
Multi-stage Cyber-Attacks Detection in the Industrial Control Systems

Article

Authors: Tomáš Bajtoš, Pavol Sokol, Terézia Mézešová 

Abstract

Industrial control systems are a prestigious target for attackers, and the attacks against them are becoming more sophisticated. Intrusion detection systems can uncover suspicious activity and point towards the individual steps of an attack. Because detection systems raise an overwhelming number of alerts, their aggregation and correlation are necessary. It is important for security analysts to correlate the alerts raised by detection systems and to project the next steps of the attack in order to better protect critical resources. In this chapter, we search for attack patterns in correlated alerts from an industrial control systems network. Our correlation approach is similarity-based, using IP addresses and ports. We construct a directed graph that describes all possible attack paths between multiple attack stages. Several interesting patterns are discussed.
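As an added illustration of the approach the abstract sketches (this is example code, not the authors' implementation), the block below correlates constructed IDS alerts by how many of their source IP, destination IP and destination port match, links time-ordered similar alerts with different signatures, and builds a directed graph of stage transitions from which attack paths are enumerated. The alert fields, signature names and the similarity threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not from the 4SICS dataset): one IDS event each.
ALERTS = [
    {"ts": 1, "sig": "ICS port scan",         "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 502},
    {"ts": 2, "sig": "Modbus function probe", "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 502},
    {"ts": 3, "sig": "Modbus write coil",     "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 502},
    {"ts": 4, "sig": "ICS port scan",         "src": "10.0.0.7", "dst": "10.0.1.11", "dport": 102},
    {"ts": 5, "sig": "S7comm stop PLC",       "src": "10.0.0.7", "dst": "10.0.1.11", "dport": 102},
    {"ts": 6, "sig": "Modbus write coil",     "src": "10.0.0.9", "dst": "10.0.1.12", "dport": 502},
]

def similarity(a, b):
    """Count of shared attributes among source IP, destination IP and port (assumed metric)."""
    return sum(a[k] == b[k] for k in ("src", "dst", "dport"))

def correlate(alerts, min_sim=2):
    """Link alert a -> b when b follows a in time, has a different signature
    (i.e. a different attack stage) and shares at least min_sim attributes."""
    ordered = sorted(alerts, key=lambda x: x["ts"])
    links = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a["sig"] != b["sig"] and similarity(a, b) >= min_sim:
                links.append((a, b))
    return links

def attack_graph(links):
    """Directed graph over stages: signature -> set of successor signatures."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a["sig"]].add(b["sig"])
    return dict(graph)

def attack_paths(graph, start):
    """Enumerate all simple paths (no repeated stage) starting from `start`."""
    paths = []

    def walk(node, path):
        nxt = [n for n in sorted(graph.get(node, ())) if n not in path]
        if not nxt:
            paths.append(path)
            return
        for n in nxt:
            walk(n, path + [n])

    walk(start, [start])
    return paths

if __name__ == "__main__":
    g = attack_graph(correlate(ALERTS))
    for p in attack_paths(g, "ICS port scan"):
        print(" -> ".join(p))
```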

Introduction

Our society is becoming more dependent on computers and networks. Industrial control systems are no exception, as they govern the most critical systems, without which people cannot continue their daily lives. Supervisory control and data acquisition (SCADA) systems are used in industrial control systems (ICS) to run automated processes that perform various industrial tasks. SCADA manages and controls a variety of systems, including cooling, ventilation, and power distribution and generation, in addition to sensitive processes such as nuclear fusion. However, the ICS landscape creates many security challenges that must be addressed. When the devices in an ICS are connected to the Internet, they must be properly protected. One example of a sophisticated attack against ICS is Stuxnet [1]. The statistics published by Kaspersky Lab in [2] clearly show that the number of connected ICS components is increasing and that the vulnerabilities in those components are diverse and exploitable by low-skilled attackers.

An intrusion is defined as any set of actions that compromise the integrity, confidentiality, or availability of a resource [3]. The main line of defence in critical computer networks is the intrusion detection system (IDS). IDSs mostly work by recognizing known attacks from signatures or by detecting anomalies in network traffic. As network traffic grows, the number of alerts produced by an IDS grows with it. Sophisticated attacks, however, evade IDSs by splitting the attack into several consecutive phases and carrying out each phase independently. Moreover, current cyberattacks show a tendency to become more precise, distributed, and large-scale. The consequences of such attacks going undetected are severe. Establishing a description and projection of the attack and documenting the attacker's behaviour is useful both for immediate protection of critical resources [4] and for later use, such as patch planning.

To detect the individual stages of an attack and place them in a broader context, we need to look at the relationships between the individual security events sent by the IDS. This chapter contributes to the detection of multi-stage attacks by presenting a method for finding attack patterns in a dataset of raw individual security events captured from network intrusion detection systems in an industrial environment.

To formalize the scope of the chapter, we state the following research objectives:

  • to survey related works about searching for attack paths, applicable to ICS;
  • to establish an appropriate method for searching for attack paths in industrial control networks.

This chapter is organized into 5 sections. Section 2 presents the main terminology and introduces the functionality of the components needed for multi-stage attack detection. In Sect. 3 we discuss related work in the area of finding attack patterns. Section 4 focuses on the specifics of the 4SICS dataset, which contains events from industrial control systems. Section 5 presents our approach to finding relationships between security events. Finally, in Sect. 6, the results of running our approach on the 4SICS dataset are presented and discussed.