Annual Report 2018-2019

National Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures

Indian Institute of Technology Kanpur

Funded By: Science and Engineering Research Board, Department of Science and Technology, Govt. of India


C3i Center

IITK Kalyanpur

Kanpur 208016

C3i Center Annual Report 2018 - 2019

https://security.cse.iitk.ac.in

This document contains material, which is the copyright of C3i Center, and may not be reproduced or copied without permission in writing. The commercial/non-commercial use of any information contained in this document may require a license from the proprietor of that information.

Contents

Executive Summary

Message

List of Authors

I C3i Center

1 History

2 Objectives

3 Deliverables

4 Infrastructure

II Achievements

5 Vulnerability Assessment

6 Intrusion Detection System

7 Honeypots

8 Malware Analysis

9 Insider Threat Detection with Blockchain

10 Formal Verification

11 Cryptographic Hardware

12 Publications

13 Thesis

III Outreach

14 Collaboration

15 Events

16 Training

17 Lab Visits at C3i Center

Executive Summary

This progress report summarizes the activities and achievements of the C3i center from September 2018 to August 2019.

The center has several deliverables, namely (i) a national scale SCADA/ICS test-bed for cyber security studies; (ii) developing tools and techniques for malware collection, benchmarking of malware detection and classification algorithms; (iii) developing tools and techniques for vulnerability and penetration testing and discovery of yet to be uncovered vulnerabilities in ICS software; (iv) developing tools and techniques for insider-threat proofing; (v) working with power utilities to develop data analytic techniques on PMU data to detect on-going cyber-attacks; (vi) creating at least one start-up on the developed technologies; (vii) developing mobile malware and their analysis techniques.

In the last year, test-bed creation in the various critical infrastructure sectors has been accelerated, and at this time all test-beds except the power transmission test-bed have been installed: power distribution, solar and diesel generation and synchronization, water treatment plant, and industrial manufacturing test-beds have all been installed in the lab. The C3i center also moved to a new building constructed by IIT Kanpur, where the test-beds have been installed. The power transmission test-bed is being commissioned.

The C3i center researchers installed honeypots to collect malware, and also worked with various researchers around the world to collect sizable repositories of Windows, Linux and Android malware for applying machine learning based malware detection and classification tools. The students and engineers at the center published 3 papers in international conferences on malware and bot-net detection. Adversarial training techniques to defeat malware that evades machine learning based detection by adversarial design have been developed.

In vulnerability and penetration testing, this year has been quite successful. 7 CVE (Common Vulnerabilities and Exposures) numbers have been assigned to vulnerabilities discovered and disclosed by C3i center. Security advisories attributed to C3i center have been published world-wide by the vendors. 1 more CVE has been assigned, but until the vendor sends out security advisories, it will not be put in the NVD database. More than 15 vulnerabilities have been disclosed by C3i center and are being validated by the vendors, upon completion of which CVEs will be assigned. Overall, C3i has now made it into the league of organizations that contribute to the Common Vulnerabilities and Exposures database. Several penetration testing and industrial network traffic capture and analysis tools have been developed and are being developed further.

In the context of insider threats, a block-chain based solution for detecting any tampering in a database by privileged administrators has been developed, implemented and put to use in a project on block-chain based land-record management. This technique, called Verity, has been demonstrated at various block-chain forums. Further work on insider threat detection is planned.

Several techniques have been developed and implemented to detect false data injection and data tampering in industrial control networks. On the PLC side, due to resource constraints, invariant failure based monitoring has been tested and implemented. On the SCADA side, singular spectrum analysis of sensor measurement time series has been implemented. It has also been demonstrated that previous work on singular spectrum analysis has lower accuracy than our new method.

A start-up development is under discussion at the moment, and we hope that by next year a start-up will be spawned by C3i. We have already signed an MoU with Tech-Mahindra to bring our Malware Analysis tool, the Web-application firewall, and Honeypot technology to the market. We are in the process of signing an MoU with BEL for similar cooperation. Schneider Electric has signed an MoU with us to help develop vulnerability discovery tools.

Mobile malware analysis work has progressed and C3i has developed a tool for Android malware detection. An instrumented sandbox for dynamic analysis of Android has also been developed.

A lot of interaction with government agencies such as the National Cyber Security Coordinator, Central Electric Authority and National Thermal Power Corporation is on-going. Several industries such as Schneider, Siemens and Tech-Mahindra have been interacting quite often. Disclosures of vulnerabilities have been made to many ICS vendors, Schneider and Rockwell in particular.

C3i center also promotes awareness and education in cyber-security. The yearly cyber-security competition event CSAW, in cooperation with New York University, has been an on-going activity every year. C3i center organized India's first ever Capture-the-flag for SCADA (SCADA-CTF) at Nullcon in 2019. C3i also hosted 20+ summer interns during the summer who worked for 2 months on various cyber security projects. C3i also conducted two courses, each of 2 weeks duration, for engineers from various Asian and African countries at the behest of the Ministry of External Affairs. A few other training sessions have been organized for various government agencies (not to be named) and students.


Message

This is the second issue of the annual report of the C3i Center. C3i center aims at spawning initiatives to develop technology and deploy technological safeguards to protect critical infrastructures. The goal of the center is to create India’s first research centre whose mission is research, education and training in the field of critical infrastructure protection and vulnerability studies. The Science and Engineering Research Board (SERB) under the Department of Science and Technology (DST) of the Government of India funded the Interdisciplinary Centre for Cyber Security and Cyber Defence of Critical Infrastructures (C3i Center) at IIT Kanpur in March 2017.


List of Authors

Authors: Manindra Agrawal, Sandeep K Shukla, S C Srivastava

Project Title: National Interdisciplinary Center for cyber security and cyber defense of critical Infrastructures

Security: RESTRICTED (RE)

Version: 1.0

Total number of pages: 76


List of Figures

1.1 History of C3i Center

4.1 Batch / Process Automation Testbed

4.2 Solar Power generation

4.3 Diesel power generation

4.4 Feeder Automation System

4.5 Conveyor

4.6 Power synchronization system

4.7 Industrial Manufacturing Testbed

6.1 Peer to Peer botnet detection

6.2 Threat Intelligence System

6.3 Command Injection

6.4 False Data Injection to change set points

6.5 ICS-NIDS Dashboard

6.6 ICS-NIDS Logs

6.7 RADOLT

7.1 Types of Honeypot Developed

7.2 Total 1217 attacks observed for a period of 13 days

7.3 Attack Statistics

8.1 Static Analysis Results

8.2 Dynamic Analysis Results

9.1 Insider Attack Detection

11.1 Hardware Setup of Kryptoceler

11.2 Five layer Protocol Stack for Kryptoceler operation

List of Tables

12.1 Publication of C3i Center

12.2 Publication of C3i Center

12.3 Publication of C3i Center

13.1 Thesis submitted since September’18 to August’19

I C3i Center

1. History

[Figure: timeline of milestones over the years 2017, 2018, 2019]

1st Year: SERB, DST sanctioned the establishment; Cyber Security Awareness Week; Honeypot; SIEM Solution; Inventory Intelligence system; 0 Day Malware Detection and classification; First Power testbed established

2nd Year: New Building; Process automation Testbed; Manufacturing automation Testbed; Malware Analysis tool; ICS Honeypot; Cyber Security Awareness Week; SPACE 2018; India’s first SCADA CTF; Power Generation: DG setup; Power Generation: Solar setup; Power synchronization setup with EB; Blockchain based solutions; IDS for network: Botnet detector; IDS for Internet facing servers: web; IDS for Industrial Control / SCADA system

Figure 1.1: History of C3i Center

In March 2017, SERB/DST sanctioned the establishment of the National Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures (also known as ‘C3i center’). An amount of 14.43 crores INR was sanctioned over a five year period (March 2017 to Feb 2022) to establish this center as a center of excellence in securing critical infrastructures of the country. In the last few years it has been recognised internationally for its work.

2. Objectives

Major Objectives

• Design and Development of Machine learning algorithms for detecting on-going cyber-attacks and advanced persistent threats on power systems

• Build methodology and techniques for deploying honey nets to develop a malware repository and malware analysis and trend forecasting capabilities

• Apply formal methods to develop effective algorithms for vulnerability and malware detection in applications, systems, and firmware – and transfer such technology to a startup ecosystem

• Develop protocol reverse engineering tools and capabilities to detect presence of botnets, trojans and other advanced persistent threats

• Develop light weight cryptography and block chain-based authentication, identity management and key management schemes for network of devices (IoT and M2M)

• Develop cryptographic co-processors and side-channel proofing techniques for cryptographic hardware, and software systems

• Field testing security techniques, architectures, and protocols on the IITK smart city project

• Develop security architecture, perimeter defense, network and Cloud security for critical infrastructure, and inform the policy formulation and best practices guidance for NCIIPC

3. Deliverables

(1) A national scale SCADA test bed for research, training, and hardware / software in-the-loop testing by vendors at IIT Kanpur

(2) Tools and techniques for malware collection and bench mark creation for malware analysis

(3) Tools and techniques for application software vulnerability detection

(4) Tools and techniques for Insider threat-proofing critical infrastructure IT system

(5) Work with a power utility or smart grid corporation to experimentally use our PMU data analytics-based tools for detecting advanced persistent threats

(6) Create at least one start up with IIT Kanpur incubation enterprise in the cyber security of critical infrastructure space by licensing IP in vulnerability detection, protocol reverse engineering, malware detection etc.

(7) Creation of malware for exploitation of criminal information systems and mobiles for cyber espionage

4. Infrastructure

The Interdisciplinary center for cyber security and cyber defense of critical infrastructures (C3i) at the Indian Institute of Technology Kanpur enables researchers to work with pilot setups of critical infrastructures.

Testbed: Power, Manufacturing, Process

Industry Verticals: Power Generation, Power Distribution, Process industry, Material handling, Manufacturing Industry

Figure 4.1: Batch / Process Automation Testbed

Process Automation Testbed

The batch / process automation testbed is equipped with different makes of PLC integrated with a SCADA system. This testbed enables researchers to design and develop cyber security solutions for the process industry. Major features of the testbed are listed below.

• Multistage process

• PLC to PLC communication

• Integrated SCADA host

• Level transmitter

• Flow transmitter

• Pressure transmitter

• Water pumps

• Solenoid Valves

• Motorized Valves

• Vacuum pump

• Compressor unit

• Air Dryer


Figure 4.2: Solar Power generation

Figure 4.3: Diesel power generation

Power Generation

Salient features of power generation setup are

• Solar panels

• Inverters

• Diesel gensets

• Anemometer

• Humidity sensor


Figure 4.4: Feeder Automation System

Figure 4.5: Conveyor

Power Distribution

Salient features of power distribution system are

• Power control center

• Feeder Automation

• Numerical Relay

• PLC, RTU

• Integrated SCADA

• Bi-directional Conveyor

• VFD units


Figure 4.6: Power synchronization system

Power Synchronization

Salient features of power synchronization system are

• Auto mains failure

• Load management

• DG synchronization

• Integrated PLC

• Integrated SCADA

• Synchronizer

• Protection relays

Figure 4.7: Industrial Manufacturing Testbed


Manufacturing System

Salient features of industrial manufacturing system are

• Manufacturing system

• Job feeding station

• Job buffering station

• Job processing station

• Job sorting station

• PLC

• Integrated SCADA

C3i Center gives researchers hands-on access to a wide variety of equipment.

II Achievements

5. Vulnerability Assessment

The assessment of hardware and software pertaining to operational technologies in industrial control systems has commenced in a controlled environment. Team C3i has successfully identified a large number of vulnerabilities in the products as well as in the systems. A few of them have already received international recognition.

Acknowledgement of Responsible disclosures

• 15+ Responsible disclosures

• 7 CVE disclosed

• 1 CVE assigned but yet undisclosed

CVE-2018-7811

CVSS v3 BASE SCORE 9.8 (Critical)

Vendor: Schneider Electric

Equipment: PLC

Vulnerability: A CWE-620: Unverified Password Change vulnerability exists on the embedded web server which could allow an unauthenticated remote user to access the change password function of the web server.

SEVD-2018-327-01

https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01/

CVE-2019-10981

CVSS v3 BASE SCORE 7.8 (High)

Vendor: AVEVA

Equipment: Vijeo Citect and Citect SCADA

Vulnerability: Insufficiently Protected Credentials

ICS Advisory (ICSA-19-150-01)

https://www.us-cert.gov/ics/advisories/ICSA-19-150-01

https://nvd.nist.gov/vuln/detail/CVE-2019-10981

CVE-2019-6813

CVSS v3.0 Base Score 7.5 (High)

Vendor: Schneider Electric

Equipment: PLC

Vulnerability: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.

SEVD-2019-225-02

https://www.schneider-electric.com/en/download/document/SEVD-2019-225-02/

CVE-2019-6813

CVSS v3.0 Base Score 7.5 (High)

Vendor: Schneider Electric

Equipment: RTU

Vulnerability: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.

SEVD-2019-225-03

https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/

CVE-2019-6812

CVSS v3.0 Base Score 7.2 (High)

Vendor: Schneider Electric

Equipment: RTU

Vulnerability: A CWE-798 use of hardcoded credentials vulnerability exists which could cause a confidentiality issue when using FTP protocol.

SEVD-2019-134-06

https://nvd.nist.gov/vuln/detail/CVE-2019-6812

CVE-2019-6831

CVSS v3.0 Base Score 7.5 (High)

Vendor: Schneider Electric

Equipment: RTU

Vulnerability: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause disconnection of active connections when an unusually high number of IEC 60870-5-104 packets are received by the module on port 2404/TCP.

SEVD-2019-225-03

https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/

CVE-2019-6810

CVSS v3.0 Base Score 8.6 (High)

Vendor: Schneider Electric

Equipment: RTU

Vulnerability: A CWE-284: Improper Access Control vulnerability exists which could cause the execution of commands by unauthorized users when using IEC 60870-5-104 protocol.

SEVD-2019-225-03

https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/

CVE-2019-6833

CVSS v3.0 Base Score 7.4 (High)

Vendor: Schneider Electric

Equipment: HMI

Vulnerability: A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause a temporary freeze of the HMI when a high rate of frames is received. When the attack stops, the buffered commands are processed by the HMI panel.

SEVD-2019-225-01

https://www.schneider-electric.com/en/download/document/SEVD-2019-225-01/

Responsible Disclosure

List of responsible disclosures made by the team.

Vendor: Rockwell Automation

Vulnerabilities reported : 04

Vendor: Wago

Vulnerabilities reported : 01

Upcoming CVE

CVEs that have been assigned but not officially released.

Vendor: Schneider Electric

CVE-ID : CVE-2019-6811

CASE NO. : 263954


6. Intrusion Detection System

PeerClear

For a zero trust network, PeerClear is designed to monitor for the existence of botnet agents in the network by analysing the traffic. It notifies if any network connected device has been compromised or is supporting attacks like DDoS, email spam, phishing, password sniffing, etc. This intrusion detection works in two stages: (a) detect all hosts involved in peer to peer activities; (b) among the hosts identified, detect bot activity in all hosts involved in peer to peer activity, and further detect the bots in those hosts.

Botnet detection rate: up to 99.85%

Figure 6.1: Peer to Peer botnet detection


Threat Intelligence System

A completely homegrown threat intelligence monitoring and analytics framework has been built to monitor all cyber events incident upon the center. Machine learning based detection of threats with high accuracy (above 95%) and a low false positive rate (less than 5%) has been implemented and integrated with the threat intelligence monitoring system. This helps any SOC (Security Operation Center) to obtain full visibility, situational awareness and actionable threat intelligence. This system can be customized for other facilities outside the center as well. Fig. 6.2 shows a screenshot of the C3i threat intelligence console.

Figure 6.2: Threat Intelligence System


IDS for ICS

A retrofit solution for critical infrastructures: a lightweight program that runs on the PLC and, based on business process rules, can detect any data tampering, including false data injection attacks.

Figure 6.3: Command Injection

Figure 6.4: False Data Injection to change set points


NIDS for ICS

A Network Intrusion Detection System (NIDS) for industrial control systems can be an add-on for enhancing the security of these systems. An ICS-specific IDS that detects SCADA attacks based on their network traffic behaviour, namely the temporal behaviour of frequent patterns of the industrial communication protocols, has been implemented and deployed.

Figure 6.5: ICS-NIDS Dashboard

Figure 6.6: ICS-NIDS Logs


Robust Attack Detection OnLine Technique (RADOLT)

RADOLT detects attacks by generating an alarm score for each newly generated measurement of a sensor/actuator. It learns an embedded sample space of normal sub-sequences and estimates the probability of a testing point in that sample space by Gaussian kernel density estimation. RADOLT can learn the normal sub-sequences throughout its life cycle, which decreases the false alarm rate over time. RADOLT is tested on the SWaT, BATADAL, TE-process and C3i datasets. RADOLT is able to detect more attacks and generates fewer false alarms than any other available method.

Figure 6.7: RADOLT
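The scoring idea described above (embed sub-sequences, estimate density with a Gaussian kernel, keep learning normal windows), as an added Python sketch that is not RADOLT's own code. The window length, bandwidth, threshold, the rule of learning every non-alarmed window and the sensor signal are all assumptions constructed for illustration.

```python
import math


def embed(series, w):
    """Time-delay embedding: every length-w sliding window is one point."""
    return [tuple(series[i:i + w]) for i in range(len(series) - w + 1)]


class KdeAlarm:
    """Alarm score = -log p(x), p being a Gaussian KDE over normal windows."""

    def __init__(self, window, bandwidth, threshold):
        self.w, self.h, self.threshold = window, bandwidth, threshold
        self.samples = []

    def fit(self, normal_series):
        self.samples.extend(embed(normal_series, self.w))

    def score(self, point):
        # Exponent of each isotropic Gaussian kernel centred on a sample.
        exps = [-sum((a - b) ** 2 for a, b in zip(point, s)) / (2 * self.h ** 2)
                for s in self.samples]
        # log-sum-exp keeps the result finite when every kernel underflows.
        m = max(exps)
        log_sum = m + math.log(sum(math.exp(e - m) for e in exps))
        log_norm = (math.log(len(self.samples))
                    + self.w * math.log(self.h * math.sqrt(2 * math.pi)))
        return log_norm - log_sum

    def observe(self, last_w):
        """Score the newest window; windows that raise no alarm are learned."""
        point = tuple(last_w)
        s = self.score(point)
        alarm = s > self.threshold
        if not alarm:
            self.samples.append(point)
        return s, alarm


def level(t):
    """Constructed sensor signal: a tank level cycling between 40 and 60."""
    return 50.0 + 10.0 * math.sin(2 * math.pi * t / 20)


def run_demo():
    train = [level(t) for t in range(200)]  # attack-free history
    det = KdeAlarm(window=4, bandwidth=1.0, threshold=10.0)  # assumed values
    det.fit(train)
    # Constructed attack: samples 5..14 report a frozen 50.0, a value inside
    # the normal range, so a plain min/max check would not flag it.
    stream = [50.0 if 5 <= i < 15 else level(200 + i) for i in range(40)]
    history = train[-(det.w - 1):]
    scores, alarms = [], []
    for i, value in enumerate(stream):
        history.append(value)
        s, alarm = det.observe(history[-det.w:])
        scores.append(s)
        if alarm:
            alarms.append(i)
    return scores, alarms, len(det.samples)


if __name__ == "__main__":
    scores, alarms, n = run_demo()
    print("alarm indices:", alarms)
    print("learned windows:", n)
```

The three alarms after the frozen run ends come from windows that still contain tampered samples; once the window holds only genuine measurements the score drops back below the threshold.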


7. Honeypots

C3i Center is developing and deploying a honey network composed of several honeypots created at the centre. After the success of the C3i IT honeypots, the C3i Center started development of honeypots fit for industrial control systems.

Figure 7.1: Types of Honeypot Developed


Figure 7.2: Total 1217 attacks observed for a period of 13 days

Figure 7.3: Attack Statistics


8. Malware Analysis

Team C3i offers an indigenous Web based Malware Analysis Tool. This tool is capable of detecting and classifying malware in near real time. The tool contains various types of analysis for various platforms such as Windows, Linux, Android, etc. It uses an ensemble of machine learning models.

Static, Dynamic, Forensic, Image based

55417 Malware Samples Analyzed by experienced team of C3i

• 10980 PDF malware samples

• 13000 Android malware samples

• 16300 Linux malware samples

• 15137 Windows malware samples


Figure 8.1: Static Analysis Results

Figure 8.2: Dynamic Analysis Results

Classification Accuracy of Linux Malware

Malware: up to 98.20%

Packed Malware: up to 58.40%


Classification Accuracy of Windows Malware

Using Image representation

Malware: up to 98.10%

Packed Malware: up to 60.50%

Previously Unseen Malware: up to 76.97%

Early Stage Behavioral Analysis

Static Analysis: up to 97.952% with FPR of 0.5%

Dynamic Analysis: up to 99.13% with FPR of 0.2%

Hybrid Analysis: up to 99.74% with FPR of 0.1%

Memory Forensic

Memory Dumps: up to 97.89% with FPR of 0.43%

Classification Accuracy of Android Malware

Malware: up to 99.61% with FPR of 0.37%


9. Insider Threat Detection with Blockchain

Verity: Detects insider attacks on databases using blockchain technology. An insider attack, where someone with administrative privileges tampers with the data, poses a unique challenge. Verity uses a formalism for intercepting SQL queries; the query results are matched against signatures stored on a blockchain to check their integrity.

Figure 9.1: Insider Attack Detection. Components shown: Client, Web Application, SQL Processor, Verity, REST API, DBMS, Blockchain Network. Numbered flows: (1) SQL request (via application's interface); (2) modified SQL; (3) tuples to verify; (4) request fingerprints of tuples; (5) return fingerprints; (6) return results.
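The query-result check described above, as an added Python sketch that is not Verity's code: SQLite stands in for the DBMS and an in-memory append-only log stands in for the blockchain. The `accounts` table, the `Interceptor` and `Ledger` classes and the SHA-256 fingerprint format are assumptions made for illustration.

```python
import hashlib
import sqlite3

COLUMNS = ("id", "owner", "balance")  # hypothetical table "accounts"


def fingerprint(table, row):
    """SHA-256 over a length-prefixed encoding of table name and tuple."""
    h = hashlib.sha256()
    for field in (table, *row):
        data = repr(field).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


class Ledger:
    """Stand-in for the blockchain: append-only fingerprints per primary key."""
    def __init__(self):
        self._log = {}

    def append(self, key, fp):
        self._log.setdefault(key, []).append(fp)  # earlier entries are kept

    def latest(self, key):
        return self._log.get(key, [None])[-1]


class TamperedTuples(Exception):
    def __init__(self, keys):
        super().__init__(f"fingerprint mismatch for primary keys {keys}")
        self.keys = keys


class Interceptor:
    """Sits between application and DBMS (hypothetical interface)."""
    def __init__(self, db, ledger):
        self.db, self.ledger = db, ledger

    def insert(self, row):
        self.db.execute("INSERT INTO accounts VALUES (?, ?, ?)", row)
        self.ledger.append(row[0], fingerprint("accounts", row))

    def select(self, wanted, owner):
        idx = [COLUMNS.index(c) for c in wanted]  # unknown column: ValueError
        # Modified SQL: fetch whole tuples so each one can be fingerprinted.
        rows = self.db.execute("SELECT id, owner, balance FROM accounts "
                               "WHERE owner = ?", (owner,)).fetchall()
        bad = [r[0] for r in rows
               if fingerprint("accounts", r) != self.ledger.latest(r[0])]
        if bad:
            raise TamperedTuples(bad)
        return [tuple(r[i] for i in idx) for r in rows]  # original projection


def run_demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts "
               "(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    guard = Interceptor(db, Ledger())
    guard.insert((1, "alice", 500))
    guard.insert((2, "bob", 120))
    clean = guard.select(("owner", "balance"), "alice")
    # Constructed insider action: direct UPDATE that bypasses the interceptor.
    db.execute("UPDATE accounts SET balance = 999999 WHERE id = 2")
    try:
        guard.select(("balance",), "bob")
        detected = []
    except TamperedTuples as exc:
        detected = exc.keys
    return clean, detected


if __name__ == "__main__":
    print(run_demo())
```

This sketch only checks the tuples a query returns; a row deleted by an insider never appears in the result, so catching that would need a separate completeness check.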


10. Formal Verification

To compute the risk posed to individual nodes due to existing vulnerabilities, we use a model checker to compute the probability scores for all nodes in any network on which vulnerability scanning tools found known vulnerabilities. C3i uses the probabilistic model checking tool PRISM to compute threat scores.


This work has been completed in collaboration with


11. Cryptographic Hardware

Kryptoceler: An FPGA-based hardware accelerator for packet-level encryption that reduces the workload and speeds up the throughput of network applications. Stronger security assurance is grounded in the root-of-trust for software, firmware and hardware that performs reliable security operations. The hardware of "Kryptoceler" is tested for a back-door or a Trojan to ensure that there is no point of vulnerability on the board. With this foundation of trust, software and firmware solutions for cryptographic cores are implemented on the hardware.

Figure 11.1: Hardware Setup of Kryptoceler


Figure 11.2: Five layer Protocol Stack for Kryptoceler operation


12. Publications

Table 12.1: Publication of C3i Center

• 2019. Fadadu Fenil kumar Chetanbhai, Anand Handa, Nitesh Kumar, Sandeep Kumar Shukla, Evading API call sequence based Malware Classifiers, 14th IEEE International Conference on Malicious and Unwanted Software MALCON 2019, Nantucket, Massachusetts, USA, 2019 (WITHDRAWN).

• 2019. Gaurav Kumar, Nitesh Kumar, Anand Handa, Sandeep Kumar Shukla, Automated Malware Detection using Memory Forensics, 14th IEEE International Conference on Malicious and Unwanted Software MALCON 2019, Nantucket, Massachusetts, USA, 2019 (WITHDRAWN).

• 2019. Bishwas C. Gupta and Sandeep K. Shukla, "A Study of inequality in the Ethereum Smart Contract Ecosystem", accepted at the International Symposium on Blockchain Computing and Applications (BCCA 2019), Granada, Spain, October 2019.

• 2019. Devendra Meena, Ras Dwivedi, Sandeep K. Shukla, "Preserving Patient's Privacy using Proxy Re-encryption in Permissioned Blockchain", accepted at the International Symposium on Blockchain Computing and Applications (BCCA 2019), Granada, Spain, October 2019.


Table 12.2: Publication of C3i Center

• 2019. Harsh Bhagwani, Rohit Negi, Aneet Kumar Dutta, Anand Handa, Nitesh Kumar and Sandeep Kumar Shukla, "Automated Classification of Web-Application Attacks for Intrusion Detection", accepted at the 9th International Conference on Security, Privacy, and Applied Cryptographic Engineering (SPACE 2019), December, 2019, Gandhinagar, India.

• 2019. Nitesh Kumar, Subhasis Mukhopadhyay, Mugdha Gupta, Anand Handa and Sandeep K. Shukla, "Malware Classification using Early Stage Behavioral Analysis", accepted at the 14th Asia Joint Conference on Information Security (AsiaJCIS 2019), August 1-2, 2019, Kobe, Japan.

• 2019. Asan M. Basiri and Sandeep K. Shukla, "Formal Hardware Verification of InfoSec Primitives", accepted at IEEE Computer Society Annual Symposium on VLSI, Miami, Florida, USA, July, 2019.

• 2019. Prachi Joshi, S. S. Ravi, Qingyu Liu, Unmesh D. Bordoloi, Soheil Samii, Sandeep Shukla, and Haibo Zeng, "Approaches for Assigning Offsets to Signals for Improving Frame Packing in CAN-FD", IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), Print ISSN: 0278-0070, Online ISSN: 1937-4151, Digital Object Identifier: 10.1109/TCAD.2019.2907921, 2019.

• 2019. S. Srivastava, Shubham & Atre, Medha & Sharma, Shubham & Gupta, Rahul & Shukla, Sandeep, "Verity: Blockchains to Detect Insider Attacks in DBMS", CoRR abs/1901.00228, February, 2019.

• 2019. Singh C., Satish S., Mitra J., Shukla S, "Buffer Overflow Attack and Prevention for an FPGA-Based Soft-Processor System", In: Saini H., Singh R., Kumar G., Rather G., Santhi K. (eds) Innovations in Electronics and Communication Engineering. Lecture Notes in Networks and Systems, vol 65. Springer, Singapore, 2019.


Table 12.3: Publication of C3i Center

• 2019. Sekhari, Ashwin, Chatterjee, Rishav, Dwivedi, Ras, Negi, Rohit & Shukla, Sandeep, "Entangled Blockchains in Land Registry Management", In Proceedings of the Third Workshop on Blockchain Technologies and its Applications, pp. 8-13, Mumbai, February, 2019.

• 2019. Amit Kumar, Nitesh Kumar, Anand Handa and Sandeep K. Shukla, "PeerClear: Peer-to-Peer Bot-net Detection", accepted at the 3rd International Symposium on Cyber Security, Cryptology and Machine Learning (CSCML 2019), Be'er Sheva, Israel, June, 2019.

• 2019. Ajay Singh, Anand Handa, Nitesh Kumar and Sandeep Kumar Shukla, "Malware Classification using Image Representation", accepted at the 3rd International Symposium on Cyber Security, Cryptology and Machine Learning (CSCML 2019), Be'er Sheva, Israel, June, 2019.

• 2019. Bhaskar Pratim Mukhoty, Vikas Maurya, and Sandeep K. Shukla, "Sequence to sequence deep learning models for solar irradiation forecasting", accepted, IEEE Power Tech Conference, IEEE PES, Milano, Italy, July, 2019.

• 2019. Soumyo V. Chakraborty, and Sandeep K. Shukla, "Predictive Modeling of Electricity Trading Prices and the Impact of Increasing Solar Energy Penetration", accepted, IEEE Power Tech Conference, IEEE PES, Milano, Italy, July, 2019.

• 2019. Rohit Negi, Sandeep Kumar Shukla, Ashish Gahlot, Parvin Kumar, Shibashis Ghosh, "Vulnerability Assessment and Mitigation for Industrial Critical Infrastructures with Cyber Physical Test Bed", IEEE International Conference on Industrial Cyber Physical Systems (ICPS 2019), Taipei, Taiwan, 2019.

• 2019. Handa A, Sharma A, Shukla SK, "Machine learning in cybersecurity: A review", WIREs Data Mining Knowledge Discovery Journal, 2019;e1306, https://doi.org/10.1002/widm.1306, February 2019.

• 2018. Mohamed Asan Basiri M, Sandeep K. Shukla, "Asynchronous Hardware Implementations for Crypto Primitives", Microprocessors and Microsystems Journal (MICPRO), Elsevier, Nov 2018.


13. Thesis

Table 13.1: Theses submitted from September '18 to August '19

1. Evading API Call Sequence Based Malware Classifiers, Fadadu, Fenil.

2. Analysis of Ethereum Smart Contracts - A Security Perspective, Gupta, Bishwas C.

3. Anomaly Detection in the Ethereum network, Singh, Ajay.

4. Preserving patient's privacy using proxy re-encryption in permissioned blockchain, Meena, Devendra K.

5. Property Registration and Land Record Management via Blockchains, Gunda, Abhishek.

6. Elastico as an ordering service in Hyperledger Fabric, Agarwal, Ayushi.

7. Log based Dynamic Intrusion Detection of Web Applications, Bhagwani, Harsh.

8. Context Aware Honeypot for Cross-Site Scripting attacks using Machine Learning Techniques, Aggarwal, Shubham.

9. Feature Engineering & Analysis Towards Temporally Robust Detection of Android Malware, Jaiswal, Sagar.


III Outreach

14 Collaboration

15 Events

16 Training

17 Lab Visits at C3i Center


14. Collaboration

Tech Mahindra

Schneider Electric India Private Limited

National Stock Exchange India


15. Events

Team C3i actively organises cyber security events, as listed here.

CSAW in collaboration with


SPACE 2018 in collaboration with

SCADA CTF at Nullcon in collaboration with


16. Training

Team C3i provided training to the international IT workforce under the ITEC programme of the Ministry of External Affairs.

Hands-on training for students from various countries

• BHUTAN

• BANGLADESH

• CAMEROON

• NIGERIA

• ETHIOPIA

• TANZANIA

• SOUTH SUDAN

• UGANDA

• LAOS

• MAURITIUS

• OMAN

• SYRIA

• PALESTINE

• EGYPT

• IRAQI-KURDISTAN


Hands-on Workshop at Techkriti

Hands-on Workshop at Nullcon


17. Lab Visits at C3i Center

Dr. Koppillil Radhakrishnan (Former Chairman of Space Commission, Secretary of Department of Space and Chairman of ISRO) Chairperson, BoG, IIT Kanpur

Lt. Gen Rajesh Pant, Cyber Security Chief India visited C3i Center


Prof. Arvind, MIT visited C3i Lab

Honorable member of Neeti Aayog Dr. Vijay Saraswat at C3i Lab

National Thermal Power Corporation visited C3i Lab


Vice President, Quality Council of India visited C3i Lab

DRDO scientists at C3i Lab

Security & Exchange Board of India cyber security team at C3i Lab


UPSIDC visiting C3i Lab

Additional Director General of UP Police visiting C3i Lab

Aditya Birla Group visited C3i Center


Eran Toch, Tel Aviv University & Shay Gueron, University of Haifa & Avi Mendelson, Technion, Israel

Founder of Nutanix visiting C3i Lab

Vanessa Teague, University of Melbourne, Australia & Nasour Bagheri, SRTTU Tehran, Iran


C3i invited Whitehat hackers to the lab

Shankya Lab visited C3i lab


https://security.cse.iitk.ac.in