As Supervisory Control and Data Acquisition (SCADA) systems are deployed in infrastructures that are critical to the survival of a nation, they have emerged as a potential terrain for cyber-war, thus attracting the considered attention of 'nation-states'. The analysis of worms like 'Stuxnet', 'Flame' and 'Duqu' reveals the hand of a 'nation-state' in their design and deployment. Hence the necessity to understand the various issues in the defence of SCADA systems. The forensics of a SCADA system provide deep insight into the design and deployment of the worm (the malware) once the system has been attacked. This is precisely the scope of this essay.
Supervisory control and data acquisition (SCADA) systems are applications that collect data from a system in order to automate the monitoring and control of its activities. Several industrial fields, such as electric utilities, water supplies and building facilities, have already adopted SCADA systems to increase efficiency and reduce cost. However, the IT community is concerned about the level of security that any deployed SCADA system provides. This paper concentrates on the major security threats encountered in SCADA systems. In addition, it discusses a newly proposed methodology for increasing system security with minimal impact on efficiency. The proposed scheme provides several security services, namely mutual authentication, confidentiality, data integrity and accountability.
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS... - IJNSA Journal
In recent years, wireless ad hoc sensor networks have become popular in both civil and military applications. However, security is one of the significant challenges for sensor networks because of their deployment in open and unprotected environments. As cryptographic mechanisms are not enough to protect a sensor network from external attacks, an intrusion detection system needs to be introduced. Though intrusion prevention is one of the major and efficient methods against attacks, there may be attacks for which no prevention method is known. Besides protecting the system from known attacks, an intrusion detection system gathers the information needed about the attack technique and helps in the development of intrusion prevention systems. In addition to reviewing the attacks currently known against wireless sensor networks, this paper examines current efforts toward intrusion detection systems for wireless sensor networks. We propose a hierarchical architectural design based intrusion detection system that fits the current demands and restrictions of wireless ad hoc sensor networks. In the proposed intrusion detection system architecture we follow a clustering mechanism to build a four-level hierarchical network, which enhances network scalability to large geographical areas, and use both anomaly and misuse detection techniques for intrusion detection. We introduce a policy based detection mechanism as well as intrusion response, together with the GSM cell concept, for the intrusion detection architecture.
A Modular Approach To Intrusion Detection in Homogenous Wireless Network - IOSR Journals
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
TACTiCS_WP Security_Addressing Security in SDN Environment - Saikat Chaudhuri
This document discusses addressing security concerns in SDN environments. It proposes an approach using an application on the SDN controller to monitor alerts from an IDS, analyze network traffic samples, and automate blocking of malicious flows. The application would function similarly to a security operations center (SOC) by correlating security events and taking action. The implementation is demonstrated using the OpenDaylight controller and Mininet virtual network, with SNORT for intrusion detection and sFlow for traffic sampling.
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA - ijp2p
The objective of the proposed system is to integrate a high volume of data along with important considerations like monitoring a wide array of heterogeneous security. When a real-time cyber attack occurs, the Intrusion Detection System automatically stores the log in a distributed environment and checks the log against an existing intrusion dictionary. At the same time the system checks and categorizes the severity of the log as high, medium or low. After the categorization, the system automatically takes the necessary action against the user unit according to the severity of the log. The advantage of the system is that it utilizes anomaly detection, evaluates data and issues alert messages or reports based on abnormal behaviour.
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS... - IJNSA Journal
With the ever-increasing number and diverse types of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is a high demand to reduce the threat level in networks so that the data and services they offer are more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once an attack is detected, the system administrator is notified by mobile phone so that the server system can be safeguarded. We established experimentally that layered CRFs can thus be more effective in detecting intrusions when compared with other previously known techniques.
This document summarizes security schemes for wireless sensor networks, including TinySec, IEEE 802.15.4, and others. It discusses the challenges of WSNs like power constraints and limited resources. It also outlines common security threats to WSNs such as denial of service attacks, attacks on information in transit, Sybil attacks, black hole/sinkhole attacks, and hello flood attacks. The document evaluates the feasibility of applying basic security schemes like cryptography and steganography to WSNs given their unique constraints and requirements.
A NOVEL SECURITY PROTOCOL FOR WIRELESS SENSOR NETWORKS BASED ON ELLIPTIC CURV... - IJCNCJournal
With the growing usage of wireless sensors in a variety of applications including the Internet of Things, the security aspects of wireless sensor networks have been a priority for researchers. Due to the resource constraints of wireless sensor networks, it has always been a challenge to design efficient security protocols for them. A novel elliptic curve signcryption based security protocol for wireless sensor networks is presented in this paper, which provides anonymity, confidentiality, mutual authentication, forward security, secure key establishment and key privacy, while at the same time providing resistance to replay attack, impersonation attack, insider attack, offline dictionary attack and stolen-verifier attack. Results have revealed that the proposed elliptic curve signcryption based protocol consumes the least time in comparison to other protocols while providing the highest level of security.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... - IJNSA Journal
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI... - IJNSA Journal
Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Along with the widespread evolution of new emerging services, the quantity and impact of attacks have continuously increased: attackers continuously find vulnerabilities at various levels, from the network itself to the operating system and applications, and exploit them to compromise systems and services. Network defence and network monitoring have become essential components of computer security for predicting and preventing attacks. Unlike a traditional Intrusion Detection System (IDS), an Intrusion Detection and Prevention System (IDPS) has additional features to secure computer networks.
In this paper, we present a detailed study of how the deployment of an IDPS plays a key role in its performance and its ability to detect and prevent known as well as unknown attacks. We categorize IDPS based on deployment as Network-based, Host-based, Perimeter-based and Hybrid. A detailed comparison is shown in this paper, and finally we justify our proposed solution, which deploys agents at host level to give better performance in terms of a reduced rate of false positives and accurate detection and prevention.
Survey on Host and Network Based Intrusion Detection System - Eswar Publications
With the invention of new technologies and devices, intrusion has become an area of concern because of security issues in the ever-growing area of cyber-attack. An intrusion detection system (IDS) is defined as a device or software application which monitors system or network activities for malicious activities or policy violations and produces reports to a management station [1]. In this paper we mainly focus on different IDS concepts based on host and network systems.
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR... - IJCNCJournal
After tightening up the network perimeter to deal with external threats, organizations have woken up to the threats from inside Local Area Networks (LAN) over the past several years. It is thus important to design and implement LAN security strategies in order to secure assets on the LAN by filtering traffic and thereby protecting them from malicious access and insider attacks. The Banking, Financial Services and Insurance (BFSI) industry is one such segment that faces increased risks and security challenges. The typical architecture of this segment includes several thousand users connecting from various branches over Wide Area Network (WAN) links that cross national and international boundaries, with varying network speed, to access data center resources. The objective of this work is to deploy a LAN security solution to protect the data center located at headquarters from the end-user machines. A LAN security solution should ideally provide Network Access Control (NAC) along with cleaning (securing) the traffic going through it. Traffic cleaning itself includes various features like firewall, intrusion detection/prevention, traffic anomaly detection, validation of asset ownership etc. LANenforcer (LE) is a device deployed in front of the data center such that the traffic from end-user machines necessarily passes through it, so that it can enforce security. The goal of this system is to enhance the security features of a LANenforcer security system with an Intrusion Prevention System (IPS) to enable it to detect and prevent malicious network activities. The IPS is plugged into the packet path, based on the configuration, in such a way that the entire traffic passes through the IPS on the LE.
A technical review and comparative analysis of machine learning techniques fo... - IJECEIAES
Machine learning techniques are being widely used to develop intrusion detection systems (IDS) for detecting and classifying cyber attacks at the network level and the host level in a timely and automatic manner. However, traditional Intrusion Detection Systems (IDS), based on traditional machine learning methods, lack reliability and accuracy. Instead of the traditional machine learning used in previous research, we think deep learning has the potential to perform better at extracting features from massive data, considering the massive cyber traffic in real life. Generally, Mobile Ad Hoc Networks (MANETs) provide low physical security for mobile devices because of properties such as node mobility, lack of centralized management and limited bandwidth. To tackle these security issues, traditional cryptography schemes cannot completely safeguard MANETs against novel threats and vulnerabilities; by applying deep learning methods, an IDS is capable of adapting to the dynamic environment of a MANET, enabling the system to make decisions on intrusions while continuing to learn about its mobile environment. An IDS in a MANET is a sensing mechanism that monitors nodes and network activities in order to detect malicious actions and malicious attempts performed by intruders. Recently, multiple deep learning approaches have been proposed to enhance the performance of intrusion detection systems. In this paper, we make a systematic comparison of three models, the Inception architecture convolutional neural network (Inception-CNN), bidirectional long short-term memory (BLSTM) and deep belief network (DBN), for deep learning-based intrusion detection systems, using the NSL-KDD dataset containing information about intrusions and regular network connections; the goal is to provide basic guidance on the choice of deep learning models in MANETs.
In recent years, wireless sensor networks (WSN) have been used in several application areas such as monitoring, tracking and control in the IoT. For several applications of WSN, security is a crucial requirement. However, security solutions in WSN differ from those of traditional networks because of resource limitations and processing constraints. This paper analyzes the security solutions TinySec, IEEE 802.15.4, SPINS, MiniSEC, LSec, LLSP, LISA and LISP in WSN. This paper additionally presents characteristics, security requirements, attacks, cryptography algorithms and modes of operation. This paper is considered to be helpful for security designers in WSNs.
Moving From Contactless to Wireless Technologies in Secure, Over-the-Air Tran... - Underwriters Laboratories
This UL white paper discusses some of the many issues and challenges that must be addressed in the future deployment of wireless technology for the processing of secure transactions. It begins with a discussion of the strengths and limitations of both contactless and wireless technologies. The white paper then reviews and assesses internal system risks, as well as external security concerns, for both technologies. The paper concludes with some thoughts on the future use of wireless technology in secure transactions, and how manufacturers can provide assurances to both system providers and users regarding the security of their private data.
This document summarizes a research paper that classifies different types of networks and discusses their associated security issues. It categorizes networks based on size (LAN, MAN, WAN), design (peer-to-peer, client-server, standalone), layering (layered, non-layered), and provides examples such as Ethernet, Wi-Fi, VPNs. It also discusses common security threats for different network types like viruses, denial of service attacks, and evaluates security measures including encryption, firewalls, access control. The paper aims to provide a comprehensive classification of networks and analyze how security needs vary depending on the network and software development stages.
Analytical survey of active intrusion detection techniques in mobile ad hoc n... - eSAT Publishing House
IJRET: International Journal of Research in Engineering and Technology is an international peer-reviewed online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together scientists, academicians, field engineers, scholars and students of related fields of Engineering and Technology.
A Collaborative Intrusion Detection System for Cloud Computing - ijsrd.com
Cloud computing is a computing paradigm that shifts drastically from the traditional computing architecture. Although this new computing paradigm brings many advantages, like the utility computing model, the design is not flawless and hence suffers not only from many known computer vulnerabilities but also introduces unique information confidentiality, integrity and availability risks due to its inherent design paradigm. Providing secure and reliable services in a cloud computing environment is an important issue. To counter a variety of attacks, especially large-scale coordinated attacks, a framework of Collaborative Intrusion Detection System (IDS) is proposed. The proposed system could reduce the impact of these kinds of attacks by providing timely notifications about new intrusions to Cloud users' systems. To provide such ability, IDSs in the cloud computing regions both correlate alerts from multiple elementary detectors and exchange knowledge of interconnected Clouds with each other.
Novel Advances in Measuring and Preventing Software Security Weakness: Contin... - theijes
Software weaknesses in design, architecture, code and deployment have led to software vulnerabilities exploited by perpetrators. Although countermeasure tools have been developed, such as patch management systems, firewalls and antivirus, perpetrators have advanced sophisticated tools such as malware with crypto-lock and crypto-wall technologies. The current countermeasure technologies are based on the detect-and-respond model or a risk management framework, which are no match for the attacker's technologies based on speed (such as machine-generated malware) and precision or stealth (such as command-and-control node malware). Although much ink has been poured on advances in measuring and preventing software weakness under the detect-and-respond concept, this study is motivated to explore the state-of-the-art advances specifically on the novel concept of Continuous Trust Restoration (CTR). Continuous Trust Restoration is a process of breaking down the attacker's kill chain of activities and restoring the system's trust. The CTR concept deploys speed, precision and stealth technologies on random route mutation, random host mutation, hypervisors, trust boot, software identities and software defined infrastructure. Moreover, to deploy these technologies the study further explores a common security architectural framework with software metrics such as CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration), CVSS (Common Vulnerability Scoring System), CWSS (Common Weakness Scoring System) and CAPEC (Common Attack Pattern Enumeration and Classification). Finally, the study recommends a paradigm shift in software security countermeasure research from the current detect-and-respond models to the Continuous Trust Restoration concept, and from risk management frameworks to a Common Security Architectural Framework.
Cyber-Defensive Architecture for Networked Industrial Control Systems - IJEACS
This paper deals with the inevitable consequence of the convenience and efficiency we gain from the open, networked control system operation of safety-critical applications: the vulnerability of such systems to cyber-attacks. Even with numerous metrics and methods for intrusion detection and mitigation strategies, complete detection and deterrence of internal code flaws and outside cyber-attacks has not been found and will not be found anytime soon. Considering the persistent incompleteness of detection and prevention, and the impact and consequences of malfunctions of safety-critical operations caused by cyber incidents, this paper proposes a new computer control system architecture which assures resiliency even under compromised situations. The proposed architecture is centered on diversification of hardware systems and unidirectional communication from the proposed system when alerting upper layers to suspicious activities. This paper details the architectural structure of the proposed cyber-defensive computer control system architecture for power substation applications and its validation in lab experimentation and on a cybersecurity testbed.
This document provides an overview of cyber security challenges for industrial control systems (ICS) and introduces Darktrace's Industrial Immune System as an innovative solution. The key points are:
1) ICS networks face growing threats as they increasingly connect to corporate IT networks and the internet, but existing defenses like firewalls are inadequate. Attacks have caused damage at facilities like power plants and a German steel mill.
2) Darktrace's system implements a real-time "immune system" that analyzes network behavior to establish a baseline and detect anomalies, allowing threats to be identified early before they cause disruption.
3) Unlike rule-based systems, Darktrace adapts over time and can detect "unknown unknown"
The document provides an overview and comparison of several IoT security frameworks: Infoblox, Fortinet, Digicert, Inside Secure, and ARM PSA. Infoblox uses DNS, DHCP, and IPAM to discover and monitor connected devices. Fortinet uses a fabric-based approach to learn about, segment, and protect IoT devices. Digicert advocates for using PKI to ensure data confidentiality, integrity, and availability. Inside Secure divides security into authentication, secure communication, secure execution, and secure storage. ARM PSA provides specifications for secure hardware, firmware, and software in resource-constrained IoT devices.
Report: Study and Implementation of Advance Intrusion Detection and Preventio... - Deepak Mishra
This document discusses building an intrusion detection system that combines network-based and log-based detection. It proposes using the Security Onion distribution and its included tools like Snort, Sguil, Squert and OSSEC. It describes configuring Security Onion sensors to monitor network traffic and logs, storing alerts in databases, and using the management consoles to analyze alerts. The goal is to create a comprehensive security monitoring platform through centralized log management and correlation of network and host-based events.
Co-operative Wireless Intrusion Detection System Using MIBs From SNMP - IJNSA Journal
In the emerging technology of the Internet, security issues are becoming more challenging. In the case of a wired LAN they are somewhat under control, but in the case of wireless networks the exponential growth in attacks has made it difficult to detect such security loopholes. Wireless network security is being addressed using firewalls, encryption techniques and wired IDS (Intrusion Detection System) methods. But the approaches used in wired networks were not successful in producing effective results for wireless networks. This is because of features of wireless networks such as the open medium, dynamically changing topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense. So there is a need for a new approach which will efficiently detect intrusions in wireless networks. Efficiency can be achieved by implementing a distributed, co-operative, multi-agent IDS. The proposed system supports all three of these features. It includes mobile agents for intrusion detection which use SNMP (Simple Network Management Protocol) and MIB (Management Information Base) variables for mobile wireless networks.
In this research work an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) will be implemented to detect and prevent cyber-attacks against critical network infrastructure. To strengthen network security and improve the network's active defense intrusion detection capabilities, this project consists of an intrusion detection system using honey token based encrypted pointers and an intrusion prevention system based on a mixed interactive honeypot. The Intrusion Detection System (IDS) is based on the novel approach of Honey Token based Encrypted Pointers. The honey token inside the frame serves as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four different pools. This division is based on their computational power and level of vulnerability. These pools are provided with different levels of security measures within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool, e.g. Pool-A contains 4 HT/frame, Pool-B contains 3 HT/frame, Pool-C contains 2 HT/frame and Pool-D contains 1 HT/frame. Moreover, every pool uses a different encryption scheme (AES-128, 192, 256). Our critical infrastructure network of 64 nodes is under the umbrella of unified security provided by this single Network Intrusion Detection System (NIDS). After the design phase of the IDS, we analyze its performance in terms of True Positives (TP) and False Negatives (FN). Finally, we test the IDS through a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. Our proposed IDS is a scalable solution and can be implemented for any number of nodes in a critical infrastructure network. For the Intrusion Prevention System (IPS), however, we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies.
By using the original operating system and virtual technology, the honeypot lures attackers in a pre-arranged manner, analyzes and audits various attacking behavior, tracks the attack source, obtains evidence, and finds effective solutions.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL - ijaia
As digital technology becomes more deeply embedded in power systems, protecting the communication networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3) represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities. Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network (CNN) and the Long Short-Term Memory (LSTM) algorithms. We employed a recent intrusion detection dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to train and test our model. The results of our experiments show that our CNN-LSTM method is much better at finding smart grid intrusions than other deep learning algorithms used for classification. In addition, our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection accuracy rate of 99.50%.
This document summarizes security schemes for wireless sensor networks, including TinySec, IEEE 802.15.4, and others. It discusses the challenges of WSNs like power constraints and limited resources. It also outlines common security threats to WSNs such as denial of service attacks, attacks on information in transit, Sybil attacks, black hole/sinkhole attacks, and hello flood attacks. The document evaluates the feasibility of applying basic security schemes like cryptography and steganography to WSNs given their unique constraints and requirements.
A NOVEL SECURITY PROTOCOL FOR WIRELESS SENSOR NETWORKS BASED ON ELLIPTIC CURV... - IJCNCJournal
With the growing usage of wireless sensors in a variety of applications including the Internet of Things, the security aspects of wireless sensor networks have been a priority for researchers. Due to the resource constraints of wireless sensor networks, it has always been a challenge to design efficient security protocols for them. A novel elliptic curve signcryption based security protocol for wireless sensor networks is presented in this paper, which provides anonymity, confidentiality, mutual authentication, forward security, secure key establishment, and key privacy, while at the same time providing resistance to replay attacks, impersonation attacks, insider attacks, offline dictionary attacks, and stolen-verifier attacks. Results have revealed that the proposed elliptic curve signcryption based protocol consumes the least time in comparison to other protocols while providing the highest level of security.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... - IJNSA Journal
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI... - IJNSA Journal
Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Along with the widespread evolution of new emerging services, the quantity and impact of attacks have continuously increased: attackers continuously find vulnerabilities at various levels, from the network itself to the operating system and applications, and exploit them to compromise systems and services. Network defence and network monitoring have become essential components of computer security to predict and prevent attacks. Unlike a traditional Intrusion Detection System (IDS), an Intrusion Detection and Prevention System (IDPS) has additional features to secure computer networks.
In this paper, we present a detailed study of how the deployment of an IDPS plays a key role in its performance and in its ability to detect and prevent known as well as unknown attacks. We categorize IDPS based on deployment as Network-based, Host-based, Perimeter-based and Hybrid. A detailed comparison is shown in this paper, and finally we justify our proposed solution, which deploys agents at host level to give better performance in terms of a reduced rate of false positives and accurate detection and prevention.
Survey on Host and Network Based Intrusion Detection System - Eswar Publications
With the invention of new technologies and devices, intrusion has become an area of concern because of security issues in the ever-growing area of cyber-attack. An intrusion detection system (IDS) is defined as a device or software application which monitors system or network activities for malicious activities or policy violations. It produces reports to a management station [1]. In this paper we mainly focus on different IDS concepts based on host and network systems.
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR... - IJCNCJournal
After tightening up the network perimeter to deal with external threats, organizations have woken up to the threats from inside Local Area Networks (LAN) over the past several years. It is thus important to design and implement LAN security strategies in order to secure assets on the LAN by filtering traffic and thereby protecting them from malicious access and insider attacks. The Banking, Financial Services and Insurance (BFSI) industry is one such segment that faces increased risks and security challenges. The typical architecture of this segment includes several thousand users connecting from various branches over Wide Area Network (WAN) links crossing national and international boundaries, with varying network speed, to access data center resources. The objective of this work is to deploy a LAN security solution to protect the data center located at headquarters from the end user machines. A LAN security solution should ideally provide Network Access Control (NAC) along with cleaning (securing) the traffic going through it. Traffic cleaning itself includes various features like firewall, intrusion detection/prevention, traffic anomaly detection, validation of asset ownership etc. LANenforcer (LE) is a device deployed in front of the data center such that the traffic from end-user machines necessarily passes through it so that it can enforce security. The goal of this system is to enhance the security features of a LANenforcer security system with an Intrusion Prevention System (IPS) to enable it to detect and prevent malicious network activities. The IPS is plugged into the packet path based on the configuration in such a way that the entire traffic passes through the IPS on the LE.
A technical review and comparative analysis of machine learning techniques fo... - IJECEIAES
Machine learning techniques are being widely used to develop intrusion detection systems (IDS) for detecting and classifying cyber attacks at the network level and the host level in a timely and automatic manner. However, traditional Intrusion Detection Systems (IDS), based on traditional machine learning methods, lack reliability and accuracy. Instead of the traditional machine learning used in previous research, we think deep learning has the potential to perform better in extracting features from massive data, considering the massive cyber traffic in real life. Generally, Mobile Ad Hoc Networks (MANETs) offer low physical security for mobile devices, because of properties such as node mobility, lack of centralized management and limited bandwidth. Traditional cryptography schemes cannot completely safeguard MANETs against novel threats and vulnerabilities, whereas deep learning techniques applied in an IDS are capable of adapting to the dynamic environment of MANETs and enable the system to make decisions on intrusion while continuing to learn about its mobile environment. An IDS in a MANET is a sensing mechanism that monitors nodes and network activities in order to detect malicious actions and malicious attempts performed by intruders. Recently, multiple deep learning approaches have been proposed to enhance the performance of intrusion detection systems. In this paper, we make a systematic comparison of three models, the Inception architecture convolutional neural network (Inception-CNN), Bidirectional long short-term memory (BLSTM) and the deep belief network (DBN), for deep learning-based intrusion detection systems, using the NSL-KDD dataset containing information about intrusion and regular network connections; the goal is to provide basic guidance on the choice of deep learning models in MANETs.
In recent years, wireless sensor networks (WSN) have been used in several application areas such as monitoring, tracking, and control in the IoT. For many applications of WSNs, security is a crucial requirement. However, security solutions in WSNs differ from those of traditional networks because of resource limitations and processing constraints. This paper analyzes the security solutions TinySec, IEEE 802.15.4, SPINS, MiniSEC, LSec, LLSP, LISA, and LISP in WSNs. It additionally presents characteristics, security requirements, attacks, cryptographic algorithms, and operation modes. The paper is intended to be helpful for security designers in WSNs.
Moving From Contactless to Wireless Technologies in Secure, Over-the-Air Tran... - Underwriters Laboratories
This UL white paper discusses some of the many issues and challenges that must be addressed in the future deployment of wireless technology for the processing of secure transactions. It begins with a discussion of the strengths and limitations of both contactless and wireless technologies. The white paper then reviews and assesses internal system risks, as well as external security concerns, for both technologies. The paper concludes with some thoughts on the future use of wireless technology in secure transactions, and how manufacturers can provide assurances to both system providers and users regarding the security of their private data.
This document summarizes a research paper that classifies different types of networks and discusses their associated security issues. It categorizes networks based on size (LAN, MAN, WAN), design (peer-to-peer, client-server, standalone), layering (layered, non-layered), and provides examples such as Ethernet, Wi-Fi, VPNs. It also discusses common security threats for different network types like viruses, denial of service attacks, and evaluates security measures including encryption, firewalls, access control. The paper aims to provide a comprehensive classification of networks and analyze how security needs vary depending on the network and software development stages.
Analytical survey of active intrusion detection techniques in mobile ad hoc n... - eSAT Publishing House
IJRET: International Journal of Research in Engineering and Technology is an international peer-reviewed online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together scientists, academicians, field engineers, scholars and students of related fields of Engineering and Technology.
A Collaborative Intrusion Detection System for Cloud Computing - ijsrd.com
Cloud computing is a computing paradigm that shifts drastically from traditional computing architecture. Although this new computing paradigm brings many advantages, such as the utility computing model, its design is not flawless; hence it suffers not only from many known computer vulnerabilities but also introduces unique information confidentiality, integrity and availability risks due to its inherent design paradigm. Providing secure and reliable services in a cloud computing environment is an important issue. To counter a variety of attacks, especially large-scale coordinated attacks, a framework for a Collaborative Intrusion Detection System (IDS) is proposed. The proposed system could reduce the impact of these kinds of attacks by providing timely notifications about new intrusions to Cloud users' systems. To provide such ability, IDSs in the cloud computing regions both correlate alerts from multiple elementary detectors and exchange knowledge of interconnected Clouds with each other.
Novel Advances in Measuring and Preventing Software Security Weakness: Contin... - theijes
Software weaknesses in design, architecture, code and deployment have led to software vulnerabilities exploited by perpetrators. Although countermeasure tools such as patch management systems, firewalls and antivirus have been developed, perpetrators have advanced, sophisticated tools such as malware with crypto-lock and crypto-wall technologies. The current countermeasure technologies are based on the detect-and-respond model or the risk management framework, which are no match for the attacker's technologies based on speed (such as machine-generated malware) and on precision or stealth (such as command-and-control node malware). Although much ink has been poured on advances in measuring and preventing software weakness under the detect-and-respond concept, this study is motivated to explore the state-of-the-art advances specifically in the novel concept of Continuous Trust Restoration (CTR). Continuous Trust Restoration is a process of breaking down the attacker's activity kill chain and restoring the system's trust. The CTR concept deploys speed, precision and stealth technologies on random route mutation, random host mutation, hypervisors, trust boot, software identities and software-defined infrastructure. Moreover, to deploy these technologies the study further explores a common security architectural framework with software metrics such as CVE (Common Vulnerability and Exposure), CWE (Common Weakness Enumeration), CVSS (Common Vulnerability Scoring System), CWSS (Common Weakness Scoring System), and CAPEC (Common Attack Pattern Enumeration and Classification). Finally, the study recommends a paradigm shift in software security countermeasure research from the current detect-and-respond models to the Continuous Trust Restoration concept, and from risk management frameworks to a Common Security Architectural Framework.
Cyber-Defensive Architecture for Networked Industrial Control Systems - IJEACS
This paper deals with the inevitable consequence of the convenience and efficiency we gain from open, networked control system operation of safety-critical applications: the vulnerability of such systems to cyber-attacks. Even with numerous metrics and methods for intrusion detection and mitigation strategies, complete detection and deterrence of internal code flaws and outside cyber-attacks has not been found and will not be found anytime soon. Considering the persistent incompleteness of detection and prevention, and the impact and consequences of malfunctions of safety-critical operations caused by cyber incidents, this paper proposes a new computer control system architecture which assures resiliency even under compromised situations. The proposed architecture is centered on diversification of hardware systems and unidirectional communication from the proposed system when alerting upper layers to suspicious activities. This paper details the architectural structure of the proposed cyber-defensive computer control system architecture for power substation applications and its validation in lab experimentation and on a cybersecurity testbed.
This document provides an overview of cyber security challenges for industrial control systems (ICS) and introduces Darktrace's Industrial Immune System as an innovative solution. The key points are:
1) ICS networks face growing threats as they increasingly connect to corporate IT networks and the internet, but existing defenses like firewalls are inadequate. Attacks have caused damage at facilities like power plants and a German steel mill.
2) Darktrace's system implements a real-time "immune system" that analyzes network behavior to establish a baseline and detect anomalies, allowing threats to be identified early before they cause disruption.
3) Unlike rule-based systems, Darktrace adapts over time and can detect "unknown unknown"
Network forensics is a scientifically proven technique to collect, perceive, identify, examine, correlate, analyse and document digital evidence from multiple systems for the purpose of uncovering the facts of attacks and other problem incidents, as well as performing the actions needed to recover from the attack. Many systems have been proposed for designing network forensic systems. In this paper we present a comparative analysis of various models based on different techniques.
Three level intrusion detection system based on conditional generative advers... - IJECEIAES
Security threat protection is important in internet of things (IoT) applications since both the connected device and the captured data can be hacked or hijacked, or both at the same time. To tackle the above-mentioned problem, we propose a three-level intrusion detection system conditional generative adversarial network (3LIDS-CGAN) model which includes four phases: first-level intrusion detection system (IDS), second-level IDS, third-level IDS, and attack type classification. In the first-level IDS, features of the incoming packets are extracted by the firewall. Based on the extracted features the packets are classified into three classes, normal, malicious, and suspicious, using a support vector machine and golden eagle optimization. Suspicious packets are forwarded to the second-level IDS, which classifies the suspicious packets as normal or malicious. Here, signature-based intrusions are detected using attack history information, and anomaly-based intrusions are detected using event-based semantic mapping. In the third-level IDS, adversary packets are detected using a CGAN which automatically learns the adversarial environment and detects adversary packets accurately. Finally, proximal policy optimization is proposed to detect the attack type. Experiments are conducted using the NS-3.26 network simulator and performance is evaluated by various performance metrics; the results show that the proposed 3LIDS-CGAN model outperforms other existing works.
CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS - George Wainblat
SUMMARY - Current power grids are increasingly evolving into smart networked grids and are more accessible from the public internet, which poses new cyber threats to the grid. More computer-based systems are being introduced into power networks in order to monitor and control the network. Future smart grid and micro grid systems will be based on data flows for communication of system status, usage and control throughout the network infrastructure, in addition to the power flow. This creates new security threats to the power grid. Instead of relying mainly on power plants for power generation, there will be a combination of multiple generation sources and, at the same time, wider use of electrical computer-based equipment by consumers. Both increase the amount of data flowing in the network and introduce additional vulnerable spots. The vulnerability of the power grid to cyber-attacks increases even more because of the wide use of SCADA networks. SCADA networks are more accessible from the internet and lack authentication and authorization mechanisms, and therefore expose the grid to threats such as DDoS, data interception, data alteration and additional hacking threats.
The transition from the present to the future model has already begun and is growing rapidly, while it already poses new security challenges which must be addressed immediately. It is essential to introduce immediately a single comprehensive security solution which provides fast detection and prevention tools to cope with a variety of threats of different natures and from multiple sources. The solution should not be tightly coupled with each device in the network, so that it does not require upgrading the devices inside the grid.
The cyber defense solution should be versatile, using a variety of cyber technologies such as firewalls, anomaly detection, big data analytics, machine learning and more in a network-wide combination.
This document summarizes an article that proposes integrating conditional random fields (CRFs) and a layered approach to improve intrusion detection systems. CRFs can effectively model relationships between different features to increase attack detection accuracy. A layered approach reduces computation time by eliminating communication overhead between layers and using a small set of features in each layer. The proposed system aims to achieve both high attack detection accuracy using CRFs and high efficiency using the layered approach. It presents integrating these two methods for intrusion detection to address issues with limited coverage, high false alarms, and inefficiency in existing systems.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORTIJMIT JOURNAL
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsCSCJournals
Intrusion detection is an important technology in business sector as well as an active area of research. It is an important tool for information security. A Network Intrusion Detection System is used to monitor networks for attacks or intrusions and report these intrusions to the administrator in order to take evasive action. Today computers are part of networked; distributed systems that may span multiple buildings sometimes located thousands of miles apart. The network of such a system is a pathway for communication between the computers in the distributed system. The network is also a pathway for intrusion. This system is designed to detect and combat some common attacks on network systems. It follows the signature based IDs methodology for ascertaining attacks. A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. It has been implemented in VC++. In this system the attack log displays the list of attacks to the administrator for evasive action. This system works as an alert device in the event of attacks directed towards an entire network.
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Optimized Intrusion Detection System using Deep Learning Algorithmijtsrd
A method and a system for the detection of an intrusion in a computer network compare the network traffic of the computer network at multiple different points in the network. In an uncompromised network the network traffic monitored at these two different points in the network should be identical. A network intrusion detection system is mostly place at strategic points in a network, so that it can monitor the traffic traveling to or from different devices on that network. The existing Software Defined Network SDN proposes the separation of forward and control planes by introducing a new independent plane called network controller. Machine learning is an artificial intelligence approach that focuses on acquiring knowledge from raw data and, based at least in part on the identified flow, selectively causing the packet, or a packet descriptor associated with the packet. The performance is evaluated using the network analysis metrics such as key generation delay, key sharing delay and the hash code generation time for both SDN and the proposed machine learning SDN. Prof P. Damodharan | K. Veena | Dr N. Suguna "Optimized Intrusion Detection System using Deep Learning Algorithm" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-2 , February 2019, URL: https://www.ijtsrd.com/papers/ijtsrd21447.pdf
Paper URL: https://www.ijtsrd.com/engineering/other/21447/optimized-intrusion-detection-system-using-deep-learning-algorithm/prof-p-damodharan
A Review Of Intrusion Detection System In Computer NetworkAudrey Britton
This document provides an overview of intrusion detection systems (IDS) and the techniques used to implement them. It discusses that IDS are used to detect malicious actions on computer networks and protect important files and documents. The document then summarizes that IDS have four main components - sensors to monitor the system, a database to store event information, an analysis module to detect potential threats, and a response module to address detected threats. It also categorizes IDS based on the data source, detection approach, structure, and how intrusions are detected. Finally, the document outlines various techniques used in IDS, including artificial intelligence methods like neural networks, fuzzy logic, genetic algorithms and machine learning approaches.
1) The document discusses security issues in cloud computing, with a focus on vulnerabilities in the virtualization layer.
2) It proposes a secure model (SVM) using intrusion detection systems to monitor virtual machines and detect attacks. This would help virtual machines resist attacks more efficiently in cloud environments.
3) Some key virtualization vulnerabilities discussed include attacks on hypervisors, compromised isolation between virtual machines, and packet sniffing/spoofing in virtual networks. The proposed SVM model aims to address these issues and secure the virtualization layer in cloud infrastructure.
- Wireless sensor networks are vulnerable to security attacks due to their distributed nature, multi-hop communication, and lack of resources. Intrusion detection systems play an important role in detecting attacks.
- There are three main types of intrusion detection systems: signature-based, anomaly-based, and specification-based (a hybrid of the two). Signature-based systems detect known attacks but miss new ones, while anomaly-based systems can detect new attacks but have high false positives.
- The paper compares these intrusion detection systems for wireless sensor networks and finds that anomaly-based systems have the lowest resource usage but may miss known attacks, while signature-based systems detect known attacks but use more resources. The best approach
Include at least 250 words in your posting and at least 250 words inmaribethy2y
Include at least 250 words in your posting and at least 250 words in your reply. Indicate at least one source or reference in your original post. Please see syllabus for details on submission requirements.
Module 1 Discussion Question
Search "scholar.google.com" for a company, school, or person that has been the target of a network
or system intrusion? What information was targeted? Was the attack successful? If so, what changes
were made to ensure that this vulnerability was controlled? If not, what mechanisms were in-place to protect against the intrusion.
Reply-1(Shravan)
Introduction:
Interruption location frameworks (IDSs) are programming or equipment frameworks that robotize the way toward observing the occasions happening in a PC framework or system, examining them for indications of security issues. As system assaults have expanded in number and seriousness in the course of recent years, interruption recognition frameworks have turned into an essential expansion to the security foundation of generally associations. This direction archive is planned as a preliminary in interruption recognition, created for the individuals who need to comprehend what security objectives interruption location components serve, how to choose and design interruption discovery frameworks for their particular framework and system situations, how to deal with the yield of interruption identification frameworks, and how to incorporate interruption recognition capacities with whatever remains of the authoritative security foundation. References to other data sources are likewise accommodated the peruse who requires particular or more point by point guidance on particular interruption identification issues.
In the most recent years there has been an expanding enthusiasm for the security of process control and SCADA frameworks. Moreover, ongoing PC assaults, for example, the Stunt worm, host appeared there are gatherings with the inspiration and assets to viably assault control frameworks.
While past work has proposed new security components for control frameworks, few of them have investigated new and in a general sense distinctive research issues for anchoring control frameworks when contrasted with anchoring conventional data innovation (IT) frameworks. Specifically, the complexity of new malware assaulting control frameworks - malware including zero-days assaults, rootkits made for control frameworks, and programming marked by confided in declaration specialists - has demonstrated that it is exceptionally hard to avert and identify these assaults dependent on IT framework data.
In this paper we demonstrate how, by joining information of the physical framework under control, we can distinguish PC assaults that change the conduct of the focused on control framework. By utilizing information of the physical framework we can center around the last goal of the assault, and not on the specific instruments of how vulnerabilities are misused, and how ...
The document proposes a security model for wireless sensor networks using zero knowledge protocol. It addresses security threats like cloning attacks, man-in-the-middle attacks, and replay attacks. The model uses a unique fingerprint for each node based on its neighboring nodes to detect cloning. It also uses zero knowledge protocol for sensor nodes to verify authenticity without transmitting cryptographic information, preventing man-in-the-middle and replay attacks. The paper analyzes the performance and security of the proposed model.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE...IJNSA Journal
In order to the rapid growth of the network application, new kinds of network attacks are emerging endlessly. So it is critical to protect the networks from attackers and the Intrusion detection technology becomes popular. Therefore, it is necessary that this security concern must be articulate right from the beginning of the network design and deployment. The intrusion detection technology is the process of identifying network activity that can lead to a compromise of security policy. Lot of work has been done in detection of intruders. But the solutions are not satisfactory. In this paper, we propose a novel Distributed Intrusion Detection System using Multi Agent In order to decrease false alarms and manage misuse and anomaly detects.
This document summarizes an article about intrusion detection systems (IDS) for secure mobile ad hoc networks (MANETs). It discusses the distributed and cooperative architecture of IDS for MANETs, where each node runs an IDS agent to detect intrusions locally and cooperate with other nodes. It describes several IDS approaches for MANETs including the Watchdog technique to detect misbehaving nodes, the Pathrater technique to find routes without those nodes, and the CORE technique which uses a collaborative reputation system. The document concludes that considering these IDS techniques can help make MANETs more secure.
This document summarizes various soft computing techniques that can be used for intrusion detection, including fuzzy logic, graph-based approaches, and neural networks. Fuzzy logic can be used to classify parameters and detect anomalies by comparing normal and new fuzzy association rule sets. Graph-based approaches model network traffic as graphs of nodes and edges and use clustering algorithms to detect anomalies. Neural networks can be trained on audit log data to recognize normal behavior and detect deviations that may indicate attacks. These soft computing methods aim to improve on signature-based detection by learning patterns of normal network activity and detecting anomalies.
A review of security attacks and intrusion detection schemes in wireless sens...ijwmn
Wireless sensor networks are currently the greatest innovation in the field of telecommunications. WSNs
have a wide range of potential applications, including security and surveillance, control, actuation and
maintenance of complex systems and fine-grain monitoring of indoor and outdoor environments. However
security is one of the major aspects of Wireless sensor networks due to the resource limitations of sensor
nodes. Those networks are facing several threats that affect their functioning and their life. In this paper we
present security attacks in wireless sensor networks, and we focus on comparison and analysis of recent
Intrusion Detection schemes in WSNs.
EU Artificial Intelligence Act (High-level summary of the AI Act)prb404
Updated on 30 May in accordance with the Corrigendum version of the AI Act.
In this article we provide you with a high-level summary of the AI Act, selecting the parts which are most likely to be relevant to you regardless of who you are. We provide links to the original document where relevant so that you can always reference the Act text.
To explore the full text of the AI Act yourself, use our AI Act Explorer. Alternatively, if you want to know which parts of the text are most relevant to you, use our Compliance Checker.
View as PDF
Four-point summary
The AI Act classifies AI according to its risk:
Unacceptable risk is prohibited (e.g. social scoring systems and manipulative AI).
Most of the text addresses high-risk AI systems, which are regulated.
A smaller section handles limited risk AI systems, subject to lighter transparency obligations: developers and deployers must ensure that end-users are aware that they are interacting with AI (chatbots and deepfakes).
Minimal risk is unregulated (including the majority of AI applications currently available on the EU single market, such as AI enabled video games and spam filters – at least in 2021; this is changing with generative AI).
The majority of obligations fall on providers (developers) of high-risk AI systems.
Those that intend to place on the market or put into service high-risk AI systems in the EU, regardless of whether they are based in the EU or a third country.
And also third country providers where the high risk AI system’s output is used in the EU.
Users are natural or legal persons that deploy an AI system in a professional capacity, not affected end-users.
Users (deployers) of high-risk AI systems have some obligations, though less than providers (developers).
This applies to users located in the EU, and third country users where the AI system’s output is used in the EU.
General purpose AI (GPAI):
All GPAI model providers must provide technical documentation, instructions for use, comply with the Copyright Directive, and publish a summary about the content used for training.
Free and open licence GPAI model providers only need to comply with copyright and publish the training data summary, unless they present a systemic risk.
All providers of GPAI models that present a systemic risk – open or closed – must also conduct model evaluations, adversarial testing, track and report serious incidents and ensure cybersecurity protections.
Ensuring Secure and Efficient Automation: Power Automate Compliance Review an...Bert Blevins
Automation is essential for raising productivity and improving operational efficiency in today’s rapidly evolving business environment. Microsoft Power Automate stands out as a leading tool, enabling businesses to integrate various services and automate repetitive tasks. However, ensuring compliance and robust auditing practices is crucial to safeguard data security, privacy, and adherence to legal standards. This article delves into the essentials of conducting a Power Automate compliance review and audit, highlighting key considerations and best practices.
Power Automate, part of the Microsoft Power Platform, offers extensive automation capabilities across diverse services and applications. Compliance involves ensuring that all automated processes align with organizational policies, legal mandates, and industry regulations such as GDPR and HIPAA. Key compliance aspects include data security and privacy, regulatory adherence, and maintaining auditability and transparency.
To ensure data security, Power Automate flows must employ encryption, comply with data residency requirements, and implement strict access controls. Regulatory compliance requires adherence to laws like GDPR, which mandates data minimization and lawful processing, and HIPAA, which protects sensitive patient information. Additionally, maintaining detailed logs, comprehensive audit trails, and robust monitoring are critical for transparency and accountability.
Conducting a compliance review involves identifying applicable regulations, creating an inventory of workflows, assessing security controls, reviewing data handling practices, conducting risk assessments, and evaluating compliance documentation. This systematic approach ensures that automation processes are secure, compliant, and efficient, ultimately enhancing organizational resilience and operational excellence.
IP address - Past, Present and Future presented by Paul WilsonAPNIC
Paul Wilson, Director General of APNIC delivered a keynote presentation on 'IP address - Past, Present and Future' at MyNOG 11 held in Kuala Lumpur, Malaysia on the 5 June 2024.
How To Setup an Arlo Baby Camera Easily?Aliza smith
For the Arlo Baby camera setup, open the Arlo secure app, and access the account by entering the admin credentials. If not using the app, then go ahead with the web GUI. After logging in, go to the Setup wizard and click on Add Devices to add your camera to the app. For further settings, follow the on-screen guidelines or reach us!
https://www.loginarlo.com/arlo-baby-camera-setup/
Understanding Media Literacy and Managing Misinformation (2024 edition)Damian Radcliffe
Presentation delivered to Fulbright Scholars and Teaching Assistants focused on issues related to navigating misinformation and media literacy in Europe/Eurasia, with a special focus on media freedom, gatekeepers, as well as case studies and tips for managing misinformation.
Guidelines for AI and Shared Prosperity - Tools for improving AI’s impact on ...prb404
Our economic future is too important to leave to chance.
AI has the potential to radically disrupt people’s economic lives in both positive and
negative ways. It remains to be determined which of these we’ll see more of. In the best
scenario, AI could widely enrich humanity, equitably equipping people with the time,
resources, and tools to pursue the goals that matter most to them.
Our current moment serves as a profound opportunity — one that we will miss if we
don’t act now. To achieve a better future with AI, we must put in the work today. Many
societal factors outside the direct control of AI-developing and AI-using organizations
will play a role in determining this outcome. However, much still depends on the choices
those organizations make, as well as on the actions taken by labor organizations and
policymakers.
You can help guide AI’s impact on jobs
AI-creating companies, AI-using organizations, policymakers, labor organizations, and
workers can all help steer AI so its economic benefits are shared by all. Using Partnership
on AI’s (PAI) Guidelines for AI & Shared Prosperity, these stakeholders can guide AI
development and use towards better outcomes for workers and labor markets.
Included in the Guidelines are:
• a high-level Job Impact Assessment Tool for analyzing an AI system’s positive and
negative impact on shared prosperity
• a collection of Stakeholder-Specific Recommendations to help minimize the risks and
maximize the opportunities to advance shared prosperity with AI
The Indian Police Journal, January - March, 2015
The Issues in Cyber-Defence and Cyber-Forensics of the SCADA Systems
Sandeep Mittal*, IPS
* Deputy Inspector General of Police, LNJN National Institute of Criminology and Forensic Science (Ministry of Home Affairs: Government of India), Delhi-110 085, INDIA, E-mail ID: mittals.ips@gmail.com
Keywords
Cyber Defence, Cyber Forensics, SCADA Systems, Malware, Cyber Missile.
Abstract
As the Supervisory Control and Data Acquisition (SCADA) systems are deployed in infrastructures which are critical to the survival of a nation, they have emerged as a potential terrain for cyber-war, thus attracting the considered attention of ‘nation-states’. The analysis of worms like ‘stuxnet’, ‘flame’ and ‘duqu’ reveals the hand of a ‘nation-state’ in their design and deployment. Hence, the necessity to understand various issues in the defence of SCADA systems arises. The forensics of the SCADA system provide deep insight into the design and deployment of the worm (the malware) once the system is attacked. This is precisely the scope of this essay.
Introduction
The peace, prosperity and economic development of any nation depend upon its critical infrastructure and how well protected it is. These critical infrastructures are distributed physically and virtually in space and time. The Supervisory Control and Data Acquisition (SCADA) systems are an important component of the process to control and monitor industrial and infrastructure processes. Initially, these SCADA systems were designed to run in an isolated environment. However, with sudden improvements in information and communication technology, SCADA systems have evolved and adopted the latest technologies like wireline IP communication, and communicate over public IP networks, on the one hand making the SCADA system vulnerable to attacks (Bailey and Wright, 2003) and to malware infections from the much wider networks. The discovery of ‘stuxnet’, ‘flame’ and ‘duqu’ in the recent past has opened a ‘can of worms’ which was unimaginable till recently. While ‘stuxnet’ could be termed ‘essentially a precision military-grade cyber-missile’ which, once deployed, would not require any human intervention, thus heralding the beginning of digital attacks on physical targets by hunting them globally (Chen and Abu-Nimeh, 2011), the other two are more improved malware to gather intelligence about critical infrastructure worldwide. The developers and the critical infrastructure stakeholders are realizing these increasing threats and have started taking measures to address them (Brandle and Naedele, 2008; Ahmed et al., 2012).
The Components of SCADA System
A typical architecture of a SCADA system controlling a critical infrastructure mostly comprises a ‘control-centre’ and ‘field-sites’. The ‘field-sites’ are equipped with devices like ‘Programmable Logic Controllers’ (PLCs) and Remote Terminal Units (RTUs), which send information about the state of field equipment to the control-centre over different communication media (e.g. satellite, wide area networks or radio/cellular/microwave networks). The major components of a control centre are the Human Machine Interface (HMI), the database management system (Historian) and the Server or Master Terminal Unit (MTU). All communications with the field sites are initiated by the MTU; it receives the data back from the field devices, pre-processes this data if necessary, and sends it to the historian for archiving. The HMI provides the interface to the human operator. The typical architecture is shown in the following figure (Ahmed et al., 2012).
The Defence Issues in the SCADA System
The discovery of complex, complicated and deceptive worms, e.g. ‘stuxnet’, ‘flame’, ‘duqu’ and ‘careto or mask’, in the recent past points to the fact that SCADA systems are rapidly becoming the targets of ‘nation-states’ who are ever-eager to deploy such cyber weapons to strike at will in enemy territory. Therefore, the defence approach for securing SCADA systems has to be comprehensive and multi-pronged. These strategies can be broadly divided into three categories (after Nazario, 2004):
a) Host based defence measures provide a deeper entrenchment of the defence for any single system. Therefore, multiple defences at host level make it difficult for the malware attack to exploit the system. However, these defences may fail due to misconfiguration and may be bypassed. This strategy has the following components:
Host-based static or dynamic firewalls are used as a complement to the network firewalls. However, the limitation of this strategy is that host-based firewalls are ineffective in stopping worms that follow already established link paths which are allowed by policy. Moreover, the worm itself may subvert these firewalls if sufficient rights are obtained by the malicious executable: a worm on launch may issue a command to unload the firewall’s rule set, completely neutralising the installed security monitor.
Server-side commercial antivirus software can be implemented. However, it requires regular and timely updates to the definitions, as it relies on signature-based detection, failing which the defence becomes ineffective.
Partitioned privileges – The services running on well-known ports (between 1 and 1024) have elevated rights, handle authentication and thus have super-user level access to system databases. However, these access rights are not required throughout the lifetime of a program. Any process that does not need them repeatedly can discard the elevated privileges it began with once the restricted operations are performed.
Privilege separation – In this method, two instances of the application run, one with few privileges (only sufficient to handle user requests) and the second with system-level privileges (required to handle services such as authentication); the two processes communicate via inter-process communication, with the child requesting the results of any operations that require privileged access. Thus only a small process runs with system-level access, and it has minimal exposure to external risks. Compromise, if any, occurs in the unprivileged process space (Provos, 2002).
The other strategies include disabling unneeded services and features, aggressively patching known holes, and implementing behaviour limits on hosts. The last of these is a promising area for computer security and can be applied to different levels of networks. In this method the behaviour of the host in normal circumstances is enforced. However, this method may prove more useful at the network level than at the host level.
However, host-based defences may not scale well to large SCADA networks, and are difficult to maintain and enforce. They would nevertheless continue to be used in SCADA defence, as malware spreads by attacking hosts.
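The privilege-separation pattern described above (a privileged monitor answering a narrow set of requests from an unprivileged worker that does all the parsing of untrusted input) can be shown end to end in a few dozen lines. This is an added example, not code from the paper or from Provos' work; the credential store, the one-line `AUTH <user> <password>` request grammar, and the uid 65534 used when dropping privileges are constructed or assumed for illustration.

```python
"""Privilege separation in the style the paper describes (after Provos, 2002):
a small privileged 'monitor' and an unprivileged 'worker' that parses
untrusted input.  Added example, not the paper's code.  The credential
store, the request grammar and the uid used for dropping privileges are
constructed/assumed for illustration."""
import hashlib
import hmac
import os
import socket

_SALT = b"constructed-salt"          # constructed; a real store uses per-user salts


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


# Constructed credential store: only the monitor process ever touches it.
CREDENTIALS = {"operator": _digest("correct horse"), "engineer": _digest("plc-maint")}


def monitor_handle(request: bytes) -> bytes:
    """Privileged side.  Accepts exactly one request form, 'AUTH <user> <pw>',
    so a compromised worker cannot ask the monitor for anything else."""
    parts = request.split(b" ", 2)
    if len(parts) != 3 or parts[0] != b"AUTH":
        return b"DENY bad-request"
    user = parts[1].decode("utf-8", "replace")
    password = parts[2].decode("utf-8", "replace")
    expected = CREDENTIALS.get(user)
    if expected is not None and hmac.compare_digest(expected, _digest(password)):
        return b"OK"
    return b"DENY"


def drop_privileges(unprivileged_uid: int = 65534) -> None:
    """Worker side: if started as root, shed it permanently (uid 65534 is
    'nobody' on most Linux systems; an assumption).  No-op otherwise."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(unprivileged_uid)
        os.setuid(unprivileged_uid)


def worker(conn: socket.socket, untrusted_line: str) -> bool:
    """Unprivileged side: all parsing of the client's input happens here."""
    drop_privileges()
    fields = untrusted_line.strip().split(":", 1)     # expected form 'user:password'
    if len(fields) != 2 or not fields[0]:
        return False
    user, password = fields
    conn.sendall(f"AUTH {user} {password}".encode("utf-8"))
    return conn.recv(64) == b"OK"


def authenticate(untrusted_line: str) -> bool:
    """Run the worker in a forked child; the monitor stays in the parent and
    answers over a socketpair.  The worker's verdict comes back as its exit code."""
    parent_sock, child_sock = socket.socketpair()
    pid = os.fork()
    if pid == 0:                                   # child: unprivileged worker
        parent_sock.close()
        ok = False
        try:
            ok = worker(child_sock, untrusted_line)
        except Exception:
            ok = False
        finally:
            child_sock.close()
        os._exit(0 if ok else 1)
    child_sock.close()                             # parent: privileged monitor
    try:
        request = parent_sock.recv(4096)
        if request:
            parent_sock.sendall(monitor_handle(request))
    finally:
        parent_sock.close()
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    print(authenticate("operator:correct horse"))   # True
    print(authenticate("operator:wrong"))           # False
```

The point to notice is where the trust boundary sits: the worker can be fed arbitrary bytes and may be compromised, but the only thing it can obtain from the monitor is a yes/no answer to a single request type, and the monitor never parses anything beyond that fixed grammar.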
b) Firewalls and Network Defences
Firewalls are used to enforce a network security policy which includes authorisation to establish communication between two end points, controlled by the ports, applications and protocols in place. The firewall evaluates connection requests against its rule base and applies a decision to the requested action (Ranum and Avolio, 1994; Wack, Cutler and Pole, 2001; Nazario, 2004).
Network architects and administrators managing SCADA systems should deploy firewall technology to achieve several key objectives (Wack and Carnahan, 1994): protection from malicious applications by controlling their entry to and exit from a network; control over the destinations and sources of network communications; concentrated security and enhanced privacy; and availability of logging statistics for internet activities.
Most firewalling devices are of two basic types. The first is a packet filter, which performs policy enforcement at packet level and could be stateful or stateless. A stateful filter understands the context of a communication and can conditionally pass or reject packets that are part of the communication (or at least appear to be so), while, in contrast, a stateless firewall only inspects single packets irrespective of the context of the surrounding traffic; here, filtering rules are applied on a per-packet basis as opposed to a per-connection basis (Chapman, 1992). A firewall is usually placed at the network perimeter, the point where two different policies meet at the edge of a network. On the ‘outside’, policies are generally more liberal than on the ‘inside’ of the network, thus giving rise to the ‘trusted internal network’ and the ‘untrusted external network’. This creates a protected network and an exposed network. The exposed network holds services such as web servers to which access is given to the world at large. Each network is then protected with different policies to meet the differing security requirements. However, perimeter firewalls presume that one security policy can adequately meet the requirements of the entire network, which is simply not possible, and they are therefore inadequate on their own.
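The stateful/stateless distinction drawn above is easiest to see on a concrete poll-and-reply exchange between a control centre and a field device. The following is an added example, not code from the paper; the addresses, the Modbus/TCP port 502 rule and the three packet records are constructed. It runs the same three packets through a stateless rule set and through a connection-tracking filter and shows that only the latter rejects an inbound packet for which no session was ever opened from the inside.

```python
"""Stateless packet filtering versus stateful connection tracking at a SCADA
perimeter.  Added example, not the paper's code; the packet records and the
control-centre/field-site addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


CONTROL_CENTRE = "10.0.1.10"     # MTU (constructed address)
FIELD_SITE = "10.0.2.20"         # RTU/PLC (constructed address)
MODBUS_TCP = 502


def stateless_allow(pkt: Packet) -> bool:
    """Each packet is judged on its own header fields.  To let replies back in,
    the rule has to admit anything from the field site sourced from port 502,
    so it cannot distinguish a genuine reply from an unsolicited packet."""
    if pkt.src == CONTROL_CENTRE and pkt.dst == FIELD_SITE and pkt.dport == MODBUS_TCP:
        return True
    if pkt.src == FIELD_SITE and pkt.dst == CONTROL_CENTRE and pkt.sport == MODBUS_TCP:
        return True
    return False


class StatefulFilter:
    """Keeps a table of sessions the control centre opened (SYN outbound);
    inbound packets are admitted only if they belong to one of them."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def allow(self, pkt: Packet) -> bool:
        outbound = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        inbound_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed 4-tuple
        if pkt.src == CONTROL_CENTRE and pkt.dst == FIELD_SITE and pkt.dport == MODBUS_TCP:
            if pkt.syn and not pkt.ack:
                self.sessions.add(outbound)          # new session opened from inside
            elif outbound not in self.sessions:
                return False                         # data without a session
            if pkt.fin:
                self.sessions.discard(outbound)      # teardown initiated from inside
            return True
        if pkt.src == FIELD_SITE and pkt.dst == CONTROL_CENTRE:
            if inbound_key not in self.sessions:
                return False                         # nothing asked for this: drop
            if pkt.fin:
                self.sessions.discard(inbound_key)
            return True
        return False


def run_scenario() -> dict:
    """Constructed exchange: a poll, its reply, and an inbound packet that
    looks like a reply but belongs to no session."""
    poll = Packet(CONTROL_CENTRE, FIELD_SITE, 40001, MODBUS_TCP, syn=True)
    reply = Packet(FIELD_SITE, CONTROL_CENTRE, MODBUS_TCP, 40001, syn=True, ack=True)
    unsolicited = Packet(FIELD_SITE, CONTROL_CENTRE, MODBUS_TCP, 55555)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in (poll, reply, unsolicited)],
        "stateful": [sf.allow(p) for p in (poll, reply, unsolicited)],
    }
```

A production filter would also age out sessions that never see a FIN or RST and cap the table size; this sketch keeps only the part that matters for the text's argument, namely that the decision for the third packet depends on history the stateless rule set cannot hold.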
Therefore, a set of firewalls, one on each subnet of the network, is deployed and tailored to meet the usage patterns of the different user groups; this is an effective and natural way to defend against active worms that spread and mutate rapidly. Another strategy is to deploy a reactive Intrusion Detection System (IDS). Typically, an IDS sensor passively listens to the traffic on the network and only sends an alert when it has observed suspicious traffic, while still allowing the communication to proceed. In contrast, a reactive IDS can be configured to close the connection via forged packets. A second type of network firewall is the proxy server, which provides its services by being an intermediate system for a network connection. Typically a listening agent on the proxy server receives a request for a network action and fulfils the action on behalf of the client. At no point do the client and the final destination make direct contact. However, as the proxy acts as an active peer in the communication, it may hold the data temporarily before transfer to the client system. This allows the content to be altered, including removal of the details of malicious activity (Ptacek and Newsham, 1998). However, as the use of proxies induces latency in the communication stream, resulting in a time lag in the communication of critical instructions, their use in SCADA systems is limited.
The most important thing to be kept in mind is that SCADA systems control critical infrastructure, which requires data transmission and decision implementation in real time, failing which the critical networks may collapse. Therefore, any defence strategy to be used for a SCADA system should have a judicious blend of security and usability in real time.
The Forensic Issues in the SCADA Systems
The reliability of a SCADA system depends not only on safety, but also on security (Brandle and Naedele, 2008). A comprehensive guide on Industrial Control Systems (ICS) security has been published by NIST (Stouffer et al., 2011) and is very useful in implementing security controls in SCADA systems deployed in critical infrastructure. A SCADA system differs from a conventional IT system in the criticality of timeliness and of the availability of its capability at all times, in having terminal devices with limited computing capability and memory resources, and, last but not least, in the direct impact of logical execution in the physical world. Additionally, SCADA systems usually have a static topology, a presumably regular network traffic pattern, and use simple protocols (Zhu and Sastry, 2010).
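The static topology and regular polling just described are exactly what make the "behaviour limits" mentioned earlier under host-based defences workable at the network level: the legitimate set of talkers and the poll period can be learnt from a short baseline and then enforced. The following is an added example, not code from the paper or from the cited authors; the addresses, the Modbus function codes and the flow records are constructed. It learns an allow-list of (source, destination, function code) tuples and a per-pair median poll period, then flags both an unknown writer and a polling burst in a constructed live capture.

```python
"""Network-level behaviour enforcement for a SCADA segment, exploiting the
static topology and regular polling the text describes: learn the set of
(source, destination, function code) tuples and the poll period per pair
from a baseline, then flag anything outside it.  Added example, not the
paper's code; the flow records and addresses are constructed."""
from statistics import median
from typing import Dict, List, Set, Tuple

Flow = Tuple[float, str, str, int]      # (timestamp_s, src, dst, Modbus function code)

MTU = "10.0.1.10"                        # control centre (constructed)
PLC_A, PLC_B = "10.0.2.20", "10.0.2.21"  # field devices (constructed)

# Constructed baseline: the MTU reads holding registers (function 3) from each PLC every 2 s.
BASELINE: List[Flow] = [(float(t), MTU, PLC_A, 3) for t in range(0, 60, 2)] + \
                       [(float(t), MTU, PLC_B, 3) for t in range(1, 60, 2)]


class BehaviourModel:
    def __init__(self, tolerance: float = 0.5) -> None:
        self.allowed: Set[Tuple[str, str, int]] = set()
        self.period: Dict[Tuple[str, str], float] = {}
        self.tolerance = tolerance         # fraction of the period tolerated as jitter

    def learn(self, flows: List[Flow]) -> None:
        """Allow-list every tuple seen and take the median gap per pair as its period."""
        by_pair: Dict[Tuple[str, str], List[float]] = {}
        for t, src, dst, fc in flows:
            self.allowed.add((src, dst, fc))
            by_pair.setdefault((src, dst), []).append(t)
        for pair, stamps in by_pair.items():
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if gaps:
                self.period[pair] = median(gaps)

    def check(self, flows: List[Flow]) -> List[Tuple[float, str, str, str, int]]:
        """Return (time, kind, src, dst, fc) alerts for unknown tuples and timing deviations."""
        alerts = []
        last: Dict[Tuple[str, str], float] = {}
        for t, src, dst, fc in sorted(flows):
            if (src, dst, fc) not in self.allowed:
                alerts.append((t, "unexpected", src, dst, fc))
            pair = (src, dst)
            if pair in last and pair in self.period:
                expected = self.period[pair]
                if abs((t - last[pair]) - expected) > self.tolerance * expected:
                    alerts.append((t, "timing", src, dst, fc))
            last[pair] = t
        return alerts


def run_scenario() -> List[Tuple[float, str, str, str, int]]:
    """Constructed live capture: normal polls, one burst, one write from a stranger."""
    model = BehaviourModel()
    model.learn(BASELINE)
    live: List[Flow] = [
        (60.0, MTU, PLC_A, 3), (62.0, MTU, PLC_A, 3), (64.0, MTU, PLC_A, 3),
        (64.1, MTU, PLC_A, 3),           # burst: far faster than the learnt 2 s period
        (65.0, "10.0.1.99", PLC_A, 16),  # write (function 16) from a host absent in baseline
        (66.0, MTU, PLC_A, 3),
    ]
    return model.check(live)
```

The timing check is deliberately coarse (a fixed fraction of the median period) because SCADA polling is usually very regular; on a segment with scheduled maintenance traffic the baseline would have to cover that traffic too, or the write from an engineering workstation would be flagged as unexpected.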
Forensic examination of SCADA systems is important post-incident to understand the design and attack vector of the malware and to attribute responsibility if possible, so as to assist law enforcement in investigation. From the perspective of digital forensics, a SCADA system can be viewed in different layers, as demonstrated in the following figure (Ahmed et al., 2012), based on the connectivity of the various SCADA components and their network connectivity with other networks such as the Internet (Bailey and Wright, 2003).
[Figure: layered view of a SCADA system (after Ahmed et al., 2012)]
The upper layers shown in the figure correspond to the enterprise IT
environment, where the routine corporate desktops and the servers
supporting enterprise business operate. It is in the three lowest layers
(layers 0, 1 and 2) that most forensic analysis of a SCADA system has to
be performed, because these layers contain the specialised SCADA
components and are crucial for controlling the underlying industrial
processes; the analysis may, however, extend further up into the higher
layers where necessary (Ahmed et al., 2012). As 24/7 availability is a
critical requirement of a SCADA system, a forensic investigator cannot
shut it down for data acquisition and analysis. This necessitates live
forensics for data acquisition, followed by offline analysis of the
acquired data (Adelstein, 2006). Live data acquisition, however, presents
a few challenges:
- if the data is not acquired immediately, the volatile data is lost;
- the integrity of the volatile data, and hence its admissibility in
  courts of law, has to be maintained; and
- the acquired image may be inconsistent, because the system keeps
  changing while it is being imaged.
SCADA systems typically have a primary system and a backup system. The
investigator may switch operations to the backup and conduct data
acquisition on the affected primary system. It is quite likely, however,
that the malware which infected the primary system has also affected the
backup, making the forensic investigator's task harder (Stouffer et al.,
2011). Investigators also have to deal with problems arising from the
unique features of SCADA systems, which limit the application of
contemporary forensic tools and techniques (Ahmed et al., 2012; Fabro &
Cornelius, 2008):
- predefined rules in the SCADA network may allow communication between
  the various SCADA components but not between a forensic tool and those
  components during data acquisition;
- the customised operating system kernel of a SCADA component may not be
  compatible with the data acquisition tool;
- the resource-constrained nature (memory, processing, etc.) of SCADA
  components (RTUs, PLCs, etc.) may limit the data acquisition tools that
  can be used;
- the log records of SCADA systems are inadequate, owing to their limited
  logging capability;
- individual field components (e.g. a large number of sensors) generate
  a large amount of data; and
- analysis is vendor-dependent, as the SCADA components (modern as well
  as legacy proprietary technology) are supplied by multiple vendors,
  some of them forensically compatible and some not, as shown in the
  following tables (after Fabro & Cornelius, 2008).
Table 2: Modern/Proprietary Technology and Forensics Compatibility
(after Fabro & Cornelius, 2008)

Modern/Proprietary Technology                     | Effective Audit/Logging | Forensics Compliant | Reference Materials Available
--------------------------------------------------|-------------------------|---------------------|------------------------------
Engineering Workstations, Databases, Historian    | Unknown                 | Unknown             | No
HMI, Data Acquisition, Application Server         | Possibly Yes            | Possibly Yes        | Most Likely No
Field Devices (PLC, RTU, IED), Modem/Remote Comms | Probably No             | No                  | No

Table 3: Legacy/Proprietary Technology and Forensics Compatibility
(after Fabro & Cornelius, 2008)

Legacy/Proprietary Technology                     | Effective Audit/Logging | Forensics Compliant | Reference Materials Available
--------------------------------------------------|-------------------------|---------------------|------------------------------
Engineering Workstations, Databases, Historian    | No                      | No                  | No
HMI, Data Acquisition, Application Server         | Most Likely No          | No                  | No
Field Devices (PLC, RTU, IED), Modem/Remote Comms | No                      | No                  | No
At present the complex SCADA environment presents a number of challenges
to the forensic investigator, preventing the application of contemporary
forensic tools and techniques. The challenges are as follows (Wu et al.,
2013):
- Live forensics and data integrity: live forensics takes place in a
  dynamic environment, and live data acquisition is not forensically
  sound in the traditional sense, because the contents of volatile memory
  keep changing and cannot be verified afterwards; a conventional hash
  such as MD5 taken over a live image cannot later be reproduced against
  the original. (MD5 itself should in any case no longer be relied upon,
  as collisions are practical.) However, baseline hashes of the ladder
  logic of field devices can be taken and stored with read-only access in
  a secure unit. In case of an incident, a hash of the logic currently
  inside the field device is compared with the baseline hash. The
  baseline hash should be refreshed at regular intervals, and whenever
  the logic is legitimately changed, so that the comparison remains a
  valid check of device integrity.
- Lack of compatible forensic tools for field devices: incidents such as
  the ‘stuxnet’ attack on Iranian nuclear facilities clearly demonstrate
  that field components of a SCADA system (PLCs in that case) can be
  compromised. These embedded devices have little memory and processing
  power, which limits data retention; nevertheless, the contents of RAM
  and flash memory would be useful to a forensic investigation.
- Lack of forensically sound storage: OPC clients and historians are
  typically the only storage devices available on SCADA systems. The data
  stored in them is kept for specific operational purposes and is
  accessible from external environments, and is therefore forensically
  unsound.
- Identification of data sources on a SCADA system is very difficult:
  the several layers of connectivity discussed earlier, and the complex
  architecture, make the task inherently hard.
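The baseline-hash check for field-device logic described above, as an added example that is not code from the article or from Wu et al. (2013): it computes a SHA-256 digest of each program block read from a device, seals the stored list of digests with an HMAC so that tampering with the secure store itself is detectable, flags a baseline that has not been refreshed within an agreed interval, and reports which blocks were modified, added or removed when the device is re-read after an incident. The block names, the sample logic text, the manifest layout, the 90-day refresh interval and the key are constructed for illustration; reading the blocks from a real PLC over the vendor's engineering protocol is out of scope and is represented here by in-memory byte strings.

```python
"""Baseline hashing of field-device (PLC) logic and post-incident comparison.

Added example, not code from the article. Block names, logic bodies, the
manifest layout, the refresh interval and the HMAC key are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: program blocks as read from a PLC at commissioning
# time. In practice these bytes come from the vendor engineering protocol.
BASELINE_BLOCKS = {
    "OB1": b"CALL FC1\nCALL FC2\nBE\n",
    "FC1": b"A I0.0\nA I0.1\n= Q0.0\nBE\n",
    "FC2": b"L MW10\nL 1500\n>I\n= Q0.1\nBE\n",
}

# Constructed key. In a real deployment it lives with the read-only secure
# store, never on the PLC or the HMI.
STORE_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed policy: re-baseline at least this often.
MAX_BASELINE_AGE = timedelta(days=90)


def block_digest(data: bytes) -> str:
    # SHA-256 rather than MD5: MD5 collisions are practical, so an attacker
    # could craft a modified block that keeps its MD5 digest.
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation so the MAC does not depend on dict order.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(blocks: dict, key: bytes, taken_at: datetime = None) -> dict:
    """Hash every block and seal the list of digests with an HMAC."""
    taken_at = taken_at or datetime.now(timezone.utc)
    entries = {name: block_digest(data) for name, data in blocks.items()}
    return {
        "taken_at": taken_at.isoformat(),
        "blocks": entries,
        "mac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest(),
    }


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Detect tampering with the stored baseline itself."""
    expected = hmac.new(key, _canonical(manifest["blocks"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def baseline_is_stale(manifest: dict, now: datetime) -> bool:
    """Flag a baseline that has not been refreshed within MAX_BASELINE_AGE."""
    return now - datetime.fromisoformat(manifest["taken_at"]) > MAX_BASELINE_AGE


def compare(manifest: dict, current_blocks: dict) -> dict:
    """Compare logic re-read from the device against the baseline digests."""
    baseline = manifest["blocks"]
    current = {name: block_digest(data) for name, data in current_blocks.items()}
    common = [n for n in baseline if n in current]
    return {
        "modified": sorted(n for n in common if current[n] != baseline[n]),
        "unchanged": sorted(n for n in common if current[n] == baseline[n]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def incident_report(manifest: dict, key: bytes, current_blocks: dict, now: datetime) -> dict:
    """Refuse to draw conclusions from a baseline that cannot be trusted."""
    if not manifest_is_authentic(manifest, key):
        return {"usable": False, "reason": "baseline manifest failed HMAC check"}
    report = compare(manifest, current_blocks)
    report["usable"] = True
    report["baseline_stale"] = baseline_is_stale(manifest, now)
    return report


def demo(days_later: int = 30) -> dict:
    """Constructed incident: the FC2 setpoint was raised and a block FC3 appeared."""
    t0 = datetime(2014, 5, 1, tzinfo=timezone.utc)
    manifest = build_manifest(BASELINE_BLOCKS, STORE_KEY, t0)
    on_device = dict(BASELINE_BLOCKS)
    on_device["FC2"] = b"L MW10\nL 4000\n>I\n= Q0.1\nBE\n"
    on_device["FC3"] = b"L 0\nT MW20\nBE\n"
    return incident_report(manifest, STORE_KEY, on_device, t0 + timedelta(days=days_later))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))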
Another important issue is a sound ‘SCADA Forensic Process Model’ for the
preservation, identification, extraction and documentation of digital
evidence, so that it is admissible in courts of law in terms of the
procedural propriety of process, law and science. SCADA forensic models
have been proposed by researchers recently (Radvanovsky & Brodsky, 2013;
Wu et al., 2013). A SCADA forensic process model combining
incident-response and forensic-investigation models is illustrated in
the following figure (Wu et al., 2013).
[Figure: SCADA forensic process model (after Wu et al., 2013)]
However, it has to be borne in mind that, owing to the complexity of
SCADA components, architecture and networking, and the sophistication of
present-day attacks, each step of the SCADA forensic model has to be
carried out with care.
Conclusion
The complexity of SCADA systems in terms of technology, process and
architecture poses a number of challenges to the experts securing them,
and equally to those collecting forensic evidence once an incident is
reported. The embedded technology, small memory and limited processing
power of field devices constrain live forensics. Any defence strategy
for a SCADA system should be a judicious blend of security and real-time
usability. Any live forensic process must meet the test of
non-repudiation on the procedural aspects of process, technology and
science, and the integrity of the data has to be assured, so that it is
admissible in a court of law. Attacks on SCADA systems are not only going
to increase in future but will be highly sophisticated, particularly as
SCADA systems become a potential terrain of war for nation states. Only a
judicious use of technology and common sense will help keep SCADA
systems secure. More research is required in designing live forensic
platforms applicable to the SCADA environment.
Note: The views expressed in this paper are those of the author and do
not necessarily reflect the views of the organizations where he worked
in the past or is working presently. The author conveys his thanks to
the Chevening TCS Cyber Policy Scholarship of the UK Foreign and
Commonwealth Office, which sponsored part of this study.
References
Adelstein, F. 2006, “Live forensics: diagnosing your system without killing
it first”, Communications of the ACM, Vol. 49, no. 2, pp. 63-66. Accessed
online on 10/05/2014 at http://frank.notfrank.com/Papers/CACM06.pdf
Ahmed, I., Obermeier, S., Naedele, M. & Richard III, G.G. 2012, “SCADA
systems: Challenges for forensic investigators”, Computer, Vol. 45, no.
12, pp. 44-51. Accessed online on 11/05/2014 at
http://cs.uno.edu/~irfan/Publications/ieee_computer_2012.pdf
Ancillotti, E., Bruno, R. & Conti, M. 2013, “The role of communication
systems in smart grids: Architectures, technical solutions and research
challenges”, Computer Communications, Vol. 36, no. 17-18, pp. 1665-1697.
Bailey, D. & Wright, E. 2003, Practical SCADA for Industry, Newnes. Accessed
online on 05/05/2014 at
http://books.google.co.in/books?hl=enlr=id=jLthOQfK-UACoi=fndpg=PR5dq=Bailey+wright+scadaots=Qmcsp2z0Cisig=S6GPM2XAUEZHXzag6Mo3dAuuny4#v=onepageq=Bailey%20wright%20scadaf=false
Brewer, R. 2012, “Protecting Critical Control Systems”, Network Security,
Vol. 2012, no. 3, pp. 7-10.
Chandia, R., Gonzalez, J., Kilpatrick, T., Papa, M. & Shenoi, S. 2007,
“Security Strategies for SCADA Networks”, in Critical Infrastructure
Protection, Springer, pp. 117-131.
Chapman, D.B. 1992, “Network (in)security through IP packet filtering”,
Proceedings of the Third UNIX Security Symposium. Accessed online on
05/05/2014 at
https://www.usenix.org/legacy/publications/library/proceedings/sec92/full_papers/chapman.pdf
Choo, K.R. 2011, “The cyber threat landscape: Challenges and future research
directions”, Computers & Security, Vol. 30, no. 8, pp. 719-731.
Endicott-Popovsky, B., Frincke, D.A. & Taylor, C.A. 2007, “A Theoretical
Framework for Organizational Network Forensic Readiness”, Journal of
Computers, Vol. 2, no. 3, pp. 1-11.
Fabro, M. & Cornelius, E. 2008, “Recommended Practice: Creating Cyber
Forensics Plans for Control Systems”, Department of Homeland Security.
Accessed online on 10/05/2014 at
http://www.inl.gov/technicalpublications/documents/4113665.pdf
Genge, B. & Siaterlis, C. 2014, “Physical Process Resilience-aware Network
Design for SCADA Systems”, Computers & Electrical Engineering, Vol. 40,
no. 1, pp. 142-157.
Hildick-Smith, A. 2005, “Security for Critical Infrastructure SCADA
Systems”, SANS Reading Room, GSEC Practical Assignment, Version 1.
Igure, V.M., Laughter, S.A. & Williams, R.D. 2006, “Security Issues in SCADA
Networks”, Computers & Security, Vol. 25, no. 7, pp. 498-506.
Malin, C.H., Casey, E. & Aquilina, J.M. 2012, “Introduction to Malware
Forensics”, in Malware Forensics Field Guide for Windows Systems, eds.
C.H. Malin, E. Casey & J.M. Aquilina, Syngress, Boston, pp. xxiii-xxxviii.
Nai Fovino, I., Carcano, A., Masera, M. & Trombetta, A. 2009, “An
Experimental Investigation of Malware Attacks on SCADA Systems”,
International Journal of Critical Infrastructure Protection, Vol. 2, no.
4, pp. 139-145.
Nazario, J. 2004, Defense and Detection Strategies against Internet Worms,
Artech House.
Provos, N., Friedl, M. & Honeyman, P. 2003, “Preventing Privilege
Escalation”, Proceedings of the 12th USENIX Security Symposium,
Washington DC, USA, pp. 231.
Ptacek, T.H. & Newsham, T.N. 1998, “Insertion, Evasion, and Denial of
Service: Eluding Network Intrusion Detection”. Accessed online on
05/05/2014 at
http://www.dtic.mil/get-tr-doc/pdf?Location=U2doc=GetTRDoc.pdfAD=ADA391565
Radvanovsky, R. & Brodsky, J. 2013, Handbook of SCADA/Control Systems
Security, CRC Press. Accessed online on 10/05/2014 at
http://books.google.co.in/books?hl=enlr=id=FMDTSr63co4Coi=fndpg=PP1dq=radvanovsky+SCADA+ots=y7hUdArFpHsig=_sKHqPrfbwA9mb8gvYDJOA2qn60#v=onepageq=radvanovsky%20SCADAf=false
Ranum, M.J. & Avolio, F.M. 1994, “A Toolkit and Methods for Internet
Firewalls”, USENIX Summer, pp. 37. Available at
https://www.usenix.org/legacy/publications/library/proceedings/bos94/full_papers/ranum.a
Rrushi, J.L. 2011, “An Exploration of Defensive Deception in Industrial
Communication Networks”, International Journal of Critical Infrastructure
Protection, Vol. 4, no. 2, pp. 66-75.
Slay, J. & Sitnikova, E. 2009, The Development of a Generic Framework for
the Forensic Analysis of SCADA and Process Control Systems, Springer.
Stouffer, K., Falco, J. & Scarfone, K. 2011, “Guide to Industrial Control
Systems (ICS) Security”, NIST Special Publication 800-82. Accessed online
on 05/05/2014 at
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.224.9549rep=rep1type=pdf
Taveras, P., “SCADA Live Forensics: Real Time Data Acquisition Process to
Detect, Prevent or Evaluate Critical Situations”.
Taylor, C., Endicott-Popovsky, B. & Frincke, D.A. 2007, “Specifying Digital
Forensics: A Forensics Policy Approach”, Digital Investigation, Vol. 4,
Supplement, pp. 101-104.
Wack, J.P., Carnahan, L.J. & Leibowitz, A. 1994, “Keeping Your Site
Comfortably Secure: An Introduction to Internet Firewalls”. Accessed
online on 05/05/2014 at
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=948AE719480319D3CE64A25B491BF80D?doi=10.1.1.40.2749rep=rep1type=pdf
Wack, J., Cutler, K. & Pole, J. 2002, Guidelines on Firewalls and Firewall
Policy. Accessed online on 10/05/2014 at
http://www.dtic.mil/get-tr-doc/pdf?Location=U2doc=GetTRDoc.pdfAD=ADA399879
Wright, C. 2013, “Forensics Management”, in Handbook of SCADA/Control
Systems Security, pp. 173.
Wu, T., Disso, J.F.P., Jones, K. & Campos, A. 2013, “Towards a SCADA
Forensics Architecture”, Proceedings of the 1st International Symposium
for ICS & SCADA Cyber Security Research, pp. 12. Accessed online on
10/05/2014 at http://ewic.bcs.org/upload/pdf/ewic_icscsr13_paper2.pdf
Zhu, B. & Sastry, S. 2010, “SCADA-specific Intrusion Detection/Prevention
Systems: A Survey and Taxonomy”, Proceedings of the 1st Workshop on
Secure Control Systems (SCS). Accessed online on 05/05/2014 at
http://www.cse.psu.edu/~smclaugh/cse598e-f11/papers/zhu.pdf