Annual Report 2018-2019
National Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures
Indian Institute of Technology Kanpur
Funded by: Science and Engineering Research Board, Department of Science and Technology, Govt. of India
C3i Center, IITK Kalyanpur, Kanpur 208016
C3i Center Annual Report 2018 - 2019
https://security.cse.iitk.ac.in
This document contains material which is the copyright of the C3i Center and may not be reproduced or copied without permission in writing. The commercial or non-commercial use of any information contained in this document may require a license from the proprietor of that information.
Contents
Executive Summary
Message
List of Authors
I C3i Center
1 History
2 Objectives
3 Deliverables
4 Infrastructure
II Achievements
5 Vulnerability Assessment
6 Intrusion Detection System
7 Honeypots
8 Malware Analysis
9 Insider Threat Detection with Blockchain
10 Formal Verification
11 Cryptographic Hardware
12 Publications
13 Thesis
III Outreach
14 Collaboration
15 Events
16 Training
17 Lab Visits at C3i Center
Annual Report 2018-19, C3i Center, IIT Kanpur
Executive Summary
This progress report summarizes the activities and achievements of the C3i Center from September 2018 to August 2019.
The center has several deliverables, namely: (i) a national-scale SCADA/ICS test-bed for cyber security studies; (ii) tools and techniques for malware collection and for benchmarking malware detection and classification algorithms; (iii) tools and techniques for vulnerability and penetration testing and for the discovery of as yet unknown vulnerabilities in ICS software; (iv) tools and techniques for insider-threat proofing; (v) work with power utilities to develop data-analytic techniques on PMU data that detect on-going cyber-attacks; (vi) the creation of at least one start-up based on the developed technologies; and (vii) the development of mobile malware and of techniques for its analysis.
In the last year, the creation of test-beds for the various critical infrastructure sectors has been accelerated; at this time all test-beds except the power transmission test-bed have been installed. The power distribution, solar and diesel generation and synchronization, water treatment plant and industrial manufacturing test-beds have all been installed in the lab. The C3i Center also moved to a new building constructed by IIT Kanpur, where the test-beds have been installed. The power transmission test-bed is being commissioned.
The C3i Center researchers installed honeypots to collect malware, and also worked with researchers around the world to collect sizable repositories of Windows, Linux and Android malware for applying machine-learning-based malware detection and classification tools. The students and engineers at the center published 3 papers in international conferences on malware and botnet detection. Adversarial training techniques have been developed to defeat malware that is designed to evade machine-learning-based detection.
In vulnerability and penetration testing, this year has been quite successful. 7 CVE (Common Vulnerabilities and Exposures) identifiers have been assigned to vulnerabilities discovered and disclosed by the C3i Center, and the vendors have published security advisories worldwide that credit the C3i Center. One more CVE has been assigned, but it will not appear in the NVD database until the vendor sends out its security advisory. More than 15 vulnerabilities have been disclosed by the C3i Center and are being validated by the vendors; CVEs will be assigned once that validation is complete. Overall, C3i is now among the organizations that contribute to the Common Vulnerabilities and Exposures database. Several penetration testing and industrial network traffic capture and analysis tools have been developed and are being developed further.
In the context of insider threats, a blockchain-based solution for detecting any tampering with a database by privileged administrators has been developed, implemented and put to use in a project on blockchain-based land-record management. This technique, called Verity, has been demonstrated at various blockchain forums. Further work on insider threat detection is planned.
Several techniques have been developed and implemented to detect false data injection and data tampering in industrial control networks. On the PLC side, because of resource constraints, invariant-failure-based monitoring has been tested and implemented. On the SCADA side, singular spectrum analysis of sensor measurement time series has been implemented. It has also been demonstrated that previous work on singular spectrum analysis has lower accuracy than our new method.
A start-up is under discussion at the moment, and we hope that by next year a start-up will be spawned by C3i. We have already signed an MoU with Tech Mahindra to bring our malware analysis tool, web application firewall and honeypot technology to market. We are in the process of signing an MoU with BEL for similar cooperation. Schneider Electric has signed an MoU with us to help develop vulnerability discovery tools.
Mobile malware analysis work has progressed, and C3i has developed a tool for Android malware detection. An instrumented sandbox for dynamic analysis of Android applications has also been developed.
A great deal of interaction with government agencies such as the National Cyber Security Coordinator, the Central Electricity Authority and the National Thermal Power Corporation is on-going. Several industries, such as Schneider, Siemens and Tech Mahindra, have been interacting with the center quite often. Vulnerabilities have been disclosed to many ICS vendors, Schneider and Rockwell in particular.
The C3i Center also promotes awareness and education in cyber security. The yearly cyber security competition CSAW, run in cooperation with New York University, has been an on-going activity every year. The C3i Center organized India's first ever Capture-the-Flag for SCADA (SCADA-CTF) at Nullcon in 2019. C3i also hosted 20+ summer interns, who worked for 2 months on various cyber security projects. C3i also conducted two courses, each of 2 weeks' duration, for engineers from various Asian and African countries at the behest of the Ministry of External Affairs. A few other training sessions have been organized for various government agencies (not to be named) and students.
Message
This is the second issue of the annual report of the C3i Center. The C3i Center aims at spawning initiatives to develop technology and deploy technological safeguards to protect critical infrastructures. The goal of the center is to be India's first research centre whose mission is research, education and training in the field of critical infrastructure protection and vulnerability studies. The Science and Engineering Research Board (SERB) under the Department of Science and Technology (DST) of the Government of India funded the Interdisciplinary Centre for Cyber Security and Cyber Defence of Critical Infrastructures (C3i Center) at IIT Kanpur in March 2017.
List of Authors
Authors: Manindra Agrawal, Sandeep K Shukla, S C Srivastava
Project Title: National Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures
Security: RESTRICTED (RE)
Version: 1.0
Total number of pages: 76
List of Figures
1.1 History of C3i Center
4.1 Batch / Process Automation Testbed
4.2 Solar Power generation
4.3 Diesel power generation
4.4 Feeder Automation System
4.5 Conveyor
4.6 Power synchronization system
4.7 Industrial Manufacturing Testbed
6.1 Peer to Peer botnet detection
6.2 Threat Intelligence System
6.3 Command Injection
6.4 False Data Injection to change set points
6.5 ICS-NIDS Dashboard
6.6 ICS-NIDS Logs
6.7 RADOLT
7.1 Types of Honeypot Developed
7.2 Total 1217 attacks observed for a period of 13 days
7.3 Attack Statistics
8.1 Static Analysis Results
8.2 Dynamic Analysis Results
9.1 Insider Attack Detection
11.1 Hardware Setup of Kryptoceler
11.2 Five layer Protocol Stack for Kryptoceler operation
List of Tables
12.1 Publications of the C3i Center
12.2 Publications of the C3i Center (continued)
12.3 Publications of the C3i Center (continued)
13.1 Theses submitted from September 2018 to August 2019
I. C3i Center
1. History
Figure 1.1: History of C3i Center (timeline 2017 to 2019, recovered from the figure)
1st year (2017-18): SERB, DST sanctioned the establishment; Cyber Security Awareness Week; Honeypot; SIEM solution; Inventory intelligence system; 0-day malware detection and classification; first power test bed established.
2nd year (2018-19): New building; Process automation test bed; Manufacturing automation test bed; Malware analysis tool; ICS honeypot; Cyber Security Awareness Week; SPACE 2018; India's first SCADA CTF; Power generation: DG setup; Power generation: solar setup; Power synchronization setup with EB; Blockchain-based solutions; IDS for network: botnet detector; IDS for Internet-facing servers: web; IDS for Industrial Control / SCADA systems.
In March 2017, SERB/DST sanctioned the establishment of the
National Interdisciplinary center for Cyber Security and Cyber
Defense of Critical Infrastructures (also known as ‘C3i center’).
An amount of 14.43 crores INR was sanctioned over a five-year period (March 2017 to February 2022) to establish this center as a center of excellence in securing the critical infrastructures of the country. In the last few years it has been recognised internationally for its work.
2. Objectives
Major Objectives
• Design and Development of Machine learning algorithms
for detecting on-going cyber-attacks and advanced per-
sistent threats on power systems
• Build methodology and techniques for deploying honey
nets to develop a malware repository and malware anal-
ysis and trend forecasting capabilities
• Apply formal methods to develop effective algorithms
for vulnerability and malware detection in applications,
systems, and firmware – and transfer such technology to
a startup ecosystem
• Develop protocol reverse engineering tools and capabili-
ties to detect presence of botnets, trojans and other ad-
vanced persistent threats
• Develop light weight cryptography and block chain-
based authentication, identity management and key
management schemes for network of devices (IoT and
M2M)
• Develop cryptographic co-processors and side-channel
proofing techniques for cryptographic hardware, and
software systems
• Field testing security techniques, architectures, and pro-
tocols on the IITK smart city project
• Develop security architecture, perimeter defense, net-
work and Cloud security for critical infrastructure, and
inform the policy formulation and best practices guid-
ance for NCIIPC
3. Deliverables
1. A national-scale SCADA test bed for research, training, and hardware / software in-the-loop testing by vendors at IIT Kanpur
2. Tools and techniques for malware collection and benchmark creation for malware analysis
3. Tools and techniques for application software vulnerability detection
4. Tools and techniques for insider-threat-proofing critical infrastructure IT systems
5. Work with a power utility or smart grid corporation to experimentally use our PMU data analytics-based tools for detecting advanced persistent threats
6. Create at least one start-up with the IIT Kanpur incubation enterprise in the cyber security of critical infrastructure space by licensing IP in vulnerability detection, protocol reverse engineering, malware detection etc.
7. Creation of malware for the exploitation of criminal information systems and mobiles for cyber espionage
4. Infrastructure
The Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures (C3i) at the Indian Institute of Technology Kanpur enables researchers to work with pilot setups of critical infrastructures.
Testbeds: Power, Manufacturing, Process
Industry verticals: Power generation, Power distribution, Process industry, Material handling, Manufacturing industry
Figure 4.1: Batch / Process Automation Testbed
Process Automation Testbed
The batch / process automation testbed is equipped with PLCs of different makes integrated with a SCADA system. It enables researchers to design and develop cyber security solutions for the process industry. The major features of the testbed are listed below.
• Multistage process
• PLC to PLC communication
• Integrated SCADA host
• Level transmitter
• Flow transmitter
• Pressure transmitter
• Water pumps
• Solenoid Valves
• Motorized Valves
• Vacuum pump
• Compressor unit
• Air Dryer
Figure 4.2: Solar Power generation
Figure 4.3: Diesel power generation
Power Generation
Salient features of power generation setup are
• Solar panels
• Inverters
• Diesel gensets
• Anemometer
• Humidity sensor
Figure 4.4: Feeder Automation System
Figure 4.5: Conveyor
Power Distribution
Salient features of power distribution system are
• Power control center
• Feeder Automation
• Numerical Relay
• PLC, RTU
• Integrated SCADA
• Bi-directional Conveyor
• VFD units
Figure 4.6: Power synchronization system
Power Synchronization
Salient features of power synchronization system are
• Auto mains failure
• Load management
• DG synchronization
• Integrated PLC
• Integrated SCADA
• Synchronizer
• Protection relays
Figure 4.7: Industrial Manufacturing Testbed
Manufacturing System
Salient features of industrial manufacturing system are
• Manufacturing system
• Job feeding station
• Job buffering station
• Job processing station
• Job sorting station
• PLC
• Integrated SCADA
The C3i Center gives researchers hands-on access to a wide variety of equipment.
II. Achievements
5. Vulnerability Assessment
The assessment of hardware and software pertaining to operational technology in industrial control systems has commenced in a controlled environment. Team C3i has successfully identified a large number of vulnerabilities in products as well as in systems. A few of them have already received international recognition.
Acknowledgement of responsible disclosures
• 15+ responsible disclosures
• 7 CVEs disclosed
• 1 CVE assigned but not yet disclosed
CVE-2018-7811
CVSS v3 Base Score: 9.8 (Critical)
Vendor: Schneider Electric
Equipment: PLC
Vulnerability: A CWE-620: Unverified Password Change vulnerability exists on the embedded web server, which could allow an unauthenticated remote user to access the change-password function of the web server.
Advisory: SEVD-2018-327-01, https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01/
CVE-2019-10981
CVSS v3 Base Score: 7.8 (High)
Vendor: AVEVA
Equipment: Vijeo Citect and Citect SCADA
Vulnerability: Insufficiently Protected Credentials
Advisory: ICS Advisory ICSA-19-150-01, https://www.us-cert.gov/ics/advisories/ICSA-19-150-01
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-10981
CVE-2019-6813
CVSS v3.0 Base Score: 7.5 (High)
Vendor: Schneider Electric
Equipment: PLC and RTU (the same CVE is covered by two vendor advisories)
Vulnerability: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.
Advisories: SEVD-2019-225-02 (PLC), https://www.schneider-electric.com/en/download/document/SEVD-2019-225-02/ and SEVD-2019-225-03 (RTU), https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/
CVE-2019-6812
CVSS v3.0 Base Score: 7.2 (High)
Vendor: Schneider Electric
Equipment: RTU
Vulnerability: A CWE-798: Use of Hard-coded Credentials vulnerability exists which could cause a confidentiality issue when using the FTP protocol.
Advisory: SEVD-2019-134-06
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-6812
CVE-2019-6831
CVSS v3.0 Base Score: 7.5 (High)
Vendor: Schneider Electric
Equipment: RTU
Vulnerability: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause disconnection of active connections when an unusually high number of IEC 60870-5-104 packets are received by the module on port 2404/TCP.
Advisory: SEVD-2019-225-03, https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/
CVE-2019-6810
CVSS v3.0 Base Score: 8.6 (High)
Vendor: Schneider Electric
Equipment: RTU
Vulnerability: A CWE-284: Improper Access Control vulnerability exists which could cause the execution of commands by unauthorized users when using the IEC 60870-5-104 protocol.
Advisory: SEVD-2019-225-03, https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/
CVE-2019-6833
CVSS v3.0 Base Score: 7.4 (High)
Vendor: Schneider Electric
Equipment: HMI
Vulnerability: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause a temporary freeze of the HMI when a high rate of frames is received. When the attack stops, the buffered commands are processed by the HMI panel.
Advisory: SEVD-2019-225-01, https://www.schneider-electric.com/en/download/document/SEVD-2019-225-01/
Responsible Disclosure
List of responsible disclosures made by the team:
Vendor: Rockwell Automation, vulnerabilities reported: 4
Vendor: Wago, vulnerabilities reported: 1
Upcoming CVE
CVE assigned but not yet officially released:
Vendor: Schneider Electric
CVE-ID: CVE-2019-6811
Case no.: 263954
6. Intrusion Detection System
PeerClear
PeerClear is designed to monitor a network for the presence of botnet agents by analysing its traffic, in support of a zero-trust network. It notifies the operator if any network-connected device has been compromised or is supporting attacks such as DDoS, e-mail spam, phishing or password sniffing. Detection works in two stages: (a) detect all hosts involved in peer-to-peer activity; (b) among the hosts so identified, detect bot activity and thereby the bots themselves.
Botnet detection rate: up to 99.85%
Figure 6.1: Peer to Peer botnet detection
Threat Intelligence System
A completely home-grown threat intelligence monitoring and analytics framework has been built to monitor all cyber events directed at the center. Machine-learning-based threat detection with high accuracy (above 95%) and a low false positive rate (below 5%) has been implemented and integrated with the monitoring system. This gives a SOC (Security Operations Center) full visibility, situational awareness and actionable threat intelligence. The system can be customized for facilities outside the center as well. Fig. 6.2 shows a screenshot of the C3i threat intelligence console.
Figure 6.2: Threat Intelligence System
IDS for ICS
A retrofit solution for critical infrastructures: a light-weight program that runs on the PLC and checks the business-process rules (process invariants) can detect data tampering, including false data injection attacks, without any change to the rest of the control system.
Figure 6.3: Command Injection
Figure 6.4: False Data Injection to change set points
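As an added illustration of the invariant-based check described above (example code written for this edition, not the C3i PLC program), the following Python monitor evaluates a few hypothetical process invariants of a single tank over a constructed scan sequence: the level may only rise while the inlet pump is commanded on, may only fall while the outlet valve is commanded open, and may never change faster than the plant physics allow. The tank, its limits, the noise band and the injected trace are all assumptions made for the example.

```python
# Added example (this edition, not the C3i PLC program): process-invariant
# monitoring of a single tank. The tank, its physical limits and the sample
# stream below are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int            # scan cycle
    level: float      # tank level in % as reported by the level transmitter
    pump_on: bool     # inlet pump command in this cycle
    valve_open: bool  # outlet valve command in this cycle


# Hypothetical plant physics: the pump raises the level by at most MAX_RISE
# per cycle, the outlet drains at most MAX_FALL per cycle.
MAX_RISE = 2.0
MAX_FALL = 3.0
NOISE = 0.05          # transmitter jitter tolerated before a change counts


def check_invariants(prev, cur):
    """Names of the process invariants violated between two consecutive scans."""
    violations = []
    if not 0.0 <= cur.level <= 100.0:
        violations.append("range")
    delta = cur.level - prev.level
    # Level can only rise while the inlet pump was commanded on.
    if delta > NOISE and not prev.pump_on:
        violations.append("rise_without_pump")
    # Level can only fall while the outlet valve was commanded open.
    if delta < -NOISE and not prev.valve_open:
        violations.append("fall_without_valve")
    # Rate of change is bounded by the plant, whatever the commands say.
    if delta > MAX_RISE or delta < -MAX_FALL:
        violations.append("rate_limit")
    return violations


def monitor(samples):
    """Run the checks over a scan sequence; map cycle -> violated invariants."""
    alarms = {}
    for prev, cur in zip(samples, samples[1:]):
        found = check_invariants(prev, cur)
        if found:
            alarms[cur.t] = found
    return alarms


def injected_stream():
    """Constructed trace: honest filling for six scans, then an attacker
    reports a low, falling level while the pump runs and the valve is shut,
    the way a false-data-injection attack tries to drive an overfill."""
    trace = [Sample(0, 40.0, True, False)]
    for t in range(1, 6):
        trace.append(Sample(t, 40.0 + 1.5 * t, True, False))
    trace.append(Sample(6, 30.0, True, False))   # injected reading
    trace.append(Sample(7, 29.5, True, False))   # injected reading
    return trace


if __name__ == "__main__":
    for cycle, names in monitor(injected_stream()).items():
        print(f"cycle {cycle}: {', '.join(names)}")
```

The first injected scan trips two invariants at once (a fall with the valve shut, and a fall faster than the outlet can physically produce); the second trips only the valve invariant, since an attacker who ramps the forged value slowly stays under the rate limit. That is why the checks are kept independent: a rate limit alone is easy to evade, a command-consistency rule is not.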
NIDS for ICS
A Network Intrusion Detection System (NIDS) for industrial control systems can be added on to enhance the security of these systems. An ICS-specific IDS that detects SCADA attacks from their network traffic behaviour, namely the temporal behaviour of the frequent patterns of the industrial communication protocols, has been implemented and deployed.
Figure 6.5: ICS-NIDS Dashboard
Figure 6.6: ICS-NIDS Logs
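The following Python example, written for this edition and not the C3i ICS-NIDS, shows one simple way to turn "temporal behaviour of frequent protocol patterns" into a detector: a baseline of frequent (source, destination, function code, address) patterns and their polling intervals is learned from constructed Modbus/TCP-style log lines, and the live stream is then checked for patterns never seen in the baseline and for known patterns whose inter-arrival time deviates from the learned period. The log format, the addresses and the traffic are constructed assumptions.

```python
# Added example (this edition, not the C3i ICS-NIDS): a baseline of frequent
# (src, dst, function code, address) patterns and their polling intervals,
# learned from constructed Modbus/TCP-style log lines, then used to flag
# unseen patterns and timing deviations. Log format and addresses are assumed.
import re
import statistics

LINE = re.compile(
    r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) fc=(?P<fc>\d+) addr=(?P<addr>\d+)")


def parse(lines):
    """(timestamp, pattern key) per parseable line, sorted by time."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            key = (m["src"], m["dst"], int(m["fc"]), int(m["addr"]))
            events.append((float(m["t"]), key))
    return sorted(events)


def learn_profile(events, min_support=3):
    """Frequent patterns (seen at least min_support times) with the mean and a
    floored standard deviation of their inter-arrival time."""
    last, gaps = {}, {}
    for t, key in events:
        if key in last:
            gaps.setdefault(key, []).append(t - last[key])
        last[key] = t
    profile = {}
    for key, g in gaps.items():
        if len(g) + 1 >= min_support:
            mean = statistics.mean(g)
            sd = max(statistics.pstdev(g), 0.05 * mean)   # floor: no zero-width bands
            profile[key] = (mean, sd)
    return profile


def detect(events, profile, k=4.0):
    """Alerts as (time, kind, key): a pattern never seen in the baseline, or a
    known pattern whose inter-arrival time is more than k standard deviations
    from its learned period (bursts, replays, stalled polling)."""
    alerts, last = [], {}
    for t, key in events:
        if key not in profile:
            alerts.append((t, "unknown pattern", key))
            continue
        if key in last:
            mean, sd = profile[key]
            if abs((t - last[key]) - mean) > k * sd:
                alerts.append((t, "interval anomaly", key))
        last[key] = t
    return alerts


def demo():
    plc, scada, rogue = "10.0.0.20", "10.0.0.5", "10.0.0.99"
    # Baseline: the SCADA host reads holding registers every second and
    # writes a setpoint block every ten seconds.
    train = [f"t={t:.1f} src={scada} dst={plc} fc=3 addr=0" for t in range(30)]
    train += [f"t={t:.1f} src={scada} dst={plc} fc=16 addr=100" for t in (0, 10, 20)]
    # Test window: normal polling plus a rogue single-register write and a
    # burst of replayed polls from the legitimate SCADA address.
    test = [f"t={t:.1f} src={scada} dst={plc} fc=3 addr=0" for t in range(30, 38)]
    test += [f"t=33.5 src={rogue} dst={plc} fc=6 addr=100",
             f"t=35.1 src={scada} dst={plc} fc=3 addr=0",
             f"t=35.2 src={scada} dst={plc} fc=3 addr=0",
             f"t=35.3 src={scada} dst={plc} fc=3 addr=0",
             f"t=40.0 src={scada} dst={plc} fc=16 addr=100"]
    profile = learn_profile(parse(train))
    return detect(parse(test), profile)


if __name__ == "__main__":
    for t, kind, key in demo():
        print(f"{t:6.1f}  {kind:17s}  {key}")
```

The rogue write is caught as an unknown pattern even though it targets the same register block the SCADA host legitimately writes, because the source address is part of the pattern key. The replayed polls are caught by timing, and so is the first honest poll after the burst (its interval is 0.7 s instead of 1.0 s); an operator dashboard would group such cascaded alerts into one incident.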
Robust Attack Detection OnLine Technique (RADOLT)
RADOLT detects attacks by generating an alarm score for each newly generated measurement of a sensor or actuator. It learns an embedded sample space of normal sub-sequences and estimates the probability of a test point in that sample space by Gaussian kernel density estimation. RADOLT keeps learning normal sub-sequences throughout its life cycle, which decreases its false alarm rate over time. RADOLT has been tested on the SWaT, BATADAL, TE-process and C3i datasets, where it detects more attacks and generates fewer false alarms than the other available methods.
Figure 6.7: RADOLT
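To make the mechanism concrete, the following Python example (added for this edition; it is not the RADOLT implementation) embeds a sensor series as overlapping sub-sequences, scores each new sub-sequence by its Gaussian kernel density over the stored normal ones, and adds every sub-sequence judged normal back into the sample space, which is the life-cycle learning described above. The window length, bandwidth, alarm margin, the synthetic periodic sensor and the injected values are assumptions for the example.

```python
# Added example (this edition, not the RADOLT implementation): alarm scoring
# of sensor sub-sequences by Gaussian kernel density estimation, with the
# life-cycle learning of normal sub-sequences described above. Window size,
# bandwidth, margin and the synthetic sensor are assumptions.
import math
import random


def windows(series, w):
    """Embed a measurement series as overlapping sub-sequences of length w."""
    return [tuple(series[i:i + w]) for i in range(len(series) - w + 1)]


def gaussian_kde(point, samples, h):
    """Gaussian KDE of `point` over the stored normal sub-sequences."""
    d = len(point)
    norm = 1.0 / (len(samples) * (h * math.sqrt(2.0 * math.pi)) ** d)
    acc = 0.0
    for s in samples:
        sq = sum((a - b) ** 2 for a, b in zip(point, s))
        acc += math.exp(-sq / (2.0 * h * h))
    return norm * acc


class SubsequenceKDE:
    def __init__(self, window=4, bandwidth=0.5, margin=2.0):
        self.w, self.h, self.margin = window, bandwidth, margin
        self.normal = []          # embedded sample space of normal sub-sequences
        self.threshold = None

    def score(self, sub):
        """Alarm score: negative log density, higher means more anomalous."""
        return -math.log(gaussian_kde(sub, self.normal, self.h) + 1e-300)

    def fit(self, series):
        self.normal = windows(series, self.w)
        # Calibrate on the training windows themselves, plus a margin in nats
        # so that ordinary transmitter noise does not raise alarms.
        self.threshold = max(self.score(s) for s in self.normal) + self.margin

    def run(self, series):
        """Score every window; return (scores, indices of alarmed samples).
        Windows judged normal are added to the sample space, so the detector
        keeps learning and its false-alarm rate falls over time."""
        scores, alarms = [], []
        for i, sub in enumerate(windows(series, self.w)):
            sc = self.score(sub)
            scores.append(sc)
            if sc > self.threshold:
                alarms.append(i + self.w - 1)
            else:
                self.normal.append(sub)
        return scores, alarms


def sensor(t, rng):
    """Synthetic periodic level reading with small transmitter noise."""
    return 50.0 + 2.0 * math.sin(2.0 * math.pi * t / 8.0) + rng.uniform(-0.1, 0.1)


def demo():
    rng = random.Random(7)
    train = [sensor(t, rng) for t in range(40)]
    test = [sensor(t, rng) for t in range(40, 64)]
    test[16:] = [60.0] * 8          # false data injection: value pinned at 60
    det = SubsequenceKDE()
    det.fit(train)
    _, alarms = det.run(test)
    return alarms, len(det.normal)


if __name__ == "__main__":
    alarms, n = demo()
    print("alarmed sample indices:", alarms, "| learned normal windows:", n)
```

Every window that overlaps the injected segment is alarmed, while the sixteen normal test samples pass and are absorbed into the sample space. Because alarmed windows are never learned, an attacker cannot slowly "teach" the detector a new normal by first tripping it; the remaining risk is a drift slow enough to stay under the margin at every step, which is why the margin should be set from the process tolerance rather than from convenience.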
7. Honeypots
The C3i Center is developing and deploying a honey network composed of several honeypots created at the centre. After the success of the C3i IT honeypots, the center started developing honeypots suited to industrial control systems.
Figure 7.1: Types of Honeypot Developed
Figure 7.2: Total 1217 attacks observed for a period of 13 days
Figure 7.3: Attack Statistics
8. Malware Analysis
Team C3i offers an indigenous web-based malware analysis tool. It is capable of detecting and classifying malware in near real time, supports several kinds of analysis (static, dynamic, forensic and image-based) for platforms such as Windows, Linux and Android, and uses an ensemble of machine-learning models.
55417 malware samples analyzed by the experienced C3i team:
• 10980 PDF malware samples
• 13000 Android malware samples
• 16300 Linux malware samples
• 15137 Windows malware samples
Figure 8.1: Static Analysis Results
Figure 8.2: Dynamic Analysis Results
Classification accuracy of Linux malware
• Malware: up to 98.20%
• Packed malware: up to 58.40%
Classification accuracy of Windows malware
Using image representation:
• Malware: up to 98.10%
• Packed malware: up to 60.50%
• Previously unseen malware: up to 76.97%
Early-stage behavioral analysis:
• Static analysis: up to 97.952% with FPR of 0.5%
• Dynamic analysis: up to 99.13% with FPR of 0.2%
• Hybrid analysis: up to 99.74% with FPR of 0.1%
Memory forensics:
• Memory dumps: up to 97.89% with FPR of 0.43%
Classification accuracy of Android malware
• Malware: up to 99.61% with FPR of 0.37%
9. Insider Threat Detection with Blockchain
Verity detects insider attacks on databases using blockchain technology. An insider attack in which someone with administrative privileges tampers with the data poses a unique challenge, because the tampering happens below the application and leaves the DBMS's own access controls satisfied. Verity uses a formalism for intercepting SQL queries; the query results are matched against signatures stored on a blockchain to check the integrity of the returned tuples.
Figure 9.1: Insider Attack Detection (architecture diagram recovered from the figure; components: Client, Web Application, Verity with a REST API, SQL Processor, DBMS, Blockchain Network)
1. SQL request (via the application's interface)
2. Modified SQL
3. Tuples to verify
4. Request fingerprints of tuples
5. Return fingerprints
6. Return results
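The following Python example, added for this edition and not the Verity code, shows the core of the idea on a small land-record table: writes made through the application register a per-tuple fingerprint in an append-only hash chain (standing in for the blockchain network of the figure), and every read re-fingerprints the returned tuple and compares it with the registered one, so a DBA who edits the row directly in the DBMS is caught. The table, the records, the per-tuple fingerprint scheme and the in-process ledger are assumptions; Verity's own query-rewriting formalism (the "modified SQL" step of the figure) is not reproduced here.

```python
# Added example (this edition, not the Verity code): application writes are
# fingerprinted into an append-only hash chain standing in for the
# blockchain, and every read is re-fingerprinted and compared, so a DBA who
# edits rows behind the application is caught. Table, records and the
# per-tuple scheme are assumptions; Verity's own query-rewriting formalism
# is not reproduced here.
import hashlib
import json
import sqlite3


def fingerprint(row):
    """Deterministic digest of one tuple (the 'signature' stored on-chain)."""
    return hashlib.sha256(json.dumps(list(row)).encode()).hexdigest()


class Ledger:
    """Append-only hash chain; each block commits to the previous block."""

    def __init__(self):
        self.blocks = []   # (prev_hash, payload, block_hash)
        self.latest = {}   # (table, key) -> most recent fingerprint

    def append(self, table, key, fp):
        prev = self.blocks[-1][2] if self.blocks else "0" * 64
        payload = json.dumps({"table": table, "key": key, "fp": fp}, sort_keys=True)
        block_hash = hashlib.sha256((prev + payload).encode()).hexdigest()
        self.blocks.append((prev, payload, block_hash))
        self.latest[(table, key)] = fp

    def lookup(self, table, key):
        return self.latest.get((table, key))

    def verify_chain(self):
        prev = "0" * 64
        for p, payload, h in self.blocks:
            if p != prev or hashlib.sha256((p + payload).encode()).hexdigest() != h:
                return False
            prev = h
        return True


class VerityProxy:
    """Sits between the application and the DBMS: writes register a
    fingerprint, reads are checked against the registered one."""

    def __init__(self, conn, ledger):
        self.conn, self.ledger = conn, ledger

    def insert_record(self, plot_id, owner, area):
        self.conn.execute("INSERT INTO land(plot_id, owner, area) VALUES (?, ?, ?)",
                          (plot_id, owner, area))
        self.conn.commit()
        self.ledger.append("land", plot_id, fingerprint((plot_id, owner, area)))

    def query_record(self, plot_id):
        """(row, verified): verified is False when the stored tuple no longer
        matches its on-chain fingerprint."""
        row = self.conn.execute(
            "SELECT plot_id, owner, area FROM land WHERE plot_id = ?", (plot_id,)).fetchone()
        if row is None:
            return None, False
        return row, fingerprint(row) == self.ledger.lookup("land", plot_id)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE land(plot_id TEXT PRIMARY KEY, owner TEXT, area REAL)")
    proxy = VerityProxy(conn, Ledger())
    proxy.insert_record("P-101", "A. Sharma", 1200.0)   # constructed records
    proxy.insert_record("P-102", "R. Verma", 850.5)
    before = proxy.query_record("P-101")[1]
    # Insider with DBA rights bypasses the application and rewrites ownership.
    conn.execute("UPDATE land SET owner = ? WHERE plot_id = ?", ("M. Insider", "P-101"))
    conn.commit()
    after = proxy.query_record("P-101")[1]
    untouched = proxy.query_record("P-102")[1]
    return before, after, untouched, proxy.ledger.verify_chain()


if __name__ == "__main__":
    print(demo())   # (True, False, True, True)
```

The property that matters is where the fingerprints live: the DBA can rewrite the row, but cannot rewrite a ledger that is replicated outside the DBMS and whose blocks commit to each other, so the mismatch cannot be hidden by also editing the fingerprint. A per-row scheme like this one does not detect deleted rows or a missing result tuple; that is what Verity's query-level rewriting is for.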
10. Formal Verification
To compute the risk posed to individual nodes due to existing vul-
nerabilities, we use a model checker to compute the probability
scores for all nodes in any network on which vulnerability scan-
ning tools found known vulnerabilities. C3i uses the probabilistic
model checking tool PRISM to compute threat scores.
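The computation behind such a threat score can be shown in a few lines. The following Python example is added for this edition and does not use or reproduce the C3i PRISM models; it solves, by value iteration, the same DTMC reachability question that PRISM answers for the query P=? [ F target ], on a constructed attack graph whose hosts, edges and per-exploit success probabilities are hypothetical (in practice they come from the scanner output and a CVSS-derived exploitability estimate).

```python
# Added example (this edition, not the C3i PRISM models): the DTMC
# reachability computation behind a threat score, in plain Python. The
# attack graph, its hosts and the per-exploit success probabilities are
# constructed for illustration; in practice they come from the scanner
# output and a CVSS-derived exploitability estimate.

# host -> [(next host reachable by exploiting it, success probability)]
GRAPH = {
    "internet":    [("dmz_web", 0.9)],
    "dmz_web":     [("hist_server", 0.6), ("eng_ws", 0.4)],
    "hist_server": [("plc", 0.3)],
    "eng_ws":      [("plc", 0.7)],
    "plc":         [],
}


def reach_probability(graph, start, target, tol=1e-12, max_iter=10000):
    """Probability that an attacker starting at `start` eventually compromises
    `target`: the query PRISM writes as P=? [ F target ]. Assumed semantics:
    from a compromised host the attacker picks one outgoing exploit uniformly
    at random; success moves it to the next host, failure is treated as
    detection and ends the campaign (an absorbing state with value 0).
    Solved by value iteration, which also handles graphs with cycles."""
    x = {h: 0.0 for h in graph}
    x[target] = 1.0
    for _ in range(max_iter):
        delta = 0.0
        for h, edges in graph.items():
            if h == target or not edges:
                continue                      # absorbing: target or dead end
            val = sum(p * x[v] for v, p in edges) / len(edges)
            delta = max(delta, abs(val - x[h]))
            x[h] = val
        if delta < tol:
            break
    return x[start]


def threat_scores(graph, entry="internet"):
    """Threat score of every host = probability it is reached from `entry`."""
    return {h: reach_probability(graph, entry, h) for h in graph if h != entry}


if __name__ == "__main__":
    for host, score in sorted(threat_scores(GRAPH).items(), key=lambda kv: -kv[1]):
        print(f"{host:12s} {score:.3f}")
```

On this graph the PLC scores 0.207 even though the engineering workstation has the weakest exploit in its path, because the attacker also has to get through the DMZ first; the score ranks hosts by end-to-end exposure, not by the worst CVSS on the box, which is exactly what a model checker adds over a per-host scanner report.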
This work has been completed in collaboration with
11. Cryptographic Hardware
Kryptoceler is an FPGA-based hardware accelerator for packet-level encryption that offloads cryptographic work from the host and speeds up the throughput of network applications. Stronger security assurance is grounded in a root of trust for the software, firmware and hardware that performs the security operations. The Kryptoceler hardware is tested for back-doors and Trojans to ensure that the board itself is not a point of vulnerability. On this foundation of trust, the software and firmware for the cryptographic cores are implemented on the hardware.
Figure 11.1: Hardware Setup of Kryptoceler
Figure 11.2: Five layer Protocol Stack for Kryptoceler operation
12. Publications
Table 12.1: Publications of the C3i Center
• 2019: Fadadu Fenil Kumar Chetanbhai, Anand Handa, Nitesh Kumar, Sandeep Kumar Shukla, "Evading API Call Sequence Based Malware Classifiers", 14th IEEE International Conference on Malicious and Unwanted Software (MALCON 2019), Nantucket, Massachusetts, USA, 2019 (withdrawn).
• 2019: Gaurav Kumar, Nitesh Kumar, Anand Handa, Sandeep Kumar Shukla, "Automated Malware Detection using Memory Forensics", 14th IEEE International Conference on Malicious and Unwanted Software (MALCON 2019), Nantucket, Massachusetts, USA, 2019 (withdrawn).
• 2019: Bishwas C. Gupta and Sandeep K. Shukla, "A Study of Inequality in the Ethereum Smart Contract Ecosystem", accepted at the International Symposium on Blockchain Computing and Applications (BCCA 2019), Granada, Spain, October 2019.
• 2019: Devendra Meena, Ras Dwivedi, Sandeep K. Shukla, "Preserving Patient's Privacy using Proxy Re-encryption in Permissioned Blockchain", accepted at the International Symposium on Blockchain Computing and Applications (BCCA 2019), Granada, Spain, October 2019.
Table 12.2: Publications of C3i Center (continued)
• 2019: Harsh Bhagwani, Rohit Negi, Aneet Kumar Dutta, Anand Handa, Nitesh Kumar and Sandeep Kumar Shukla, "Automated Classification of Web-Application Attacks for Intrusion Detection", accepted at the 9th International Conference on Security, Privacy, and Applied Cryptographic Engineering (SPACE 2019), Gandhinagar, India, December 2019.
• 2019: Nitesh Kumar, Subhasis Mukhopadhyay, Mugdha Gupta, Anand Handa and Sandeep K. Shukla, "Malware Classification using Early Stage Behavioral Analysis", accepted at the 14th Asia Joint Conference on Information Security (AsiaJCIS 2019), Kobe, Japan, August 1-2, 2019.
• 2019: Asan M. Basiri and Sandeep K. Shukla, "Formal Hardware Verification of InfoSec Primitives", accepted at the IEEE Computer Society Annual Symposium on VLSI, Miami, Florida, USA, July 2019.
• 2019: Prachi Joshi, S. S. Ravi, Qingyu Liu, Unmesh D. Bordoloi, Soheil Samii, Sandeep Shukla, and Haibo Zeng, "Approaches for Assigning Offsets to Signals for Improving Frame Packing in CAN-FD", IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), Print ISSN: 0278-0070, Online ISSN: 1937-4151, Digital Object Identifier: 10.1109/TCAD.2019.2907921, 2019.
• 2019: Shubham Srivastava, Medha Atre, Shubham Sharma, Rahul Gupta, Sandeep Shukla, "Verity: Blockchains to Detect Insider Attacks in DBMS", CoRR abs/1901.00228, February 2019.
• 2019: Singh C., Satish S., Mitra J., Shukla S., "Buffer Overflow Attack and Prevention for an FPGA-Based Soft-Processor System", in: Saini H., Singh R., Kumar G., Rather G., Santhi K. (eds) Innovations in Electronics and Communication Engineering, Lecture Notes in Networks and Systems, vol 65, Springer, Singapore, 2019.
Table 12.3: Publications of C3i Center (continued)
• 2019: Ashwin Sekhari, Rishav Chatterjee, Ras Dwivedi, Rohit Negi and Sandeep Shukla, "Entangled Blockchains in Land Registry Management", in Proceedings of the Third Workshop on Blockchain Technologies and its Applications, pp. 8-13, Mumbai, February 2019.
• 2019: Amit Kumar, Nitesh Kumar, Anand Handa and Sandeep K. Shukla, "PeerClear: Peer-to-Peer Bot-net Detection", accepted at the 3rd International Symposium on Cyber Security Cryptology and Machine Learning (CSCML 2019), Be'er Sheva, Israel, June 2019.
• 2019: Ajay Singh, Anand Handa, Nitesh Kumar and Sandeep Kumar Shukla, "Malware Classification using Image Representation", accepted at the 3rd International Symposium on Cyber Security, Cryptology and Machine Learning (CSCML 2019), Be'er Sheva, Israel, June 2019.
• 2019: Bhaskar Pratim Mukhoty, Vikas Maurya, and Sandeep K. Shukla, "Sequence to Sequence Deep Learning Models for Solar Irradiation Forecasting", accepted at the IEEE Power Tech Conference, IEEE PES, Milano, Italy, July 2019.
• 2019: Soumyo V. Chakraborty and Sandeep K. Shukla, "Predictive Modeling of Electricity Trading Prices and the Impact of Increasing Solar Energy Penetration", accepted at the IEEE Power Tech Conference, IEEE PES, Milano, Italy, July 2019.
• 2019: Rohit Negi, Sandeep Kumar Shukla, Ashish Gahlot, Parvin Kumar, Shibashis Ghosh, "Vulnerability Assessment and Mitigation for Industrial Critical Infrastructures with Cyber Physical Test Bed", IEEE International Conference on Industrial Cyber Physical Systems (ICPS 2019), Taipei, Taiwan, 2019.
• 2019: Handa A., Sharma A., Shukla S. K., "Machine Learning in Cybersecurity: A Review", WIREs Data Mining and Knowledge Discovery Journal, 2019; e1306, https://doi.org/10.1002/widm.1306, February 2019.
• 2018: Mohamed Asan Basiri M. and Sandeep K. Shukla, "Asynchronous Hardware Implementations for Crypto Primitives", Microprocessors and Microsystems Journal (MICPRO), Elsevier, November 2018.
13. Theses
Table 13.1: Theses submitted from September 2018 to August 2019
1. Evading API Call Sequence Based Malware Classifiers, Fadadu, Fenil.
2. Analysis of Ethereum Smart Contracts - A Security Perspective, Gupta, Bishwas C.
3. Anomaly Detection in the Ethereum Network, Singh, Ajay.
4. Preserving Patient's Privacy using Proxy Re-encryption in Permissioned Blockchain, Meena, Devendra K.
5. Property Registration and Land Record Management via Blockchains, Gunda, Abhishek.
6. Elastico as an Ordering Service in Hyperledger Fabric, Agarwal, Ayushi.
7. Log Based Dynamic Intrusion Detection of Web Applications, Bhagwani, Harsh.
8. Context Aware Honeypot for Cross-Site Scripting Attacks using Machine Learning Techniques, Aggarwal, Shubham.
9. Feature Engineering & Analysis Towards Temporally Robust Detection of Android Malware, Jaiswal, Sagar.
III Outreach
14 Collaboration . . . . . . . . . . . . . . . . . . . . . . . . 63
15 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
16 Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
17 Lab Visits at C3i Center . . . . . . . . . . . . . . 69
14. Collaboration
Tech Mahindra
Schneider Electric India Private Limited
National Stock Exchange India
15. Events
Team C3i actively organises cyber security events, as listed below.
CSAW in collaboration with
SPACE 2018 in collaboration with
SCADA CTF at Nullcon in collaboration with
16. Training
Team C3i provided training to an international IT workforce under the ITEC programme of the Ministry of External Affairs.
Hands-on training to students from different countries:
• BHUTAN
• BANGLADESH
• CAMEROON
• NIGERIA
• ETHIOPIA
• TANZANIA
• SOUTH SUDAN
• UGANDA
• LAOS
• MAURITIUS
• OMAN
• SYRIA
• PALESTINE
• EGYPT
• IRAQI-KURDISTAN
Hands-on Workshop at Techkriti
Hands-on Workshop at Nullcon
17. Lab Visits at C3i Center
Dr. Koppillil Radhakrishnan (Former Chairman of Space Commission, Secretary of Department of Space and Chairman of ISRO), Chairperson, BoG, IIT Kanpur
Lt. Gen Rajesh Pant, Cyber Security Chief India visited C3i Center
Prof. Arvind, MIT visited C3i Lab
Dr. Vijay Saraswat, Honorable Member of NITI Aayog, at C3i Lab
National Thermal Power Corporation visited C3i Lab
Vice President, Quality Council of India visited C3i Lab
DRDO scientists at C3i Lab
Securities and Exchange Board of India cyber security team at C3i Lab
UPSIDC visiting C3i Lab
Additional Director General of UP Police visiting C3i Lab
Aditya Birla Group visited C3i Center
Eran Toch, Tel Aviv University; Shay Gueron, University of Haifa; and Avi Mendelson, Technion, Israel
Founder of Nutanix visiting C3i Lab
Vanessa Teague, University of Melbourne, Australia, and Nasour Bagheri, SRTTU Tehran, Iran
C3i invited white-hat hackers to the lab
Shankya Lab visited C3i lab
https://security.cse.iitk.ac.in