
1. IDS Primary Module.
2. IDS Secondary Module.
The IDS primary module works in collaboration with the MTU and the IDS secondary module works in collaboration with the RTU. We divide the critical infrastructure sensor network into four categories or pools, as shown in Figure 2.7. This division of nodes among the four pools is based on the computational power and the level of vulnerability of each system (node) working in the critical infrastructure sensor network.
Figure 2.7: Segmentation of Pools in Critical Infrastructure Network
Pool-A contains the systems with the greatest computational power and the highest vulnerability levels; it uses 4 honey tokens per frame and the AES-256 encryption scheme (e.g. data centers). Pool-D contains the systems with the least computational power; it uses one honey token per frame and the AES-128 encryption scheme (e.g. a tsunami warning system for the open ocean). The other two pools (B and C) contain systems that fall between these two categories: Pool-B uses 3 honey tokens per frame and AES-192 (e.g. oil rigs), and Pool-C uses 2 honey tokens per frame and AES-192 (e.g. a remote operating station). The encryption scheme assigned to a pool is used for two tasks: first the encryption of the pointer, and second the encryption of the honey token database (present at the RTUs) for that pool.
2.5 Intrusion Detection System Primary Module
The IDS primary module works in collaboration with the MTU. It starts by embedding
honeytokens inside the normal DNP3 traffic frame at random locations. First, the
transmission module in Figure 2.8 checks which RTU in the critical infrastructure
network the current frame is directed to. The IDS then checks the pool of that
specific RTU; once the pool is confirmed, the IDS performs its operation of
embedding honeytokens inside the transmission frame. For example, if the current
frame belongs to Pool-A, the IDS embeds four honeytokens at random positions
inside the frame. The locations (addresses) of these four honeytokens are then
placed inside the last packet, known as the pointer of the frame, and the empty
spaces inside this pointer are filled with zero padding. The IDS then encrypts this
pointer using the AES-256 encryption scheme, so the only thing encrypted inside the
frame is the pointer holding the locations of all the honeytokens. The encrypted
pointer is attached to the frame, and the frame is now ready for transmission over
the physical channel, which may be wired or wireless. If the destination RTU
belongs to Pool-B, the IDS primary module embeds 3 honeytokens inside the frame
and stores their locations in the pointer; AES-192 is used to encrypt the pointer
for Pool-B. The IDS primary module uses 2 honeytokens per frame if the target RTU
belongs to Pool-C, and AES-192 is used for the Pool-C pointer. For Pool-D the IDS
uses only one honeytoken per frame and stores its location inside the pointer; all
empty spaces are filled with zero padding and AES-128 is used for pointer
encryption.
Figure 2.8: Flow Chart of IDS Primary Module at Master Terminal Unit (MTU)
2.6 Intrusion Detection System Secondary Module
At the receiver side (RTU) the IDS secondary module receives the transmission
frame and extracts the Encrypted Pointer (EP) from the frame. If the local RTU
falls in Pool-A of the critical infrastructure network, the EP is decrypted using
the AES-256 scheme; after successful decryption of the pointer, the IDS secondary
module opens the pointer and removes all the zero padding inside it. The IDS then
extracts the honeytokens from the transmission frame using the locations available
inside the pointer. For Pool-B the EP is decrypted using AES-192 and the zero
padding is removed to recover the honeytoken locations at the RTU side. The same
process is used for the other two pools; the only difference is that the Pool-C
pointer is decrypted using AES-192 and the Pool-D pointer using AES-128. After the
successful recovery of the honeytokens at the RTU side, the IDS secondary module
performs the scanning process shown in Figure 2.9. The HT Database contains the
entire database of honeytokens which the IDS uses for its detection mechanism.
Moreover, this HT Database is also encrypted, using AES-256 for Pool-A, AES-192 for
Pool-B and Pool-C, and AES-128 for Pool-D. In the scanning operation the IDS
secondary module compares all the honeytokens bit by bit with their copies present
in the HT Database. The honeytoken scanning process detects any tampering with the
honeytokens during the entire transmission from MTU to RTU. If any tampering is
detected, the IDS immediately raises an alarm for the network administrator and
treats the event as a possible intrusion; otherwise, if all the honeytokens match
their counterparts in the HT Database with no mismatch in the bits, the IDS treats
the event as normal and continues its operations.
Figure 2.9: Flow Chart of IDS Secondary Module at Remote Terminal Unit (RTU)
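The MTU-side embedding of Section 2.5 and the RTU-side scanning of Section 2.6, as an added Python simulation (this is not the report's MATLAB code). It assumes 8-byte packets and an 8-byte pointer holding (position, token id) byte pairs stored 1-based so that zero bytes are unambiguous padding, and, because the Python standard library has no AES, it replaces the AES-128/192/256 pointer encryption with an HMAC-SHA256 counter keystream whose key lengths (16, 24, 32 bytes) mirror the pools' AES key sizes. The pool keys, the HT Database and the DNP3-like payload packets are constructed for the demo, and tamper() applies the Section 3.2 attacker model, an attack vector overwriting a contiguous run of packets.

```python
import hashlib
import hmac
import random

PACKET_LEN = 8     # bytes per DNP3-like packet (assumed; the report does not fix a size)
POINTER_LEN = 8    # pointer packet: up to four (position, token id) byte pairs, zero padded
NONCE_LEN = 8

# Section 2.4 policy: honeytokens per frame and key length, mirroring
# AES-256 / AES-192 / AES-192 / AES-128 for Pools A, B, C, D.
POOLS = {"A": (4, 32), "B": (3, 24), "C": (2, 24), "D": (1, 16)}

# Constructed demo keys and honeytoken database (the report keeps the
# HT Database encrypted at the RTU; here it is an in-memory list).
POOL_KEYS = {pool: hashlib.sha256(b"demo-pool-key-" + pool.encode()).digest()[:klen]
             for pool, (_, klen) in POOLS.items()}
_db_rng = random.Random(2017)
HT_DATABASE = [bytes(_db_rng.randrange(256) for _ in range(PACKET_LEN)) for _ in range(10)]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the AES pointer encryption: XOR with an HMAC-SHA256 counter
    keystream (the standard library has no AES). The same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def build_frame(pool: str, payload: list, rng: random.Random) -> list:
    """IDS primary module (MTU side): embed the pool's honeytokens at random
    positions and append the encrypted pointer as the last packet of the frame."""
    n_ht, _ = POOLS[pool]
    total = len(payload) + n_ht
    positions = sorted(rng.sample(range(total), n_ht))
    token_ids = rng.sample(range(len(HT_DATABASE)), n_ht)
    token_at = dict(zip(positions, token_ids))
    payload_iter = iter(payload)
    frame = [HT_DATABASE[token_at[i]] if i in token_at else next(payload_iter)
             for i in range(total)]
    # Entries are stored 1-based so that a zero byte is unambiguously padding
    # (encoding assumed; the report only says "zero padding").
    pointer = bytes(b for pos, tid in zip(positions, token_ids) for b in (pos + 1, tid + 1))
    pointer = pointer.ljust(POINTER_LEN, b"\x00")
    nonce = rng.getrandbits(64).to_bytes(NONCE_LEN, "big")
    encrypted_pointer = nonce + keystream_xor(POOL_KEYS[pool], nonce, pointer)
    return frame + [encrypted_pointer]


def scan_frame(pool: str, frame: list):
    """IDS secondary module (RTU side): decrypt the pointer, strip the zero padding,
    pull the honeytokens out of the frame and compare them bit by bit with the
    HT Database. Returns (alarm, recovered_payload)."""
    enc = frame[-1]
    nonce, ciphertext = enc[:NONCE_LEN], enc[NONCE_LEN:]
    pointer = keystream_xor(POOL_KEYS[pool], nonce, ciphertext)
    entries = [(pointer[i] - 1, pointer[i + 1] - 1)
               for i in range(0, POINTER_LEN, 2) if pointer[i] != 0]
    body = frame[:-1]
    alarm = False
    for pos, tid in entries:
        if not (0 <= tid < len(HT_DATABASE)) or pos >= len(body) or body[pos] != HT_DATABASE[tid]:
            alarm = True   # tampered token (or unreadable pointer): possible intrusion
    token_positions = {pos for pos, _ in entries}
    recovered = [pkt for i, pkt in enumerate(body) if i not in token_positions]
    return alarm, recovered


def tamper(frame: list, start: int, length: int) -> list:
    """Attacker model of Section 3.2: an injected attack vector overwrites a
    contiguous run of packets in the frame body (the pointer packet is left as is)."""
    out = list(frame)
    for i in range(start, min(start + length, len(out) - 1)):
        out[i] = b"\xff" * PACKET_LEN
    return out


def demo(pool: str = "A", seed: int = 1, attack_fraction: float = 0.7):
    """Build a frame for `pool`, scan it clean, then scan it again after an attack
    vector covering `attack_fraction` of the frame body has been injected.
    Returns (alarm_on_clean_frame, payload_recovered_ok, alarm_on_attacked_frame)."""
    rng = random.Random(seed)
    # Constructed DNP3-like packets: 0x05 0x64 start bytes followed by random bytes.
    payload = [bytes([0x05, 0x64]) + bytes(rng.randrange(256) for _ in range(PACKET_LEN - 2))
               for _ in range(12)]
    frame = build_frame(pool, payload, rng)
    clean_alarm, recovered = scan_frame(pool, frame)
    attacked = tamper(frame, 0, int(attack_fraction * (len(frame) - 1)))
    attack_alarm, _ = scan_frame(pool, attacked)
    return clean_alarm, recovered == payload, attack_alarm


if __name__ == "__main__":
    for p in POOLS:
        print("Pool-%s: clean alarm=%s, payload ok=%s, attack alarm=%s" % ((p,) + demo(p)))
```

Run it to see, for each pool, whether the clean frame passes, whether the payload is recovered intact with the tokens stripped, and whether the 70% attack vector is caught; with one token per frame (Pool-D) a short attack vector can miss the token, which is exactly the false negative discussed in Section 3.2. Swapping in real AES (for example AES-CTR from a cryptography library) only changes keystream_xor; note that stream-style pointer encryption keeps the token locations confidential but does not by itself authenticate the pointer, so the scan relies on the token comparison against the HT Database to catch tampering.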
Chapter 3
Results and Discussions
3.1 DNP3 Synthetic Traffic Generator
Figure 3.1 shows the output of the DNP3 synthetic traffic generator, designed in
MATLAB, which can generate millions of DNP3 protocol packets (synthetic traffic).
The first two bytes of every DNP3 packet are always 0564 (the start bytes defined by
the DNP3 standard) and are clearly highlighted. In Figure 3.1 there are 34 DNP3
packets in total, of which 10 are honeytokens. It is almost impossible to
distinguish a real packet from a honeytoken packet.
Figure 3.1: DNP3 synthetic traffic generator output
3.2 Alarm Analysis of Intrusion Detection System
We are using a test network of 64 nodes; each pool contains 16 nodes. Here we make
an assumption about the length of the attack vector. From the detailed study of
Stuxnet and other related attacks, the malicious attacks used to disrupt the
operations of critical infrastructure networks comprise complex and lengthy code
and commands. These attacks consist of hundreds and sometimes thousands of frames,
but here in our simulation we require that our attack signature, which is generated
by MATLAB, be greater than half the length of the frame. All the results are
average values. Secondly, the reason we are not using False Positive (FP) and True
Negative (TN) in our alarm analysis is the nature of the DNP3 protocol itself. DNP3
is not a general protocol; it is different from SMTP, FTP, HTTP, etc. It is intended
for SCADA applications and is designed as a reliable protocol but not as a secure
protocol. It uses a CRC (Cyclic Redundancy Check) for both header and payload, so it
discards all corrupted packets (corrupted because of channel noise and bit errors)
and requests retransmission of the corrupted packets. For our IDS, a false positive
could only happen when honey tokens are corrupted by channel noise and mismatch the
HT database at the RTU. This scenario is not possible because corrupted frames are
discarded by the DNP3 protocol. So FP is not included in our alarm analysis, since
honey tokens discarded by the RTU due to channel noise are retransmitted by the
MTU. These SCADA networks run (24x7) over a period of years and their operations
are not affected by any disruption (bit errors, channel noise, etc.), and this is
possible only because of their robust design, which gives extreme reliability to
these critical infrastructure networks. The result shown in Figure 3.2 is the output
of the system alarms. "True Positive" means an attack occurs and the system
successfully detects it, and "False Negative" means an attack occurs but the system
fails to detect it. On the y-axis we have the scale of alarm percentage and on the
x-axis we have the four different pools [A-B-C-D]. Maximum security is given to
Pool-A because these systems possess high computational power; therefore it has a
very small percentage of false negatives, and the results in Figure 3.2 show that
on average false negative alarms are less than 2% for Pool-A.
Figure 3.2: IDS Performance (Alarm Analysis)
On the other hand, the least amount of security is provided to Pool-D because these
systems are constrained in computational power and other valuable resources, so the
false negative percentage is almost 12% for Pool-D. The graphical results in Figure
3.2, which are also tabulated in Table 3.1, show the different pools with their True
Positive (TP) and False Negative (FN) alarm percentages for an attack vector of 70%
of the length of the frame; all these results are average values. The encryption
schemes are also listed along with the pools in Table 3.1.
Table 3.1: IDS Alarm Analysis for 70% attack vector
From Figure 3.2 and Table 3.1, Pool-A has 98% TP alarms and 2% FN alarms; it uses
4 HT/frame with the AES-256 encryption scheme. Pool-B has 97% TP alarms and 3% FN
alarms; it uses 3 HT/frame with AES-192. Pool-C has 93% TP alarms and 7% FN alarms;
it uses 2 HT/frame with AES-192. Finally, Pool-D has 88% TP alarms and 12% FN
alarms; it uses only one HT/frame with AES-128.
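A simplified model of the trend in Figure 3.2 and Table 3.1, added here in Python (not the report's MATLAB simulation): an attack vector that overwrites a contiguous run of packets is missed only when none of the randomly placed honeytokens falls inside that run, which gives the false-negative rate in closed form and shows why more honeytokens per frame and a longer attack vector both raise the detection rate. The frame length (32 packets) and the 70% attack fraction are assumptions, and the model's absolute percentages are not the report's measured values.

```python
from math import comb
import random

# Honeytokens per frame for each pool (Section 2.4 / Table 3.1).
POOL_HT = {"A": 4, "B": 3, "C": 2, "D": 1}


def miss_probability(n_packets: int, attack_len: int, n_ht: int) -> float:
    """Exact probability that an attack vector overwriting `attack_len` consecutive
    packets of an `n_packets` frame touches none of `n_ht` honeytokens placed
    uniformly at random without replacement. This is the model's false-negative
    rate; the true-positive rate is 1 minus this value."""
    if n_ht <= 0:
        return 1.0
    if attack_len >= n_packets:
        return 0.0
    # Choose all n_ht token positions among the packets the attack does not touch.
    return comb(n_packets - attack_len, n_ht) / comb(n_packets, n_ht)


def simulate_fn_rate(n_packets: int, attack_len: int, n_ht: int,
                     trials: int = 20000, seed: int = 0) -> float:
    """Monte Carlo check of miss_probability: random token positions and a random
    attack offset per trial; a miss is a trial where no token is overwritten."""
    rng = random.Random(seed)
    missed = 0
    for _ in range(trials):
        tokens = rng.sample(range(n_packets), n_ht)
        start = rng.randrange(n_packets - attack_len + 1)
        if not any(start <= p < start + attack_len for p in tokens):
            missed += 1
    return missed / trials


def alarm_table(n_packets: int = 32, attack_fraction: float = 0.7) -> dict:
    """TP / FN percentages per pool in the layout of Table 3.1, for an attack
    vector covering `attack_fraction` of the frame (both values assumed)."""
    attack_len = round(attack_fraction * n_packets)
    table = {}
    for pool, k in POOL_HT.items():
        fn = 100 * miss_probability(n_packets, attack_len, k)
        table[pool] = (round(100 - fn, 1), round(fn, 1))
    return table


if __name__ == "__main__":
    for pool, (tp, fn) in alarm_table().items():
        print("Pool-%s: %d HT/frame  TP %.1f%%  FN %.1f%%" % (pool, POOL_HT[pool], tp, fn))
    # Shorter attack vectors are the stated limitation: the miss rate climbs quickly.
    for frac in (0.7, 0.5, 0.3):
        print("attack %.0f%% of frame, 1 HT: FN %.1f%%"
              % (100 * frac, 100 * miss_probability(32, round(32 * frac), 1)))
```

The closed form also makes the report's stated limitation concrete: with a single token per frame, halving the attack vector roughly doubles the probability that it lands entirely between tokens, so the pool policy (more tokens for the more exposed pools) is what keeps the false-negative rate down.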
Table 3.2: IDS Alarm Analysis Comparison Table
3.4 Network Penetration Testing
To test and verify our designed Intrusion Detection System (IDS) we use Network
Penetration Testing (NPT). Alongside our IDS we place another, conventional
signature-based IDS, which contains signatures for some known attacks, for the
security of the 64-node critical infrastructure test network as shown in Figure 3.13.
Figure 3.13: Network Penetration Testing Scenario (64 Node Network)
Then, using MATLAB, we generate hexadecimal attack signatures (zero-day attacks)
and a few known attack signatures (hexadecimal signatures) which are already present
in the database of the conventional IDS. Finally, we launch all these attacks on the
test network. Known attacks are immediately stopped by the conventional IDS, but all
zero-day attack signatures successfully penetrated the 64-node test network. In
response, our IDS successfully detected these penetrated attacks in the 64-node
network. A snapshot of the IDS scanning process result is shown in Figure 3.14,
where cyber-attacks are detected by the IDS on node 22, 24 and
Figure 3.14: Intrusion Detection System scanning process
Chapter 4
Introduction to Intrusion Prevention System (IPS)
Virtual honeypot technology is the best active prevention technology among all
honeypot technologies. By using the original operating system and virtual
technology, the honeypot lures attackers in a pre-arranged manner, analyzes and
audits various attacking behavior, tracks the attack source, obtains evidence, and
finds effective solutions. Thereafter, legal means can be used to investigate the
responsibility of the attackers and technology and management tools can be
employed to improve actual system protection. A honeypot system can detect attack
behavior and redirect such attacks to a strictly controlled environment to protect the
practical running system. This system collects intrusion information to observe and
record the behavior of the attacker and examine the level, purpose, tools, and
intrusion methods of the attack such that evidence can be obtained and possible legal
actions can be taken.
4.1 Honeypot definition and development
A honeypot system is designed to attract hackers. Thus, after an intrusion, network
administrators and security specialists can determine how the attacker succeeded,
prevent subsequent attacks, and identify security gaps. In addition to identifying the
various tools used by hackers, honeypot technology can also identify the social
networks of intruders by determining the relationships among hackers.
Figure 4.1 Honeypot principle diagram
Honeypot technology is a security resource whose value lies in being scanned,
attacked, and captured. This characteristic means that a honeypot serves no other
production purpose. Therefore, any network traffic that flows into or out of the
honeypot is likely to indicate a scan, an attack, or a compromise. The core value
of this technology lies in monitoring, detecting, and analyzing intrusive activities.
The most popular honeypot tools are the Deception Tool Kit and Honeyd. Based on
traditional honeypot and honeynet technologies, active honeypot, honeyfarm,
honeyapp, honeyclient, and other new concepts have been proposed. Such
applications and concepts have also opened new research directions.
4.2 Existing types of honeypot
If we classify honeypots by the level of interaction they allow their attackers,
that is, by how much interaction between the operating system and intruders is
permitted, then honeypot systems can be divided into low-interaction honeypot
systems, middle-interaction honeypot systems, and high-interaction honeypot
systems.
4.3 Low-interaction honeypot system
A low-interaction honeypot provides only specific emulated services. In their basic
form, these services can be provided by listening on a specific port. Low-interaction
honeypot systems do not give intruders an actual operating system to log into
remotely, so the risk is low. However, this kind of honeypot is highly passive, like
a unidirectional connection in which only limited information can be collected.
With information flowing only from outside to the machine and no response messages
sent, this type of honeypot fails to capture the communication process behind
complicated protocols. Low-interaction honeypot systems have the following
characteristics:
• Emulated services and operating system
• Can capture only a small amount of information
• Easy to deploy, thus minimizing risk.
4.4 Middle-interaction honeypot system
A middle-interaction honeypot system does not provide the actual operating system
but provides intruders with a more complicated decoy process. This type of honeypot
system imitates a specific service, causing intruders to believe that they are
attacking the real operating system. Such a mechanism enables the system to collect
large amounts of data. However, it also increases the risk of intrusion. Therefore,
middle-interaction honeypot systems should ensure that no new security holes are
introduced while imitating the services and their holes. By using a higher level of
interaction, honeypot technology can endure sophisticated attacks while recording
and analyzing them. As the level of interaction increases, a honeypot system should
be deployed so that all emulated services are as safe as possible.
4.5 High-interaction honeypot system
Most high-interaction honeypot systems are placed in a controlled environment,
such as behind a firewall. The firewall allows a hacker to attack the honeypot but
not to launch new attacks from it. This structure is difficult to deploy and
maintain because it must not let hackers know that they are being monitored. The
maintenance of a high-interaction honeypot is time consuming; thus the firewall
rules and the IDS signature database should be frequently updated to enable
continuous monitoring. Any error in the system may allow a hacker to control the
full operating system, attack other systems, or intercept messages in the
application system [14]. However, if a high-interaction honeypot system is
maintained properly, it allows security specialists to obtain information on hackers
that other types of honeypots cannot obtain. The cost of deploying a
high-interaction honeypot system is extremely high because it requires continuous
monitoring by a system administrator. An uncontrollable honeypot is meaningless for
any organization and may even pose high network security risks. A high-interaction
honeypot system has the following characteristics:
• Provides the actual operating system and services instead of emulated ones
• Captures rich information
• Complicated deployment and high security risks
4.6 Mixed-interaction honeypot system
This study aims to establish a mixed honeypot system to monitor various types of
data. The honeypot principle is adopted in data collection to judge if the data is
normal and to prevent attacks. The system maintains a daily record in the application
and virtual system. Furthermore, the system records the internal and exterior
gateways of a virtual control server and a virtual gateway on Debian. These data can
provide detailed tracking and attaching capacity. In turn, the data provided by the
exterior gateway can monitor the transmission of packets to the traffic attacking the
virtual gateway. The relative attacking data can be found in the backup data of the
virtual gateway, which allows security specialists to identify the attack type. The
mixed honeypot system discussed in this paper is a type of application honeypot.
Apache Web is the server used for honeypot testing, and Mozilla Firefox is used to
create log records. We run Apache and the server deployment from the Apache Web
server and the Web server. When Debian detects any abnormal traffic to the honeypot
Apache Web server, data analysis is conducted. If traffic is suspicious but legal in
practice, the data are sent to the honeypot for treatment. If the system is attacked
and modified during operation, traffic is cut off, causing the data to return to
their source. The outer interface of the virtual gateway, 192.168.10.6, is connected
to an external network. At the same time, the gateway has an internal interface that
provides the DNS server for the Web server and decoy server. The DNS server is a
resolution server that resolves the overall domain name and forwards any request to
the external gateway for treatment.
Figure 4.2 Mixed interactive honeypot system
Two interfaces for the decoy server can be defined as 10.0.2.3 and 10.0.3.3. Interface
10.0.3.0 can be defined as the subnet of the interfaces. The second interface is
connected to an application port in the gateway, thereby connecting the virtual Web
server, database, and specific server port link. If the application gateway detects a
data request that requires a direct connection to a specific network, any application
server, virtual Web server, or common user will produce data feedback that is like
receiving a NAT attack. If the virtual server capacity used in the large-scale
network decreases, the application of the small-scale network increases the cost.
Virtualization allows the hardware that would originally be deployed to be replaced
by a virtual machine, which significantly reduces the construction cost of the
network. The system we have constructed can help reduce false information and
enhance network stability and security. This system is designed at the application
level of the honeypot to enable the independent re-establishment of the monitoring
mechanism. In practice, if every application had to be monitored, the system would
have to customize each required application with a large quantity of customized
code. Therefore, we mainly monitor attacks on Apache in a virtual environment.
4.7 System simulation
In a lab environment we use Honeyd. It can create virtual hosts, the hosts can be
configured to provide any services, and the system is compatible with them, which
makes it look like a real system running. In a local area network emulation, Honeyd
lets a single host answer for a large number of IP addresses (as many as 65,536).
Network topologies are part of the core configuration file:
# Router template: emulated Cisco personality, telnet service on tcp/23,
# every other TCP port answers with a reset
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
add router tcp port 23 "script/router-telnet.pl"
# The "windows" template bound below is not shown in the report; this minimal
# definition is assumed here so that the bind lines resolve
create windows
set windows default tcp action reset
# Bind the templates to the virtual host addresses
bind 10.0.2.3 router
bind 10.0.3.0 router
bind 10.0.3.3 router
bind 10.0.1.20 windows
bind 192.168.10.5 windows
bind 192.168.10.6 windows
The Honeyd honeypot log file records all the virtual host connection information,
including timestamps, protocol type, source address, destination address, port
number, operating system type and other information. Viewing it with the vi
command is shown in Figure 4.3 (Honeyd log):
Figure 4.3 Control system hardware structure diagram
In the above log, the attacking host (11.64.) is shown in the red box establishing
connections with the honeypot virtual hosts, including TELNET, FTP and HTTP. By
querying this information, evidence of the attacker's intrusion can be collected,
and because these virtual hosts are honeypots, this poses no threat to the system.
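A small parser for the Honeyd connection log described above, added as a Python example (it is not part of the report). The log layout is Honeyd's default connection log as I know it (timestamp, protocol, S/E/- event, source and destination address and port, byte counts on close, OS guess on open); the sample lines are constructed, using the honeypot addresses bound in the configuration above and the documentation-range address 192.0.2.77 for the attacker. It groups connection-open events by attacking host so that the evidence mentioned in the text (which virtual hosts and services were contacted) can be pulled out of the log without reading it by hand.

```python
import re
from collections import defaultdict

# Constructed sample in the Honeyd connection-log layout (assumed from the
# default log format): "S" opens and "E" closes a TCP connection, "-" is a
# connectionless (UDP) record, ": in out" are byte counts on close, and the
# bracketed text is Honeyd's passive OS guess on open.
SAMPLE_LOG = """\
2017-01-14-10:02:11.0412 tcp(6) S 192.0.2.77 51234 10.0.2.3 23 [Windows XP SP1]
2017-01-14-10:02:19.2231 tcp(6) E 192.0.2.77 51234 10.0.2.3 23: 158 312
2017-01-14-10:03:05.7710 tcp(6) S 192.0.2.77 51240 10.0.3.3 21 [Windows XP SP1]
2017-01-14-10:03:41.1190 tcp(6) S 192.0.2.77 51251 192.168.10.6 80 [Windows XP SP1]
2017-01-14-10:04:02.0007 udp(17) - 192.0.2.77 40001 10.0.2.3 161: 52 0
2017-01-14-10:05:55.3300 tcp(6) S 198.51.100.9 60210 10.0.2.3 23 [Linux 2.4]
this line is not a honeyd record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\((?P<pnum>\d+)\) (?P<event>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)"
    r"(?::\s*(?P<bytes_in>\d+) (?P<bytes_out>\d+))?"
    r"(?:\s*\[(?P<os>[^\]]*)\])?\s*$")

# Service names for the ports the text mentions (plus SNMP for the UDP sample).
SERVICE = {21: "FTP", 23: "TELNET", 80: "HTTP", 161: "SNMP"}


def parse_line(line: str):
    """Return a dict of fields for one log record, or None for lines that do
    not match the connection-log layout (Honeyd also logs other event types)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pnum", "sport", "dport", "bytes_in", "bytes_out"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(log_text: str) -> dict:
    """Group connection-open events (S for TCP, - for UDP) by attacking host and
    list which honeypot hosts and services each one touched, with the last OS
    guess Honeyd recorded for that host."""
    hosts = defaultdict(lambda: {"connections": 0, "targets": set(), "os": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] == "E":   # closes are not new contacts
            continue
        entry = hosts[rec["src"]]
        entry["connections"] += 1
        name = SERVICE.get(rec["dport"], "port %d" % rec["dport"])
        entry["targets"].add("%s:%d/%s %s" % (rec["dst"], rec["dport"], rec["proto"], name))
        if rec["os"]:
            entry["os"] = rec["os"]
    return {src: {"connections": e["connections"], "targets": sorted(e["targets"]), "os": e["os"]}
            for src, e in hosts.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print("%s (%s): %d contacts" % (src, info["os"], info["connections"]))
        for target in info["targets"]:
            print("    ", target)
```

Because every contact with a honeypot address is suspect by definition, the per-host summary is directly usable as the intrusion evidence the text refers to; pointing it at the real Honeyd log file instead of SAMPLE_LOG only requires reading the file into log_text.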
Conclusion and Future Work
In this project, we design an Intrusion Detection System (IDS) and Intrusion
Prevention System (IPS) that work on a technique known as "Honey token based
Encrypted Pointers" together with honeypot technology, against sophisticated cyber
threats that target industrial networks. Honeypot technology has matured after a
leap in its development. This technology aims to lure hackers to a decoy system,
thus delaying the attack and providing network security specialists a window of
opportunity to prevent the threat. The technology allows system administrators to
learn the launch address, verify whether the security strategy is effective, and
determine whether the defense line is solid. Existing networks are not always safe.
IDS, firewalls, encryption, and other technologies have certain defects. Network
security can be improved when such technologies are combined with a honeypot
system. We believe that honeypot technology will play a crucial role in global
network security. This IDS is specifically designed for the security of critical
infrastructure sensor networks. We analyzed the performance of the IDS model on
security and stability issues. The proposed IDS has the capability of detecting
SCADA-based cyber-attacks, and the use of encryption in the IDS makes it more
difficult for an attacker to launch a successful attack on critical infrastructure
networks. This type of IDS can also assist conventional signature-based IDS in
improving their efficiency in detecting new attacks. Intrusion detection is still a
long way from being mature; there is huge room for improvement and modification.
Signature-based detection is reliable but completely misses zero-day attacks, while
anomaly detection detects some zero-day attacks but produces a large number of false
alarms, thus reducing the overall efficiency of the IDS. Cyber security experts
believe that in future we will have to introduce new methods and mechanisms for
intrusion detection and that existing mechanisms will be discarded. Protocol
analysis has huge potential, where protocols are analyzed in depth and the analysis
is used for intrusion detection. The target detection method is also very useful
because it uses cryptographic algorithms to detect unauthorized changes in files.
Rule-based intrusion detection should also be used along with honeypot technologies
to improve detection efficiency. One of the most important tools for enhancing
intrusion detection is the honeypot. The core value of this tool lies not in its
use but in its abuse. It detects intrusion far better than all the other mechanisms
if deployed smartly. Intrusion Prevention Systems (IPS) are becoming more popular in
the security industry because they not only detect an intrusion but also take
preventive action and defend the network by stopping the intruders. So the
integration of honeytokens with other key technologies will enhance our existing
IPS, and the use of advanced encryption methods provides us with more flexible
options against intruders. Our proposed IDS is a scalable solution and thus
feasible for networks with a large number of nodes. Management becomes easy when
system nodes are divided into different pools, and it is easy to trap the attacker
when the network is divided into different segments. In this research work we used
honey tokens for intrusion detection and found them useful against cyber-attacks on
critical infrastructure networks. Our research work is focused on command injection
attacks that disrupt the operations of critical infrastructure networks. The only
limitation of the designed IDS is the length of the attack vector: if the attack
vector is too small to cause tampering of a honey token, the probability of
detection is low. There is a huge hidden potential in the use of honeypots,
honeynets and honey tokens for intrusion detection, and there is a lot more to be
done by future researchers and engineers in the field of intrusion detection.
References
[1] M. Cheminod, L. Durante, and A. Valenzano, "Review of Security Issues in
Industrial Networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1,
pp. 277-293, 2013.
[2] M. Merabti, K. Michael, and W. Hurst, "Critical infrastructure protection: A
21st century challenge," International Conference on Communications and
Information Technology (ICCIT), pp. 1-6, 2011.
[3] J. McHugh, "Intrusion and intrusion detection," International Journal of
Information Security, vol. 1, no. 1, pp. 14-35, 2001.
[4] B. Zhu, J. Anthony, and S. Shankar, "A taxonomy of cyber-attacks on SCADA
systems," 4th International Conference on Cyber, Physical and Social Computing,
pp. 380-388, 2011.
[5] J. P. Disso, J. Kevin, and B. Steven, "A Plausible Solution to SCADA Security
Honeypot Systems," Eighth International Conference on Broadband and Wireless
Computing, Communication and Applications (BWCCA), pp. 443-448, 2013.
[6] P. Jain and S. Anjali, "A hybrid honeyfarm based technique for defense against
worm attacks," World Congress on Information and Communication Technologies
(WICT), pp. 1084-1089, 2011.
[7] I. Kuwatly, S. Malek, A. Zaid, and A. Hassan, "A dynamic honeypot design for
intrusion detection," International Conference on Pervasive Services (ICPS),
pp. 95-104, 2004.
[8] Y. Yang and M. Jia, "Design and implementation of distributed intrusion
detection system based on honeypot," International Conference on Computer
Engineering and Technology (ICCET), vol. 6, pp. 260, 2010.
[9] R. Muraleedharan and A. O. Lisa, "An intrusion detection framework for sensor
networks using honeypot and Swarm Intelligence," 6th Annual International Mobile
and Ubiquitous Systems: Networking & Services, pp. 1-2, 2009.
[10] Song Li, Qian Zou, and Wei Huang, "A New Type of Intrusion Prevention
System," Guiyang University, Guiyang, China.
Introduction to Intrusion detection and prevention system for network
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATAREAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
 
Honey Pot
Honey PotHoney Pot
Honey Pot
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its types
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
 
Honeypot
Honeypot Honeypot
Honeypot
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Intrusion Detection System(IDS)
Intrusion Detection System(IDS)Intrusion Detection System(IDS)
Intrusion Detection System(IDS)
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Wireless lan intrusion detection by using statistical timing approach
Wireless lan intrusion detection by using statistical timing approachWireless lan intrusion detection by using statistical timing approach
Wireless lan intrusion detection by using statistical timing approach
 
Guide to intrusion detection
Guide to intrusion detectionGuide to intrusion detection
Guide to intrusion detection
 

Similar to Intrusion detection and prevention system for network using Honey pots and Honey token method

DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
IJCNCJournal
 
3778975074 january march 2015 1
3778975074 january march 2015 13778975074 january march 2015 1
3778975074 january march 2015 1
nicfs
 
A05510105
A05510105A05510105
A05510105
IOSR-JEN
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
IAEME Publication
 
Cyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsCyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control Systems
IJEACS
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
CYBER ATTACKS ON INTRUSION DETECTION SYSTEM
CYBER ATTACKS ON INTRUSION DETECTION SYSTEMCYBER ATTACKS ON INTRUSION DETECTION SYSTEM
CYBER ATTACKS ON INTRUSION DETECTION SYSTEM
ijistjournal
 
Utilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA NetworksUtilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA Networks
International Journal of Engineering Inventions www.ijeijournal.com
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
IJRES Journal
 
574 501-507
574 501-507574 501-507
574 501-507
idescitation
 
A Review Of Intrusion Detection System In Computer Network
A Review Of Intrusion Detection System In Computer NetworkA Review Of Intrusion Detection System In Computer Network
A Review Of Intrusion Detection System In Computer Network
Audrey Britton
 
Smart Grid Cyber Security
Smart Grid Cyber SecuritySmart Grid Cyber Security
Smart Grid Cyber Security
JAZEEL K T
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
Sergey Gordeychik
 
50120140507012
5012014050701250120140507012
50120140507012
IAEME Publication
 
50120140507012
5012014050701250120140507012
50120140507012
IAEME Publication
 
Light sec for utilities and critical infrastructure white paper
Light sec for utilities and critical infrastructure white paperLight sec for utilities and critical infrastructure white paper
Light sec for utilities and critical infrastructure white paper
George Wainblat
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
IJNSA Journal
 
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
gerogepatton
 
IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED-V2I2P15
IJSRED-V2I2P15
IJSRED
 
D03302030036
D03302030036D03302030036
D03302030036
theijes
 

Similar to Intrusion detection and prevention system for network using Honey pots and Honey token method (20)

DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
 
3778975074 january march 2015 1
3778975074 january march 2015 13778975074 january march 2015 1
3778975074 january march 2015 1
 
A05510105
A05510105A05510105
A05510105
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
 
Cyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsCyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control Systems
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
 
CYBER ATTACKS ON INTRUSION DETECTION SYSTEM
CYBER ATTACKS ON INTRUSION DETECTION SYSTEMCYBER ATTACKS ON INTRUSION DETECTION SYSTEM
CYBER ATTACKS ON INTRUSION DETECTION SYSTEM
 
Utilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA NetworksUtilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA Networks
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
 
574 501-507
574 501-507574 501-507
574 501-507
 
A Review Of Intrusion Detection System In Computer Network
A Review Of Intrusion Detection System In Computer NetworkA Review Of Intrusion Detection System In Computer Network
A Review Of Intrusion Detection System In Computer Network
 
Smart Grid Cyber Security
Smart Grid Cyber SecuritySmart Grid Cyber Security
Smart Grid Cyber Security
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
50120140507012
5012014050701250120140507012
50120140507012
 
50120140507012
5012014050701250120140507012
50120140507012
 
Light sec for utilities and critical infrastructure white paper
Light sec for utilities and critical infrastructure white paperLight sec for utilities and critical infrastructure white paper
Light sec for utilities and critical infrastructure white paper
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
 
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
 
IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED-V2I2P15
IJSRED-V2I2P15
 
D03302030036
D03302030036D03302030036
D03302030036
 

Recently uploaded

Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 

Recently uploaded (20)

Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 

Intrusion detection and prevention system for network using Honey pots and Honey token method

Abstract

In this research work an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) will be implemented to detect and prevent cyber-attacks on critical network infrastructure. To strengthen network security and improve the network's active defense and intrusion detection capabilities, this project consists of an intrusion detection system using honey token based encrypted pointers and an intrusion prevention system based on a mixed-interaction honeypot.

The IDS is based on the novel approach of Honey Token based Encrypted Pointers. A honey token inside the frame serves as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is given a different level of security within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool: Pool-A carries 4 HT/frame, Pool-B 3 HT/frame, Pool-C 2 HT/frame and Pool-D 1 HT/frame. Moreover, each pool uses a different encryption scheme (AES-128, AES-192 or AES-256). Our critical infrastructure network of 64 nodes is under the umbrella of unified security provided by this single Network Intrusion Detection System (NIDS). After the design phase, we analyze the performance of the IDS in terms of True Positives (TP) and False Negatives (FN), and finally we test it in a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. The proposed IDS is a scalable solution that can be implemented for any number of nodes in a critical infrastructure network.

For the Intrusion Prevention System (IPS) we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies. By using the original operating system together with virtualization, the honeypot lures attackers in a pre-arranged manner, analyzes and audits their attack behavior, tracks the attack source, obtains evidence, and finds effective solutions.
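The abstract's claim that the detection rate depends on the number of honey tokens per frame can be made concrete with a small model. The Python below is an added illustration, not code from the report, and it does not reproduce the report's encrypted-pointer design (that is described in Chapter 2). It assumes a 16-packet transmission frame, an attacker who overwrites two packets per frame without being able to tell honey tokens from regular DNP3 packets, and HMAC-SHA256 tags as a stand-in for the per-pool AES schemes; the pool keys, the filler packets and the pool-to-count mapping are constructed placeholders (the HT/frame counts are the ones given in the abstract).

```python
"""Per-frame honey-token detection model (added example; not the report's code)."""
import hashlib
import hmac
import random
from math import comb

# Honey tokens per frame for each pool, as given in the abstract.
POOL_HT_PER_FRAME = {"A": 4, "B": 3, "C": 2, "D": 1}
# Packets per transmission frame (assumed; the abstract does not give this figure).
FRAME_SIZE = 16
# Placeholder per-pool keys standing in for the report's per-pool AES schemes.
POOL_KEYS = {p: hashlib.sha256(f"pool-{p}-demo-key".encode()).digest()
             for p in POOL_HT_PER_FRAME}


def make_token(key: bytes, frame_id: int, slot: int) -> bytes:
    """Decoy DNP3-style packet: a keyed tag over (frame_id, slot) only the IDS can recompute."""
    tag = hmac.new(key, f"{frame_id}:{slot}".encode(), hashlib.sha256).digest()
    return b"HT" + tag[:14]


def build_frame(key: bytes, frame_id: int, n_tokens: int, rng: random.Random,
                size: int = FRAME_SIZE):
    """Return (frame, token_slots): constructed filler packets with honey tokens in random slots."""
    token_slots = sorted(rng.sample(range(size), n_tokens))
    frame = [b"DNP3" + bytes([frame_id % 256, i]) + b"\x00" * 10 for i in range(size)]
    for s in token_slots:
        frame[s] = make_token(key, frame_id, s)
    return frame, token_slots


def frame_intact(key: bytes, frame_id: int, frame: list, token_slots: list) -> bool:
    """IDS check: every honey-token slot must still carry exactly the expected tag."""
    return all(hmac.compare_digest(frame[s], make_token(key, frame_id, s))
               for s in token_slots)


def tamper(frame: list, k: int, rng: random.Random) -> list:
    """Constructed attack model: k random packets are overwritten. The attacker cannot
    tell honey tokens from regular packets, so some overwrites may land on a token."""
    tampered = list(frame)
    for s in rng.sample(range(len(frame)), k):
        tampered[s] = b"XXXX" + b"\x00" * 12
    return tampered


def detection_probability(size: int, n_tokens: int, k: int) -> float:
    """Closed form: P(at least one of k tampered slots is a honey token)."""
    return 1 - comb(size - n_tokens, k) / comb(size, k)


def simulate(pool: str, k: int = 2, trials: int = 2000, seed: int = 1) -> dict:
    """Tamper `trials` frames of the given pool and count true positives / false negatives."""
    rng = random.Random(seed)
    key, h = POOL_KEYS[pool], POOL_HT_PER_FRAME[pool]
    tp = fn = 0
    for frame_id in range(trials):
        frame, slots = build_frame(key, frame_id, h, rng)
        if frame_intact(key, frame_id, tamper(frame, k, rng), slots):
            fn += 1  # attack touched only regular packets: missed
        else:
            tp += 1  # a honey token was altered: alarm
    return {"pool": pool, "ht_per_frame": h, "tp": tp, "fn": fn,
            "detection_rate": tp / trials,
            "expected": detection_probability(FRAME_SIZE, h, k)}


if __name__ == "__main__":
    for pool in POOL_HT_PER_FRAME:
        r = simulate(pool)
        print(f"Pool-{pool}: {r['ht_per_frame']} HT/frame  TP={r['tp']} FN={r['fn']}  "
              f"rate={r['detection_rate']:.3f}  expected={r['expected']:.3f}")
```

With these assumptions Pool-A (4 HT/frame) detects about 45% of two-packet injections and Pool-D (1 HT/frame) about 12.5%, matching the closed form 1 - C(16-h, 2)/C(16, 2); an attack that rewrites every packet is always caught, and an untouched frame never raises an alarm, so the model has no false positives by construction. The point a practitioner should take from it is that honey-token density is the tuning knob: the per-pool counts trade detection rate against the bandwidth spent on decoys.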
Table of Contents

Chapter 1: Introduction to IDS (p. 5)
1.1 Approach of Honey tokens for Intrusion Detection Systems (p. 7)
1.2 Problem Statement (p. 7)
1.3 Project Contribution (p. 8)
1.4 Working of Intrusion Detection Systems (p. 8)
1.5 Types of Intrusion Detection Systems (p. 10)
1.6 Network Intrusion Detection Systems (NIDS) (p. 10)
1.7 Host Intrusion Detection Systems (HIDS) (p. 11)
1.8 Techniques of Intrusion Detection (p. 11)
1.9 Signature based Intrusion Detection Technique (p. 11)
Chapter 2 (p. 12)
2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers for Critical Infrastructure Networks (p. 12)
2.2 DNP3 Synthetic Traffic Generator (p. 14)
2.3 Honey Token based Encrypted Pointers (p. 16)
2.4 System Design (p. 17)
2.5 Intrusion Detection System Primary Module (p. 18)
2.6 Intrusion Detection System Secondary Module (p. 20)
Chapter 3: Results and Discussions (p. 21)
3.1 DNP3 Synthetic Traffic Generator (p. 21)
3.2 Alarm Analysis of Intrusion Detection System (p. 22)
3.4 Network Penetration Testing (p. 25)
Chapter 4: Introduction to Intrusion Prevention System (IPS) (p. 26)
4.1 Honeypot definition and development (p. 26)
4.2 Existing types of honeypot (p. 27)
4.3 Low-interaction honeypot system (p. 27)
4.4 Middle-interaction honeypot system (p. 27)
4.5 High-interaction honeypot system (p. 28)
4.6 Mixed-interaction honeypot system (p. 28)
4.7 System simulation (p. 30)
Conclusion and Future Work (p. 31)
Reference (p. 33)
Chapter 1: Introduction to IDS

The network security challenges of the 21st century are enormous for both the commercial sector and the military. With the evolution of the Internet, security became a major concern for everybody. We can better understand security technologies if we look at the history of the Internet itself. The basic structure of the Internet is vulnerable to many security threats, but if the attack method is known it is easy to deploy security measures that make our networks more secure. The world today is more interconnected than ever before, and a large amount of information resides on networking infrastructures belonging to governments, the private sector, military organizations and our daily personal lives. The security of intellectual property makes cyber security more important than ever before.

In the recent past we have witnessed critical infrastructures becoming the prime target of major cyber-attacks, and the security of these critical infrastructure networks has emerged as one of the biggest challenges of our time. Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands to run the operations of the critical infrastructure. A brief overview of the typical SCADA architecture is shown in Figure 1.1. SCADA systems are widely used in industrial installations for the operational control and management of field sensors and actuators. The typical components of the SCADA architecture are as follows:

Operator: The one who monitors the running SCADA system around the clock (24x7). The operator is usually a human being keeping an eye on all important functional parameters of the network, which comprises motors, sensors, actuators, PLCs, etc.

Human Machine Interface (HMI): The system that presents process data to the human operator. Through the HMI the operator can control all the processes of the critical infrastructure.

Master Terminal Unit (MTU): The unit that presents data to the human operator through the HMI. It gathers data from the remote PLC, sensor, motor and actuator sites, and control signals (commands) are then transmitted by the MTU.

Remote Terminal Unit (RTU): This unit acts as a slave in the master/slave architecture of the SCADA system. It receives control signals (commands) from the MTU and forwards them to the devices (sensors, motors, etc.) under its control. The RTU acquires data from these devices and transmits the gathered data to the MTU. An RTU may be a PLC.

Communication Links: For communication between the Master Terminal Unit (MTU) and the Remote Terminal Unit (RTU) there are communication channels (links) that may be wired or wireless. For the protocols that carry SCADA traffic (DNP3, IEC 60870-5), any link that provides a bandwidth above 1200 bps is workable. Distributed Network Protocol-3 (DNP3) is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control architectures.

Figure 1.1: Typical SCADA Architecture

SCADA systems possess strategic importance because they are used in critical infrastructure networks for command and control. SCADA based cyber-attacks disrupt the monitoring and controlling parameters of industrial control communication protocols and are thus capable of causing serious system failures or, in some cases, physical damage to critical infrastructure networks. There are many documented real-world cyber-attacks on critical infrastructures in the last few years which clearly prove the vulnerability of these networks. A number of countries, including Russia and Taiwan, are involved in DNP3 port scanning activities against the critical infrastructure networks of many western countries. This port scanning is strong evidence that attackers are searching for potential vulnerabilities in SCADA command and control networks and trying to obtain the pieces of information that will later help in launching a massive attack on critical infrastructure sensor networks. Forensic systems for the detection of cyber-attacks on these SCADA based networks are not common. SCADA based cyber-attacks are mostly directed at the devices used in critical infrastructure environments, e.g., Programmable Logic Controllers (PLC), Intelligent Electronic Devices (IED), Programmable Automation Controllers (PAC), Remote Terminal Units (RTU) and Master Terminal Units (MTU).

Critical infrastructure communication networks are vulnerable to command injection attacks, reconnaissance class attacks and response injection attacks. Command injection attacks inject malicious code and commands into the payload area of the packets carrying traffic for SCADA based critical infrastructures; when successfully executed on the RTU devices, the malicious code and commands cause massive damage to industrial control system operations. In the case of Stuxnet, for example, the worm monitors the communication between the WinCC tool and the RTU; when a specific signature related to an RTU operation (a possible command) is found, the worm immediately replaces that command signature with malicious code, causing physical damage in critical infrastructure control systems. Reconnaissance attacks gather important information about the critical infrastructure network devices and their configurations, e.g., the manufacturer of devices (PLC, RTU, MTU), the deployed industrial network support protocol, memory type, system serial numbers, system model numbers, etc. All this information is used to design the SCADA based cyber-attack. Response injection attacks are used to present incorrect sensor information. Of all these categories the most dangerous is the command injection attack. In our research work we focus on command injection attacks in SCADA based critical infrastructure networks, and specifically on the segment between HMI/MTU and RTU/PLC, because this is the most vulnerable area of a SCADA based critical infrastructure network.

1.1 Approach of Honey tokens for Intrusion Detection Systems

A honey token is a security tool used for intrusion detection. Its concept is derived from honeypots and honeynets. A honey token is a honeypot that is not a computer system but just a piece of data. The core value of honey tokens lies not in their use, but in their abuse. So, a honey token is a piece of data used to trap an attacker: it appears to be part of the data and alerts the system administrator when it is accessed by an attacker [9]. In our approach to IDS, a honey token is nothing but a DNP3 packet which we embed inside the transmission frame along with the regular DNP3 packets that carry normal network traffic.

1.2 Problem Statement

The security of critical infrastructure networks has become a key issue after recent cyber-attacks, especially attacks like "Stuxnet" that destroy and disrupt the operations of these networks. Moreover, there are many hidden vulnerabilities in existing industrial protocols like DNP3 and IEC 60870-5 that can easily be exploited by attackers. Firewall scanning only looks outwards and is not a complete solution for a network of critical infrastructure facilities, whereas an IDS seems to be a good choice. Our future intrusion detection systems must be able to protect our networks despite all the vulnerabilities that exist in running SCADA networks. Future IDS must also be capable of countering external as well as internal threats.
Online connectivity is increasing nowadays, and to enhance overall production these critical infrastructure networks are connected to other networks as well as to the Internet. This massive connectivity provides attackers with many more opportunities and poses a greater threat to the security of critical infrastructure networks.

1.3 Project Contribution

The aim of this work is to design and develop an Intrusion Detection System (IDS) that specifically counters the security challenges of industrial networks. This IDS uses a new and different approach and performs all its functions per the industrial standards and practices of SCADA networks. In this project, our main contributions are focused on:

- Designing an Intrusion Detection System (IDS) specifically for the security of critical infrastructure networks, which works using the approach of Honey Token based Encrypted Pointers to detect cyber-attacks.
- Deriving a new strategy for intrusion detection which improves the overall security of the critical infrastructure network, particularly focusing on the security of the field area (RTU, PLC etc.) by detecting attacks more efficiently and enhancing real-time detection capability. We introduce an approach in which all the systems under the working domain of the critical infrastructure network are divided into four different pools, the division being based on the computational power and vulnerability level of each individual system. Different pools are provided with different levels of security, but the entire network is under the umbrella of unified security provided by a single network-based IDS.
- Developing a mechanism for intrusion detection that uses AES encryption schemes, honey tokens and pointers to achieve better security against attacks, which gives us the ability to respond quickly to adversarial activities and a better understanding of the attacker's behavior.
- Providing a scalable solution that can be implemented on a network of any number of remote computational nodes.

1.4 Working of Intrusion Detection Systems

An Intrusion Detection System (IDS) is a system used to identify and detect malicious activities in the network. These systems emerged in the arena of network security when it was realized that advances in network technology bring serious cyber threats with them, and that to run the operations of these networks successfully we must have some sort of security system which is reliable and flexible. All computer systems and networks have vulnerabilities, and it is almost impossible to build a perfect computer system or a perfect network that is free of all errors and vulnerabilities. So, there is no question of a modern network without some type of network security equipment, e.g., firewall, IDS etc. The main goal of an intrusion detection system is to detect attempted network breaches and, in some cases, to look for open vulnerabilities that could result in a potential breach of a network. If we study IDS at a very macroscopic level, we come to know that it just acts as a detector that processes information coming from a client's network. This detector can also send probes that are used to request audit data from the information system (network). Intrusion Detection Systems commonly use three kinds of information:

1. Long Term Information.
2. Configuration Information.
3. Audit Information.

Long term information is related to the mechanisms and techniques used for intrusion detection, whereas configuration information is about the current state of the system and audit information describes the sequence of events happening on the connected network or information system. The generic IDS is shown in Figure 3.1. The function of the detector is to filter the information coming from the information system, eliminate all the unneeded information from the audit trails and then decide about the possible intrusion. The countermeasure unit takes preventive actions in case of any possible intrusion and tries to save the network from any attempted security breach.

Figure 3.1: Generic Intrusion Detection System

In Figure 3.1 the basic role of the detector is to filter out the useless information coming from the audit trails. Based on this crucial information a decision is then taken about the event (possible intrusion) and then preventive action is taken by the countermeasure component of the Intrusion Detection System (IDS). Based on their operational mechanisms, Intrusion Detection Systems (IDS) are basically divided into two main categories:

1. Passive Intrusion Detection Systems
2. Active Intrusion Detection Systems

1.5 Types of Intrusion Detection Systems

There are two main types of IDS that have been used by the industry for many years. Even though the technique and the target differ, the basic purpose of both types of system is to provide security by performing detection functions. For several years there has been a debate about which of the two possesses the better detection strategy. In the following, the basic principles of these two types are discussed. The two types of IDS are:

1. Network Intrusion Detection Systems (NIDS)
2. Host Intrusion Detection Systems (HIDS)

1.6 Network Intrusion Detection Systems (NIDS)

Network Intrusion Detection Systems (NIDS) are placed at critical and strategic places in the network; these systems monitor the network for internal as well as external threats. A NIDS checks the entire traffic of the network for any possible cyber-attacks. When an attack is detected or any abnormal traffic behavior is noticed, an alert message is sent to the administrator. As is clear from the name, these intrusion detection systems are always deployed in a subnet where most probably a firewall is placed, and the network administrator keeps a strong check on who is trying to break the security policy of the firewall while also trying to detect an inside attacker. As shown in Figure 3.2, there are two different companies and each company's network is connected to the Internet. The network of one company is protected by a firewall as well as an Intrusion Detection System (IDS) placed at the gateway of the network, whereas the network of the second company is protected only by a network intrusion detection system placed at the gateway.
Figure 3.2 gives a clear idea of the importance of the placement of Network Intrusion Detection Systems (NIDS) in the network.
Figure 3.2: Network Intrusion Detection System

1.7 Host Intrusion Detection Systems (HIDS)

This type of intrusion detection system is designed for the security of a single host (machine) on the network. A Host Intrusion Detection System (HIDS) inspects all packets coming out of the device and those going into the device and continuously monitors for malicious activity. Once it finds some type of intrusion it alerts the administrator or the user of that machine. HIDS takes a snapshot of all the system files and compares it with the previous snapshot; if files are missing, deleted or edited, HIDS raises an alarm and goes for further investigation. HIDS is mostly installed on mission-critical machines. The most common example of HIDS is the anti-virus software installed on our daily-use computers.

1.8 Techniques of Intrusion Detection

The detection techniques used by IDS are as follows:

1. Signature based Intrusion Detection Technique.
2. Anomaly based Intrusion Detection Technique.

1.9 Signature based Intrusion Detection Technique

An Intrusion Detection System (IDS) that uses the signature-based detection approach scans all the packets on the network and compares them against a database of signatures. For understanding, we can think of a signature as a unique digital thumbprint: every signature is different from the others, and all the signatures in the database are attributes of known malicious cyber threats. The IDS compares the packets with all the signatures available in the database, and if one matches at any point in time, that event is considered an intrusion by the intrusion detection system. Almost all anti-virus programs use this signature-based intrusion detection approach. Using this approach the system will detect all known attacks, but at the same time it completely misses all unknown signatures (zero-day attacks). In Figure 3.3, we have a complete basic model of a signature-based Intrusion Detection System (IDS). Packets are matched against malicious signatures and the administrator is alerted in case of a match.

Figure 3.3: Signature based Intrusion Detection System

Chapter 2

2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers for Critical Infrastructure Networks

Our approach to the design of the Intrusion Detection System (IDS) is novel and simple: we use honey token based encrypted pointers for the detection of network attacks on the critical infrastructure network. We embed these honey tokens inside the transmission frame, and an encrypted pointer keeps a record of the locations of all these honey tokens. This encrypted pointer is sent to the destination within the same transmission frame in which the honey token packets were embedded. At the receiver side, we extract all the honey tokens from the frame with the help of the encrypted pointer and compare them with the database of honey tokens already present at every Remote Terminal Unit (RTU) to verify whether any changes were made to them.

Critical infrastructure is the term mostly used for those national assets which are very important for the operational stability of the economy and society, and without which there is no concept of running a nation state successfully in the 21st century. In today's modern times all these critical infrastructure operations run using smart and sophisticated networks called critical infrastructure networks. There are large numbers of these critical infrastructures, but the most common are the electric power grid, the oil and gas sector, nuclear power plants, water supply systems, air traffic control systems, water treatment plants, railway traffic systems, industrial manufacturing etc. Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for these purposes. It collects data from all systems using a wide range of sensors and then issues commands from its Master Terminal Unit (MTU) for operating industrial control systems. The common topology of a critical infrastructure sensor network is shown in Figure 2.1.

Figure 2.1: The common topology of critical infrastructure sensor network

The SCADA (MTU) system connects to a network of nodes commonly known as Remote Terminal Units (RTU), and sensors connect to these RTUs. The IDS shown in Figure 4.1 is a Network based Intrusion Detection System (NIDS) and thus serves the entire critical infrastructure sensor network with its security services. An RTU may be a PLC; it collects data from all the sources, which include sensors, actuators, motors, pressure valves and centrifuges etc. The RTU then sends this data back to the MTU for monitoring tasks. The MTU sends commands to the RTU for controlling these assets (motors, sensors and actuators). The RTU receives this set of commands from the MTU and directs them towards their target devices.

2.2 DNP3 Synthetic Traffic Generator

Distributed Network Protocol-3 (DNP3) is a set of communications protocols used between components in process automation systems. It is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control software. Our adopted approach to solving the problem is very simple: we generate DNP3 synthetic traffic, and we designed a DNP3 traffic generator capable of producing millions of DNP3 packets. DNP3 is an open protocol, which means that the complete technical documentation associated with this protocol is available to the public. The core elements that define the DNP3 protocol are the data link layer protocol description, the application layer protocol description and the data object library. At the start of the packet we have the data link layer information, which includes start bytes, length bytes, control bytes, destination address, source address and CRC (Cyclic Redundancy Check) bytes for the data link layer, and after this we have the application layer headers. At the end we have the data area, where we have the actual data (payload), and the object header, which carries the control information associated with this data area. The object header contains the fields of function control bytes, internal information bytes, object type bytes, variation bytes, qualifier bytes, range bytes, data object bytes and CRC bytes. DNP3 is a robust and flexible protocol compared with other conventional communication protocols. DNP3 was originally designed based on a three-layer model which includes the application layer, data link layer and physical layer. The application layer provides objects for most generic data formats, the data link layer provides methods for retrieving data and the physical layer defines the most common RS-232, RS-485 or radio interfaces.
DNP3 uses the 3-layer Enhanced Performance Architecture (EPA) stack for its specifications. The 3-layer EPA stack provides a simpler way of data communication over industrial control systems, where there is no need for many of the features that are required on IP networks for communication. Figure 2.3 shows the comparison of the Enhanced Performance Architecture (EPA) stack with the 7-layer model.
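As an added example (not the report's MATLAB generator), the following Python builds and checks a DNP3 data link frame with the layout described above, using the standard CRC-16/DNP checksum over the 8-byte header and over each 16-byte block of user data; the sample addresses and payload are constructed.

```python
"""DNP3 data link frame builder and checker with the CRC-16/DNP checksum.

Added example, not the report's MATLAB generator. The field layout follows
the data link header described above: start bytes 0x05 0x64, LEN, CTRL,
DEST, SRC and a header CRC, then user data in 16-byte blocks, each block
followed by its own CRC. Addresses and CRCs are sent least significant
byte first. The sample frame values in the usage are constructed.
"""

START = b"\x05\x64"
MAX_USER_DATA = 250          # LEN is one byte and counts CTRL+DEST+SRC+data


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a link layer frame; every CRC is computed over the bytes before it."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds the 250-byte DNP3 frame limit")
    header = (START + bytes([5 + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check the start bytes and every CRC, then return the decoded fields.

    Any corruption raises ValueError: this is the link layer behaviour the
    report relies on when it argues that noise-damaged frames are discarded
    and retransmitted rather than reaching the honey token check.
    """
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    header = frame[:8]
    if crc16_dnp(header) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    user_len = header[2] - 5
    data, pos = b"", 10
    while len(data) < user_len:
        n = min(16, user_len - len(data))
        block = frame[pos:pos + n]
        if crc16_dnp(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            raise ValueError("data block CRC mismatch")
        data += block
        pos += n + 2
    if pos != len(frame):
        raise ValueError("frame length does not match LEN")
    return {"ctrl": header[3],
            "dest": int.from_bytes(header[4:6], "little"),
            "src": int.from_bytes(header[6:8], "little"),
            "user_data": data}


if __name__ == "__main__":
    # Constructed sample: 20 bytes of user data from master 1024 to outstation 1.
    sample = build_frame(0xC4, 1, 1024, bytes(range(20)))
    print(sample.hex(), parse_frame(sample))
    damaged = bytearray(sample)
    damaged[12] ^= 0x01            # single bit flip in the first data block
    try:
        parse_frame(bytes(damaged))
    except ValueError as err:
        print("discarded:", err)
```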
Figure 2.3: Comparison of EPA Stack with 7 Layer Reference Model [63]

Although DNP3 was designed as a reliable protocol, it was not designed as a secure protocol. It is vulnerable to attacks designed to disrupt control system operations and disable critical infrastructure networks. So, an enhanced level of security in the form of an IDS is required to protect assets as important as critical infrastructure networks. The honey tokens used by the IDS are normal DNP3 packets generated using the same synthetic traffic generator. These honey token packets look the same as real DNP3 packets, and it is impossible for a human being to differentiate between a real token and a honey token.
2.3 Honey Token based Encrypted Pointers

Our approach for the IDS uses a technique called Honey Token based Encrypted Pointers. Honey tokens are artificial digital data items planted deliberately into a genuine system resource to detect unauthorized attempts to use or disrupt the original information. Honey tokens are characterized by properties which make them appear as genuine data items. The honey tokens used by our IDS are normal DNP3 packets planted deliberately into a transmission sequence to detect cyber-attacks. We generate these honey tokens once at the start of the simulation and make an encrypted database of them. All the Remote Terminal Units (RTUs) in the critical infrastructure network hold a copy of this encrypted honey token database, which they later use for comparison and correlation of honey tokens at the RTU to detect any changes made to the sequence by the attacker during transmission from the Master Terminal Unit (MTU) to the RTU. The transmission sequence consists of a total of N packets. In the first step the IDS uses N-1 packets as the process length. In other words, the IDS embeds honey tokens in the real traffic at random locations and makes a sequence of length N-1. This sequence of length N-1 is known as the process length of the sequence and is shown in Figure 2.4.

Figure 2.4: Process Length

The last packet contains the locations of all the honey tokens that were embedded earlier in the process length by the IDS. This last packet is known as the pointer, and after encryption it becomes an Encrypted Pointer (EP). The pointer itself is also a normal DNP3 packet, and all the locations of the honey tokens are stored inside the payload area of this packet, where any empty space in the payload area is filled using zero padding. It is shown in Figure 4.5 that after inserting the locations of all the honey tokens inside the payload area of the packet, the empty space is filled using zero padding.

Figure 2.5: Pointer Structure
The entire formation process is shown in Figure 2.6, where a single sequence has N packets and the process length has (N-1) packets; the last packet of the sequence is the pointer that contains the locations of the honey tokens.

Figure 2.6: Formation Process

2.4 System Design

We adopted a modular approach in the system design, and the IDS consists of two separate modules working at separate physical locations within the critical infrastructure network. The two modules of the IDS are:

1. IDS Primary Module.
2. IDS Secondary Module.

The IDS primary module works in collaboration with the MTU and the IDS secondary module works in collaboration with the RTU. We divide the critical infrastructure sensor network into four different categories or pools, as shown in Figure 2.7. This division of nodes among the four pools is based on the computational power and the vulnerability level of each system (node) working in the critical infrastructure sensor network.
Figure 2.7: Segmentation of Pools in Critical Infrastructure Network

Pool-A contains those systems having greater computational power and higher vulnerability levels; it uses 4 honey tokens per frame and the AES-256 encryption scheme (e.g., data centers), whereas Pool-D contains those systems having the least computational power; it uses one honey token per frame and the AES-128 encryption scheme (e.g., a tsunami warning system for the open ocean). The other two pools (B and C) contain systems that fall between the above categories: Pool-B uses 3 honey tokens per frame and the AES-192 encryption scheme (e.g., oil rigs) and Pool-C uses 2 honey tokens per frame and the AES-192 encryption scheme (e.g., remote operating stations). The encryption scheme assigned to each pool is used for two basic tasks: first, encryption of the pointer, and second, encryption of the honey token database (present at the RTUs) for that pool.

2.5 Intrusion Detection System Primary Module

The IDS primary module works in collaboration with the MTU. It starts by embedding honey tokens inside the normal DNP3 traffic frame at random locations. First, the transmission module in Figure 4.8 checks which RTU in the critical infrastructure network the current frame is directed towards. Then the IDS checks the pool of that specific RTU; when the pool is confirmed, the IDS performs its operation of embedding honey tokens inside the transmission frame. For example, if the current frame belongs to Pool-A, the IDS embeds four honey tokens at random positions inside the frame. The locations (addresses) of these four honey tokens are then placed inside the last packet, which is known as the pointer of the frame, and the empty space inside this pointer is filled with zero padding. The IDS then encrypts this pointer using the AES-256 encryption scheme, so the only thing encrypted inside the frame is the pointer, which holds the locations of all those honey tokens. The encrypted pointer is then attached to the frame, and this frame is now ready for transmission over the physical channel, which may be wired or wireless. If the destination RTU belongs to Pool-B, the IDS primary module embeds 3 honey tokens inside the frame and stores their locations in the pointer; AES-192 is used for the encryption of the pointer if the target RTU belongs to Pool-B. The IDS primary module uses 2 honey tokens per frame if the target RTU belongs to Pool-C, and the AES-192 encryption scheme is used for the Pool-C pointer. In the case of Pool-D the IDS uses only one honey token per frame and stores its location inside the pointer; the empty space is filled with zero padding and AES-128 is used for pointer encryption.

Figure 2.8: Flow Chart of IDS Primary Module at Master Terminal Unit (MTU)
2.6 Intrusion Detection System Secondary Module

At the receiver side, at the RTU, the IDS secondary module receives the transmission frame and extracts the Encrypted Pointer (EP) from the frame. If the local RTU falls in Pool-A of the critical infrastructure network, the EP is decrypted using the AES-256 scheme, and after successful decryption of the pointer the IDS secondary module opens the pointer and removes all the zero padding inside it. The IDS then extracts the honey tokens from the transmission frame using the locations available inside the pointer. In the case of Pool-B the EP is decrypted using the AES-192 scheme and the zero padding is removed for successful recovery of the honey token locations at the RTU side. The same process is used for the other two pools; the only difference is that the Pool-C pointer is decrypted using AES-192 and the Pool-D pointer using AES-128. After the successful recovery of the honey tokens at the RTU side, the IDS secondary module performs the process of scanning as shown in Figure 4.9. The HT Database contains the entire database of honey tokens which the IDS uses for its detection mechanism. Moreover, this HT Database is also encrypted, using AES-256 for Pool-A, AES-192 for Pool-B and Pool-C and AES-128 for Pool-D. In the scanning operation the IDS secondary module compares all the honey tokens bit by bit with their copies present in the HT Database. The honey token scanning process detects any tampering with the honey tokens during the entire process of transmission from MTU to RTU. If any tampering is detected, the IDS immediately raises an alarm for the network administrator and considers this event a possible intrusion; otherwise, if all the honey tokens match their counterparts in the HT Database and there is no mismatch in the bits, the IDS considers this event normal and continues its operations.

Figure 2.9: Flow Chart of IDS Secondary Module at Remote Terminal Unit (RTU)
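As an added example (not the report's MATLAB code), the following Python implements the primary and secondary module logic of sections 2.5 and 2.6: per-pool honey token counts and AES key sizes, random embedding into the process length, a zero-padded pointer encrypted as the last packet, and the RTU-side bit-for-bit check against the HT database. Packets are opaque byte strings, and all keys, nonces, tokens and traffic are constructed; when the cryptography package is not installed, a labelled HMAC-SHA256 keystream stands in for AES-CTR.

```python
"""Honey Token based Encrypted Pointer: MTU-side embedding (IDS primary
module) and RTU-side scanning (IDS secondary module).

Added example, not the report's MATLAB code. Packets are opaque byte
strings; pool keys, nonces, the HT database and the traffic are all
constructed for the demo. AES-CTR from the 'cryptography' package is used
when it is installed; otherwise a labelled HMAC-SHA256 keystream stands in
(it is NOT AES) so the pointer logic can still be exercised offline.
"""
import hashlib
import hmac
import random
import struct

# Pool policy from the report: (honey tokens per frame, AES key length in bytes).
POOLS = {"A": (4, 32), "B": (3, 24), "C": (2, 24), "D": (1, 16)}
PACKET_LEN = 32   # constructed fixed packet size; real DNP3 frames vary

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def ctr_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
        """AES-CTR; the same call both encrypts and decrypts."""
        enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
        return enc.update(data) + enc.finalize()
except ImportError:  # stand-in keystream cipher for the demo only, NOT AES
    def ctr_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
        stream = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))


def make_pointer(positions: list) -> bytes:
    """Pointer packet: HT positions as 16-bit fields, zero padded to PACKET_LEN."""
    body = b"".join(struct.pack(">H", p) for p in positions)
    return body + bytes(PACKET_LEN - len(body))


def read_pointer(pointer: bytes, ht_count: int) -> list:
    """Drop the zero padding and recover the stored positions."""
    return [struct.unpack(">H", pointer[i:i + 2])[0] for i in range(0, 2 * ht_count, 2)]


def embed(pool: str, traffic: list, ht_db: list, key: bytes,
          nonce: bytes, rng: random.Random) -> list:
    """Primary module: put the pool's number of HTs at random positions of the
    process length (N-1 packets) and append the encrypted pointer as packet N."""
    ht_count, key_len = POOLS[pool]
    if len(key) != key_len:
        raise ValueError("key length does not match the pool's AES scheme")
    seq = list(traffic)
    positions = sorted(rng.sample(range(len(seq) + ht_count), ht_count))
    for pos, token in zip(positions, rng.sample(ht_db, ht_count)):
        seq.insert(pos, token)      # ascending inserts keep earlier indices valid
    return seq + [ctr_cipher(key, nonce, make_pointer(positions))]


def scan(pool: str, frame: list, ht_db: list, key: bytes, nonce: bytes) -> tuple:
    """Secondary module: decrypt the pointer, pull the HTs out of the process
    length and compare them bit for bit with the HT database.
    Returns (alarm, recovered_traffic)."""
    ht_count, _ = POOLS[pool]
    positions = read_pointer(ctr_cipher(key, nonce, frame[-1]), ht_count)
    process, db = frame[:-1], set(ht_db)
    alarm = any(p >= len(process) or process[p] not in db for p in positions)
    return alarm, [pkt for i, pkt in enumerate(process) if i not in positions]


def detection_rate(pool: str, trials: int = 200, attack_fraction: float = 0.7,
                   seed: int = 1) -> float:
    """Share of frames flagged when an attacker overwrites a contiguous run
    covering attack_fraction of the process length (a simplified version of
    the report's attack-vector model). Overwritten real packets go unnoticed
    unless an HT lies in the run, which is where the FN cases come from."""
    rng = random.Random(seed)
    ht_db = [bytes([0xA0 + i]) * PACKET_LEN for i in range(8)]   # constructed
    key = bytes(range(POOLS[pool][1]))                            # constructed
    alarms = 0
    for t in range(trials):
        traffic = [bytes([t & 0xFF, i]) * (PACKET_LEN // 2) for i in range(20)]
        nonce = t.to_bytes(16, "big")   # unique per frame; CTR nonces must not repeat
        frame = embed(pool, traffic, ht_db, key, nonce, rng)
        span = int(attack_fraction * (len(frame) - 1))
        start = rng.randrange(len(frame) - span)
        for i in range(start, start + span):
            frame[i] = b"\xEE" * PACKET_LEN     # constructed attack payload
        alarms += scan(pool, frame, ht_db, key, nonce)[0]
    return alarms / trials


if __name__ == "__main__":
    for pool in "ABCD":
        print(f"Pool-{pool}: {POOLS[pool][0]} HT/frame, "
              f"detection rate {detection_rate(pool):.0%}")
```

The detection_rate figures come from this simplified model and only illustrate why more honey tokens per frame lower the false negative share; they will not reproduce the report's measured percentages.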
Chapter 3 Results and Discussions

3.1 DNP3 Synthetic Traffic Generator

Figure 3.1 shows the output of the DNP3 synthetic traffic generator, which is designed in MATLAB; this traffic generator can generate millions of packets of the DNP3 protocol (synthetic traffic). The first two bytes of every DNP3 packet, always 0564 (the defined standard start for a DNP3 packet), are clearly highlighted. In Figure 3.1 there are a total of 34 DNP3 packets, of which 10 are honey tokens. It is almost impossible to distinguish between a real packet and a honey token packet.

Figure 3.1: DNP3 synthetic traffic generator output
3.2 Alarm Analysis of Intrusion Detection System

We are using a test network of 64 nodes, where each pool contains 16 nodes. Here we make an assumption about the length of the attack vector. From the detailed study of Stuxnet and other related attacks, the malicious attacks used to disrupt the operations of critical infrastructure networks comprise complex and lengthy code and commands. These attacks consist of hundreds and sometimes thousands of frames, but here in our simulation we assume that our attack signature, which is generated by MATLAB, must be greater than half the length of the frame. All the results are average values. Secondly, the reason why we are not using False Positive (FP) and True Negative (TN) in our alarm analysis is the nature of the DNP3 protocol itself. DNP3 is not a general protocol; it is different from SMTP, FTP, HTTP etc. It is intended for SCADA applications and is designed as a reliable protocol but not as a secure protocol. It uses CRC (Cyclic Redundancy Check) for both header and payload, so it discards all corrupted packets (corrupted because of channel noise and bit errors) and requests retransmission of the corrupted packets. For our IDS, a false positive would only happen when honey tokens are corrupted because of channel noise and mismatch the HT database at the RTU. This scenario is not possible because corrupted frames are discarded by the DNP3 protocol. So, FP is not included in our alarm analysis, since honey tokens discarded by the RTU due to channel noise are retransmitted by the MTU. These SCADA networks run (24x7) over a period of years and their operations are not affected by any disruption (bit errors and channel noise etc.), and this is possible only because of their robust design, giving extreme reliability to these critical infrastructure networks. The result shown in Figure 3.6 is the output of the system alarms.
"True Positive" means that an attack occurs and the system successfully detects that attack, and "False Negative" means that an attack occurs but the system fails to detect it. On the y-axis we have the scale of alarm percentage and on the x-axis we have the four different pools [A-B-C-D]. Maximum security is given to Pool-A because these systems possess high computational power; therefore it has a very small percentage of false negatives, and from the results in Figure 3.2 it is shown that on average false negative alarms are less than 2% for Pool-A.
Figure 3.2: IDS Performance (Alarm Analysis)

On the other hand, the least security is provided to Pool-D because these systems are constrained in computational power and other valuable resources, so the false negative percentage is almost 12% for Pool-D. The graphical results in Figure 3.2, which are also tabulated in Table 3.1, show the different pools with their True Positive (TP) and False Negative (FN) alarm percentages for an attack vector of 70% of the length of the frame; all these results are average values. The encryption schemes are also listed along with the different pools in Table 3.1.
Table 3.1: IDS Alarm Analysis for 70% attack vector

From Figure 3.2 and Table 3.1, Pool-A has 98% TP alarms and 2% FN alarms; it uses 4 HT/frame with the AES-256 encryption scheme. Pool-B has 97% TP alarms and 3% FN alarms; it uses 3 HT/frame with the AES-192 encryption scheme. Pool-C has 93% TP alarms and 7% FN alarms; it uses 2 HT/frame with the AES-192 encryption scheme. Finally, Pool-D has 88% TP alarms and 12% FN alarms; it uses only one HT/frame with the AES-128 encryption scheme.

Table 3.2: IDS Alarm Analysis Comparison Table
3.4 Network Penetration Testing

To test and verify our designed Intrusion Detection System (IDS) we use Network Penetration Testing (NPT). Alongside our IDS we place another, conventional signature-based IDS which contains signatures for some known attacks, for the security of the 64-node critical infrastructure test network as shown in Figure 3.13.

Figure 3.13: Network Penetration Testing Scenario (64 Node Network)

Then, using MATLAB, we generate hexadecimal attack signatures (zero-day attacks) and a few known attack signatures (hexadecimal signatures) which are already present in the database of the conventional IDS. Finally, we launch all these attacks on the test network. Known attacks are immediately stopped by the conventional IDS, but all zero-day attack signatures successfully penetrate the 64-node test network. In response, our IDS successfully detected these penetrated attacks in the 64-node network. A snapshot of the IDS scanning process is shown in Figure 3.14, where cyber-attacks are detected by the IDS on nodes 22 and 24.

Figure 3.14: Intrusion Detection System scanning process
Chapter 4 Introduction to Intrusion Prevention System (IPS)

Virtual honeypot technology is the best active prevention technology among all honeypot technologies. By using the original operating system and virtualization technology, the honeypot lures attackers in a pre-arranged manner, analyzes and audits various attack behaviors, tracks the attack source, obtains evidence, and finds effective solutions. Thereafter, legal means can be used to hold the attackers responsible, and technology and management tools can be employed to improve the protection of the real system. A honeypot system can detect attack behavior and redirect such attacks to a strictly controlled environment to protect the production system. This system collects intrusion information to observe and record the behavior of the attacker and examine the level, purpose, tools, and intrusion methods of the attack, such that evidence can be obtained and possible legal action can be taken.

4.1 Honeypot definition and development

A honeypot system is designed to attract hackers. Thus, after an intrusion, network administrators and security specialists can determine how the attacker succeeded, prevent subsequent attacks, and identify security gaps. In addition to identifying the various tools used by hackers, honeypot technology can also identify the social networks of intruders by determining the relationships among hackers.

Figure 4.1: Honeypot principle diagram
A honeypot is a security resource whose value lies in being scanned, attacked, and captured. This characteristic means that a honeypot has no other production function. Therefore, all network traffic that flows into or out of the honeypot can be taken to indicate scanning, attack or compromise. The core value of this technology lies in monitoring, detecting, and analyzing intrusive activities. The most popular honeypot tools are the Deception Tool Kit and Honeyd. Based on traditional honeypot and honeynet technologies, active honeypot, honeyfarm, honeyapp, honeyclient, and other new concepts have been proposed. Such applications and concepts have also opened new research directions.

4.2 Existing types of honeypot

If we define the level of a honeypot by the level of interactivity offered to its attackers, and allow for varying degrees of interaction between the operating system and intruders, then honeypot systems can be divided into low-interaction, middle-interaction, and high-interaction honeypot systems.

4.3 Low-interaction honeypot system

A low-interaction honeypot provides only specific emulated services. In their basic form, these services can be provided by monitoring a specific port. Low-interaction honeypot systems do not provide intruders with an actual operating system for remote login; thus, the risk is low. However, this kind of honeypot is highly passive, like a unidirectional connection in which only limited information can be collected. With information flowing only from outside to the machine and no response message sent back, this type of honeypot fails to capture the communication process behind complicated protocols. Low-interaction honeypot systems have the following characteristics:

- Emulated services and operating system
- Can capture only a small amount of information
- Easy to deploy, thus minimizing risk.
4.4 Middle-interaction honeypot system

A middle-interaction honeypot system does not provide the actual operating system but provides intruders with a more complex decoy process. This type of honeypot system imitates a specific service, causing intruders to believe that they are attacking the real operating system. Such a mechanism enables the system to collect a large amount of data. However, it also increases the risk of intrusion. Therefore, middle-interaction honeypot systems should ensure that no new security holes are created in the process of imitating services and vulnerabilities. By using high-level interaction, honeypot technology can endure sophisticated attacks while recording and analyzing them. In environments with increasing levels of interaction, a honeypot system should be deployed in a manner in which all emulated services are as safe as possible.

4.5 High-interaction honeypot system

Most high-interaction honeypot systems are placed in a controlled environment, such as behind a firewall. The firewall allows a hacker to attack the honeypot but does not allow new attacks to be launched from it. This structure is difficult to deploy and maintain because it must not let hackers know that they are being monitored. The maintenance of a high-interaction honeypot is time consuming; the firewall rules and the IDS signature database must be updated frequently to enable continuous monitoring. Any error in the system may allow a hacker to take control of the full operating system, attack other systems, or intercept messages in the application system [14]. However, if a high-interaction honeypot system is maintained properly, it can allow security specialists to obtain information on hackers that other types of honeypots cannot. The cost of deploying a high-interaction honeypot system is extremely high because it requires continuous monitoring by a system administrator. An uncontrollable honeypot is meaningless for any organization and may even pose high network security risks. A high-interaction honeypot system has the following characteristics:

- Provides the actual operating system and services instead of emulated ones
- Captures rich information
- Complicated deployment and high security risks

4.6 Mixed-interaction honeypot system

This study aims to establish a mixed honeypot system to monitor various types of data. The honeypot principle is adopted in data collection to judge whether the data is normal and to prevent attacks. The system maintains a daily record in the application and virtual system.
Furthermore, the system records the internal and external gateways of a virtual control server and a virtual gateway running on Debian. These data provide detailed tracking and attack-capture capability. In turn, the data provided by the external gateway can be used to monitor the packets of the traffic attacking the virtual gateway. The related attack data can be found in the backup data of the virtual gateway, which allows security specialists to identify the attack type. The mixed honeypot system discussed in this paper is a type of application honeypot. The Apache Web server is used for honeypot testing, and Mozilla Firefox is used to create log records. We run Apache and the server deployment from the Apache Web server and the Web server. When Debian detects any abnormal traffic to the honeypot Apache Web server, data analysis is conducted. If traffic is suspicious but in practice legitimate, the data are sent to the honeypot for handling. If the system is attacked and modified during operation, the traffic is cut off, causing the data to return to their source. The outer interface of the virtual gateway, 192.168.10.6, is connected to an external network. At the same time, the gateway has an internal interface that provides the DNS server for the Web server and the decoy server. The DNS server is a resolution server that can resolve the whole domain name and forward any request to the external gateway for handling.

Figure 4.2 Mixed interactive honeypot system

Two interfaces of the decoy server can be defined as 10.0.2.3 and 10.0.3.3, and interface 10.0.3.0 can be defined as the subnet of these interfaces. The second interface is connected to an application port on the gateway, thereby linking the virtual Web server, the database, and the specific server port. If the application gateway detects a data request that requires a direct connection to a specific network, any application server, virtual Web server, or ordinary user will produce data feedback resembling that of a NAT attack. If the virtual server capacity used in the large-scale network decreases, the application in the small-scale network increases the cost. Virtualization allows hardware that was originally deployed physically to become a virtual machine, which significantly reduces the construction cost of the network. The system we have constructed can help reduce false information and enhance network stability and security. This system is designed at the application level of the honeypot so that the monitoring mechanism can be re-established independently. In practice, if every application had to be monitored, the system would have to customize each required application with a large quantity of custom code. Therefore, we mainly monitor attacks on Apache in a virtual environment.

4.7 System simulation

In a lab environment, we use Honeyd. It can create virtual hosts, and these hosts can be configured to provide any services; the system's compatibility makes each of them look like a real running system. In a local area network emulation, Honeyd enables a single host to answer for many IP addresses (as many as 65,536). Network topologies are part of the core configuration file:

    # Honeyd template for the decoy router
    create router
    # personality string must match an entry in Honeyd's nmap fingerprint file
    set router personality "Cisco 7206 running IOS 11.1(24)"
    # ports with no service attached answer with a TCP reset
    set router default tcp action reset
    # emulated telnet service on port 23, handled by a script
    add router tcp port 23 "script/router-telnet.pl"
    # virtual addresses that use the router template
    bind 10.0.2.3 router
    bind 10.0.3.0 router
    bind 10.0.3.3 router
    # virtual addresses that use the "windows" template
    # (the "windows" template is assumed to be created earlier in the same file; not shown here)
    bind 10.0.1.20 windows
    bind 192.168.10.5 windows
    bind 192.168.10.6 windows

The Honeyd log file records all connection information for the virtual hosts, including timestamp, protocol type, source address, destination address, port number, operating system type, and other information. Viewing it with the vi command gives the Honeyd log shown in Figure 4.3:
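The kind of log review described for the Honeyd log in Figure 4.3, as an added example that is not part of the report: a small Python parser for Honeyd connection-log records that tallies, per source address, which of the virtual hosts bound in the configuration above were contacted and on which services. The record layout, the sample lines and the RFC 5737 test addresses are constructed assumptions, not the report's data.

```python
"""Summarise a Honeyd connection log (added example, not the report's code).
Assumed record layout: <time> <proto>(<n>) <S|E|-> <src> <sport> <dst> <dport>
followed by ': sent recv' on 'E' lines or the passive OS guess in brackets."""
import re
from collections import defaultdict

# Virtual hosts bound in the report's Honeyd configuration (section 4.7).
HONEYPOT_HOSTS = {"10.0.2.3", "10.0.3.0", "10.0.3.3",
                  "10.0.1.20", "192.168.10.5", "192.168.10.6"}
SERVICE_NAMES = {21: "FTP", 23: "TELNET", 80: "HTTP"}

# Constructed sample lines; external addresses come from RFC 5737 test ranges.
SAMPLE_LOG = """\
2017-01-10-09:12:01.1234 tcp(6) S 203.0.113.7 51022 10.0.2.3 23 [Linux 2.4-2.6]
2017-01-10-09:12:09.4410 tcp(6) E 203.0.113.7 51022 10.0.2.3 23: 310 884
2017-01-10-09:13:44.0021 tcp(6) S 203.0.113.7 51040 192.168.10.6 80 [Linux 2.4-2.6]
2017-01-10-09:14:02.7755 tcp(6) S 198.51.100.9 40001 10.0.3.3 21 [Windows XP SP1]
2017-01-10-09:15:30.0000 udp(17) - 198.51.100.9 5353 10.0.1.20 53: 64 0
2017-01-10-09:16:11.2200 tcp(6) S 10.0.1.50 3344 10.0.1.1 22 [Windows XP SP1]
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<flag>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)")

def parse_line(line):
    """Return the record fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(log_text):
    """Map src -> dst -> set of services touched on honeypot hosts.  An 'E'
    record closes a connection already counted at its 'S' record, and traffic
    to addresses that are not honeypots (10.0.1.1 above) is ignored."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flag"] == "E" or rec["dst"] not in HONEYPOT_HOSTS:
            continue
        svc = SERVICE_NAMES.get(rec["dport"], f"{rec['proto']}/{rec['dport']}")
        hits[rec["src"]][rec["dst"]].add(svc)
    return hits

def rank_sources(hits):
    """Rank sources by distinct honeypot services touched (any contact is evidence)."""
    return sorted(hits, key=lambda s: sum(len(v) for v in hits[s].values()),
                  reverse=True)
```

Because the virtual hosts have no production role, every entry the summary produces is worth reviewing, which is exactly how the report uses the log in Figure 4.3.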
Figure 4.3 Control system hardware structure diagram

In the above log, the attacking host (address beginning 11.64., shown in the red box) establishes connections with the honeypot virtual hosts, including TELNET, FTP, and HTTP. By querying this information, evidence of the attacker's intrusion can be collected, and because these virtual hosts are honeypots, the activity poses no threat to the real system.

Conclusion and Future Work

In this project, we design an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) that work on a technique known as "Honey Token based Encrypted Pointers" together with honeypot technology, against sophisticated cyber threats that target industrial networks. Honeypot technology has matured after a leap in its development. This technology aims to lure hackers to a decoy system, thus delaying the attack and giving network security specialists a window of opportunity to prevent the threat. The technology allows system administrators to learn the launch address, verify whether the security strategy is effective, and determine whether the line of defense is solid. Existing networks are not always safe: IDS, firewalls, encryption, and other technologies all have certain defects. Network security can be improved when such technologies are combined with a honeypot system. We believe that honeypot technology will play a crucial role in global network security.

This IDS is specifically designed for the security of critical infrastructure sensor networks. We analyzed the performance of the IDS model with respect to security and stability issues. The proposed IDS is capable of detecting SCADA-based cyber-attacks, and the use of encryption in the IDS makes it more difficult for an attacker to launch a successful attack on critical infrastructure networks. This type of IDS can also assist conventional signature-based IDS in improving their efficiency in detecting new attacks. Intrusion detection is still a long way from being mature; there is huge room for improvement and modification. Signature-based detection is reliable but completely misses zero-day attacks, while anomaly detection detects some zero-day attacks but produces a large number of false alarms, reducing the overall efficiency of the IDS. Cyber security experts believe that in the future new methods and mechanisms for intrusion detection must be introduced and existing mechanisms will be discarded. Protocol analysis has huge potential: protocols are analyzed in depth and the results are used for intrusion detection. The target detection method is also very useful because it uses cryptographic algorithms to detect unauthorized changes to files. Rule-based intrusion detection should also be used alongside honeypot technologies to improve detection efficiency. One of the most important tools for enhancing intrusion detection is the honeypot. The core value of this tool lies not in its use but in its abuse: if deployed smartly, it detects intrusions far better than all other mechanisms. Intrusion Prevention Systems (IPS) are becoming more popular in the security industry because they not only detect an intrusion but also take preventive action, defending the network by stopping the intruders. Integrating honey tokens with other key technologies will therefore enhance our existing IPS, and the use of advanced encryption methods gives us more flexible options against intruders. Our proposed IDS is a scalable solution and thus feasible for networks with a large number of nodes. Management becomes easier when system nodes are divided into different pools, and it is easier to trap the attacker when the network is divided into different segments. In this research work we used honey tokens for intrusion detection and found them useful against cyber-attacks on critical infrastructure networks.

Our research work focuses on command injection attacks that disrupt the operations of critical infrastructure networks. The only limitation of the designed IDS is the length of the attack vector: if the attack vector is too small to disturb a honey token, the probability of detection is low. There is huge hidden potential in the use of honeypots, honeynets, and honey tokens for intrusion detection, and much remains to be done by future researchers and engineers in the field of intrusion detection.
References

[1] M. Chemanol, L. Durante, and A. Valenzano, "Review of Security Issues in Industrial Networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277-293, 2013.
[2] M. Merabti, K. Michael, and W. Hurst, "Critical infrastructure protection: A 21st century challenge," International Conference on Communications and Information Technology (ICCIT), pp. 1-6, 2011.
[3] J. McHugh, "Intrusion and intrusion detection," International Journal of Information Security, vol. 1, no. 1, pp. 14-35, 2001.
[4] B. Zhu, J. Anthony, and S. Shankar, "A taxonomy of cyber-attacks on SCADA systems," 4th International Conference on Cyber, Physical and Social Computing, pp. 380-388, 2011.
[5] J. P. Disso, J. Kevin, and B. Steven, "A Plausible Solution to SCADA Security Honeypot Systems," Eighth International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 443-448, 2013.
[6] P. Jain and S. Anjali, "A hybrid honeyfarm based technique for defense against worm attacks," World Congress on Information and Communication Technologies (WICT), pp. 1084-1089, 2011.
[7] I. Kuwatly, S. Malek, A. Zaid, and A. Hassan, "A dynamic honeypot design for intrusion detection," International Conference on Pervasive Services (ICPS), pp. 95-104, 2004.
[8] Y. Yang and M. Jia, "Design and implementation of distributed intrusion detection system based on honeypot," International Conference on Computer Engineering and Technology (ICCET), vol. 6, pp. 260, 2010.
[9] R. Muraleedharan and A. O. Lisa, "An intrusion detection framework for sensor networks using honeypot and Swarm Intelligence," 6th Annual International Mobile and Ubiquitous Systems: Networking & Services, pp. 1-2, 2009.
[10] Song Li, Qian Zou, and Wei Huang, "A New Type of Intrusion Prevention System," Guiyang University, Guiyang, China.