
Intrusion detection and prevention system for network using Honey pots and Honey token method


King Saud University

Electrical Engineering Department

EE: 524

Project Report on

Intrusion Detection & Prevention system for network

security

Submitted to

Dr. Yahya Subhi Al-Harthi

Name: Mohammed Ahmed Hussain Siddiqui

ID: 436107960

Date: 14/1/2017


Abstract

In this research work an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) are implemented to detect and prevent cyber-attacks on critical infrastructure networks. To strengthen network security and improve the network's active defense and intrusion detection capabilities, the project consists of an intrusion detection system using honey token based encrypted pointers and an intrusion prevention system based on a mixed-interaction honeypot. The IDS is based on the novel approach of Honey Token based Encrypted Pointers: a honey token embedded inside the transmission frame serves as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is provided with a different level of security measures within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool: Pool-A contains 4 HT/frame, Pool-B contains 3 HT/frame, Pool-C contains 2 HT/frame and Pool-D contains 1 HT/frame. Moreover, every pool uses a different encryption scheme (AES-128, 192 or 256). Our critical infrastructure network of 64 nodes is under the umbrella of unified security provided by this single Network Intrusion Detection System (NIDS). After the design phase of the IDS, we analyze its performance in terms of True Positives (TP) and False Negatives (FN). Finally, we test the IDS in a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. The proposed IDS is a scalable solution that can be implemented for any number of nodes in a critical infrastructure network.

For the Intrusion Prevention System (IPS) we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies. By using the original operating system together with virtualization, the honeypot lures attackers in a pre-arranged manner, analyzes and audits their attacking behavior, tracks the attack source, obtains evidence, and finds effective solutions.


Table of Contents

Chapter 1 .......... 5
Introduction to IDS .......... 5
1.1 Approach of Honey tokens for Intrusion Detection Systems .......... 7
1.2 Problem Statement .......... 7
1.3 Project Contribution .......... 8
1.4 Working of Intrusion Detection Systems .......... 8
1.5 Types of Intrusion Detection Systems .......... 10
1.6 Network Intrusion Detection Systems (NIDS) .......... 10
1.7 Host Intrusion Detection Systems (HIDS) .......... 11
1.8 Techniques of Intrusion Detection .......... 11
1.9 Signature based Intrusion Detection Technique .......... 11
Chapter 2 .......... 12
2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers for Critical Infrastructure Networks .......... 12
2.2 DNP3 Synthetic Traffic Generator .......... 14
2.3 Honey Token based Encrypted Pointers .......... 16
2.4 System Design .......... 17
2.5 Intrusion Detection System Primary Module .......... 18
2.6 Intrusion Detection System Secondary Module .......... 20
Chapter 3 .......... 21
Results and Discussions .......... 21
3.1 DNP3 Synthetic Traffic Generator .......... 21
3.2 Alarm Analysis of Intrusion Detection System .......... 22
3.4 Network Penetration Testing .......... 25
Chapter 4 .......... 26
Introduction to Intrusion Prevention System (IPS) .......... 26
4.1 Honeypot definition and development .......... 26
4.2 Existing types of honeypot .......... 27
4.3 Low-interaction honeypot system .......... 27
4.4 Middle-interaction honeypot system .......... 27
4.5 High-interaction honeypot system .......... 28
4.6 Mixed-interaction honeypot system .......... 28
4.7 System simulation .......... 30
Conclusion and Future Work .......... 31
References .......... 33


Chapter 1

Introduction to IDS

Network security challenges of the 21st century are enormous for both the commercial sector and the military. With the evolution of the Internet, security became a major concern for everybody. We can better understand security technologies if we look at the history of the Internet itself. The basic structure of the Internet is vulnerable to many security threats, but if the attack method is known then it is easy to deploy security measures that help make our networks more secure. The world today is more interconnected than ever before, and a large amount of information resides on networking infrastructures that belong to government, the private sector and military organizations, alongside our daily personal information. The security of intellectual property makes cyber security more important than ever before. In the recent past we have witnessed critical infrastructures become the prime target of major cyber-attacks, and the security of these critical infrastructure networks has emerged as one of the biggest challenges of our time.

Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands to run the operations of the critical infrastructure. A brief overview of a typical SCADA architecture is shown in Figure 1.1. SCADA systems are widely used in industrial installations for the operational control and management of field sensors and actuators. The typical components of a SCADA architecture are described as follows:

Operator: The one who monitors the running SCADA system in a 24x7 routine. Mostly the operator of a SCADA system is a human being keeping an eye on all important functional parameters of the network, which comprises motors, sensors, actuators, PLCs etc.

Human Machine Interface (HMI): The system that presents process data to the human operator is known as the HMI, and through it the human operator can control all the processes of the critical infrastructure.

Master Terminal Unit (MTU): This unit presents data to the human operator through the HMI. It gathers data from the remote PLC, sensor, motor and actuator sites, and control signals (commands) are then transmitted by the MTU.

Remote Terminal Unit (RTU): This unit acts as a slave in the master/slave architecture of a SCADA system. It receives control signals (commands) from the MTU and forwards them to the devices (sensors, motors etc.) under its control. The RTU acquires data from these devices and transmits the gathered data to the MTU. An RTU may be a PLC.

Communication Links: For communication between the Master Terminal Unit (MTU) and the Remote Terminal Unit (RTU) we have communication channels (links) that may be wired or wireless. For the protocols that carry SCADA traffic (DNP3, IEC 60870-5), any link that provides a bandwidth above 1200 bps is workable. Distributed Network Protocol-3 (DNP3) is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control architectures.

Figure 1.1: Typical SCADA Architecture

SCADA systems possess strategic importance because they are used in critical infrastructure networks for command and control. SCADA based cyber-attacks disrupt the monitoring and controlling parameters of industrial control communication protocols and are thus capable of causing serious system failures or, in some cases, physical damage to critical infrastructure networks. There are many documented real-world cyber-attacks on critical infrastructures in the last few years which clearly prove the vulnerability of these networks. A number of countries including Russia and Taiwan are involved in DNP3 port scanning activities against the critical infrastructure networks of many western countries. This port scanning is strong evidence that attackers are searching for potential vulnerabilities in SCADA command and control networks and trying to gather the information that will later help in launching a massive attack on critical infrastructure sensor networks. Forensic systems for the detection of cyber-attacks on these SCADA based networks are not common. SCADA based cyber-attacks are mostly directed towards the devices used in the critical infrastructure environment, e.g. Programmable Logic Controllers (PLC), Intelligent Electronic Devices (IED), Programmable Automation Controllers (PAC), Remote Terminal Units (RTU) and Master Terminal Units (MTU). Critical infrastructure communication networks are vulnerable to command injection attacks, reconnaissance attacks and response injection attacks. Command injection attacks inject malicious code and commands into the payload area of the packets carrying traffic for SCADA based critical infrastructures; when successfully executed on the RTU devices, the malicious code and commands cause massive damage to industrial control system operations. In the case of Stuxnet, for example, the worm monitored the communication between the WinCC tool and the RTU; when a specific signature related to an RTU operation (a possible command) was found, the worm immediately replaced that command signature with malicious code, causing physical damage in critical infrastructure control systems. Reconnaissance attacks gather important information about the critical infrastructure network devices and their configurations, e.g. the manufacturer of devices (PLC, RTU, MTU), the deployed industrial network protocol, memory type, system serial numbers, system model numbers etc. All this information is used to design the SCADA based cyber-attack. Response injection attacks are used to present incorrect sensor information. Of all these categories the most dangerous is the command injection attack. In our research work we focus on command injection attacks in SCADA based critical infrastructure networks, and specifically on the link between HMI/MTU and RTU/PLC, because this is the most vulnerable area of a SCADA based critical infrastructure network.

1.1 Approach of Honey Tokens for Intrusion Detection Systems

A honey token is a security tool used for intrusion detection. Its concept is derived from honeypots and honeynets. A honey token is a honeypot that is not a computer system but just a piece of data. The core value of honey tokens lies not in their use, but in their abuse. So a honey token is a piece of data used to trap an attacker: it appears to be part of the data and alerts the system administrator when it is accessed by an attacker [9]. In our approach to IDS, a honey token is nothing but a DNP3 packet which we embed inside the transmission frame along with the regular DNP3 packets that carry normal network traffic.

1.2 Problem Statement

The security of critical infrastructure networks became a key issue after recent cyber-attacks, especially attacks like "Stuxnet" that destroy and disrupt the operations of these networks. Moreover, there are many hidden vulnerabilities in the existing industrial protocols like DNP3 and IEC 60870-5 that can easily be exploited by attackers. Firewall scanning only looks outwards and is not a complete solution for a network of critical infrastructure facilities, whereas an IDS seems to be a good choice. Our future intrusion detection systems must be able to protect our networks despite all the vulnerabilities that exist in running SCADA networks. Future IDS must also be capable enough to counter external as well as internal threats. Online connectivity is increasing nowadays, and to enhance overall production these critical infrastructure networks connect to other networks as well as to the Internet. This massive connectivity provides attackers with many more opportunities and poses a greater threat to the security of critical infrastructure networks.

1.3 Project Contribution

The aim of this work is to design and develop an Intrusion Detection System (IDS) that specifically counters the security challenges of industrial networks. This IDS uses a new and different approach and performs all its functions according to the industrial standards and practices of SCADA networks. In this project, our main contributions are focused on:

1. Designing an Intrusion Detection System (IDS) specifically for the security of critical infrastructure networks, which works using the approach of Honey Token based Encrypted Pointers to detect cyber-attacks.

2. Deriving a new strategy for intrusion detection which will improve the overall security of the critical infrastructure network, particularly focusing on the security of the field area (RTU, PLC etc.) by detecting attacks more efficiently and enhancing real-time detection capability. Under this approach all the systems within the working domain of the critical infrastructure network are divided into four pools; the division is based on the computational power and vulnerability level of each individual system. Different pools are provided with different levels of security, but the entire network is under the umbrella of unified security provided by a single network based IDS.

3. Developing a mechanism for intrusion detection that uses AES encryption schemes, honey tokens and pointers to achieve better security against attacks, and thus gives us the ability to respond quickly to adversarial activities and gain a better understanding of the attacker's behavior.

4. Providing a scalable solution that can be implemented on a network of any number of remote computational nodes.

1.4 Working of Intrusion Detection Systems

An Intrusion Detection System (IDS) is a system used to identify and detect malicious activities in the network. These systems emerged in the arena of network security when it was felt that all the advancements in network technology bring serious cyber threats with them, and that to successfully run the operations of all these networks we must have some sort of reliable and flexible security system. All computer systems and networks have vulnerabilities, and it is almost impossible to build a perfect computer system or a perfect network that is free of all errors and vulnerabilities. So there is no question of a modern network without some type of network security equipment, e.g. a firewall, an IDS etc. The main goal of an intrusion detection system is to detect attempted network breaches, and in some cases it also looks for open vulnerabilities that could result in a potential breach of the network. If we study an IDS at a very macroscopic level, we find that it simply acts as a detector that processes information coming from a client's network. This detector can also send probes that request audit data from the information system (network). Intrusion Detection Systems commonly use three kinds of information:

1. Long Term Information.

2. Configuration Information.

3. Audit Information.

Long term information relates to the mechanisms and techniques used for intrusion detection, configuration information describes the current state of the system, and audit information describes the sequence of events happening on the connected network or information system. The generic IDS is shown in Figure 3.1. The function of the detector is to filter the information coming from the information system, eliminate all the unneeded information from the audit trails and then decide about a possible intrusion. The countermeasure unit takes preventive action in case of any possible intrusion and tries to save the network from any attempted security breach.

Figure 3.1: Generic Intrusion Detection System

In Figure 3.1 the basic role of the detector is to filter the useless information coming from the audit trails. Based on this crucial information a decision is then taken about the event (possible intrusion), and preventive action is taken by the countermeasure component of the Intrusion Detection System (IDS). Based on their operational mechanisms, Intrusion Detection Systems (IDS) are divided into two main categories:

1. Passive Intrusion Detection Systems

2. Active Intrusion Detection Systems

1.5 Types of Intrusion Detection Systems

There are two main types of IDS that have been used by the industry for many years. Even though the technique and the target differ, the basic purpose of both types of system is to provide security by performing detection functions. For several years there has been a debate about which of the two possesses the better detection strategy. In the following the basic principles of these two types are discussed. The two types of IDS are:

1. Network Intrusion Detection Systems (NIDS)

2. Host Intrusion Detection Systems (HIDS)

1.6 Network Intrusion Detection Systems (NIDS)

Network Intrusion Detection Systems (NIDS) are placed at critical and strategic points in the network, where they monitor the network for internal as well as external threats. A NIDS checks the entire traffic of the network for possible cyber-attacks. When an attack is detected or abnormal traffic behavior is noticed, an alert message is sent to the administrator. As the name suggests, these intrusion detection systems are usually deployed in the subnet where the firewall is placed, so the network administrator keeps a strong check on who is trying to break the security policy of the firewall and can try to detect an inside attacker. As shown in Figure 3.2, there are two different companies and each company's network is connected to the Internet. The network of one company is protected by a firewall as well as an Intrusion Detection System (IDS) placed at the gateway of the network, whereas the network of the second company is protected only by a network intrusion detection system placed at the gateway. Figure 3.2 gives a clear idea of the importance of the placement of Network Intrusion Detection Systems (NIDS) in the network.

Figure 3.2: Network Intrusion Detection System

1.7 Host Intrusion Detection Systems (HIDS)

This type of intrusion detection system is designed for the security of a single host (machine) on the network. A Host Intrusion Detection System (HIDS) inspects all packets coming out of the device and going into the device and continuously monitors for malicious activity. Once it finds some type of intrusion it alerts the administrator or the user of that machine. A HIDS takes a snapshot of all the system files and compares it with the previous snapshot; if files are missing, deleted or edited, the HIDS raises an alarm and goes on to further investigation. HIDS are mostly installed on mission critical machines. The most common example of a HIDS is the anti-virus software installed on our daily use computers.

1.8 Techniques of Intrusion Detection

The detection techniques used by IDS are as follows:

1. Signature based Intrusion Detection Technique.

2. Anomaly based Intrusion Detection Technique.

1.9 Signature based Intrusion Detection Technique

An Intrusion Detection System (IDS) that uses the signature based approach scans all the packets on the network and compares them against a database of signatures. For understanding, we can think of a signature as a unique digital thumbprint: every signature is different from the others, and all the signatures in the database are attributes of known malicious cyber threats. The IDS compares the packets with all the signatures available in the database, and if a match occurs at any point in time, that event is considered an intrusion by the intrusion detection system. Almost all anti-virus programs use this signature based intrusion detection approach. Using this approach the system detects all known attacks, but at the same time it completely misses attacks with unknown signatures (zero day attacks). Figure 3.3 shows the complete basic model of a signature based Intrusion Detection System (IDS): packets are matched against malicious signatures and the administrator is alerted in case of a match.

Figure 3.3: Signature based Intrusion Detection System

Chapter 2

2.1 Designing IDS using Honey Token (HT) based Encrypted Pointers for Critical Infrastructure Networks

Our approach to the design of the Intrusion Detection System (IDS) is novel and simple: we use honey token based encrypted pointers for the detection of network attacks on the critical infrastructure network. We embed these honey tokens inside the transmission frame, and an encrypted pointer keeps a record of the locations of all these honey tokens. This encrypted pointer is sent to the destination within the same transmission frame in which the honey token packets were embedded. At the receiver side, we extract all the honey tokens from the frame with the help of the encrypted pointer and compare them with the database of honey tokens already present at every Remote Terminal Unit (RTU) to verify whether any changes have been made to them. Critical infrastructure is the term mostly used for those national assets which are very important for the operational stability of the economy and society, and without which there is no concept of running a nation state successfully in the 21st century. In modern times all these critical infrastructure operations run using smart and sophisticated networks called critical infrastructure networks. There are a large number of such critical infrastructures; the most common are the electric power grid, the oil and gas sector, nuclear power plants, water supply systems, air traffic control systems, water treatment plants, railway traffic systems, industrial manufacturing etc. Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations. Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands from its Master Terminal Unit (MTU) for operating the industrial control systems. The common topology of a critical infrastructure sensor network is shown in Figure 2.1.

Figure 2.1 The common topology of critical infrastructure sensor network

The SCADA (MTU) system connects to a network of nodes commonly known as Remote Terminal Units (RTU), and the sensors connect to these RTUs. The IDS shown in Figure 2.1 is a Network based Intrusion Detection System (NIDS) and thus serves the entire critical infrastructure sensor network with its security services. An RTU may be a PLC; it collects data from all the sources, which include sensors, actuators, motors, pressure valves, centrifuges etc. The RTU then sends this data back to the MTU for monitoring tasks. The MTU sends commands to the RTU for controlling these assets (motors, sensors and actuators). The RTU receives this set of commands from the MTU and directs them towards their target devices.

2.2 DNP3 Synthetic Traffic Generator

Distributed Network Protocol-3 (DNP3) is a set of communication protocols used between components in process automation systems. It is the backbone protocol for SCADA systems and is used by almost all vendors as their primary protocol for SCADA command and control software. Our adopted approach to solving the problem is very simple: we generate synthetic DNP3 traffic, and for this we designed a DNP3 traffic generator capable of producing millions of DNP3 packets. DNP3 is an open protocol, which means that the complete technical documentation associated with the protocol is available to the public. The core elements that define the DNP3 protocol are the data link layer protocol description, the application layer protocol description and the data object library. At the start of the packet we have the data link layer information, which includes the start bytes, length byte, control byte, destination address, source address and CRC (Cyclic Redundancy Check) bytes for the data link layer; after this we have the application layer headers. At the end we have the data area, which holds the actual data (payload), and an object header which carries the control information associated with this data area. The object header contains the fields of function control bytes, internal information bytes, object type bytes, variation bytes, qualifier bytes, range bytes, data object bytes and CRC bytes. DNP3 is a robust and flexible protocol compared to other conventional communication protocols.

DNP3 was originally designed on a three-layer model consisting of the application layer, the data link layer and the physical layer. The application layer provides objects for the most generic data formats, the data link layer provides methods for retrieving data, and the physical layer defines the most common RS-232, RS-485 or radio interfaces. DNP3 uses the 3-layer Enhanced Performance Architecture (EPA) stack for its specifications. The 3-layer EPA stack provides a simpler way of data communication over industrial control systems, where there is no need for many of the features required for communication on IP networks. Figure 2.3 shows the comparison of the Enhanced Performance Architecture (EPA) stack with the 7-layer model.

Figure 2.3: Comparison of EPA Stack with 7 Layer Reference Model [63]

Although DNP3 was designed as a reliable protocol, it was not designed as a secure protocol. It is vulnerable to attacks designed to disrupt control system operations and disable critical infrastructure networks. So an enhanced level of security, in the form of an IDS, is required to protect assets as important as critical infrastructure networks. The honey tokens used by the IDS are normal DNP3 packets generated using the same synthetic traffic generator. These honey token packets are similar to real DNP3 packets, and it is impossible for a human being to differentiate between a real packet and a honey token.
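To make the data link layer fields listed above concrete, here is an added Go example (not code from the report or its traffic generator) that encodes a DNP3 link frame and decodes it while checking every CRC-16/DNP: start bytes, length, control byte, destination and source addresses, header CRC, then user data in 16-byte blocks each followed by its own CRC. Any address, control value or payload passed to it is a constructed sample; a synthetic honey token packet has to pass these same checks at the RTU to be indistinguishable from real traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// crcDNP is CRC-16/DNP: reflected form of polynomial 0x3D65, initial value 0, result
// complemented. DNP3 places it after the link header and after every 16-byte data block.
func crcDNP(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 {
				crc = crc>>1 ^ 0xA6BC
			} else {
				crc >>= 1
			}
		}
	}
	return ^crc
}

// crcLE returns the CRC in the little-endian byte order DNP3 puts on the wire.
func crcLE(block []byte) []byte {
	var c [2]byte
	binary.LittleEndian.PutUint16(c[:], crcDNP(block))
	return c[:]
}

// LinkFrame is the data link layer unit described in section 2.2.
type LinkFrame struct {
	Control  byte   // direction, primary/secondary and function code bits
	Dest     uint16 // destination address, little-endian on the wire
	Source   uint16 // source address, little-endian on the wire
	UserData []byte // transport and application layer bytes, at most 250
}

// Encode builds the wire form: 0x05 0x64, length, control, dest, src, header CRC, then
// user data in 16-byte blocks each followed by its own CRC.
func (f LinkFrame) Encode() ([]byte, error) {
	if len(f.UserData) > 250 {
		return nil, fmt.Errorf("user data is %d bytes, DNP3 allows at most 250", len(f.UserData))
	}
	out := []byte{0x05, 0x64, byte(5 + len(f.UserData)), f.Control, 0, 0, 0, 0}
	binary.LittleEndian.PutUint16(out[4:], f.Dest)
	binary.LittleEndian.PutUint16(out[6:], f.Source)
	out = append(out, crcLE(out[:8])...)
	for i := 0; i < len(f.UserData); i += 16 {
		end := i + 16
		if end > len(f.UserData) {
			end = len(f.UserData)
		}
		out = append(out, f.UserData[i:end]...)
		out = append(out, crcLE(f.UserData[i:end])...)
	}
	return out, nil
}

// Decode parses a wire frame, rejecting bad start bytes, a length field that does not
// match the bytes present, and any header or data block whose CRC fails.
func Decode(raw []byte) (LinkFrame, error) {
	var f LinkFrame
	if len(raw) < 10 || raw[0] != 0x05 || raw[1] != 0x64 || raw[2] < 5 {
		return f, errors.New("malformed DNP3 link header")
	}
	if binary.LittleEndian.Uint16(raw[8:10]) != crcDNP(raw[:8]) {
		return f, errors.New("header CRC mismatch")
	}
	f.Control = raw[3]
	f.Dest = binary.LittleEndian.Uint16(raw[4:6])
	f.Source = binary.LittleEndian.Uint16(raw[6:8])
	pos, remaining := 10, int(raw[2])-5
	for remaining > 0 {
		n := remaining
		if n > 16 {
			n = 16
		}
		if len(raw) < pos+n+2 {
			return f, fmt.Errorf("frame truncated at offset %d", pos)
		}
		block := raw[pos : pos+n]
		if binary.LittleEndian.Uint16(raw[pos+n:]) != crcDNP(block) {
			return f, fmt.Errorf("data block CRC mismatch at offset %d", pos)
		}
		f.UserData = append(f.UserData, block...)
		pos, remaining = pos+n+2, remaining-n
	}
	if pos != len(raw) {
		return f, fmt.Errorf("%d trailing bytes after the frame", len(raw)-pos)
	}
	return f, nil
}
```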


2.3 Honey Token based Encrypted Pointers

Our approach to IDS uses a technique called Honey Token based Encrypted Pointers. Honey tokens are artificial digital data items planted deliberately in a genuine system resource to detect unauthorized attempts to use or disrupt the original information. Honey tokens are characterized by properties which make them appear to be genuine data items. The honey tokens used by our IDS are normal DNP3 packets planted deliberately in a transmission sequence to detect cyber-attacks. We generate these honey tokens once at the start of the simulation and make an encrypted database of them. All the Remote Terminal Units (RTUs) in the critical infrastructure network hold a copy of this encrypted honey token database, which they later use for the comparison and correlation of honey tokens at the RTU in order to detect any changes made to the sequence by an attacker during transmission from the Master Terminal Unit (MTU) to the RTU. The transmission sequence consists of a total of N packets. In the first step the IDS uses the first N-1 packets as the process length: it embeds honey tokens in the real traffic at random locations and forms a sequence of length N-1. This sequence of length N-1 is known as the process length of the sequence and is shown in Figure 2.4.

Figure 2.4: Process Length

The last packet contains the locations of all the honey tokens which were embedded earlier in the process length by the IDS. This last packet is known as the pointer, and after encryption it becomes an Encrypted Pointer (EP). The pointer itself is also a normal DNP3 packet, and all the locations of the honey tokens are stored inside the payload area of this packet, where any empty space in the payload area is filled using zero padding. Figure 2.5 shows that after inserting the locations of all the honey tokens inside the payload area of the packet, the empty space is filled with zero padding.

Figure 2.5: Pointer Structure


The entire formation process is shown below in Figure 2.6, where a single sequence has N packets and the process length has N-1 packets; the last packet of the sequence is the pointer that contains the locations of the honey tokens.

Figure 2.6: Formation Process

2.4 System Design

We adopted a modular approach in the system design, and the IDS consists of two separate modules working at separate physical locations within the critical infrastructure network. The two modules of the IDS are:

1. IDS Primary Module.

2. IDS Secondary Module.

The IDS primary module works in collaboration with the MTU and the IDS secondary module works in collaboration with the RTU. We divide the critical infrastructure sensor network into four categories or pools, as shown in Figure 2.7. This division of nodes among the four pools is based on the computational power and level of vulnerability of each system (node) working in the critical infrastructure sensor network.


Figure 2.7: Segmentation of Pools in Critical Infrastructure Network

Pool-A contains those systems having greater computational power and higher vulnerability levels; it uses 4 honey tokens per frame and the AES-256 encryption scheme, e.g. data centers. Pool-D contains those systems having the least computational power; it uses one honey token per frame and the AES-128 encryption scheme, e.g. a tsunami warning system for the open ocean. The other two pools (B and C) contain systems that fall between the categories defined above: Pool-B uses 3 honey tokens per frame and the AES-192 encryption scheme, e.g. oil rigs, and Pool-C uses 2 honey tokens per frame and the AES-192 encryption scheme, e.g. remote operating stations. The encryption scheme assigned to a pool is used for two basic tasks: first for the encryption of the pointer, and second for the encryption of the honey token database (present at the RTUs) for that pool.

2.5 Intrusion Detection System Primary Module

The IDS primary module works in collaboration with the MTU. It starts by embedding honeytokens inside the normal DNP3 traffic frame at random locations. First, the transmission module in Figure 2.8 checks which RTU in the critical infrastructure network the current frame is directed to. The IDS then looks up the pool of that RTU and, once the pool is confirmed, embeds the honeytokens inside the transmission frame. For example, if the current frame belongs to Pool-A, the IDS embeds four honeytokens at random positions inside the frame. The locations (addresses) of these four honeytokens are then placed inside the last packet, known as the pointer of the frame, and the empty space in the pointer is filled with zero padding. The IDS then encrypts the pointer using AES-256, so the only encrypted part of the frame is the pointer holding the honeytoken locations. The encrypted pointer is attached to the frame, and the frame is ready for transmission over the physical channel, which may be wired or wireless. If the destination RTU belongs to Pool-B, the IDS primary module embeds 3 honeytokens inside the frame, stores their locations in the pointer, and encrypts the pointer with AES-192. For Pool-C the primary module uses 2 honeytokens per frame and AES-192 for the pointer. For Pool-D the IDS uses only one honeytoken per frame, stores its location inside the pointer, fills the empty space with zero padding, and encrypts the pointer with AES-128.

Figure 2.8: Flow Chart of IDS Primary Module at Master Terminal Unit

(MTU)


2.6 Intrusion Detection System Secondary Module

At the receiving RTU, the IDS secondary module receives the transmission frame and extracts the Encrypted Pointer (EP) from it. If the local RTU falls in Pool-A, the EP is decrypted with AES-256; after successful decryption the secondary module opens the pointer and removes the zero padding. The IDS then extracts the honeytokens from the transmission frame using the locations found in the pointer. For Pool-B the EP is decrypted with AES-192 and the zero padding is removed to recover the honeytoken locations at the RTU side. The same process is used for the other two pools, the only difference being that Pool-C pointers are decrypted with AES-192 and Pool-D pointers with AES-128. After the honeytokens have been recovered at the RTU, the secondary module performs the scanning process shown in Figure 2.9. The HT Database holds the complete set of honeytokens that the IDS uses for detection; it is also encrypted, with AES-256 for Pool-A, AES-192 for Pool-B and Pool-C, and AES-128 for Pool-D. During scanning, the secondary module compares every recovered honeytoken bit by bit with its copy in the HT Database. This comparison detects any tampering with the honeytokens during transmission from MTU to RTU. If tampering is detected, the IDS immediately raises an alarm for the network administrator and treats the event as a possible intrusion; if all honeytokens match their counterparts in the HT Database with no mismatched bits, the IDS treats the event as normal and continues its operation.

Figure 2.9: Flow Chart of IDS Secondary Module at Remote Terminal Unit

(RTU)
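As an added example (this is not code from the report, whose implementation is in MATLAB), the following Python models the primary module's embedding and the secondary module's scanning from Sections 2.3 to 2.6 on synthetic 16-byte packets. The packet size, the per-pool key derivation and the HMAC-based keystream that stands in for AES are assumptions made so the script runs without third-party libraries. One detail worth noting: the pointer carries the token count as well as the locations, because stripping zero padding blindly would swallow a legitimate location of zero.

```python
"""Honeytoken-based Encrypted Pointer IDS: MTU side (primary module) and RTU
side (secondary module). Added example for Sections 2.3-2.6; it is not the
report's MATLAB implementation."""
import hashlib
import hmac
import random
import struct

# Pool parameters from Section 2.4: (honeytokens per frame, AES key bits).
POOLS = {"A": (4, 256), "B": (3, 192), "C": (2, 192), "D": (1, 128)}
DNP3_START = b"\x05\x64"  # every DNP3 link-layer frame begins with 0x05 0x64
PKT_LEN = 16              # fixed synthetic packet length (assumption)


def pool_key(master_secret: bytes, pool: str) -> bytes:
    """Derive a per-pool key of the pool's AES key length (illustrative KDF)."""
    return hashlib.sha256(master_secret + pool.encode()).digest()[:POOLS[pool][1] // 8]


def keystream_xor(key: bytes, frame_id: int, data: bytes) -> bytes:
    """Stand-in for AES-CTR using only the standard library: an HMAC-SHA256
    keystream keyed with the pool key and the frame sequence number. The
    report specifies AES-128/192/256 here; a deployment should use that (and
    an authenticated mode such as AES-GCM so a forged pointer is rejected)."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        ks = hmac.new(key, struct.pack(">QI", frame_id, n), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], ks))
    return bytes(out)


def synthetic_packet(rng: random.Random) -> bytes:
    """Constructed DNP3-looking packet: start bytes plus random payload."""
    return DNP3_START + bytes(rng.getrandbits(8) for _ in range(PKT_LEN - 2))


def make_ht_database(rng: random.Random) -> dict:
    """HT Database held at the RTUs: one list of honeytokens per pool. Tokens
    are ordinary-looking packets, indistinguishable from real traffic."""
    return {p: [synthetic_packet(rng) for _ in range(k)] for p, (k, _b) in POOLS.items()}


def build_frame(real_packets, pool, ht_db, key, frame_id, rng):
    """IDS primary module (MTU): insert the pool's honeytokens at random
    positions of the process length, then append the Encrypted Pointer."""
    k = POOLS[pool][0]
    process = list(real_packets)
    positions = sorted(rng.sample(range(len(process) + k), k))  # final indexes
    for i, pos in enumerate(positions):   # ascending inserts keep indexes valid
        process.insert(pos, ht_db[pool][i])
    assert len(process) < 256, "one-byte locations assumed"
    # Pointer payload: token count, locations, zero padding. Storing the count
    # means a genuine location of 0 cannot be mistaken for padding.
    payload = bytes([k]) + bytes(positions)
    payload += b"\x00" * (PKT_LEN - 2 - len(payload))
    return process + [DNP3_START + keystream_xor(key, frame_id, payload)]


def scan_frame(frame, pool, ht_db, key, frame_id) -> dict:
    """IDS secondary module (RTU): decrypt the pointer, recover the token
    locations, compare each token bit for bit with its copy in the HT
    Database, and alarm on any mismatch or on a pointer that does not
    decrypt cleanly (wrong key, or the pointer itself was tampered with)."""
    k = POOLS[pool][0]
    process, pointer = frame[:-1], frame[-1]
    if len(pointer) != PKT_LEN or not pointer.startswith(DNP3_START):
        return {"alert": True, "reason": "malformed pointer"}
    payload = keystream_xor(key, frame_id, pointer[2:])
    positions = list(payload[1:1 + payload[0]])
    if (payload[0] != k or any(payload[1 + k:])
            or any(p >= len(process) for p in positions)):
        return {"alert": True, "reason": "pointer does not decrypt cleanly"}
    tampered = [p for i, p in enumerate(positions)
                if not hmac.compare_digest(process[p], ht_db[pool][i])]
    real = [pkt for i, pkt in enumerate(process) if i not in positions]
    return {"alert": bool(tampered), "tampered_positions": tampered,
            "real_packets": real}


def inject_attack(frame, start, length, rng):
    """Attacker overwrites `length` consecutive packets of the process length
    with an injected command sequence (constructed). The attacker recomputes
    the DNP3 CRCs, so only an overwritten honeytoken reveals the change."""
    out = list(frame)
    for i in range(start, min(start + length, len(frame) - 1)):
        out[i] = synthetic_packet(rng)
    return out


if __name__ == "__main__":
    rng = random.Random(2017)
    ht_db = make_ht_database(rng)
    key = pool_key(b"master secret (constructed)", "A")
    real = [synthetic_packet(rng) for _ in range(20)]
    frame = build_frame(real, "A", ht_db, key, 1, rng)       # 24 + pointer
    print("clean frame alert:", scan_frame(frame, "A", ht_db, key, 1)["alert"])
    hit = scan_frame(inject_attack(frame, 0, 17, rng), "A", ht_db, key, 1)
    print("70% attack vector:", hit["alert"], hit.get("tampered_positions"))
```

Run directly to see a clean frame pass without alarm and a contiguous attack vector covering 70% of a Pool-A frame trip the check. An attack that only overwrites packets lying between honeytokens is not detected, which is the limitation discussed in Chapter 3.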


Chapter 3

Results and Discussions

3.1 DNP3 Synthetic Traffic Generator

Figure 3.1 shows the output of the DNP3 synthetic traffic generator, which is written in MATLAB and can generate millions of synthetic DNP3 packets. The first two bytes of every DNP3 packet are always 0x05 0x64 (the start bytes defined by the DNP3 standard) and are clearly highlighted. Figure 3.1 contains 34 DNP3 packets in total, of which 10 are honeytokens. It is almost impossible to distinguish a real packet from a honeytoken packet by inspection.

Figure 3.1: DNP3 synthetic traffic generator output


3.2 Alarm Analysis of Intrusion Detection System

We use a test network of 64 nodes, with 16 nodes in each pool. We make one assumption about the length of the attack vector. From a detailed study of Stuxnet and related attacks, the malicious attacks used to disrupt the operations of critical infrastructure networks consist of complex and lengthy code and command sequences. These attacks consist of hundreds and sometimes thousands of frames, but in our simulation we only require that the attack signature generated in MATLAB is longer than half of the frame. All results are average values. Secondly, we do not use False Positive (FP) and True Negative (TN) in our alarm analysis because of the nature of the DNP3 protocol itself. DNP3 is not a general-purpose protocol like SMTP, FTP or HTTP; it is intended for SCADA applications and was designed as a reliable protocol, not as a secure one. It uses a CRC (Cyclic Redundancy Check) for both header and payload, so it discards every packet corrupted by channel noise and bit errors and requests retransmission. A false positive in our IDS could only arise if a honey token were corrupted by channel noise and then failed to match the HT database at the RTU; this cannot happen, because such a corrupted frame is discarded by the DNP3 CRC check and retransmitted by the MTU before the honey tokens are scanned. Note that the CRC protects only against accidental corruption: an attacker who modifies a frame simply recomputes the CRC, which is why the honey token comparison, not the CRC, is what detects tampering. These SCADA networks run 24x7 over periods of years without their operations being affected by bit errors and channel noise, which is possible only because of the robust design that gives these critical infrastructure networks extreme reliability. Figure 3.2 shows the resulting system alarms. "True Positive" means an attack occurs and the system detects it; "False Negative" means an attack occurs but the system fails to detect it. The y-axis shows the alarm percentage and the x-axis shows the four pools [A-B-C-D]. Pool-A receives the most security because its systems possess high computational power; it therefore has a very small false negative percentage, and the results in Figure 3.2 show that false negative alarms average less than 2% for Pool-A.


Figure 3.2: IDS Performance (Alarm Analysis)

On the other hand, the least security is provided to Pool-D because these systems are constrained in computational power and other resources, so its false negative percentage is almost 12%. The graphical results in Figure 3.2, which are also tabulated in Table 3.1, show each pool with its True Positive (TP) and False Negative (FN) alarm percentages for an attack vector 70% of the frame length; all values are averages. The encryption scheme of each pool is also listed in Table 3.1.


Table 3.1: IDS Alarm Analysis for 70% attack vector

    Pool    HT/frame    Encryption    TP (%)    FN (%)
    A       4           AES-256       98        2
    B       3           AES-192       97        3
    C       2           AES-192       93        7
    D       1           AES-128       88        12

From Figure 3.2 and Table 3.1, Pool-A has 98% TP and 2% FN alarms using 4 HT/frame with AES-256; Pool-B has 97% TP and 3% FN alarms using 3 HT/frame with AES-192; Pool-C has 93% TP and 7% FN alarms using 2 HT/frame with AES-192; and Pool-D has 88% TP and 12% FN alarms using only one HT/frame with AES-128.
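The dependence of the false negative rate on the number of honey tokens and on the attack-vector length can be made explicit with a small model. The following Python is an added example, not the report's MATLAB simulation: it assumes uniform random token placement and a single contiguous overwritten region, so its percentages are not those of Table 3.1, but it shows the same ordering of the pools and why the analysis requires an attack vector longer than half the frame.

```python
"""Effect of attack-vector length on the honeytoken IDS: exact and simulated
false negative probability per pool. Added example for Section 3.2 and the
limitation noted in the conclusion; it is a simplified model (uniform random
token placement, one contiguous overwritten region) and not the report's
MATLAB simulation, so its numbers differ from Table 3.1."""
from fractions import Fraction
from math import comb
import random

POOL_TOKENS = {"A": 4, "B": 3, "C": 2, "D": 1}   # HT/frame from Table 3.1


def false_negative_prob(process_len: int, attack_len: int, tokens: int) -> Fraction:
    """Exact probability that an attack touching `attack_len` of the
    `process_len` packet positions misses all `tokens` honeytokens placed
    uniformly at random: every token must fall in the untouched positions."""
    if not 0 <= attack_len <= process_len or not 0 < tokens <= process_len:
        raise ValueError("bad parameters")
    return Fraction(comb(process_len - attack_len, tokens), comb(process_len, tokens))


def simulate_detection_rate(process_len, attack_len, tokens, trials, seed=0) -> float:
    """Monte Carlo check of the formula: random token positions versus a
    contiguous attack window with a random start; returns the detected fraction."""
    rng = random.Random(seed)
    detected = 0
    for _ in range(trials):
        positions = rng.sample(range(process_len), tokens)
        start = rng.randrange(process_len - attack_len + 1)
        if any(start <= p < start + attack_len for p in positions):
            detected += 1
    return detected / trials


def alarm_table(process_len: int, attack_fraction: float) -> dict:
    """TP and FN percentages per pool, in the layout of Table 3.1, for an
    attack vector covering the given fraction of the process length."""
    attack_len = round(process_len * attack_fraction)
    table = {}
    for pool, k in POOL_TOKENS.items():
        fn = false_negative_prob(process_len, attack_len, k)
        table[pool] = (float((1 - fn) * 100), float(fn * 100))
    return table


if __name__ == "__main__":
    for frac in (0.3, 0.5, 0.7):
        print(f"attack vector = {int(frac * 100)}% of frame")
        for pool, (tp, fn) in alarm_table(100, frac).items():
            print(f"  Pool-{pool}: TP {tp:5.1f}%  FN {fn:5.1f}%")
    print("simulated Pool-D, 70%:", simulate_detection_rate(100, 70, 1, 20000))
```

With one token per frame the miss probability is simply the untouched fraction of the frame, so a 50% attack vector is missed half the time; each additional token multiplies the miss probability by roughly that fraction again, which is the benefit Pool-A buys with its four tokens.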

Table 3.2: IDS Alarm Analysis Comparison Table


3.4 Network Penetration Testing

To test and verify the designed Intrusion Detection System (IDS) we use Network Penetration Testing (NPT). Alongside our IDS we place a conventional signature-based IDS, which contains signatures for some known attacks, to protect the 64-node critical infrastructure test network as shown in Figure 3.13.

Figure 3.13: Network Penetration Testing Scenario (64 Node Network)

Then, using MATLAB, we generate hexadecimal attack signatures for zero-day attacks and a few known attack signatures (hexadecimal signatures) that are already present in the database of the conventional IDS. Finally, we launch all these attacks on the test network. The known attacks are immediately stopped by the conventional IDS, but all zero-day attack signatures successfully penetrate the 64-node test network. Our IDS successfully detects these penetrated attacks. A snapshot of the IDS scanning process is shown in Figure 3.14, where cyber-attacks are detected by the IDS on nodes including 22 and 24.

Figure 3.14: Intrusion Detection System scanning process


Chapter 4

Introduction to Intrusion Prevention System (IPS)

Virtual honeypot technology is one of the most effective active prevention techniques among honeypot technologies. Using a real operating system together with virtualization, the honeypot lures attackers in a pre-arranged manner, analyzes and audits their attack behaviour, tracks the attack source, obtains evidence, and helps find effective countermeasures. Legal means can then be used to hold the attackers responsible, and technical and management tools can be employed to improve the protection of the real system. A honeypot system can detect attack behaviour and redirect such attacks to a strictly controlled environment to protect the production system. It collects intrusion information to observe and record the behaviour of the attacker and to examine the skill level, purpose, tools and intrusion methods of the attack, so that evidence can be obtained and legal action can be taken where appropriate.

4.1 Honeypot definition and development

A honeypot system is designed to attract attackers so that, after an intrusion, network administrators and security specialists can determine how the attacker succeeded, prevent subsequent attacks, and identify security gaps. In addition to identifying the tools used by attackers, honeypot data can also reveal the social networks of intruders by showing the relationships among them.

Figure 4.1 Honeypot principle diagram


A honeypot is a security resource whose value lies in being scanned, attacked and compromised. It has no other production function, so any network traffic flowing into or out of the honeypot is suspicious by definition and most likely indicates a scan, an attack or a compromise. The core value of the technology lies in monitoring, detecting and analyzing intrusive activities. The best-known honeypot tools are the Deception Tool Kit and Honeyd. Building on traditional honeypot and honeynet technologies, newer concepts such as active honeypots, honeyfarms, honeyapps and honeyclients have been proposed and have opened new research directions.

4.2 Existing types of honeypot

If we classify honeypots by the level of interaction they allow between the attacker and the operating system, honeypot systems can be divided into low-interaction, middle-interaction and high-interaction honeypot systems.

4.3 Low-interaction honeypot system

A low-interaction honeypot provides only specific emulated services. In their basic form these services are implemented by listening on a specific port. Low-interaction honeypot systems do not give intruders a real operating system to log into remotely, so the risk is low. However, this kind of honeypot is highly passive: the connection is essentially unidirectional, information flows from the outside to the machine with little or no response being sent back, so only limited information can be collected and the honeypot fails to capture the communication behind complicated protocols. Low-interaction honeypot systems have the following characteristics:

- Emulated services and operating system

- Captures only a small amount of information

- Easy to deploy, with minimal risk

4.4 Middle-interaction honeypot system

A middle-interaction honeypot system does not provide a real operating system, but gives intruders a more elaborate decoy. It imitates a specific service closely enough that intruders believe they are attacking the real operating system, which lets the system collect much more data. However, this also increases the risk of intrusion, so middle-interaction honeypot systems must ensure that no new security holes are introduced while imitating the services and their vulnerabilities. With this higher level of interaction, the honeypot can endure sophisticated attacks while recording and analyzing them. As the level of interaction increases, the honeypot should be deployed so that all emulated services are as safe as possible.

4.5 High-interaction honeypot system

Most high-interaction honeypot systems are placed in a controlled environment, such as behind a firewall. The firewall allows an attacker to attack the honeypot but not to launch new attacks from it. This structure is difficult to deploy and maintain because the attacker must not realize they are being monitored. Maintaining a high-interaction honeypot is time consuming: the firewall rules and the IDS signature database must be updated frequently to enable continuous monitoring. Any error in the system may allow an attacker to take control of the full operating system, attack other systems, or intercept messages in the application system [14]. However, a properly maintained high-interaction honeypot allows security specialists to obtain information about attackers that other types of honeypot cannot. The cost of deploying a high-interaction honeypot is very high because it requires continuous monitoring by a system administrator. An uncontrolled honeypot is worthless to any organization and may even pose a serious network security risk. A high-interaction honeypot system has the following characteristics:

- Provides a real operating system and services instead of emulated ones

- Captures rich information

- Complicated deployment and high security risk

4.6 Mixed-interaction honeypot system

This study aims to establish a mixed honeypot system that monitors several kinds of data. The honeypot principle is applied to the collected data to judge whether it is normal and to prevent attacks. The system keeps a daily record in both the application and the virtual system. Furthermore, it records the internal and external gateways of a virtual control server and a virtual gateway running on Debian. These data provide detailed tracking and attack-analysis capability: the data from the external gateway monitor the packets of the traffic attacking the virtual gateway, and the relevant attack data can be found in the backup data of the virtual gateway, which allows security specialists to identify the attack type. The mixed honeypot system discussed here is an application-level honeypot. An Apache web server is used for honeypot testing, Mozilla Firefox is used as the client that generates log records, and Apache is deployed both as the honeypot web server and as the production web server. When the Debian gateway detects abnormal traffic towards the honeypot Apache web server, the data are analyzed. If the traffic is suspicious but legitimate in practice, the data are passed on to the honeypot for handling. If the system is attacked and modified during operation, the traffic is cut off so that the data return to their source. The outer interface of the virtual gateway, 192.168.10.6, is connected to an external network. The gateway also has an internal interface that serves the DNS server for the web server and the decoy server. The DNS server is a resolver that resolves the whole domain and forwards any request to the external gateway for handling.

Figure 4.2 Mixed interactive honeypot system

Two interfaces of the decoy server are defined as 10.0.2.3 and 10.0.3.3, and 10.0.3.0 is the subnet of these interfaces. The second interface is connected to an application port on the gateway, which links the virtual web server, the database and the specific server port. If the application gateway detects a data request that needs a direct connection to a specific network, any application server, virtual web server or ordinary user will produce feedback data that resembles receiving a NAT attack. If the capacity of the virtual servers used in the large-scale network decreases, running the application on a small-scale network raises the cost. Virtualization lets the honeypot hosts run as virtual machines on existing hardware, which significantly reduces the construction cost of the network. The system we have constructed helps reduce false information and enhances network stability and security. It is designed as an application-level honeypot so that the monitoring mechanism can be re-established independently. In practice, monitoring every application would require customizing each application with a large quantity of custom code, so we mainly monitor attacks against Apache in a virtual environment.

4.7 System simulation

In a lab environment we use Honeyd. It creates virtual hosts that can be configured to provide any services, and it emulates the operating system's network behaviour so that each host looks like a real running system. In a local area network emulation, Honeyd lets a single physical host answer for a large number of IP addresses (as many as 65,536). Network topologies are part of the core configuration file:

    # Template for the hosts bound below; it is not shown in the report's
    # excerpt and is assumed here so that the bindings resolve.
    create windows
    set windows personality "Microsoft Windows XP Professional SP1"
    set windows default tcp action reset

    create router
    set router personality "Cisco 7206 running IOS 11.1(24)"
    set router default tcp action reset
    add router tcp port 23 "script/router-telnet.pl"
    bind 10.0.2.3 router
    bind 10.0.3.0 router
    bind 10.0.3.3 router
    bind 10.0.1.20 windows
    bind 192.168.10.5 windows
    bind 192.168.10.6 windows

The Honeyd log file records all connection information for the virtual hosts, including timestamp, protocol type, source address, destination address, port number, operating system type and other information. The log viewed with vi is shown in Figure 4.3.


Figure 4.3 Control system hardware structure diagram

In the above log, the attacking host 11.64. (shown in the red box) establishes connections with the honeypot virtual hosts, including TELNET, FTP and HTTP. By querying this information, evidence of the attacker's intrusion can be collected, and because these virtual hosts are created by the honeypot, the connections pose no threat to the real system.
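The evidence-gathering step described above can be automated over the Honeyd log. The following Python is an added example, not part of the report: it parses log lines in the Honeyd layout (timestamp, protocol with its number, a start/end/connectionless marker, source, source port, destination, destination port and trailing information such as the OS fingerprint), then summarizes which virtual hosts and services each source touched. The sample lines are constructed, the attacking address 172.16.11.64 is invented, the field order is assumed from the Honeyd layout rather than taken from Figure 4.3, and the scan threshold is an arbitrary choice.

```python
"""Parse Honeyd connection logs and summarize which virtual hosts each source
touched. Added example for Section 4.7; the log lines are constructed in the
Honeyd log layout and the field order is assumed from that layout, not taken
from the report's figure."""
import re

# Virtual hosts bound in the Honeyd configuration above.
HONEYPOT_HOSTS = {"10.0.2.3", "10.0.3.0", "10.0.3.3", "10.0.1.20",
                  "192.168.10.5", "192.168.10.6"}
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
            80: "http", 443: "https"}

# timestamp proto(num) S|E|- src [sport] dst [dport] <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\(\d+\) (?P<kind>[SE-]) (?P<src>\S+) "
    r"(?:(?P<sport>\d+) )?(?P<dst>[^ :]+)(?: (?P<dport>\d+))?(?P<rest>.*)$")

# Constructed sample log; 172.16.11.64 plays the attacking host.
SAMPLE_LOG = """\
2017-01-10-09:12:01.0420 tcp(6) S 172.16.11.64 40122 10.0.2.3 23 [Linux 2.6]
2017-01-10-09:12:07.1188 tcp(6) E 172.16.11.64 40122 10.0.2.3 23: 212 1460
2017-01-10-09:12:09.5003 tcp(6) S 172.16.11.64 40123 10.0.3.3 21 [Linux 2.6]
2017-01-10-09:12:11.0061 tcp(6) S 172.16.11.64 40124 192.168.10.6 80 [Linux 2.6]
2017-01-10-09:12:15.2277 udp(17) - 172.16.11.64 51000 10.0.1.20 161: 84
2017-01-10-09:13:40.0007 icmp(1) - 10.0.1.9 10.0.1.20: 8(0): 84
2017-01-10-09:15:02.3331 tcp(6) S 10.0.1.9 55010 192.168.10.5 445 [Windows XP SP1]
"""


def parse_honeyd_log(text: str) -> list:
    """Turn log lines into event dicts; lines in an unexpected layout are
    skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        osm = re.search(r"\[([^\]]+)\]", d["rest"] or "")
        events.append({"ts": d["ts"], "proto": d["proto"], "kind": d["kind"],
                       "src": d["src"], "dst": d["dst"],
                       "dport": int(d["dport"]) if d["dport"] else None,
                       "os": osm.group(1) if osm else None})
    return events


def service_name(proto: str, dport) -> str:
    """Map a destination port to a service label (ICMP has no port)."""
    if dport is None:
        return proto
    return SERVICES.get(dport, f"{dport}/{proto}")


def summarize(events: list, scan_threshold: int = 3) -> dict:
    """Per source: decoy hosts and services contacted, first/last time, OS
    guess, and a scan flag when at least `scan_threshold` decoys were touched.
    Only connection starts (S) and connectionless records (-) count; E lines
    close connections that were already recorded."""
    report = {}
    for ev in events:
        if ev["kind"] == "E" or ev["dst"] not in HONEYPOT_HOSTS:
            continue
        entry = report.setdefault(ev["src"], {
            "hosts": set(), "services": set(), "os": None,
            "first_seen": ev["ts"], "last_seen": ev["ts"]})
        entry["hosts"].add(ev["dst"])
        entry["services"].add(service_name(ev["proto"], ev["dport"]))
        entry["last_seen"] = ev["ts"]
        entry["os"] = entry["os"] or ev["os"]
    for entry in report.values():
        entry["scan"] = len(entry["hosts"]) >= scan_threshold
    return report


if __name__ == "__main__":
    for src, info in summarize(parse_honeyd_log(SAMPLE_LOG)).items():
        flag = "SCAN" if info["scan"] else "single"
        print(f"{src:15} {flag:7} hosts={sorted(info['hosts'])} "
              f"services={sorted(info['services'])} os={info['os']}")
```

Because the decoys serve no production purpose, every entry in this summary is evidence: the report's own argument in Section 4.1 is that any traffic to a honeypot is suspicious by definition, so the summary needs no baseline of "normal" traffic to be useful.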

Conclusion and Future Work

In this project we designed an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) based on the technique of Honey Token based Encrypted Pointers and on honeypot technology, aimed at sophisticated cyber threats that target industrial networks. Honeypot technology has matured after a leap in its development. It aims to lure attackers to a decoy system, thus delaying the attack and giving network security specialists a window of opportunity to prevent the threat. The technology lets system administrators learn the launch address, verify whether the security strategy is effective, and determine whether the defensive line is solid. Existing networks are not always safe: IDS, firewalls, encryption and other technologies each have certain weaknesses, and network security improves when they are combined with a honeypot system. We believe honeypot technology will play a crucial role in network security. The IDS is specifically designed for the security of critical infrastructure sensor networks. We analyzed the performance of the IDS model with respect to security and stability. The proposed IDS is capable of detecting SCADA-based cyber-attacks, and the use of encryption in the IDS makes it harder for an attacker to mount a successful attack on critical infrastructure networks. This type of IDS can also assist a conventional signature-based IDS in detecting new attacks.

Intrusion detection is still a long way from being mature, and there is huge room for improvement. Signature-based detection is reliable but completely misses zero-day attacks, while anomaly detection catches some zero-day attacks but produces a large number of false alarms, reducing the overall efficiency of the IDS. New methods and mechanisms for intrusion detection will be needed in the future. Protocol analysis, in which protocols are analyzed in depth and the results used for intrusion detection, has huge potential. Target-based detection, in which cryptographic hashes are used to detect unauthorized changes to files, is also very useful. Rule-based intrusion detection should also be combined with honeypot technologies to improve detection efficiency. One of the most important tools for enhancing intrusion detection is the honeypot, whose core value lies not in its use but in its abuse; if deployed intelligently, it detects intrusions far better than the other mechanisms. Intrusion Prevention Systems (IPS) are becoming more popular in the security industry because they not only detect an intrusion but also take preventive action and defend the network by stopping the intruder. Integrating honeytokens with other key technologies will therefore enhance existing IPS, and the use of advanced encryption methods gives more flexible options against intruders. The proposed IDS is a scalable solution and thus feasible for networks with a large number of nodes. Management becomes easier when system nodes are divided into pools, and it is easier to trap the attacker when the network is divided into segments. In this research we used honey tokens for intrusion detection and found them useful against cyber-attacks on critical infrastructure networks. Our work focuses on command injection attacks that disrupt the operations of critical infrastructure networks. The main limitation of the designed IDS is its dependence on the length of the attack vector: if the attack vector is too short to touch any honey token, the probability of detection is low. There is a large hidden potential in the use of honeypots, honeynets and honey tokens for intrusion detection, and much remains to be done by future researchers and engineers in the field.


References

[1] M. Cheminod, L. Durante, and A. Valenzano, "Review of Security Issues in Industrial Networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277-293, 2013.

[2] M. Merabti, M. Kennedy, and W. Hurst, "Critical infrastructure protection: A 21st century challenge," International Conference on Communications and Information Technology (ICCIT), pp. 1-6, 2011.

[3] J. McHugh, "Intrusion and intrusion detection," International Journal of Information Security, vol. 1, no. 1, pp. 14-35, 2001.

[4] B. Zhu, A. Joseph, and S. Sastry, "A taxonomy of cyber-attacks on SCADA systems," 4th International Conference on Cyber, Physical and Social Computing, pp. 380-388, 2011.

[5] J. P. Disso, K. Jones, and S. Bailey, "A Plausible Solution to SCADA Security Honeypot Systems," Eighth International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 443-448, 2013.

[6] P. Jain and A. Sardana, "A hybrid honeyfarm based technique for defense against worm attacks," World Congress on Information and Communication Technologies (WICT), pp. 1084-1089, 2011.

[7] I. Kuwatly, M. Sraj, Z. Al Masri, and H. Artail, "A dynamic honeypot design for intrusion detection," International Conference on Pervasive Services (ICPS), pp. 95-104, 2004.

[8] Y. Yang and M. Jia, "Design and implementation of distributed intrusion detection system based on honeypot," International Conference on Computer Engineering and Technology (ICCET), vol. 6, p. 260, 2010.

[9] R. Muraleedharan and L. A. Osadciw, "An intrusion detection framework for sensor networks using honeypot and Swarm Intelligence," 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking & Services, pp. 1-2, 2009.

[10] S. Li, Q. Zou, and W. Huang, "A New Type of Intrusion Prevention System," Guiyang University, Guiyang, China.