SRI EMERALD IDS

From SCADApedia


SRI's Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) is a network intrusion detection system (NIDS) developed in the late 1990s for a variety of research projects. EMERALD was customized and extended for control systems as part of the I3P Project.

EMERALD combines the signature approach commonly found in most NIDS, such as Snort, with anomaly detection. The SRI team refers to anomaly detection as model-based techniques. The I3P effort added signature and model-based techniques for the Modbus TCP control system protocol to EMERALD.

Modbus TCP Detection Capabilities

Three different detection capabilities were added to EMERALD for Modbus TCP.

  1. Protocol Level Detection - EMERALD modeled the use of Modbus TCP in a control system. Some of the modeling was based on the standard, such as maximum packet length. Other modeling was based on the equipment and usage of the specific control system, for example which Modbus TCP function codes were implemented and actually used. EMERALD includes the Snort NIDS application, and Digital Bond's Modbus TCP IDS Signatures were added to the rules along with additional signatures developed by SRI. These signatures identify protocol violations and usage violations based on the modeling.
  2. Communication Pattern Based Detection - After installation, control system communication tends to be static. A set number of clients (HMIs, control servers, engineering workstations) communicate with a set of controllers and instruments. By monitoring and modeling this communication, and then converting the model into Snort rules, EMERALD can identify new communication patterns that may indicate an attacker or an unauthorized addition to the control system.
  3. New Service and Function Code Detection - Prior to the I3P project, EMERALD supported a Bayes sensor that identified new services on a server. The concept was that most services should start up shortly after reboot, so any service started later could be a rogue service. Similarly, Modbus TCP function code support should typically not change after installation, so a function code first seen on a server long after installation is suspect.

Status and Availability

The EMERALD system, including the customization and extensions from the I3P project, is not available for purchase or download from SRI.

SRI will entertain the possibility of using EMERALD in a pilot system or spinning this technology out to a commercial entity.

It is unclear whether further extension of the EMERALD system will be part of Phase II of the I3P project.

External Links

I3P Emerald Project Page

I3P Process Control Systems Project

SRI Intrusion Detection Page

EMERALD Paper in S4 Proceedings
