In this research work, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) are implemented to detect and prevent cyber-attacks on critical network infrastructure. To strengthen network security and improve the network's active-defence intrusion detection capability, the project consists of an intrusion detection system using honey-token-based encrypted pointers and an intrusion prevention system based on a mixed-interaction honeypot. The IDS is based on the novel approach of Honey Token based Encrypted Pointers: a honey token placed inside each frame serves as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is given a different level of security measures. The IDS uses a different number of Honey Tokens (HT) per frame for each pool, e.g. Pool-A carries 4 HT/frame, Pool-B 3 HT/frame, Pool-C 2 HT/frame and Pool-D 1 HT/frame, and every pool uses a different AES key length (AES-128, AES-192 or AES-256). The critical infrastructure network of 64 nodes is protected by this single Network Intrusion Detection System (NIDS). After the design phase, the performance of the IDS is analysed in terms of True Positives (TP) and False Negatives (FN), and the IDS is then tested in a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. The proposed IDS is a scalable solution and can be implemented for any number of nodes in a critical infrastructure network. For the Intrusion Prevention System (IPS), virtual honeypot technology is used, which the authors regard as the most effective active prevention technology among honeypot approaches.
By running the original operating system under virtualization, the honeypot lures attackers in a pre-arranged manner, analyses and audits their attack behaviour, tracks the attack source, collects evidence, and helps find effective countermeasures.
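The pool design above is easier to reason about with a small model in hand. The following Python is an added illustration, not the paper's code: the page does not describe how the "encrypted pointers" are constructed, so a keyed HMAC tag stands in for them; the frame layout (payload fields followed by the pool's honey tokens), the rule that legitimate consumers never read decoy slots, and the blind-attacker model used to compute a detection probability are all assumptions made here to show why the detection rate grows with honey tokens per frame.

```python
import hmac
import hashlib
from math import comb

# Honey tokens (HT) per frame for each pool, as given in the abstract.
POOL_HT = {"A": 4, "B": 3, "C": 2, "D": 1}


def make_token(pool_key: bytes, node_id: int, slot: int) -> bytes:
    """Stand-in for the paper's 'encrypted pointer': a keyed tag bound to the
    node and decoy slot (assumption).  What matters for the trap is that an
    attacker cannot forge it and the defender recognises it on sight."""
    msg = f"{node_id}:{slot}".encode()
    return hmac.new(pool_key, msg, hashlib.sha256).digest()[:8]


def build_frame(pool: str, pool_key: bytes, node_id: int, payload_fields):
    """Return (frame, honey_tokens): the real payload fields followed by the
    pool's quota of honey tokens.  The field layout is an assumption."""
    tokens = [make_token(pool_key, node_id, i) for i in range(POOL_HT[pool])]
    return list(payload_fields) + tokens, set(tokens)


def touched_honey_token(accessed_fields, honey_tokens) -> bool:
    """Detector: legitimate consumers never read decoy slots (assumption), so
    any access that lands on a honey token is treated as an intrusion signal."""
    return any(field in honey_tokens for field in accessed_fields)


def blind_detection_probability(pool: str, frame_size: int, k_accessed: int) -> float:
    """Probability that an attacker reading k of the F fields uniformly at
    random trips at least one of the pool's h tokens: 1 - C(F-h, k) / C(F, k).
    This model is an assumption; the page does not state the paper's model."""
    h = POOL_HT[pool]
    if k_accessed > frame_size - h:          # cannot avoid every token
        return 1.0
    return 1.0 - comb(frame_size - h, k_accessed) / comb(frame_size, k_accessed)


if __name__ == "__main__":
    key = b"pool-B-secret-key"                # per-pool key, constructed
    frame, tokens = build_frame("B", key, node_id=7, payload_fields=["hdr", "data"])
    print("benign read detected?  ", touched_honey_token(["hdr", "data"], tokens))
    print("attacker read detected?", touched_honey_token([frame[-1]], tokens))
    for pool in "ABCD":
        print(pool, round(blind_detection_probability(pool, 16, 3), 3))
```

With a 16-field frame and an attacker that samples three fields, Pool-A (4 HT) is detected roughly 61% of the time and Pool-D (1 HT) under 19%, which is the ordering the abstract's "detection rate depends on the number of honey tokens per frame" predicts. The caveat a practitioner should keep in mind is that the whole scheme rests on decoy slots never being read by legitimate code; one honest consumer that scans every field turns the trap into a false-positive generator.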
This document discusses intrusion detection systems (IDS), which monitor networks and systems for malicious activity such as malware, attacks, and unauthorized access. An IDS typically consists of sensors to detect security events, an engine to analyze the events and generate alerts, and a console for administrators to monitor alerts and configure sensors. Network and host-based IDS monitor network traffic and host activities respectively. IDS can detect a wider range of attacks than firewalls by analyzing network traffic and system behaviors.
This document discusses honeypots, which are computer systems set up to appear vulnerable in order to attract cyber attacks. It begins by defining honeypots and their purpose of learning about attacks without risking real systems. The document then covers intrusion detection systems (IDS), firewalls, and how honeypots compare to these methods. Honeypots are able to detect both known and unknown attacks, while providing detailed forensic data with fewer false positives than IDS. The document outlines the advantages and disadvantages of honeypots, and concludes they are useful for understanding attack strategies in order to improve security measures.
The document discusses honeypots and honeynets. It defines a honeypot as a decoy system intended to be attacked to gather threat intelligence. Honeynets contain multiple honeypots within a controlled network for monitoring. The document outlines the benefits of deploying honeypots, such as risk mitigation and research. It also discusses techniques for installing and detecting honeypots, and the future of honeypot technologies.
Honeypots are systems designed to be probed, attacked, or compromised by cyber attackers. They serve several purposes including detecting attacks, learning how attackers operate, and providing network security. There are two main types - research honeypots which capture extensive information but are complex to deploy, and production honeypots which are easier to use but capture limited data. Honeypots can be low or high interaction, with high interaction honeypots providing more realistic and detailed insights but posing greater risks if compromised.
Honeypots are information system resources whose value lies in illicit use of them. In simple words, they are a trap to track the ways in which a hacker can attack a valuable resource to extract information from it.
Honeypots are systems designed to detect attacks by simulating vulnerable systems and monitoring interactions. There are three main types: low-interaction honeypots such as Honeyd, which simulate services, and the high-interaction Gen I and Gen II Honeynets, which expose whole systems. Honeypots provide prevention by wasting attackers' time, detection of attacks, and research opportunities to understand attack techniques. While they add complexity, honeypots also help with incident response and with protecting real systems from the attacks learned. Future work may include easier administration, closer integration with other security tools, and more targeted uses.
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
Using Canary Honeypots for Network Security Monitoring (chrissanders88)
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
There are a number of different kinds of tools for collecting information about the thoughts and beliefs that different groups have about your organization.
This document discusses honeypots, which are decoy computer systems used to gather intelligence about cyber attacks. Honeypots can be classified based on their level of interaction, implementation, and purpose. Low-interaction honeypots like Honeyd simulate some system aspects with minimal risk, while high-interaction honeypots like Honeynet aim to be fully compromised. Honeynets form a network of honeypots to capture extensive attack information for research. The document outlines the architecture and functionality of Honeyd and Honeynet honeypots. Honeypots provide benefits like reduced false alarms and insights into attacker techniques, but also pose risks if they are detected.
This document provides an overview of intrusion detection systems (IDS). It begins with an introduction that defines intrusion, intrusion detection, and IDS. It then discusses the history and typical scenarios of intrusions. The document outlines different types of attacks and what an IDS is supposed to do in detecting them. It classifies IDS based on detection approach and protected system, covering network/host-based detection. The advantages and disadvantages of different IDS types are presented. Commonly used open source and commercial IDS are listed, with Snort discussed in more detail. References for further information are provided at the end.
Honeypot based intrusion detection system PPT (parthan t)
This document discusses honeypot-based intrusion detection systems. It defines a honeypot as a resource meant to be attacked in order to gather information about attackers and the tools they use. The document outlines the introduction, related work, future work, advantages and disadvantages of honeypot systems. It explains that honeypots aim to distract attackers while learning about attack methods and attackers themselves.
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary follows to target an organization. There are 7 well-defined phases, and the attack is considered successful if and when all phases have been completed.
(Document in English)
Honeypots are systems designed to attract hackers in order to gather information about attacks and attackers. The document discusses different types of honeypots based on their level of interaction, from low-involvement honeypots that only provide basic services to high-involvement honeypots with a full operating system. It also covers honeypot placement options, information gathering techniques, and making honeypots appear attractive to attract more attackers. The goal is to learn about attack patterns and tools used by hackers to improve network defenses.
This is a Seminar Report on a computer security mechanism named Honeypot. In this I've included Honeypot Basics, Types, Value, Implementation, Merits & Demerits, Legal issues and Future of Honeypots.
This document discusses honeypots, which are decoy systems used to gather information about cyber attacks. Honeypots have no production value and anything accessing them is likely an unauthorized probe or attack. They are used to monitor networks for security threats without disrupting normal operations. Honeypots can be classified based on their level of interaction, implementation (physical or virtual), and purpose (production systems or research). They provide valuable security benefits like detecting intruders and gathering threat intelligence, but also have disadvantages like risks of being compromised.
The document provides an introduction to the Internet of Things (IoT). It defines IoT as connecting devices, machines and tools to the internet using wireless technologies. Over 9 billion devices are currently connected, projected to exceed 20 billion. IoT unifies technologies like embedded systems, cloud computing, big data, machine learning and networking. The term originated from a 2005 report discussing machine-to-machine connectivity networks extending to common household devices. IoT enables efficient monitoring and control of physical objects through embedded sensors and communication across networks.
Snort is an open source network intrusion detection system (NIDS) that can perform network monitoring and packet logging. It analyzes network traffic in real-time and compares it to a rulebase to detect anomalous activity such as malware, attacks, and intrusions. Snort works by decoding packet headers and payloads and applying rules to detect patterns across the network, transport, and application layers. It can operate in three modes: sniffer, packet logger, and intrusion detection system. Rules are used to specify conditions that indicate malicious traffic and generate alerts.
Security Requirements in IoT Architecture (Vrince Vimal)
Security Requirements in IoT Architecture - Security in Enabling Technologies - Security Concerns in IoT Applications. Security Architecture in the Internet of Things - Security Requirements in IoT - Insufficient Authentication/Authorization - Insecure Access Control - Threats to Access Control, Privacy, and Availability - Attacks Specific to IoT. Vulnerabilities – Secrecy and Secret-Key Capacity - Authentication/Authorization for Smart Devices - Transport Encryption
IoT can be used for smart farming applications by connecting devices to monitor and automate agricultural tasks. Soil moisture sensors, temperature sensors, and PIR motion sensors connected to an Arduino board can help farmers precisely manage crop watering, detect predators for pest management, and monitor field conditions. This allows for optimized water usage, high crop yields, and reduced damage compared to traditional farming methods. While the upfront costs may be high, IoT for agriculture can increase profits for farmers through greater productivity and efficiency.
Understanding Penetration Testing & its Benefits for Organization (PECB)
This session covers the most important aspects of penetration testing and the importance of implementing it in an organization. As a good tool for companies to deal with information security vulnerabilities, it is becoming a significant part of what companies develop.
Main point that will be covered:
• Overview of Penetration Testing
• Purpose of Penetration testing and benefits
• What are the Rules of Engagement (White, Black and Grey Box Testing)
• Penetration Testing and Phases
Presenter:
Christie Oso is Managing Principal Information Security consultant and trainer at Intex IT. She is also responsible for Risk Management, Vulnerability Assessment, and Penetration Testing. She holds certifications including CISSP, CISM, CEH, ISO 27001 LA and ISO 27005 Risk Manager.
Link of the recorded session published on YouTube: https://youtu.be/lyqOJmC94vg
Smart Computing : Cloud + Mobile + Social (Romin Irani)
Smart computing is defined as the integration of hardware, software, and people enabled by cloud, mobile, and social technologies, which are disrupting existing business models; opportunities exist for developers in these areas but challenges include privacy, security, interoperability, and developing a skilled workforce for an increasingly mobile and data-driven business environment. The retail sector was provided as an example domain that can leverage location data, offers, analytics and social/mobile integration to enhance customer experience.
This document provides an introduction and overview of honeypots including definitions, uses, types, deployment, and legal issues. It defines a honeypot as a resource designed to be attacked in order to gather information about attacks. Honeypots are used for research, understanding blackhat activities, and building better defenses. They come in low, mid, and high interaction varieties depending on how much an attacker can interact with the operating system. Deployment involves running honeypot programs on hardened machines or using unpatched servers protected by firewalls. Legal issues include privacy, entrapment, and liability concerns.
This document describes an automatic tollgate system that uses RFID and load cell sensors to track vehicles and automatically deduct toll fares. The system identifies approaching vehicles using IR sensors, matches vehicle details like registration and owner stored in an RFID tag to a database, and records the vehicle number and time. For authorized accounts, it automatically opens the tollgate and deducts the toll amount from the associated account. The system allows for automatic vehicle tracking, time management, and toll collection without needing to stop or pay with cash.
Intrusion detection and prevention system (Nikhil Raj)
This presentation describes how to implement a network-based Intrusion Detection System (Snort) in the network, detect and analyze the alerts it generates, and block the attacker using an Access Control List.
This document provides an overview of honeypots, which are security resources that are intended to be probed, attacked, or compromised in order to gather information about attackers. Honeypots can be used to learn about past attacks, detect currently occurring attacks, and identify new types of attacks. They work by monitoring any traffic to resources that are not expected to receive data. Honeypots have advantages like reducing false alarms and providing data for analysis, but also have disadvantages like narrow visibility and risks of the attacker using the honeypot to attack other systems. The document discusses different types of honeypots including low and high interaction honeypots, and specific honeypot tools like Honeyd and Honeynets.
The document discusses intrusion prevention systems (IPS), which monitor network and system activity to identify and block malicious activity. It describes how IPS uses signature-based or anomaly-based detection methods to identify intrusions. IPS can be network-based, host-based, wireless, or focus on network behavior analysis. The document contrasts IPS with intrusion detection systems (IDS), which can only detect and report intrusions, while IPS can actively prevent them. It also compares IPS to firewalls, noting that IPS monitors for unwanted entries while firewalls regulate activity based on set rules.
This document provides an overview of intrusion prevention systems (IPS). It defines IPS and their main functions, which include identifying intrusions, logging information, attempting to block intrusions, and reporting them. It also discusses terminology related to IPS like false positives and negatives. The document outlines different detection methods used by IPS like signature-based, anomaly-based, and stateful protocol analysis. It categorizes IPS based on deployment like network-based, host-based, and wireless. It provides Snort, an open-source IPS, as a case study and discusses its components, rules structure, and challenges.
Network intrusion detection systems (NIDS) monitor network traffic for malicious activity by analyzing network packets at choke points like borders or the demilitarized zone. NIDS identify intrusions by comparing traffic patterns to known attack signatures or by detecting anomalies from established baselines. While NIDS can detect both previously known and unknown attacks, they require frequent signature database updates and may generate false positives. NIDS provide visibility without affecting network performance but cannot inspect encrypted traffic or all traffic on very large networks.
Real-Time Intrusion Detection System for Big Data (ijp2p)
The objective of the proposed system is to integrate a high volume of data with important considerations such as monitoring a wide array of heterogeneous security sources. When a real-time cyber attack occurs, the Intrusion Detection System automatically stores the log in a distributed environment and checks the log against an existing intrusion dictionary. At the same time the system categorizes the severity of the log as high, medium or low. After categorization, the system automatically takes the necessary action against the user unit according to the severity of the log. The advantage of the system is that it uses anomaly detection, evaluates the data and issues alert messages or reports based on abnormal behaviour.
The document discusses honeypots, which are computer systems designed to attract hackers in order to study their behavior. Honeypots come in two types - production honeypots, which directly protect networks, and research honeypots, which are used to gather threat intelligence. They also vary in their level of interaction, from low-interaction honeypots that emulate systems to high-interaction honeypots with fully functional operating systems. The goals of honeypots are to learn about new attacks, build attacker profiles, and identify vulnerabilities. They provide security benefits but also carry risks if compromised.
This document discusses intrusion detection systems (IDS). An IDS monitors network or system activities for malicious activities or policy violations. IDS can be classified based on detection method (anomaly-based detects deviations from normal usage, signature-based looks for known attack patterns) or location (host-based monitors individual systems, network-based monitors entire network traffic). The document outlines strengths and limitations of different IDS types and discusses the future of integrating detection methods.
IPS (Intrusion Prevention System) is definitely the next level of security technology with its capability to
provide security at all system levels from the operating system kernel to network data packets. It
provides policies and rules for network traffic along with an IDS for alerting system or network
administrators to suspicious traffic, but allows the administrator to provide the action upon being
alerted. Where IDS informs of a potential attack, an IPS makes attempts to stop it. Another huge leap
over IDS, is that IPS has the capability of being able to prevent known intrusion signatures, but also
some unknown attacks due to its database of generic attack behaviours. Thought of as a combination of
IDS and an application layer firewall for protection, IPS is generally considered to be the "next
generation" of IDS.
Introduction To Intrusion Detection SystemsPaul Green
An intrusion detection system (IDS) monitors network traffic and system activities for malicious activities or policy violations. An IDS typically consists of sensors to generate security events, a central engine to correlate events and generate alerts, and a console for administrators to monitor alerts. There are different types of IDS, including network IDS that monitor network traffic, and host-based IDS that monitor activities on individual hosts. While firewalls block unwanted traffic using rules, IDS are needed to monitor for attacks hidden in acceptable traffic and help identify unwanted network traffic using signatures and anomaly detection. IDS can operate passively by detecting anomalies and logging or actively by performing actions like blocking traffic (intrusion prevention system).
Honeypots are information systems that are intended to be attacked to gather threat intelligence. They can be low-interaction systems that emulate services or high-interaction systems with real operating systems. Honeypots provide benefits like attack analysis, evidence collection, and risk mitigation by luring attackers away from real systems. While they offer insights, honeypots also have disadvantages like only monitoring a limited view and carrying legal and security risks if misused.
This document discusses ethical hacking and penetration testing. It begins by defining ethical hacking as using the same tools and techniques as hackers, but legally in order to test an organization's security. It then covers the history of ethical hacking. The rest of the document outlines the methodology of hacking including reconnaissance, scanning, gaining access, maintaining access, and clearing tracks. It discusses the types of hackers and tools used in ethical hacking. The document concludes by discussing the advantages and disadvantages of ethical hacking.
The project entitled with “Network Security System” is related to hacking attacks in computer systems over internet. In today’s world many of the computer systems and servers are not secure because of increasing the hacking attacks or hackers with growing information, so information security specialist’s requirement has gone high.
Wireless lan intrusion detection by using statistical timing approacheSAT Journals
Abstract Today as we all are habitual of using internet through wired or wireless LAN Networks, but using internet through Wireless LAN becomes harder as the threat of unauthorized access point is increasing day by day. In This paper we are focusing on different types of rogue access points (APs) that are masquerading and attracting people to get associate with them or to connect with them. We are implementing a solution to avoid people or users from connecting to the unauthorized access point by using experimental time dependent scheme. Our detection technique is a client-oriented method that uses the complete tour time between the DNS server and user that perfectly determine that whether an access point with which the user has connected is the legitimate access point or a unauthorized access point. In this paper we are implementing concept using .Net framework and sql server, Which gives us the characteristics like robust, accuracy and effectiveness for detecting rogue or unauthorized access point without getting any help from WLAN administrator. In this simulation technique we will get accurate values so that we can distinguish between rogue access point and legitimate access point Keywords— WLAN, APs, RAP, LAN
This document provides guidance on intrusion detection and prevention systems (IDPS) from the National Institute of Standards and Technology (NIST). It discusses the principles of IDPS technologies, their common components and functions. The document also covers how to implement, operate and maintain IDPS, and provides an overview of network-based IDPS.
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...IJCNCJournal
After tightening up network perimeter for dealing with external threats, organizations have woken up to the
threats from inside Local Area Networks (LAN) over the past several years. It is thus important to design
and implement LAN security strategies in order to secure assets on LAN by filtering traffic and thereby
protecting them from malicious access and insider attacks. Banking Financial Services and Insurance
(BFSI) industry is one such segment that faces increased risks and security challenges. The typical
architecture of this segment includes several thousands of users connecting from various branches over
Wide Area Network (WAN) links crossing national and international boundaries with varying network
speed to access data center resources. The objective of this work is to deploy LAN security solution to
protect the data center located at headquarters from the end user machines. A LAN security solution should
ideally provide Network Access Control (NAC) along with cleaning (securing) the traffic going through it.
Traffic cleaning itself includes various features like firewall, intrusion detection/prevention, traffic anomaly
detection, validation of asset ownership etc. LANenforcer (LE) is a device deployed in front of the data
center such that the traffic from end-user machines necessarily passes through it so that it can enforce
security. The goal of this system is to enhance the security features of a LANenforcer security system with
Intrusion Prevention System (IPS) to enable it to detect and prevent malicious network activities. IPS is
plugged into the packet path based on the configuration in such a way that the entire traffic passes through
the IPS on LE.
As the Supervisory Control and Data Acquisition (SCADA) system are deployed in infrastructures which are critical to the survival of a nation, they have emerged as a potential terrain for cyber-war, thus attracting the considered attention of ‘nation-states’. The analysis of worms like ‘stuxnet’ ‘flame’ and ‘duqu’ reveals the hand of a ‘nation-state’ in their design and deployment. Hence, the necessity to understand various issues in the defence of SCADA systems arises. The forensics of the SCADA system provide deep insight into the design and deployment of the worm (the malware) once the system is attacked. This is precisely the scope of this essay.
The document proposes a security model for wireless sensor networks using zero knowledge protocol. It addresses security threats like cloning attacks, man-in-the-middle attacks, and replay attacks. The model uses a unique fingerprint for each node based on its neighboring nodes to detect cloning. It also uses zero knowledge protocol for sensor nodes to verify authenticity without transmitting cryptographic information, preventing man-in-the-middle and replay attacks. The paper analyzes the performance and security of the proposed model.
A honeynet framework to promote enterprise network securityIAEME Publication
This document describes a honeynet framework to promote enterprise network security. The framework consists of two high-interaction honeypot servers connected by a switch to a monitoring station. The honeypots provide real operating systems and services to attract attackers. When an attacker attempts to access a honeypot, its data is captured by a packet sniffer and stored in a database. This data is then sent securely to the monitoring station using web services. The monitoring station analyzes the data, generates an alert report, and provides a GUI to monitor extracted information. The goal is to identify attack traffic and profile attackers to improve network defense.
Cyber-Defensive Architecture for Networked Industrial Control SystemsIJEACS
This paper deals with the inevitable consequence of the convenience and efficiency we benefit from the open, networked control system operation of safety-critical applications: vulnerability to such system from cyber-attacks. Even with numerous metrics and methods for intrusion detection and mitigation strategy, a complete detection and deterrence of internal code flaws and outside cyber-attacks has not been found and would not be found anytime soon. Considering the ever incompleteness of detection and prevention and the impact and consequence of mal-functions of the safety-critical operations caused by cyber incidents, this paper proposes a new computer control system architecture which assures resiliency even under compromised situations. The proposed architecture is centered on diversification of hardware systems and unidirectional communication from the proposed system in alerting suspicious activities to upper layers. This paper details the architectural structure of the proposed cyber defensive computer control system architecture for power substation applications and its validation in lab experimentation and on a cybersecurity testbed.
TACTiCS_WP Security_Addressing Security in SDN EnvironmentSaikat Chaudhuri
This document discusses addressing security concerns in SDN environments. It proposes an approach using an application on the SDN controller to monitor alerts from an IDS, analyze network traffic samples, and automate blocking of malicious flows. The application would function similarly to a security operations center (SOC) by correlating security events and taking action. The implementation is demonstrated using the OpenDaylight controller and Mininet virtual network, with SNORT for intrusion detection and sFlow for traffic sampling.
CYBER ATTACKS ON INTRUSION DETECTION SYSTEMijistjournal
Soft Computing techniques are fast growing technology used for problem solving, Information security is of essence factor in the age of computer world. Protecting information, systems and resources from unauthorized use, duplication, modification ,adjustment or any kind of cause which damage the resources such that it cannot be repaired or no longer exist to the real user is one of the part of soft computing. Researcher proposed several mechanism to fight against cyber attacks. Several existing techniques available intrusion detection systems are responsible to face upcoming cyber attacks. Soft computing is one of the best presently using techniques which is applied in Intrusion Detection System to manage network traffic and use to detect cyber attacks with increased efficiency and accuracy.
Supervisory control and data acquisition (SCADA) are applications that collect data from a system in order to automate the monitoring and controlling of its activities. Several industrial fields such as, electric utilities, water supplies and buildings' facilities have already adopted SCADA systems to increase the efficiency and reduce cost. However, the IT community is concerned about the level of security that any applied SCADA system provides. This paper concentrates on the major security threats encountered in SCADA systems. In addition, it discusses a new proposed methodology in order to increase the system security with minimal impact on efficiency. The proposed scheme provides several security services which are mutual authentication, confidentiality, data integrity and accountability.
Supervisory control and data acquisition (SCADA) are applications that collect data from a system in order to automate the monitoring and controlling of its activities. Several industrial fields such as, electric utilities, water supplies and buildings’ facilities have already adopted SCADA systems to increase the efficiency and reduce cost. However, the IT community is concerned about the level of security that any applied SCADA system provides. This paper concentrates on the major security threats encountered in SCADA systems. In addition, it discusses a new proposed methodology in order to increase the system security with minimal impact on efficiency. The proposed scheme provides several security services which are mutual authentication, confidentiality, data integrity and accountability.
Wireless sensor networks are made up of number of tiny mobile nodes, which
have the capability of computation, sensing and wireless network communication. The
energy efficiency of each node in such kind of networks is one of the important issues under
consideration. Thus for these networks, sensor nodes life time is basically depends on use of
routing protocols for routing operations in WSN. There are various routing protocols
proposed by different researchers, which are considered as efficient on the basis of
performance of network lifetime and energy scavenging. There are different routing
protocols introduced for WSN such as flat routing protocols, clustering routing protocols,
hierarchical routing protocols etc. On the other hand, there are basically two types of
WSNs, homogeneous and heterogeneous sensor networks. As WSN is vulnerable to different
types of security threats, there are many security methods presented with their own
advantages and disadvantages. Most of security methods are applied only on homogeneous
WSN, but recently some methods were presented to provide the routing security in
heterogeneous WSNs as well. In this paper, the different security threats and Intrusions in
WSNs are presented, with review of different security methods.
A Review Of Intrusion Detection System In Computer NetworkAudrey Britton
This document provides an overview of intrusion detection systems (IDS) and the techniques used to implement them. It discusses that IDS are used to detect malicious actions on computer networks and protect important files and documents. The document then summarizes that IDS have four main components - sensors to monitor the system, a database to store event information, an analysis module to detect potential threats, and a response module to address detected threats. It also categorizes IDS based on the data source, detection approach, structure, and how intrusions are detected. Finally, the document outlines various techniques used in IDS, including artificial intelligence methods like neural networks, fuzzy logic, genetic algorithms and machine learning approaches.
This document discusses the cyber security risks of smart grids and proposes an integrated security framework to address these risks. Smart grids integrate information infrastructure with electrical infrastructure, improving performance but also increasing vulnerability to cyber attacks. The framework features security agents, managed security switches, and a security manager to provide layered protection, intrusion detection, and access control across the power automation network in a scalable and extensible manner. This integrated approach is needed as power systems have different security needs than traditional IT networks.
Practical analysis of the cybersecurity of European smart gridsSergey Gordeychik
This paper summarizes the experience gained during a series of
practical cybersecurity assessments of various components of Europe’s
smart electrical grids.
This document summarizes an article from the International Journal of Computer Engineering and Technology about enhancing power-aware hybrid intrusion detection architecture in an ad-hoc network using mobile agents. It discusses designing and implementing an energy-efficient anomaly-based cooperative intrusion detection system that applies mobile agent technology to minimize network load, conserve bandwidth, and improve reactivity. It also aims to minimize energy consumption of monitoring nodes using the Back-Propagation algorithm. The paper then presents a new approach to intrusion detection system architecture in ad-hoc networks using mobile agents to determine which network events need monitoring and where.
Wireless ad hoc networks are autonomous nodes that communicate with each other in a
decentralized manner through multi hop radio network. Wireless nodes form a dynamic network
topology and communicate with each other directly without wireless access point. Wireless networks
are particularly vulnerable to intrusions, as they operate in open medium, and use cooperative
strategies for network communication.
Light sec for utilities and critical infrastructure white paperGeorge Wainblat
The document discusses LightSEC, a cyber security solution from ECI that provides comprehensive protection for utilities and critical infrastructure. It consists of a suite of security services that incorporate threat detection, prevention, and mitigation technologies. These services are delivered through a cloud-based platform called Mercury that uses network function virtualization for flexible deployment. LightSEC also includes a threat management platform called LightSEC-V that aggregates security data from across the solution to provide a consolidated view of risks.
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...IJNSA Journal
Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Along with the widespread evolution of new emerging services, the quantity and impact of attacks have continuously increased, attackers continuously find vulnerabilities at various levels, from the network itself to operating system and applications, exploit them to crack system and services. Network defence and network monitoring has become an essential component of computer security to predict and prevent attacks. Unlike traditional Intrusion Detection System (IDS), Intrusion Detection and Prevention System (IDPS) have additional features to secure computer networks.
In this paper, we present a detailed study of how deployment of an IDPS plays a key role in its performance and the ability to detect and prevent known as well as unknown attacks. We categorize IDPS based on deployment as Network-based, host-based, and Perimeter-based and Hybrid. A detailed comparison is shown in this paper and finally we justify our proposed solution, which deploys agents at host-level to give better performance in terms of reduced rate of false positives and accurate detection and prevention.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELgerogepatton
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
This document discusses trends in threats to SCADA (Supervisory Control and Data Acquisition) systems. It notes that as SCADA systems increasingly use commercial off-the-shelf software and connect to the internet, they have become more vulnerable to cyber threats. The document outlines how SCADA systems work and components like RTUs, PLCs, and HMIs. It also discusses issues like the mistaken belief that SCADA systems are secure due to physical security or isolation from the internet. The conclusion suggests that as capabilities and opportunities for threats increase, the future operational environment will be more vulnerable if an actor emerges with the intent to cause harm.
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Intrusion detection and prevention system for network using Honey pots and Honey token method
King Saud University
Electrical Engineering Department
EE: 524
Project Report on
Intrusion Detection & Prevention system for network
security
Submitted to
Dr. Yahya Subhi Al-Harthi
Name: Mohammed Ahmed Hussain Siddiqui
ID: 436107960
Date: 14/1/2017
Abstract
In this research work, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) will be implemented to detect and prevent cyber-attacks against critical network infrastructure. To strengthen network security and improve the network's active-defense intrusion detection capability, the project consists of an intrusion detection system that uses honey-token-based encrypted pointers and an intrusion prevention system that is based on a mixed-interaction honeypot. The IDS is based on the novel approach of Honey Token based Encrypted Pointers: a honey token placed inside the frame serves as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is given a different level of security measures within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool: Pool-A carries 4 HT/frame, Pool-B 3 HT/frame, Pool-C 2 HT/frame and Pool-D 1 HT/frame. Moreover, each pool uses a different encryption scheme (AES-128, AES-192 or AES-256). Our critical infrastructure network of 64 nodes is placed under the unified security of this single Network Intrusion Detection System (NIDS). After the design phase, we analyze the performance of the IDS in terms of True Positives (TP) and False Negatives (FN), and finally we test it in a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. The proposed IDS is a scalable solution and can be implemented for any number of nodes in a critical infrastructure network. For the Intrusion Prevention System (IPS), we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies. By running the original operating system on virtual technology, the honeypot lures attackers in a pre-arranged manner, analyzes and audits various attack behaviors, tracks the attack source, obtains evidence, and finds effective solutions.
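The dependence of the detection rate on the number of honey tokens per frame can be made concrete with a small simulation. The following Python is an added example, not code from the report: it assumes a frame of eight 8-byte fields, an attacker who tampers with fields at random without knowing which ones are traps, and a truncated HMAC tag standing in for the report's AES-encrypted pointer so that it runs with the standard library only.

```python
"""Added simulation (not the report's code): detection rate of a honey-token
IDS versus honey tokens (HT) per frame for the report's pools A-D.  The frame
layout, the random-tamper attacker model and the HMAC tag used instead of the
report's AES-encrypted pointer are assumptions made for this example."""
import hashlib
import hmac
import random
from math import comb
from typing import Dict, List, Tuple

# Honey tokens per frame for each pool, as stated in the report's abstract.
POOL_HT_PER_FRAME: Dict[str, int] = {"A": 4, "B": 3, "C": 2, "D": 1}

# Assumed layout: every frame carries FIELDS_PER_FRAME fields of 8 bytes;
# k of them are honey tokens, the remaining ones are ordinary data.
FIELDS_PER_FRAME = 8
PTR_LEN = 4   # bytes of the honey "pointer" value
TAG_LEN = 4   # bytes of truncated HMAC-SHA256 protecting that pointer


def make_token(key: bytes, rng: random.Random) -> bytes:
    """Honey token = random pointer value + keyed tag (stand-in for AES)."""
    ptr = rng.getrandbits(8 * PTR_LEN).to_bytes(PTR_LEN, "big")
    tag = hmac.new(key, ptr, hashlib.sha256).digest()[:TAG_LEN]
    return ptr + tag


def token_is_valid(key: bytes, field: bytes) -> bool:
    """True if the tag still matches the pointer, i.e. the token is untouched."""
    ptr, tag = field[:PTR_LEN], field[PTR_LEN:]
    expected = hmac.new(key, ptr, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def build_frame(pool: str, key: bytes, rng: random.Random) -> Tuple[List[bytes], List[int]]:
    """Return the frame's fields and the positions holding honey tokens.
    Positions are drawn afresh per frame so frame structure alone does not
    reveal where the traps sit."""
    k = POOL_HT_PER_FRAME[pool]
    positions = sorted(rng.sample(range(FIELDS_PER_FRAME), k))
    fields = []
    for i in range(FIELDS_PER_FRAME):
        if i in positions:
            fields.append(make_token(key, rng))
        else:  # ordinary data field; random bytes stand in for real payload
            fields.append(rng.getrandbits(64).to_bytes(8, "big"))
    return fields, positions


def tamper(fields: List[bytes], n_fields: int, rng: random.Random) -> List[bytes]:
    """Assumed attacker model: n_fields fields chosen uniformly at random are
    modified, the attacker not knowing which fields are honey tokens."""
    out = list(fields)
    for i in rng.sample(range(len(fields)), n_fields):
        out[i] = bytes(b ^ 0xFF for b in out[i])
    return out


def inspect_frame(key: bytes, fields: List[bytes], positions: List[int]) -> bool:
    """IDS check for one frame: alert (True) if any honey token fails to verify."""
    return any(not token_is_valid(key, fields[i]) for i in positions)


def detection_probability(fields_per_frame: int, ht_per_frame: int, tampered: int) -> float:
    """Closed form under the random-tamper model: the attack goes unnoticed only
    if every tampered field misses every honey token, so
    P(detect) = 1 - C(F - k, m) / C(F, m)."""
    return 1 - comb(fields_per_frame - ht_per_frame, tampered) / comb(fields_per_frame, tampered)


def simulate(pool: str, frames: int = 2000, tampered: int = 1, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo over attacked frames, counting True Positives (alert raised)
    and False Negatives (attack missed), the metrics the report evaluates."""
    rng = random.Random(seed)
    key = hashlib.sha256(b"constructed example key").digest()  # constructed key
    tp = fn = 0
    for _ in range(frames):
        fields, positions = build_frame(pool, key, rng)
        if inspect_frame(key, tamper(fields, tampered, rng), positions):
            tp += 1
        else:
            fn += 1
    return {"TP": tp, "FN": fn, "detection_rate": tp / frames}


def false_positive_rate(pool: str, frames: int = 500, seed: int = 2) -> float:
    """Fraction of untouched frames that raise an alert (should be 0.0: an
    unmodified token always verifies)."""
    rng = random.Random(seed)
    key = hashlib.sha256(b"constructed example key").digest()  # constructed key
    alerts = 0
    for _ in range(frames):
        fields, positions = build_frame(pool, key, rng)
        alerts += inspect_frame(key, fields, positions)
    return alerts / frames


if __name__ == "__main__":
    for pool, k in POOL_HT_PER_FRAME.items():
        model = detection_probability(FIELDS_PER_FRAME, k, 1)
        print(pool, k, "HT/frame", simulate(pool), "model %.3f" % model)
```

With one tampered field per frame the model gives 0.5, 0.375, 0.25 and 0.125 for pools A to D, which is the ordering the abstract describes; more honey tokens per frame raise the detection rate at the cost of frame overhead.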
Table of Contents
Chapter 1 ............................................................................................................... 5
Introduction to IDS................................................................................................ 5
1.1 Approach of Honey tokens for Intrusion Detection Systems ............................ 7
1.2 Problem Statement........................................................................................... 7
1.3 Project Contribution......................................................................................... 8
1.4 Working of Intrusion Detection Systems.......................................................... 8
1.5 Types of Intrusion Detection Systems............................................................ 10
1.6 Network Intrusion Detection Systems (NIDS) ............................................... 10
1.7 Host Intrusion Detection Systems (HIDS)...................................................... 11
1.8 Techniques of Intrusion Detection ................................................................. 11
1.9 Signature based Intrusion Detection Technique ............................................. 11
Chapter 2 ............................................................................................................. 12
2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers for Critical
Infrastructure Networks ....................................................................................... 12
2.2 DNP3 Synthetic Traffic Generator................................................................. 14
2.3 Honey Token based Encrypted Pointers......................................................... 16
2.4 System Design ............................................................................................... 17
2.5 Intrusion Detection System Primary Module.................................................. 18
2.6 Intrusion Detection System Secondary Module.............................................. 20
Chapter 3 ............................................................................................................. 21
Results and Discussions....................................................................................... 21
3.1 DNP3 Synthetic Traffic Generator................................................................. 21
3.2 Alarm Analysis of Intrusion Detection System .............................................. 22
3.4 Network Penetration Testing.......................................................................... 25
Chapter 4 ............................................................................................................. 26
Introduction to Intrusion Prevention System (IPS)............................................... 26
4.1 Honeypot definition and development............................................................ 26
4.2 Existing types of honeypot............................................................................. 27
4.3 Low-interaction honeypot system .................................................................. 27
4.4 Middle-interaction honeypot system .............................................................. 27
4.5 High-interaction honeypot system.................................................................. 28
4.6 Mixed-interaction honeypot system ............................................................... 28
4.7 System simulation.......................................................................................... 30
Conclusion Future Work...................................................................................... 31
Reference............................................................................................................. 33
Chapter 1
Introduction to IDS
Network security challenges of the 21st century are enormous for both the commercial sector
and the military. With the evolution of the Internet, security became a major concern for
everybody. We can better understand today's security technologies if we look at the
history of the Internet itself. The basic structure of the Internet is vulnerable to many
security threats, but if the attack method is known it is easy to deploy security
measures that make our networks more secure. The world today is more interconnected
than ever before, and a large amount of information resides on networking
infrastructures that belong to government, the private sector and military
organizations, alongside our daily personal information. The need to protect intellectual
property makes cyber security more important than ever before. In the recent past we
have witnessed critical infrastructures become the prime target of major cyber-attacks,
and the security of critical infrastructure networks has emerged as one of the biggest
challenges of our time.
Critical infrastructure networks commonly have a command and control system for the
smooth and efficient running of their operations; Supervisory Control and Data
Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems
using a wide range of sensors and then issues commands to run the operations of the
critical infrastructure. A brief overview of a typical SCADA architecture is shown in
Figure 1.1. SCADA systems are widely used in industrial installations for the
operational control and management of field sensors and actuators. The typical
components of a SCADA architecture are described as follows:
Operator: The one who monitors the running operations of the SCADA system on a 24x7
routine. The operator of a SCADA system is mostly a human being keeping an eye on all
important functional parameters of the network, which comprises motors, sensors,
actuators, PLCs etc.
Human Machine Interface (HMI): The system that presents process data to the human
operator is known as the HMI, and through it the human operator can control all the
processes of the critical infrastructure.
Master Terminal Unit (MTU): The unit that presents data to the human operator through
the HMI. It gathers data from the remote PLC, sensor, motor and actuator sites, and
control signals (commands) are then transmitted by the MTU.
Remote Terminal Unit (RTU): This unit acts as a slave in the master/slave architecture
of the SCADA system. It receives control signals (commands) from the MTU and forwards
them to the devices (sensors, motors etc.) under its control. The RTU acquires data from
these devices and transmits the gathered data to the MTU. An RTU may be a PLC.
Communication Links: For communication between the Master Terminal Unit (MTU) and the
Remote Terminal Unit (RTU) we have communication channels (links) that may be wired or
wireless. For the protocols that carry SCADA traffic (DNP3, IEC 60870-5), any link that
provides a bandwidth above 1200 bps is workable. Distributed Network Protocol-3 (DNP3)
is the backbone protocol for SCADA systems and is used by almost all vendors as their
primary protocol for the SCADA command and control architecture.
Figure 1.1: Typical SCADA Architecture
SCADA systems possess strategic importance because they are used in critical
infrastructure networks for command and control. SCADA-based cyber-attacks disrupt the
monitoring and control parameters of industrial control communication protocols and are
thus capable of causing serious system failures or, in some cases, physical damage to
critical infrastructure networks. There are many documented real-world cyber-attacks on
critical infrastructures in the last few years which clearly prove the vulnerability of
these networks. A number of countries, including Russia and Taiwan, are involved in DNP3
port scanning activities on the critical infrastructure networks of many western
countries. This port scanning is strong evidence that attackers are searching for
potential vulnerabilities in SCADA command and control networks and trying to obtain the
information that will later help in launching a massive attack on critical infrastructure
sensor networks. Forensic systems for the detection of cyber-attacks on SCADA-based
networks are not common. SCADA-based cyber-attacks are mostly directed at the devices
used in the critical infrastructure environment, e.g., Programmable Logic Controllers
(PLC), Intelligent Electronic Devices (IED), Programmable Automation Controllers (PAC),
Remote Terminal Units (RTU) and Master Terminal Units (MTU). Critical infrastructure
communication networks are
vulnerable to command injection attacks, reconnaissance attacks and response injection
attacks. Command injection attacks inject malicious code and commands into the payload
area of the packets carrying traffic for SCADA-based critical infrastructures; when
successfully executed on the RTU devices, the malicious code and commands cause massive
damage to industrial control system operations. In the case of Stuxnet, for example, the
worm monitored the communication between the WinCC tool and the RTU; when a specific
signature related to an RTU operation (a possible command) was found, the worm
immediately replaced that command with malicious code, causing physical damage to
critical infrastructure control systems. Reconnaissance attacks gather important
information about critical infrastructure network devices and their configurations, e.g.,
the manufacturer of devices (PLC, RTU, MTU), the deployed industrial network protocol,
memory type, system serial number, system model numbers etc. All this information is used
to design the SCADA-based cyber-attack. Response injection attacks are used to present
incorrect sensor information. Of all these categories the most dangerous is the command
injection attack. In our research work we focus on command injection attacks in
SCADA-based critical infrastructure networks, and specifically on the path between
HMI/MTU and RTU/PLC, because this is the most vulnerable area of a SCADA-based critical
infrastructure network.
1.1 Approach of Honey tokens for Intrusion Detection Systems
A honey token is a security tool used for intrusion detection. Its concept is derived
from honeypots and honeynets: a honey token is a honeypot that is not a computer system
but just a piece of data. The core value of honey tokens lies not in their use but in
their abuse. So, a honey token is a piece of data used to trap an attacker; it appears to
be part of the data and alerts the system administrator when it is accessed by an
attacker [9]. In our approach to IDS, a honey token is nothing but a DNP3 packet which we
embed inside the transmission frame along with the regular DNP3 packets that carry normal
network traffic.
1.2 Problem Statement
The security of critical infrastructure networks has become a key issue after recent
cyber-attacks, especially attacks like "Stuxnet" that destroy and disrupt the operations
of these networks. Moreover, there are many hidden vulnerabilities in existing industrial
protocols like DNP3 and IEC 60870-5 that can easily be exploited by attackers. Firewall
scanning looks only outwards and is not a complete solution for a network of critical
infrastructure facilities, whereas an IDS seems to be a good choice. Our future intrusion
detection systems must be able to protect our networks despite all the vulnerabilities
that exist in running SCADA networks. Future IDS must also be capable enough to counter
external as well as internal threats.
Online connectivity is increasing nowadays, and to enhance overall production these
critical infrastructure networks are connected to other networks as well as to the
Internet. This massive connectivity provides attackers with many more opportunities and
poses a greater threat to the security of critical infrastructure networks.
1.3 Project Contribution
The aim of this work is to design and develop an Intrusion Detection System (IDS) that
specifically counters the security challenges of industrial networks. This IDS uses a new
and different approach and performs all its functions per the industrial standards and
practices of SCADA networks. In this project, our main contributions are focused on:
1. Design an Intrusion Detection System (IDS) specifically for the security of critical
infrastructure networks, which works using the approach of Honey Token based Encrypted
Pointers to detect cyber-attacks.
2. Derive a new strategy for intrusion detection that improves the overall security of
the critical infrastructure network, particularly focusing on the security of the field
area (RTU, PLC etc.) by detecting attacks more efficiently and enhancing real-time
detection capability. Introduce an approach in which all the systems under the working
domain of the critical infrastructure network are divided into four different pools, the
division being based on the computational power and vulnerability level of each
individual system. Different pools are provided with different levels of security, but
the entire network is under the umbrella of unified security provided by a single
network-based IDS.
3. Develop a mechanism for intrusion detection that uses AES encryption schemes, honey
tokens and pointers to achieve better security against attacks, thus providing the
ability to respond fast to adversarial activities and to gain a better understanding of
the attacker's behavior.
4. Provide a scalable solution that can be implemented on a network of any number of
remote computational nodes.
1.4 Working of Intrusion Detection Systems
An Intrusion Detection System (IDS) is a system used to identify and detect malicious
activities in a network. These systems emerged in the arena of network security when it
was realized that advancements in network technology bring serious cyber threats with
them, and that to successfully run the operations of these networks we must have some
sort of security system that is reliable and flexible. All computer systems and networks
have vulnerabilities, and it is almost impossible to build a perfect computer system or a
perfect network that is free of all errors and vulnerabilities. So there is no question
of a modern network without some type of network security equipment, e.g. a firewall, an
IDS etc. The main goal of an intrusion detection system is to detect attempted network
breaches, and in some cases it looks for open vulnerabilities that could result in a
potential breach of a network. If we study an IDS at a very macroscopic level, we come to
know that it simply acts as a detector that processes information coming from a client's
network. This detector can also send probes that request audit data from the information
system (network). Intrusion Detection Systems commonly use three kinds of information:
1. Long Term Information.
2. Configuration Information.
3. Audit Information.
Long-term information is related to the mechanisms and techniques used for intrusion
detection, configuration information is about the current state of the system, and audit
information describes the sequence of events happening on the connected network or
information system. A generic IDS is shown in Figure 3.1. The function of the detector is
to filter the information coming from the information system, eliminate all unneeded
information from the audit trails and then decide about a possible intrusion. The
countermeasure unit takes preventive action in case of any possible intrusion and tries
to save the network from any attempted security breach.
Figure 3.1: Generic Intrusion Detection System
In Figure 3.1 the basic role of the detector is to filter the useless information coming
from the audit trails. Based on the remaining crucial information a decision is then
taken about the event (possible intrusion), and preventive action is taken by the
countermeasure component of the Intrusion Detection System (IDS). Based on their
operational mechanisms, Intrusion Detection Systems (IDS) are divided into two main
categories:
1. Passive Intrusion Detection Systems
2. Active Intrusion Detection Systems
1.5 Types of Intrusion Detection Systems
Two main types of IDS have been used by the industry for many years. Even though the
technique and the target differ, the basic purpose of both types of system is to provide
security by performing detection functions. For several years there has been a debate
about which of the two possesses the better detection strategy. In the following, the
basic principles of these two types are discussed. The two types of IDS are:
1. Network Intrusion Detection Systems (NIDS)
2. Host Intrusion Detection Systems (HIDS)
1.6 Network Intrusion Detection Systems (NIDS)
Network Intrusion Detection Systems (NIDS) are placed at critical and strategic points in
the network, where they monitor the network for internal as well as external threats. A
NIDS checks the entire traffic of the network for any possible cyber-attack. When an
attack is detected or any abnormal traffic behavior is noticed, an alert message is sent
to the administrator. As the name (NIDS) makes clear, these intrusion detection systems
are deployed in the subnet where the firewall is most probably placed, so that the
network administrator keeps a strong check on who is trying to break the security policy
of the firewall and tries to detect an inside attacker. As shown in Figure 3.2, there are
two different companies and each company's network is connected to the Internet. The
network of one company is protected by a firewall as well as an Intrusion Detection
System (IDS) placed at the gateway of the network, whereas the network of the second
company is protected only by a network intrusion detection system placed at the gateway.
Figure 3.2 gives a clear idea of the importance of the placement of Network Intrusion
Detection Systems (NIDS) in the network.
Figure 3.2: Network Intrusion Detection System
1.7 Host Intrusion Detection Systems (HIDS)
This type of intrusion detection system is designed for the security of a single host
(machine) on the network. A Host Intrusion Detection System (HIDS) inspects all packets
coming out of the device and going into it, and continuously monitors for malicious
activity. Once it finds some type of intrusion it alerts the administrator or the user of
that machine. A HIDS takes a snapshot of all the system files and compares it with the
previous snapshot; if files are missing, deleted or edited, the HIDS raises an alarm and
goes on to further investigation. HIDS are mostly installed on mission-critical machines.
The most common example of a HIDS is the anti-virus software installed on our daily-use
computers.
1.8 Techniques of Intrusion Detection
The detection techniques used by IDS are as follows:
1. Signature based Intrusion Detection Technique.
2. Anomaly based Intrusion Detection Technique.
1.9 Signature based Intrusion Detection Technique
An Intrusion Detection System (IDS) that uses the signature-based approach scans all the
packets on the network and compares them against a database of signatures. For
understanding, we can think of a signature as a unique digital thumbprint: every
signature is different from the others, and all the signatures in the database are
attributes of known malicious cyber threats. The IDS compares the packets with all the
signatures available in the database, and if a match occurs at any point in time, that
event is considered an intrusion by the intrusion detection system. Almost all anti-virus
programs use this signature-based intrusion detection approach. Using this approach the
system detects all known attacks, but at the same time it completely misses all unknown
signatures (zero-day attacks). In Figure 3.3 we have the complete basic model of a
signature-based Intrusion Detection System (IDS): packets are matched against malicious
signatures and the administrator is alerted in case of a match.
Figure 3.3: Signature based Intrusion Detection System
Chapter 2
2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers
for Critical Infrastructure Networks
Our approach to the design of the Intrusion Detection System (IDS) is novel and simple:
we use honey token based encrypted pointers for the detection of network attacks on the
critical infrastructure network. We embed these honey tokens inside the transmission
frame, and an encrypted pointer keeps a record of the locations of all these honey
tokens. This encrypted pointer is sent to the destination within the same transmission
frame in which the honey token packets were embedded. At the receiver side, we extract
all the honey tokens from the frame with the help of the encrypted pointer and compare
them with the database of honey tokens already present at every Remote Terminal Unit
(RTU) to verify whether changes were made to them. Critical infrastructure is the term
used for those national assets which are very important for the operational stability of
economy and society, and without them
there is no concept of running a nation state successfully in the 21st century. In
today's modern times all these critical infrastructure operations run using smart and
sophisticated networks called critical infrastructure networks. There are large numbers
of these critical infrastructures, but the most common are the electric power grid, the
oil and gas sector, nuclear power plants, water supply systems, air traffic control
systems, water treatment plants, railway traffic systems, industrial manufacturing etc.
Critical infrastructure networks commonly have a command and control system for the
smooth and efficient running of their operations; Supervisory Control and Data
Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems
using a wide range of sensors and then issues commands from its Master Terminal Unit
(MTU) to operate the industrial control systems. The common topology of a critical
infrastructure sensor network is shown in Figure 2.1.
Figure 2.1 The common topology of critical infrastructure sensor network
The SCADA (MTU) system connects to a network of nodes commonly known as Remote Terminal
Units (RTU), and the sensors connect to these RTUs. The IDS shown in Figure 4.1 is a
Network based Intrusion Detection System (NIDS) and thus serves the entire critical
infrastructure sensor network with its security services. An RTU may be a PLC; it
collects data from all sources, which include sensors, actuators, motors, pressure
valves, centrifuges etc. The RTU then sends this data back to the MTU for monitoring. The
MTU sends commands to the RTU for controlling these assets (motors, sensors and
actuators); the RTU receives this set of commands from the MTU and directs them to their
target devices.
2.2 DNP3 Synthetic Traffic Generator
Distributed Network Protocol-3 (DNP3) is a set of communications protocols used between
components in process automation systems. It is the backbone protocol for SCADA systems
and is used by almost all vendors as their primary protocol for SCADA command and control
software. Our adopted approach for solving the problem is very simple: we generate
synthetic DNP3 traffic, for which we designed a DNP3 traffic generator capable of
producing millions of DNP3 packets. DNP3 is an open protocol, which means that the
complete technical documentation associated with it is available to the public. The core
elements that define the DNP3 protocol are the data link layer protocol description, the
application layer protocol description and the data object library. At the start of the
packet we have the data link layer information, which includes the start bytes, length
bytes, control bytes, destination address, source address and CRC (Cyclic Redundancy
Check) bytes of the data link layer; after this we have the application layer headers. At
the end we have the data area holding the actual data (payload) and the object header,
which carries the control information associated with this data area. The object header
contains the fields of function control bytes, internal information bytes, object type
bytes, variation bytes, qualifier bytes, range bytes, data object bytes and CRC bytes.
DNP3 is a robust and flexible protocol compared to other conventional communication
protocols.
DNP3 was originally designed based on a three-layer model which includes the application
layer, data link layer and physical layer. The application layer provides objects for the
most generic data formats, the data link layer provides methods for retrieving data, and
the physical layer defines the most common RS-232, RS-485 or radio interfaces. DNP3 uses
the 3-layer Enhanced Performance Architecture (EPA) stack for its specifications. The
3-layer EPA stack provides a simpler way of data communication over industrial control
systems, where there is no need for many of the features required for communication on
IP networks. Figure 2.3 shows a comparison of the Enhanced Performance Architecture (EPA)
stack with the 7-layer model.
Figure 2.3: Comparison of EPA Stack with 7 Layer Reference Model [63]
Although DNP3 was designed as a reliable protocol, it was not designed as a secure
protocol. It is vulnerable to attacks designed to disrupt control system operations and
disable critical infrastructure networks. So an enhanced level of security, in the form
of an IDS, is required to protect assets as important as critical infrastructure
networks. The honey tokens used by the IDS are normal DNP3 packets generated using the
same synthetic traffic generator. These honey token packets are similar to real DNP3
packets, and it is impossible for a human being to differentiate between a real packet
and a honey token.
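As an added example (not part of the report or its MATLAB generator), the Go code below builds and checks the DNP3 data-link header the section lists, which makes the reliability-versus-security point concrete: the CRC rejects a bit error from the channel but accepts any header whose fields were rewritten and whose CRC was recomputed. The field values (control 0xC4, addresses 1 and 1024, 12 bytes of user data) are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// headerLen is the DNP3 data-link header the page lists: start bytes 0x05 0x64,
// length, control, destination (2), source (2) and a 16-bit CRC over those 8 bytes.
const headerLen = 10

// crcDNP3 is the DNP3 data-link CRC: polynomial 0x3D65 run bit-reflected (0xA6BC),
// zero initial value, result complemented. It catches channel noise, nothing more.
func crcDNP3(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0xA6BC
			} else {
				crc >>= 1
			}
		}
	}
	return ^crc
}

// BuildHeader assembles the header for a frame carrying userLen bytes of user
// data. The LENGTH field counts control, destination, source and user data
// (5 + userLen, at most 255) but not the start bytes or any CRC.
func BuildHeader(control byte, dst, src uint16, userLen int) ([]byte, error) {
	if userLen < 0 || userLen > 250 {
		return nil, fmt.Errorf("user data length %d out of range", userLen)
	}
	h := make([]byte, headerLen)
	h[0], h[1], h[2], h[3] = 0x05, 0x64, byte(5+userLen), control
	binary.LittleEndian.PutUint16(h[4:], dst) // DNP3 addresses are sent LSB first
	binary.LittleEndian.PutUint16(h[6:], src)
	binary.LittleEndian.PutUint16(h[8:], crcDNP3(h[:8]))
	return h, nil
}

// HeaderValid is the receiver's data-link check: start bytes and CRC. A frame
// that fails it is discarded and retransmitted, which is why the report leaves
// channel noise out of its false-positive analysis.
func HeaderValid(h []byte) bool {
	if len(h) < headerLen || h[0] != 0x05 || h[1] != 0x64 {
		return false
	}
	return binary.LittleEndian.Uint16(h[8:]) == crcDNP3(h[:8])
}

// RewriteDestination changes the destination address and recomputes the CRC.
// The result still passes HeaderValid: the CRC authenticates nothing, which is
// the gap the honey tokens of the following sections are meant to close.
func RewriteDestination(h []byte, dst uint16) []byte {
	out := append([]byte(nil), h...)
	binary.LittleEndian.PutUint16(out[4:], dst)
	binary.LittleEndian.PutUint16(out[8:], crcDNP3(out[:8]))
	return out
}

func main() {
	h, _ := BuildHeader(0xC4, 1, 1024, 12) // constructed: dst 1, src 1024, 12 user bytes
	noisy := append([]byte(nil), h...)
	noisy[3] ^= 0x01 // a single bit error on the channel
	fmt.Printf("% x\nvalid=%v noisy=%v rewritten=%v\n", h,
		HeaderValid(h), HeaderValid(noisy), HeaderValid(RewriteDestination(h, 7)))
}
```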
2.3 Honey Token based Encrypted Pointers
Our approach to IDS uses a technique called Honey Token based Encrypted Pointers. Honey
tokens are artificial digital data items planted deliberately into a genuine system
resource to detect unauthorized attempts to use or disrupt the original information.
Honey tokens are characterized by properties which make them appear to be genuine data
items. The honey tokens used by our IDS are normal DNP3 packets planted deliberately into
a transmission sequence to detect cyber-attacks. We generate these honey tokens once at
the start of the simulation and build their encrypted database. All the Remote Terminal
Units (RTUs) in the critical infrastructure network hold a copy of this encrypted honey
token database, which they later use for comparison and correlation of honey tokens at
the RTU to detect any changes made to the sequence by the attacker during transmission
from the Master Terminal Unit (MTU) to the RTU. The transmission sequence consists of a
total of N packets. In the first step the IDS uses a length of N-1 packets as the process
length; in other words, the IDS embeds honey tokens in the real traffic at random
locations and builds a sequence of length N-1. This sequence of length N-1 is known as
the process length of the sequence and is shown in Figure 2.4.
Figure 2.4: Process Length
The last packet contains the locations of all the honey tokens embedded earlier in the
process length by the IDS. This last packet is known as the pointer, and after encryption
it becomes an Encrypted Pointer (EP). The pointer itself is also a normal DNP3 packet,
and the locations of the honey tokens are stored inside its payload area, where any empty
space in the payload area is filled using zero padding. Figure 4.5 shows that after
inserting the locations of all the honey tokens inside the payload area of the packet,
the empty spaces are filled with zero padding.
Figure 2.5: Pointer Structure
The entire formation process is shown in Figure 2.6, where a single sequence has N
packets and the process length has (N-1) packets; the last packet of the sequence is the
pointer that contains the locations of the honey tokens.
Figure 2.6: Formation Process
2.4 System Design
We adopted a modular approach in the system design, and the IDS consists of two separate
modules working at separate physical locations within the critical infrastructure
network. The two modules of the IDS are:
1. IDS Primary Module.
2. IDS Secondary Module.
The IDS primary module works in collaboration with the MTU and the IDS secondary module
works in collaboration with the RTU. We divide the critical infrastructure sensor network
into four different categories or pools, as shown in Figure 2.7. This division of nodes
among four pools is based on the computational power and level of vulnerability of each
system (node) working in the critical infrastructure sensor network.
Figure 2.7: Segmentation of Pools in Critical Infrastructure Network
Pool-A contains those systems having greater computational power and higher
vulnerability levels; it uses 4 honey tokens per frame and the AES-256 encryption scheme,
e.g. data centers. Pool-D contains those systems having the least computational power;
it uses one honey token per frame and the AES-128 encryption scheme, e.g. a tsunami
warning system for the open ocean. The other two pools (B and C) contain systems that
fall between the above categories: Pool-B uses 3 honey tokens per frame and AES-192,
e.g. oil rigs, and Pool-C uses 2 honey tokens per frame and AES-192, e.g. remote
operating stations. The encryption scheme assigned to each pool is used for two tasks:
first the encryption of the pointer, and second the encryption of the honey token
database (present at the RTUs) of that pool.
2.5 Intrusion Detection System Primary Module
The IDS primary module works in collaboration with the MTU. It starts by embedding honey
tokens inside the normal DNP3 traffic frame at random locations. First, the transmission
module in Figure 4.8 checks which RTU in the critical infrastructure network the current
frame is directed to. The IDS then checks the pool of that specific RTU, and once the
pool is confirmed the IDS performs its operation of embedding honey tokens inside the
transmission frame. For example, if the current frame belongs to Pool-A the IDS embeds
four honey tokens at random positions inside the frame. The locations (addresses) of
these four honey tokens are then placed inside the last packet, known as the pointer of
the frame, and the empty space inside this pointer is filled with zero padding. The IDS
then encrypts this pointer using AES-256, so the only thing encrypted inside the frame is
the pointer, which holds the locations of the honey tokens. The encrypted pointer is then
attached to the frame, and the frame is ready for transmission over the physical channel,
which may be wired or wireless. If the destination RTU belongs to Pool-B, the IDS primary
module embeds 3 honey tokens inside the frame and stores their locations in the pointer;
AES-192 is used for the encryption of the pointer. The IDS primary module uses 2 honey
tokens per frame if the target RTU belongs to Pool-C, and AES-192 is used for the Pool-C
pointer. In the case of Pool-D the IDS uses only one honey token per frame and stores its
location inside the pointer; all empty space is filled with zero padding and AES-128 is
used for pointer encryption.
Figure 2.8: Flow Chart of IDS Primary Module at Master Terminal Unit
(MTU)
2.6 Intrusion Detection System Secondary Module
At the receiver side, the IDS secondary module at the RTU receives the transmission
frame and extracts the Encrypted Pointer (EP) from it. If the local RTU falls in Pool-A
of the critical infrastructure network, the EP is decrypted using AES-256, and after
successful decryption the IDS secondary module opens the pointer and removes all the
zero padding inside it. The IDS then extracts the honey tokens from the transmission
frame using the locations available in the pointer. In the case of Pool-B the EP is
decrypted using AES-192 and the zero padding is removed to recover the honey token
locations at the RTU side. The same process is used for the other two pools, the only
difference being that the Pool-C pointer is decrypted using AES-192 and the Pool-D
pointer using AES-128. After the successful recovery of the honey tokens at the RTU
side, the IDS secondary module performs the scanning process shown in Figure 4.9. The
HT Database contains the entire database of honey tokens which the IDS uses for its
detection mechanism. Moreover, this HT Database is also encrypted, using AES-256 for
Pool-A, AES-192 for Pool-B and Pool-C and AES-128 for Pool-D. In the scanning operation
the IDS secondary module compares all the honey tokens bit by bit with their copies
present in the HT Database. The honey token scanning process detects any tampering with
the honey tokens during the entire process of transmission from MTU to RTU. If any
tampering is detected the IDS immediately raises an alarm for the network administrator
and considers this event a possible intrusion; otherwise, if all the honey tokens match
their counterparts in the HT Database with no mismatch in the bits, the IDS considers
the event normal and continues its operation.
Figure 2.9: Flow Chart of IDS Secondary Module at Remote Terminal Unit
(RTU)
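The primary and secondary modules of Sections 2.3 to 2.6, as an added example in Go (not the report's MATLAB code): Embed interleaves the pool's honey tokens at random positions, writes their locations into a zero-padded pointer and encrypts it with a key of the pool's AES size; Verify at the RTU decrypts the pointer, strips the padding and compares each token bit for bit with the HT database. AES-GCM as the mode, an 8-byte pointer payload, 1-based locations and the all-zero demo key are this example's assumptions, and encryption of the HT database at rest is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// Packet is a synthetic DNP3 packet (0x05 0x64 start bytes, random body); Frame is
// the N-1 packets of the process length plus the encrypted pointer as packet N.
type Packet []byte
type Frame struct {
	Packets []Packet
	Pointer []byte // GCM nonce || ciphertext of the 8-byte pointer payload
}

// NewPackets builds count constructed packets; used for the HT database and traffic.
func NewPackets(count, bodyLen int) []Packet {
	out := make([]Packet, count)
	for i := range out {
		out[i] = make(Packet, 2+bodyLen)
		out[i][0], out[i][1] = 0x05, 0x64
		crand.Read(out[i][2:])
	}
	return out
}

// newGCM selects AES-128/192/256 from the key length (16/24/32 bytes, the page's
// per-pool schemes); GCM is this example's choice of mode, not the page's.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Embed is the primary module at the MTU: place honey tokens at random positions,
// store the positions as 1-based uint16 slots in an 8-byte payload (unused slots are
// the zero padding; 1-based so index 0 is never read as padding), seal the payload.
func Embed(tokens int, key []byte, traffic, db []Packet) (Frame, []int, error) {
	gcm, err := newGCM(key)
	if err != nil || tokens < 1 || tokens > 4 {
		return Frame{}, nil, fmt.Errorf("bad token count %d or key: %v", tokens, err)
	}
	n := len(traffic) + tokens // process length N-1
	positions := rand.Perm(n)[:tokens]
	packets := make([]Packet, n)
	payload := make([]byte, 8)
	for i, pos := range positions {
		packets[pos] = db[rand.Intn(len(db))]
		binary.BigEndian.PutUint16(payload[2*i:], uint16(pos+1))
	}
	for i, ri := 0, 0; i < n; i++ {
		if packets[i] == nil {
			packets[i], ri = traffic[ri], ri+1
		}
	}
	nonce := make([]byte, gcm.NonceSize())
	crand.Read(nonce)
	return Frame{packets, gcm.Seal(nonce, nonce, payload, nil)}, positions, nil
}

// Verify is the secondary module at the RTU: open the pointer, stop at the zero
// padding and compare each referenced packet bit for bit with the HT database; an
// unopenable pointer, out-of-frame location or altered token raises the alarm.
func Verify(key []byte, f Frame, db []Packet) (alarm bool, reason string) {
	gcm, err := newGCM(key)
	if err != nil || len(f.Pointer) < gcm.NonceSize() {
		return true, "unusable key or truncated pointer"
	}
	payload, err := gcm.Open(nil, f.Pointer[:gcm.NonceSize()], f.Pointer[gcm.NonceSize():], nil)
	if err != nil {
		return true, "pointer does not decrypt (tampered, or wrong pool key)"
	}
	known := make(map[string]bool, len(db)) // the RTU's copy of the HT database
	for _, h := range db {
		known[string(h)] = true
	}
	for i := 0; i+2 <= len(payload); i += 2 {
		slot := int(binary.BigEndian.Uint16(payload[i:]))
		if slot == 0 {
			break // zero padding: no more locations
		}
		if slot > len(f.Packets) || !known[string(f.Packets[slot-1])] {
			return true, fmt.Sprintf("honey token at packet %d altered", slot-1)
		}
	}
	return false, "all honey tokens intact" // anything overwritten elsewhere goes unseen
}

func main() {
	db, traffic := NewPackets(16, 30), NewPackets(30, 30)    // 30 real + 4 HT = 34 (Pool-A)
	frame, pos, _ := Embed(4, make([]byte, 32), traffic, db) // all-zero AES-256 demo key
	frame.Packets[pos[0]] = NewPackets(1, 30)[0]             // injected data lands on a honey token
	fmt.Println(Verify(make([]byte, 32), frame, db))         // true, "honey token at packet N altered"
}
```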
Chapter 3
Results and Discussions
3.1 DNP3 Synthetic Traffic Generator
Figure 3.1 shows the output of the DNP3 synthetic traffic generator, which is designed
in MATLAB; this traffic generator can generate millions of packets of the DNP3 protocol
(synthetic traffic). The first two bytes of every DNP3 packet are always 0564 (the
defined standard for a DNP3 packet), which is clearly highlighted. In Figure 3.1 there
are a total of 34 DNP3 packets, of which 10 are honey tokens. It is almost impossible to
distinguish between a real packet and a honey token packet.
Figure 3.1: DNP3 synthetic traffic generator output
3.2 Alarm Analysis of Intrusion Detection System
We use a test network of 64 nodes, each pool containing 16 nodes. Here we make an
assumption about the length of the attack vector. From the detailed study of Stuxnet and
other related attacks, the malicious attacks used to disrupt the operations of critical
infrastructure networks consist of complex and lengthy code and commands; these attacks
consist of hundreds and sometimes thousands of frames, but in our simulation we assume
that the attack signature generated by MATLAB is greater than half the length of the
frame. All the results are average values. Secondly, the reason we do not use False
Positives (FP) and True Negatives (TN) in our alarm analysis is the nature of the DNP3
protocol itself. DNP3 is not a general protocol; it differs from SMTP, FTP, HTTP etc. It
is intended for SCADA applications and is designed as a reliable protocol but not as a
secure one. It uses a CRC (Cyclic Redundancy Check) for both header and payload, so it
discards all corrupted packets (corrupted because of channel noise and bit errors) and
requests retransmission of the corrupted packets. For our IDS, a false positive could
only occur when honey tokens are corrupted by channel noise and mismatch the HT database
at the RTU. This scenario is not possible because corrupted frames are discarded by the
DNP3 protocol. So FP is not included in our alarm analysis, since honey tokens discarded
by the RTU due to channel noise are retransmitted by the MTU. These SCADA networks run
24x7 over a period of years and their operations are not affected by any disruption (bit
errors, channel noise etc.), and this is possible only because of the robust design that
gives extreme reliability to these critical infrastructure networks. The result shown in
Figure 3.6 is the output of the system alarms. "True Positive" means that an attack
occurs and the system successfully detects it, and "False Negative" means that an attack
occurs but the system fails to detect it. On the y-axis we have the scale of alarm
percentage and on the x-axis we have the four pools [A-B-C-D]. Maximum security is given
to Pool-A because these systems possess high computational power, therefore it has a very
small percentage of false negatives; the results in Figure 3.2 show that on average false
negative alarms are less than 2% for Pool-A.
Figure 3.2: IDS Performance (Alarm Analysis)
On the other hand, the least security is provided to Pool-D because these systems are constrained in computational power and other valuable resources, so the false negative percentage is almost 12% for Pool-D. The graphical results in Figure 3.2, which are also tabulated in Table 3.1, show the different pools with their True Positive (TP) and False Negative (FN) alarm percentages for an attack vector of 70% of the frame length; all these results are average values. Encryption schemes are also listed along with the different pools in Table 3.1.
Table 3.1: IDS Alarm Analysis for 70% attack vector

Pool     HT/frame   Encryption   TP alarms   FN alarms
Pool-A   4          AES-256      98%         2%
Pool-B   3          AES-192      97%         3%
Pool-C   2          AES-192      93%         7%
Pool-D   1          AES-128      88%         12%

From Figure 3.2 and Table 3.1, Pool-A has 98% TP alarms and 2% FN alarms; it uses 4 HT/frame with the AES-256 encryption scheme. Pool-B has 97% TP alarms and 3% FN alarms; it uses 3 HT/frame with the AES-192 encryption scheme. Pool-C has 93% TP alarms and 7% FN alarms; it uses 2 HT/frame with the AES-192 encryption scheme. Finally, Pool-D has 88% TP alarms and 12% FN alarms; it uses only one HT/frame with the AES-128 encryption scheme.
Table 3.2: IDS Alarm Analysis Comparison Table
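An added Monte Carlo estimate (not the report's MATLAB simulation) of how the TP/FN split depends on honeytokens per frame and on attack-vector length, with a closed-form approximation beside it. The model is an assumption: a frame of 250 user bytes, n honeytoken bytes at positions known only through the encrypted pointers, and an attacker overwriting one contiguous span; its rates illustrate the trend of Table 3.1 rather than reproduce its numbers.

```python
# Added example, not the report's simulation. Model assumptions: FRAME_LEN user
# bytes per frame; n honeytoken bytes hidden at positions only the MTU/RTU know
# (the encrypted pointers); the attacker overwrites one contiguous span of
# frac * FRAME_LEN bytes at a uniformly random offset; the RTU raises a true
# positive when any honeytoken byte was overwritten and a false negative otherwise.
import random

FRAME_LEN = 250                            # constructed value, not from the report
POOLS = {"A": 4, "B": 3, "C": 2, "D": 1}   # HT/frame per pool as in the report


def plant_tokens(n: int, rng: random.Random) -> set:
    """Choose n distinct honeytoken positions; their secrecy is what the pointers protect."""
    return set(rng.sample(range(FRAME_LEN), n))


def attack_detected(tokens: set, frac: float, rng: random.Random) -> bool:
    """One attacked frame: overwrite a contiguous span; detected iff the span hits a token."""
    span = int(FRAME_LEN * frac)
    start = rng.randrange(0, FRAME_LEN - span + 1)
    return any(start <= p < start + span for p in tokens)


def alarm_rates(ht_per_frame: int, frac: float, trials: int = 20000, seed: int = 1) -> tuple:
    """Return (TP %, FN %) averaged over `trials` attacked frames with fresh token positions."""
    rng = random.Random(seed)
    hits = sum(attack_detected(plant_tokens(ht_per_frame, rng), frac, rng) for _ in range(trials))
    tp = round(100.0 * hits / trials, 1)
    return tp, round(100.0 - tp, 1)


def closed_form_tp(ht_per_frame: int, frac: float) -> float:
    """Approximation treating tokens as independent: 1 - (1 - frac)^n, in percent."""
    return round(100.0 * (1.0 - (1.0 - frac) ** ht_per_frame), 1)


def pool_table(frac: float = 0.7) -> dict:
    """TP/FN per pool for one attack-vector length (0.7 is the report's 70% case)."""
    return {pool: alarm_rates(n, frac) for pool, n in POOLS.items()}


if __name__ == "__main__":
    for pool, (tp, fn) in pool_table().items():
        print(f"Pool-{pool}: TP {tp:5.1f}%  FN {fn:5.1f}%  "
              f"(closed form TP {closed_form_tp(POOLS[pool], 0.7)}%)")
```

Shrinking `frac` below 0.5 shows the limitation stated in the conclusion: a short attack vector rarely touches a honeytoken, so FN climbs steeply for Pool-D.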
3.4 Network Penetration Testing
To test and verify our designed Intrusion Detection System (IDS), we use Network Penetration Testing (NPT). Alongside our IDS we place another conventional signature-based IDS, which contains signatures for some known attacks, for the security of the 64-node critical infrastructure test network as shown in Figure 3.13.
Figure 3.13: Network Penetration Testing Scenario (64 Node Network)
Then, using MATLAB, we generate hexadecimal attack signatures (zero-day attacks) and a few known attack signatures (hexadecimal signatures) that are already present in the database of the conventional IDS. Finally, we launch all these attacks on the test network. Known attacks are immediately stopped by the conventional IDS, but all zero-day attack signatures successfully penetrate the 64-node test network. In response, our IDS successfully detected these penetrated attacks in the 64-node network. A snapshot of the IDS scanning process result is shown in Figure 3.14, where cyber-attacks are detected by the IDS on nodes 22, 24 and others.
Figure 3.14: Intrusion Detection System scanning process
Chapter 4
Introduction to Intrusion Prevention System (IPS)
Virtual honeypot technology is the best active prevention technology among all honeypot technologies. By using the original operating system and virtual technology, the honeypot lures attackers in a pre-arranged manner, analyzes and audits various attack behaviors, tracks the attack source, obtains evidence, and finds effective solutions. Thereafter, legal means can be used to investigate the responsibility of the attackers, and technology and management tools can be employed to improve actual system protection. A honeypot system can detect attack behavior and redirect such attacks to a strictly controlled environment to protect the production system. This system collects intrusion information to observe and record the behavior of the attacker and to examine the level, purpose, tools, and intrusion methods of the attack, such that evidence can be obtained and possible legal actions can be taken.
4.1 Honeypot definition and development
A honeypot system is designed to attract hackers. Thus, after an intrusion, network
administrators and security specialists can determine how the attacker succeeded,
prevent subsequent attacks, and identify security gaps. In addition to identifying the
various tools used by hackers, honeypot technology can also identify the social
networks of intruders by determining the relationships among hackers.
Figure 4.1 Honeypot principle diagram
Honeypot technology is a security resource whose value lies in being scanned, attacked, and captured. This characteristic means that a honeypot serves no other production purpose. Therefore, any network traffic that flows into or out of the honeypot most likely indicates a scan, an attack, or a compromise. The core value of this technology lies in monitoring, detecting, and analyzing intrusive activities.
The most popular honeypot tools are the Deception Tool Kit and Honeyd. Based on
traditional honeypot and honeynet technologies, active honeypot, honeyfarm,
honeyapp, honeyclient, and other new concepts have been proposed. Such
applications and concepts have also opened new research directions.
4.2 Existing types of honeypot
If we define the level of a honeypot by the level of interactivity it offers its attackers, that is, by the degree of interaction allowed between the operating system and intruders, then honeypot systems can be divided into low-interaction honeypot systems, middle-interaction honeypot systems, and high-interaction honeypot systems.
4.3 Low-interaction honeypot system
A low-interaction honeypot provides only specific analog services. In their basic
form, these services can be conducted by monitoring a specific port. Low-interaction
honeypot systems do not provide intruders with the actual operating system for
remote login. Thus, the risk is low. However, the function of this honeypot is highly
passive, like a unidirectional connection wherein limited information can be
collected. With the information flowing from outside to the machine and without
any response message to be sent, this type of honeypot fails to capture the
communication process behind complicated protocols. Low-interaction honeypot
systems have the following characteristics:
Analog services and operating system
Can capture only a small amount of information
Easy to arrange, thus minimizing risk.
4.4 Middle-interaction honeypot system
A middle-interaction honeypot system does not provide the actual operating system
but provides intruders with a complicated decoy process. This type of honeypot
system imitates a specific service, thus causing intruders to believe that they are
attacking the real operating system. Such a mechanism enables the system to collect
high amounts of data. However, this mechanism also increases the risk of intrusion.
Therefore, middle-interaction honeypot systems should ensure that no new security holes are introduced while imitating the services and their vulnerabilities. By using high-level interaction, honeypot technology can endure sophisticated attacks while recording and analyzing such attacks. Under environments with increasing levels of interaction, a honeypot system should be deployed in a manner wherein all analog services are as safe as possible.
4.5 High-interaction honeypot system
Most high-interaction honeypot systems are placed in a controlled environment,
such as behind a firewall. The firewall allows a hacker to attack the honeypot but does not allow new attacks to be launched from it. This structure is difficult to deploy and maintain because it must not let hackers know that they are being monitored. Maintaining a high-interaction honeypot is time consuming; thus, the firewall capacity and the IDS characteristic (signature) database should be frequently updated to enable continuous monitoring. Any error in the system may allow a hacker to control the
full operating system, attack other systems, or intercept messages in the application
system [14]. However, if a high-interaction honeypot system can be maintained
properly, it can allow security specialists to obtain information on hackers that other
types of honeypots cannot obtain. The cost of deploying a high-interaction honeypot
system is extremely high because it requires the continuous monitoring of a system
administrator. An uncontrollable honeypot is meaningless for any organization and
may even pose high network security risks. A high-interaction honeypot system has
the following characteristics:
Provides the actual operating system and services instead of analog data
Captures rich information
Complicated deployment and high security risks
4.6 Mixed-interaction honeypot system
This study aims to establish a mixed honeypot system to monitor various types of data. The honeypot principle is adopted in data collection to judge whether the data are normal and to prevent attacks. The system maintains a daily record in the application and the virtual system. Furthermore, the system records the internal and external gateways of a virtual control server and a virtual gateway on Debian. These data provide detailed tracking and attack-tracing capacity. In turn, the data provided by the external gateway can be used to monitor the packets of the traffic attacking the virtual gateway. The related attack data can be found in the backup data of the virtual gateway, which allows security specialists to identify the attack type. The mixed honeypot system discussed in this paper is a type of application honeypot. The Apache Web server is used for honeypot testing, and Mozilla Firefox is used to create log records. We run Apache and the server deployment from the Apache Web server and the Web server. When Debian detects any abnormal traffic to the honeypot Apache Web server, data analysis is conducted. If traffic is suspicious but legal in practice, then the data are sent to the honeypot for treatment. If the system is attacked and modified during operation, traffic will be cut off, thus causing data to return to their source. The outer interface of the virtual gateway, 192.168.10.6, is connected to an external network. At the same time, the gateway has an internal interface that provides the DNS server for the Web server and the decoy server. The DNS server is a resolution server that can resolve the overall domain name and forward any request to the external gateway for treatment.
Figure 4.2 Mixed interactive honeypot system
Two interfaces for the decoy server can be defined as 10.0.2.3 and 10.0.3.3. 10.0.3.0 can be defined as the subnet of the interfaces. The second interface is connected to an application port in the gateway, thereby connecting the virtual Web server, the database, and a specific server port link. If the application gateway detects a data request that requires a direct connection to a specific network, any application server, virtual Web server, or common user will produce data feedback that resembles receiving a NAT attack. If the virtual server capacity used in the large-scale network decreases, the application of the small-scale network increases the cost. Virtualization allows the system to be deployed on the original hardware as a virtual machine. This condition significantly reduces the construction cost of the network. The system we have constructed can help reduce false information and enhance network stability and security. This system is designed as an application-level honeypot to enable the independent re-establishment of the monitoring mechanism. In practice, if every application has to be monitored, the system must customize the required applications with a large quantity of customized code. Therefore, we mainly monitor the attacks on Apache in a virtual environment.
4.7 System simulation
In a lab environment, we use Honeyd. It can create virtual hosts that can be configured to provide any services, and the system is compatible with them, which makes them look like real running systems. In a local area network emulation, Honeyd enables a single host to answer for many IP addresses (as many as 65,536). Network topologies are part of the core configuration file:
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
add router tcp port 23 "script/router-telnet.pl"
# the "windows" template bound below is not defined in the original listing;
# this minimal definition is assumed here so that the binds resolve
create windows
set windows default tcp action reset
bind 10.0.2.3 router
bind 10.0.3.0 router
bind 10.0.3.3 router
bind 10.0.1.20 windows
bind 192.168.10.5 windows
bind 192.168.10.6 windows
The Honeyd honeypot log file records all the virtual host connection information, including timestamps, protocol type, source address, destination address, port number, operating system type and other information. Viewing it with the vi command is shown in Figure 4.3 (Honeyd log):
Figure 4.3 Control system hardware structure diagram
In the above log, the attacking host (11.64.) is shown in the red box establishing connections to the honeypot virtual hosts, including TELNET, FTP and HTTP. By querying this information, evidence of the attacker's intrusion can be collected, and because these virtual hosts are honeypots, this poses no threat to the system.
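Added example, not from the report: turning Honeyd-style connection log lines into per-source evidence for the virtual hosts bound in the configuration above. The log lines are constructed, and the field layout (timestamp, proto(num), S/E/-, source, source port, destination, destination port, optional counters and OS fingerprint) is assumed to follow Honeyd's packet log rather than taken from the report.

```python
# Added example, not from the report. The log lines are constructed; the layout
# (timestamp proto(num) S|E|- src sport dst dport [: counters] [os]) is assumed
# to follow Honeyd's packet log and was not taken from the report.
import re
from collections import defaultdict

# virtual hosts bound in the Honeyd configuration of Section 4.7
HONEYPOT_HOSTS = {"10.0.2.3", "10.0.3.3", "10.0.1.20", "192.168.10.5", "192.168.10.6"}
SERVICES = {21: "FTP", 23: "TELNET", 80: "HTTP"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+)\(\d+\) (?P<kind>[SE-]) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)"
    r"(?::[^\[]*)?(?: \[(?P<os>[^\]]*)\])?$")

SAMPLE_LOG = """\
2017-03-01-09:12:44.101 tcp(6) S 172.16.50.9 51220 10.0.2.3 23 [Linux 2.4-2.6]
2017-03-01-09:12:51.330 tcp(6) E 172.16.50.9 51220 10.0.2.3 23: 312 88
2017-03-01-09:13:02.007 tcp(6) S 172.16.50.9 51231 10.0.2.3 21 [Linux 2.4-2.6]
2017-03-01-09:13:40.512 tcp(6) S 172.16.50.9 51240 192.168.10.5 80 [Linux 2.4-2.6]
2017-03-01-09:14:05.000 tcp(6) S 10.0.1.7 40001 10.0.1.20 80 [Windows XP SP1]
2017-03-01-09:15:00.000 udp(17) - 172.16.50.9 5353 10.0.3.3 53: 60
2017-03-01-09:15:30.000 tcp(6) S 10.0.1.7 40002 10.0.1.99 80 [Windows XP SP1]
"""


def parse_line(line: str):
    """One log line to a dict, or None when it does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(log_text: str) -> dict:
    """Per source address: decoy hosts and services touched, first/last time, OS guess."""
    report = defaultdict(lambda: {"hosts": set(), "services": set(),
                                  "first": None, "last": None, "os": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in HONEYPOT_HOSTS:
            continue  # skip unparsable lines and traffic not aimed at a decoy host
        r = report[rec["src"]]
        r["hosts"].add(rec["dst"])
        r["services"].add(SERVICES.get(rec["dport"], f"{rec['proto']}/{rec['dport']}"))
        r["first"] = r["first"] or rec["ts"]
        r["last"] = rec["ts"]
        r["os"] = r["os"] or rec["os"]   # fingerprint appears only on connection starts
    return dict(report)


def suspects(report: dict, min_services: int = 2) -> list:
    """Sources that probed several decoy services: the evidence worth preserving first."""
    return sorted(src for src, r in report.items() if len(r["services"]) >= min_services)
```

Any contact with a decoy host is suspicious by definition, so `min_services` only orders the evidence; the unknown host 10.0.1.99 in the last sample line is ignored because it is not a honeypot.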
Conclusion and Future Work
In this project, we design an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) that work on a technique known as "Honey token based Encrypted Pointers" and on honeypot technology against sophisticated cyber threats that target industrial networks. Honeypot technology has matured after a leap in its development. This technology aims to lure hackers to a decoy system, thus delaying the attack and providing network security specialists a window of opportunity to prevent the threat. The technology allows system administrators to learn the launch address, verify whether the security strategy is effective, and determine whether the defense line is solid. Existing networks are not always safe. IDS, firewalls, encryption, and other technologies have certain defects. Network security can be improved when such technologies are combined with the honeypot system. We believe that honeypot technology will play a crucial role in global network security. This IDS is specifically designed for the security of critical infrastructure sensor networks. We analyzed the performance of the IDS model on security and stability issues. The proposed IDS has the capability of detecting SCADA-based cyber-attacks, and the use of encryption in the IDS makes it more difficult for the attacker to launch a successful attack on critical infrastructure networks. This type of IDS can also assist conventional signature-based IDS in improving their efficiency in detecting new attacks.

Intrusion detection is still a long way from being mature; there is huge room for improvement and modification. Signature-based detection is reliable but completely misses zero-day attacks, while anomaly detection detects some zero-day attacks but produces a large number of false alarms, thus reducing the overall efficiency of the IDS. Cyber security experts believe that in the future we must introduce new methods and mechanisms for intrusion detection, and existing mechanisms will be discarded. Protocol analysis has huge potential: protocols are analyzed in depth and the results are used for intrusion detection. The target detection method is also very useful because in this method cryptographic algorithms are used to detect unauthorized changes in files. Rule-based intrusion detection should also be used along with honeypot technologies to improve detection efficiency. Honeypots are one of the most important tools for enhancing the process of intrusion detection. The core value of this tool lies not in its use but in its abuse. It detects intrusions far better than all the other mechanisms if deployed smartly. Intrusion Prevention Systems (IPS) are becoming more popular in the security industry because they not only detect the intrusion but also take preventive actions and defend the network by stopping the intruders. So, integration of honeytokens with other key technologies will enhance our existing IPS, and the use of advanced encryption methods provides us with more flexible options against the intruders. Our proposed IDS is a scalable solution and thus feasible for networks with a large number of nodes. Management becomes easy when system nodes are divided into different pools, and it is easy to trap the attacker when the network is divided into different segments. In this research work we use honeytokens for intrusion detection and found them useful against cyber-attacks on critical infrastructure networks. Our research work is focused on command injection attacks that disrupt the operations of critical infrastructure networks. The only limitation of the designed IDS is the length of the attack vector: if the attack vector is too small to tamper with a honeytoken, the probability of detection is low. There is huge hidden potential in the use of honeypots, honeynets and honeytokens for intrusion detection, and there is a lot more to be done by future researchers and engineers in the field of intrusion detection.
References
[1] M. Cheminod, L. Durante, and A. Valenzano, "Review of Security Issues in Industrial Networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277-293, 2013.
[2] M. Merabti, K. Michael, and W. Hurst, "Critical infrastructure protection: A 21st century challenge," International Conference on Communications and Information Technology (ICCIT), pp. 1-6, 2011.
[3] J. McHugh, "Intrusion and intrusion detection," International Journal of Information Security, vol. 1, no. 1, pp. 14-35, 2001.
[4] B. Zhu, J. Anthony, and S. Shankar, "A taxonomy of cyber-attacks on SCADA systems," 4th International Conference on Cyber, Physical and Social Computing, pp. 380-388, 2011.
[5] J. P. Disso, J. Kevin, and B. Steven, "A Plausible Solution to SCADA Security Honeypot Systems," Eighth International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 443-448, 2013.
[6] P. Jain and S. Anjali, "A hybrid honeyfarm based technique for defense against worm attacks," World Congress on Information and Communication Technologies (WICT), pp. 1084-1089, 2011.
[7] I. Kuwatly, S. Malek, A. Zaid, and A. Hassan, "A dynamic honeypot design for intrusion detection," International Conference on Pervasive Services (ICPS), pp. 95-104, 2004.
[8] Y. Yang and M. Jia, "Design and implementation of distributed intrusion detection system based on honeypot," International Conference on Computer Engineering and Technology (ICCET), vol. 6, pp. 260, 2010.
[9] R. Muraleedharan and A. O. Lisa, "An intrusion detection framework for sensor networks using honeypot and Swarm Intelligence," 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking & Services, pp. 1-2, 2009.
[10] Song Li, Qian Zou, and Wei Huang, "A New Type of Intrusion Prevention System," Guiyang University, Guiyang, China.