Abstract
Industrial Control Systems (ICS) are attractive targets for attackers because of the significant cyber-physical damage they can inflict. As such, they are frequently subjected to reconnaissance campaigns that aim to discover vulnerabilities exploitable over the Internet. Because these campaigns scan large netblocks of the Internet, some of their IP packets are directed to the darknet: routable, allocated but unused IP address space. In this paper, we propose a new technique to detect, fingerprint, and track probing campaigns targeting ICS systems by leveraging the traffic received by a /13 darknet. The proposed technique automatically detects such ICS probing campaigns in near-real time and generates relevant and timely cyber threat intelligence, using graph-theoretic methods to compare packets and aggregate them into campaigns. In addition, it assigns each observed campaign a fingerprint that uniquely characterizes it and allows it to be tracked over time. Our technique has been tested on 12.85 TB of data, representing 330 days of received darknet network traffic. Our analysis allows for the discovery not only of known, legitimate, recurrent probing campaigns such as those performed by Shodan and Censys, but also uncovers coordinated campaigns launched by other organizations. Furthermore, we give details on a campaign linked to botnet activity targeting the EtherNet/IP protocol.
The research reported in this article is supported by the NSERC/Hydro-Québec Thales Senior Industrial Research Chair in Smart Grid Security.
Acknowledgment
We thank our colleagues and partners from Farsight Security for access to their network telescope data feed, in addition to the precious and constructive feedback they have provided on our work. Furthermore, we wish to thank our partners at Hydro-Québec and Thales for their help, support and contributions to our research.
© 2019 Springer Nature Switzerland AG
Cite this paper
Cabana, O., Youssef, A.M., Debbabi, M., Lebel, B., Kassouf, M., Agba, B.L. (2019). Detecting, Fingerprinting and Tracking Reconnaissance Campaigns Targeting Industrial Control Systems. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_5
DOI: https://doi.org/10.1007/978-3-030-22038-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9
eBook Packages: Computer Science (R0)