Digital Bond

For Secure & Robust ICS

  • Home
  • Consulting
  • S4x19
  • Dale Peterson
  • Hire Dale To Speak
  • Contact Us

S4x13 Video: Detecting 0-Day Attacks with Non-Signature IDS

May 9, 2013 by Dale Peterson 5 Comments

Damiano Bolzoni’s of Security Matters presented Detecting 0-Day and Targeted Attacks on ICS with Non-Signature Based IDS. While the quantitative mode of anomaly detection, looking at the quantity of packets, has had some success, qualitative approach has had a lot of research with minimal practical results.

The session explains n-gram analysis and shows the results of four different n-gram approaches on finding anomalies in 30-days of Modbus/TCP traffic on a water ICS and 7-days of SMB traffic on a gas SCADA. This was great to see because using real world data in ICS research is actually still rare.

The results of the n-gram models were better for the Modbus/TCP, but even the best model had 10 false positives a day even with the highly repetitive Modbus traffic.

Damiano then proposes a new method that is an extension of what is done in Tenable’s Passive Security Scanner, INL’s Sofia and other products. Those products will identify “normal” communication on the network by source IP, destination IP and destination TCP/UDP port. The example demonstrated in the presentation includes other ICS protocol parameters.

For example, it will identify what function codes are used and alert on new function codes. It will identify data lengths and alert on new data lengths. Obviously the similar the protocol the easier it is to do this. An application layer protocol like Modbus/TCP is relatively simple. A protocol that includes its own data and transport layer, like DNP3, could cause more false positives unless packet fragmentation is dealt with. A complex protocol like EtherNet/IP would be much more difficult. It is similar to the issues that require a preprocessor in signature based network IDS.

In fact, some of our early Quickdraw IDS signatures detect similar anomalous behavior. However, the signature based approach requires selecting and modifying the signatures manually. Damiano’s approach generates these rules automatically.

Filed Under: Network IDS/IPS, S4 Tagged With: Damiano Bolzoni, S4x13, SCADA IDS

Subscribe to the S4 Events YouTube Channel

S4x19 Is Open For Registration

Jan 14 – 17 in Miami Beach

Follow S4 Events on Facebook

Tools & Talks

DNS Squatting and You

DNS Squatting and You

February 24, 2016 By Reid W 3 Comments

Basecamp for Serial Converters

Basecamp for Serial Converters

October 30, 2015 By Reid W 3 Comments

escar Asia

escar Asia

September 9, 2015 By Dale Peterson 1 Comment

Unsolicited Response Podcast: Cyber Insurance

Unsolicited Response Podcast: Cyber Insurance

August 27, 2015 By Dale Peterson 3 Comments

S4 Events Newsletter

Subscribe to our newsletter on leading / bleeding edge ICS cyber security information and S4 Events.

* indicates required
Email Format

Dale's Tweets

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.

Recent Comments

  • Chris on Attacking CANBus – Part 1
  • Chris on Koyo/Automation Direct Vulnerabilities
  • Brandon Workentin on The ICS Security Stories We Tell And Love
  • Joe Weiss on Insanely Crowded ICS Anomaly Detection Market
  • Stuart Bailey on Unsolicited Response Podcast Is Back … With John Matherly of Shodan

Search….

Follow @digitalbond

Copyright © 2019 Digital Bond. - All Rights Reserved ·