Intrusion Detection System using Honey Token based Encrypted Pointers to Mitigate Cyber Threats for Critical Infrastructure Networks
Muhammad Kamran Asif, Department of Electrical Engineering, King Saud University, Riyadh, Kingdom of Saudi Arabia
Yahya Subhi Al-Harthi, Department of Electrical Engineering, King Saud University, Riyadh, Kingdom of Saudi Arabia
Abstract - Recent advancements in cyberspace impose a greater threat to the security of critical infrastructure than ever before. The scale of damage that well-planned cyber-attacks could do to these infrastructures is enormous. Most of the research work done on the security of critical infrastructures focuses on conventional security measures. In this paper, we design an Intrusion Detection System (IDS) based on the novel approach of Honey Token based Encrypted Pointers to protect critical infrastructure networks from cyber-attacks, particularly zero day cyber threats. Honey tokens embedded inside the frame serve as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four pools according to their computational power and level of vulnerability, and each pool is provided with a different level of security within the network: the IDS uses a different number of Honey Tokens (HT) per frame for each pool, and each pool uses a different encryption scheme (AES-128, AES-192 or AES-256). We use a critical infrastructure network of 64 nodes for our simulations and analyze the performance of the IDS in terms of True Positive and False Negative alarms. Finally, we test the IDS through Network Penetration Testing (NPT): the 64 node critical infrastructure network is placed directly under zero day cyber-attacks and the behavior of the IDS is analyzed under such realistic conditions. The IDS is designed so that it not only detects intrusions but also recovers the entire zero day attack using a reverse engineering approach.
Keywords— Intrusion Detection System; Cyber Threats; Zero Day Attacks; Critical Infrastructure Networks; Information Security; Honey Token; Encrypted Pointers; Industrial Networks; Distributed Sensor Networks; Industrial Communication Protocol; DNP3; Cyber Security; Cyber Space; SCADA Command and Control System; Cyber Warfare; Intelligence Infrastructure; Information
In today's world we are far more dependent on cyberspace than ever before. During the last two decades the internet has grown exponentially and has become part of our everyday life. Our national critical infrastructure networks use cyberspace to run their operations successfully and efficiently. Electric power grid networks, water supply systems, nuclear power plants, air traffic control systems and other critical infrastructures continuously face the threat of cyber-attacks that are well planned and sometimes backed by other nation states, so the protection of these very high value national assets requires new standards of cyber security [1]. In the last few years we have seen major cyber-attacks that were well planned and specifically designed to target critical infrastructure sensor networks; the most well-known among them is "Stuxnet", known as the first cyber weapon, which was designed to target Iranian nuclear facilities and whose impact was massive. Beyond Stuxnet, one of the biggest challenges is zero day attacks: attacks that can easily bypass traditional signature based intrusion detection systems and, once they have penetrated successfully, damage our networks to a huge extent. Today we face enormous challenges in cyber security, particularly in critical infrastructure networks and Cyber Physical Systems (CPS), and we need a new approach to improve our existing detection capabilities [2-4].

Our approach towards the IDS is novel and simple: we use honey token based encrypted pointers for the detection of zero-day attacks. We embed these honey tokens inside a frame, and an encrypted pointer keeps a record of the locations of all of them. This encrypted pointer is sent to the destination within the same frame in which the honey token packets were embedded. At the receiver side we extract all the honey tokens from the frame with the help of the encrypted pointer and correlate them with the database of honey tokens already present at every Remote Terminal Unit (RTU) to verify whether any changes were made to them.
Critical infrastructure is the term mostly used for those national assets that are vital to the operational stability of the economy and society, and without which there is no concept of running a nation state successfully in the 21st century. In modern times all these critical infrastructure operations run on smart and sophisticated networks called critical infrastructure networks. There are a large number of critical infrastructures, but the most common are as follows.
Electric Power Grid.
Oil and Gas Sector.
Nuclear Power Plants.
Water Supply Systems.
Air Traffic Control Systems.
Water Treatment Plants.
Railway Traffic Systems.
Industrial Manufacturing.
2014 IEEE International Conference on Systems, Man, and Cybernetics, October 5-8, 2014, San Diego, CA, USA
978-1-4799-3840-7/14/$31.00 ©2014 IEEE
Critical infrastructure networks commonly have a command and control system for the smooth and efficient running of their operations; Supervisory Control and Data Acquisition (SCADA) is mostly used for this purpose. It collects data from all systems using a wide range of sensors and then issues commands from its Master Terminal Unit (MTU) for conducting the proper operations [5-9]. The common topology of a critical infrastructure sensor network is shown in Figure 1.
Fig. 1. Critical Infrastructure Network Topology (legend: sensors, actuators, etc.)
The SCADA system is connected to a network of routing nodes commonly known as Remote Terminal Units (RTUs), and the sensors are connected to the RTUs. The IDS shown in Figure 1 is a Network based Intrusion Detection System (NIDS) and thus serves the entire critical infrastructure sensor network with its security services.
Distributed Network Protocol-3 (DNP3) is a set of communications protocols used between components in process automation systems. It is the backbone protocol for SCADA systems and is used by almost all vendors as the primary protocol for their SCADA command and control software [10]. Our approach to the problem is very simple: we generate synthetic DNP3 traffic with a DNP3 traffic generator we designed, which is capable of producing millions of DNP3 packets. The frame structure of a DNP3 packet is shown in Figure 2. At the start of the packet is the data link layer information, which includes the start bytes, length bytes, control bytes, destination address, source address and the CRC (Cyclic Redundancy Check) bytes of the data link layer; after this come the transport layer and application layer headers. At the end is the data area, which holds the actual data (payload) and the object header that carries the control information associated with this data area. The object header contains the fields of function control bytes, internal information bytes, object type bytes, variation bytes, qualifier bytes, range bytes, data object bytes and CRC bytes.
Fig. 2. DNP3 Packet Structure
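The data link layer fields just listed can be checked mechanically. The following Python is an added example, not code from the paper or its traffic generator: it builds a DNP3 data link frame (start bytes 0x0564, length, control, destination, source, header CRC, then 16-byte user-data blocks each followed by its own CRC-16/DNP) and parses one back, rejecting any frame whose start bytes or CRCs do not match. The control byte, addresses and user data in the sample are constructed values.

```python
import struct

DNP3_START = b"\x05\x64"   # fixed start bytes of every DNP3 frame (0564 in the paper)
HEADER_LEN = 10            # start(2) length(1) control(1) dest(2) src(2) crc(2)
CRC16_DNP_POLY = 0xA6BC    # 0x3D65 bit-reversed, for the LSB-first algorithm below


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP used by the DNP3 data link layer: reflected, init 0,
    result complemented. Catalog check value for b"123456789" is 0xEA82."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC16_DNP_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_link_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a DNP3 data link frame: the 10-byte header, then the user data
    in 16-byte blocks, each block followed by its own CRC (LSB first)."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds one link frame")
    length = 5 + len(user_data)   # LENGTH counts control, dest, src and user data, not CRCs
    header = DNP3_START + struct.pack("<BBHH", length, control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_link_frame(frame: bytes) -> dict:
    """Check the start bytes and every CRC, then return the header fields and
    the reassembled user data. Raises ValueError on a malformed frame."""
    if len(frame) < HEADER_LEN or frame[:2] != DNP3_START:
        raise ValueError("missing DNP3 start bytes 0x0564")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    (hdr_crc,) = struct.unpack("<H", frame[8:10])
    if hdr_crc != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("length field below the 5-byte minimum")
    user_len = length - 5
    data = bytearray()
    pos = HEADER_LEN
    while len(data) < user_len:
        take = min(16, user_len - len(data))
        if len(frame) < pos + take + 2:
            raise ValueError("frame truncated inside a data block")
        block = frame[pos:pos + take]
        (blk_crc,) = struct.unpack("<H", frame[pos + take:pos + take + 2])
        if blk_crc != crc16_dnp(block):
            raise ValueError("data block CRC mismatch at offset %d" % pos)
        data += block
        pos += take + 2
    return {"length": length, "control": control, "dest": dest, "src": src,
            "user_data": bytes(data), "consumed": pos}


def is_valid_frame(frame: bytes) -> bool:
    """Convenience wrapper: True only if the frame parses cleanly."""
    try:
        parse_link_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: one link frame carrying a short user data field.
    sample = build_link_frame(0xC4, 1, 1024, b"\xC0\xC1\x01\x3C\x02\x06")
    print(sample.hex())
    print(parse_link_frame(sample))
```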
Although DNP3 was designed as a reliable protocol, it was not designed as a secure protocol. It is vulnerable to attacks designed to disrupt control system operations and so disable critical infrastructure networks, so an enhanced level of security is required, in the form of an IDS, to protect assets as important as critical infrastructure networks. The honey tokens used by the IDS are normal DNP3 packets generated using the same synthetic traffic generator, so the honey token packets look the same as real DNP3 packets.
Our approach to the IDS uses a technique called Honey Token based Encrypted Pointers. Honey tokens are artificial digital data items planted deliberately into a genuine system resource in order to detect unauthorized attempts to use or disrupt the original information [11-15]. The honey tokens are characterized by properties which make them appear as genuine data items. The honey tokens used by the IDS are normal DNP3 packets planted deliberately into a frame in order to detect a cyber-attack. We generate these honey tokens once at the start of the simulation and build their encrypted database. All the Remote Terminal Units (RTUs) in the critical infrastructure network hold a copy of this encrypted honey token database, which they later use for comparison and correlation of the honey tokens at the RTU to detect any changes made to the frame by the attacker during transmission from the Master Terminal Unit (MTU) to the RTU. The transmission frame consists of a total of N packets; the IDS uses the length of N-1 packets as the process length. In other words, the IDS embeds honey tokens in the real traffic at random locations and makes strings of length N-1. The process length of the frame is shown in Figure 3.
Fig. 3. Process Length for Transmission Frame (packets 1, 2, 3, ..., N-1)
The last, N-th packet contains the locations of all the honey tokens that were embedded earlier in the process length of the frame by the IDS. This N-th packet is known as the pointer of the frame, and after encryption it becomes an Encrypted Pointer (EP). The pointer itself is also a normal DNP3 packet, and all the locations of the honey tokens are stored inside the payload area of this N-th packet, where any empty space in the payload area is filled using zero padding. Figure 4 shows that after inserting the locations of all the honey tokens into the payload area of the N-th packet, the empty space is filled using zero padding.
Fig. 4. Pointer Structure (data link layer header, then a data area holding the honey token locations HT-2, HT-3, HT-4 followed by zero padding)
An Intrusion Detection System (IDS) is a hardware device or software program/application used to monitor network or individual system activities for malicious attacks or policy violations; it regularly produces logs and reports for the management stations. Traditionally, IDS were developed with two major approaches:
Signature based Intrusion Detection Approach.
Anomaly based Intrusion Detection Approach.
The advantage of the signature based approach is that it is very simple and efficient in terms of speed and detection of known attacks, but at the same time it completely fails to detect zero day attacks, or any attack for which we do not have a specific signature in the IDS database [16-20]. Anomaly based detection is successful to some extent in detecting novel attacks, but it commonly has the disadvantage of generating a large number of false alarms. Moreover, in the past IDS were designed with a generic approach; to the best of our knowledge very few researchers have tried to design intrusion detection systems that work within the specific domains of defined protocols. We divide the critical infrastructure sensor network into four categories, or pools, as shown in Figure 5.
Fig. 5. Segmentation of Pools in Critical Infrastructure Network
This division is based on the computational power and the level of vulnerability of the systems working in this critical infrastructure sensor network.
Fig. 6. IDS working principle at MTU (Master Terminal Unit) (blocks: Traffic Generator, HT Generator, Pool-A to Pool-D)
The working principle of the IDS at the Master Terminal Unit (MTU) is shown in Figure 6, and the working principle of the IDS at the Remote Terminal Unit (RTU) is shown in Figure 7.
Fig. 7. IDS working principle at RTU (Remote Terminal Unit) (blocks: Extract EP, Extract HT, HT Database, Scanning, Reverse Engineering, END)
In Figure 6 the IDS embeds honey tokens in the real traffic and encrypts the pointer; both actions are performed according to the pool in which the destination RTU falls. The frame is then transmitted towards the RTU with the encrypted pointer attached. At the receiving end, in Figure 7, the IDS extracts the encrypted pointer from the frame, decrypts it according to the pool in which the RTU falls, and then extracts all the honey tokens from the frame and correlates them with the HT Database already present on the RTU. If any mismatch occurs an attack is detected, and the IDS performs its reverse engineering approach to recover the entire signature of the zero day attack. Pool-A contains those systems with greater computational power and higher vulnerability levels (e.g. data centers); it uses 4 honey tokens per frame and AES-256 encryption. Pool-D contains those systems with the least computational power (e.g. a tsunami warning system for the open ocean); it uses one honey token per frame and AES-128 encryption. The other two pools (B and C) contain systems that fall between these categories: Pool-B uses 3 honey tokens per frame and AES-192 encryption (e.g. oil rigs), and Pool-C uses 2 honey tokens per frame and AES-192 encryption (e.g. remote operating stations). The encryption scheme assigned to each pool is used for two basic tasks: encryption of the pointer, and encryption of the honey token database (present at the RTU) for that particular pool. Different encryption schemes use different key lengths; a larger key requires more computational power, so the key length is directly proportional to the computational resources required of the system. The three encryption schemes and their key lengths used for the proposed IDS are listed in Table 1.
Table 1. Encryption schemes and key lengths used by the proposed IDS
Encryption Type   Key Length
AES-256           32 bytes
AES-192           24 bytes
AES-128           16 bytes
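As an added example that is not the authors' code, the Python below models the MTU and RTU sides of Figures 3, 4, 6 and 7: the MTU plants the pool's number of honey tokens (Table 2) at random slots of the N-1 packet process length, writes their locations into a zero padded pointer and encrypts it as the N-th packet; the RTU decrypts the pointer, pulls the tokens out and correlates them with its HT database. AES is replaced by an HMAC-SHA256 keystream so the block runs with the standard library only; the 16 byte packet size, the 12 byte nonce and the 1-based slot numbering are assumptions, and the at-rest encryption of the RTU database is not modelled.

```python
import hashlib
import hmac
import random
import struct

# Honey tokens per frame for each pool, as in Table 2 of the paper.
HT_PER_FRAME = {"A": 4, "B": 3, "C": 2, "D": 1}
PACKET_LEN = 16   # fixed packet size of this toy frame (assumption, not from the paper)
NONCE_LEN = 12    # per-frame nonce prepended to the encrypted pointer (assumption)


def prf_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the paper's AES: HMAC-SHA256 driven in counter mode as a
    keystream. XOR is symmetric, so the same call decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def build_pointer(slots, payload_len):
    """Pointer payload (Fig. 4): 16-bit slot numbers, then zero padding.
    Slots are numbered from 1 so that a zero can only ever be padding."""
    body = b"".join(struct.pack(">H", s) for s in slots)
    if len(body) > payload_len:
        raise ValueError("too many honey-token locations for the pointer payload")
    return body + b"\x00" * (payload_len - len(body))


def parse_pointer(payload):
    """Read slot numbers until the first zero, i.e. the start of the padding."""
    slots = []
    for i in range(0, len(payload) - 1, 2):
        (slot,) = struct.unpack(">H", payload[i:i + 2])
        if slot == 0:
            break
        slots.append(slot)
    return slots


def mtu_build_frame(real_packets, pool, key, ht_db, rng=None):
    """MTU side (Fig. 6): plant the pool's number of honey tokens at random
    slots of the N-1 packet process length, then append the encrypted pointer
    as packet N."""
    rng = rng or random.SystemRandom()
    k = HT_PER_FRAME[pool]
    tokens = rng.sample(sorted(ht_db), k)
    process = list(real_packets)
    process_len = len(process) + k
    slots = sorted(rng.sample(range(1, process_len + 1), k))
    for slot, token in zip(slots, tokens):   # ascending order keeps earlier slots valid
        process.insert(slot - 1, token)
    nonce = bytes(rng.getrandbits(8) for _ in range(NONCE_LEN))
    ep = nonce + prf_encrypt(key, nonce, build_pointer(slots, PACKET_LEN))
    return process + [ep]


def rtu_verify_frame(frame, pool, key, ht_db):
    """RTU side (Fig. 7): decrypt the pointer, extract the honey tokens and
    correlate each with the local HT database. Returns a list of findings;
    an empty list means nothing was seen to be tampered with."""
    process, ep = frame[:-1], frame[-1]
    nonce, body = ep[:NONCE_LEN], ep[NONCE_LEN:]
    slots = parse_pointer(prf_encrypt(key, nonce, body))
    findings = []
    if len(slots) != HT_PER_FRAME[pool]:
        findings.append(("pointer", 0, "expected %d locations, got %d"
                         % (HT_PER_FRAME[pool], len(slots))))
    for slot in slots:
        if not 1 <= slot <= len(process):
            findings.append(("pointer", slot, "location outside the process length"))
        elif process[slot - 1] not in ht_db:
            # The altered bytes at a known honey-token slot are the evidence the
            # paper's reverse engineering step would start from.
            findings.append(("token", slot, process[slot - 1]))
    return findings


def honey_token_slots(frame, ht_db):
    """Inspection helper: which slots of the process length hold tokens."""
    return [i + 1 for i, p in enumerate(frame[:-1]) if p in ht_db]


if __name__ == "__main__":
    # Constructed sample data: eight honey tokens and six real packets.
    db = {bytes([i]) * PACKET_LEN for i in range(1, 9)}
    real = [("real-%02d" % i).encode().ljust(PACKET_LEN, b".") for i in range(6)]
    key = hashlib.sha256(b"pool-A demo key").digest()
    frame = mtu_build_frame(real, "A", key, db, random.Random(7))
    print("N =", len(frame), "honey-token slots:", honey_token_slots(frame, db))
    print("clean frame ->", rtu_verify_frame(frame, "A", key, db))
    tampered = list(frame)
    tampered[honey_token_slots(frame, db)[0] - 1] = b"\xff" * PACKET_LEN
    print("tampered token ->", rtu_verify_frame(tampered, "A", key, db))
```

A change to a real (non-token) packet is not flagged, which is why the paper's false negative rate falls as tokens per frame rise; a corrupted pointer shows up only indirectly, as an implausible location or count, because the scheme as described carries no authentication tag.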
The result shown in Figure 8 is the output of the DNP3 synthetic traffic generator in MATLAB; this traffic generator is capable of generating millions of DNP3 packets (synthetic traffic). The first two bytes of every DNP3 packet are always 0564 (the defined standard for a DNP3 packet), as clearly highlighted in Figure 8. The result shown in Figure 9 is the output of the system alarms. "True Positive" means that an attack occurs and the system successfully detects it, and "False Negative" means that an attack occurs but the system fails to detect it. On the y-axis we have the scale of alarm percentage and on the x-axis the four different pools [A-B-C-D]. Maximum security is given to Pool-A because these systems possess high computational power; therefore it has a very small percentage of false negatives, and the results in Figure 9 show that on average false negative alarms are less than 2% for Pool-A.
Fig. 8. DNP3 synthetic traffic generator output
On the other hand, the least security is provided to Pool-D because these systems are constrained in computational power and other valuable resources, so the false negative percentage is almost 12% for Pool-D. The graphical results in Figure 9 are tabulated in Table 2, which shows the different pools with their True Positive (TP) and False Negative (FN) alarm percentages; all these results are average values. The encryption schemes are also listed along with the pools in Table 2.
Fig. 9. IDS Performance (Alarm Analysis)
From Figure 9 and Table 2 it is clear that Pool-A has 98% TP alarms and 2% FN alarms using 4 HT/frame with the AES-256 encryption scheme; Pool-B has 97% TP alarms and less than 3% FN alarms using 3 HT/frame with AES-192; Pool-C has 93% TP alarms and 7% FN alarms using 2 HT/frame with AES-192; and finally Pool-D has 88% TP alarms and 12% FN alarms using only one HT/frame with AES-128.
Table 2. IDS alarm analysis per pool (average values)
Pool   Honeytokens per Frame   Encryption Scheme   TP Alarm   FN Alarm
A      4                       AES-256             98%        2%
B      3                       AES-192             97%        3%
C      2                       AES-192             93%        7%
D      1                       AES-128             88%        12%
In order to test and verify our designed IDS we use NPT. Alongside our IDS we place a conventional signature based IDS, which holds a signature database for some known attacks, to secure the 64 node critical infrastructure test network; then, using MATLAB, we generate zero day attacks together with some known attacks that are already present in the database of the conventional IDS. Finally we launch all these attacks on the test network. The known attacks are immediately stopped by the conventional IDS, but all the zero day attacks successfully penetrate the network. In response, our IDS successfully detects these attacks and recovers them completely using the reverse engineering approach. A snapshot of the IDS scanning process result is shown in Figure 10, where cyber-attacks are detected by the IDS on nodes 22, 24 and 32.
Fig. 10. IDS scanning process
In this paper we design an IDS that works on a technique known as honey token based encrypted pointers against zero day cyber threats; this IDS is specifically designed for critical infrastructure sensor networks. We analyzed the performance of the IDS model on security and stability issues. We found that the proposed IDS improves three key issues in existing systems: its capability of detecting zero day cyber-attacks is much better than that of existing systems; the use of encryption in the IDS makes it more difficult for attackers to launch a successful attack; and the IDS successfully recovers the zero day cyber-attack signatures using reverse engineering, and in this way it assists conventional signature based IDS in improving their
[1] Madjid Merabti, Michael Kennedy, William Hurst, "Critical Infrastructure Protection: A 21st Century Challenge", International Conference on Communications and Information Technology.
[2] Ragunathan (Raj) Rajkumar, Insup Lee, Lui Sha, John Stankovic, "Cyber-Physical Systems: The Next Computing Revolution", Design Automation Conference 2010.
[3] Jing Lin, Sahra Sedigh, Ann Miller, "A General Framework for Quantitative Modeling of Dependability in Cyber-Physical Systems: A Proposal for Doctoral Research", 33rd Annual IEEE International Computer Software and Applications Conference.
[4] N. HadjSaid, C. Tranchita, B. Rozel, M. Viziteu, R. Caire, "Modeling Cyber and Physical Interdependencies – Application in ICT and Power Grids", IEEE 2009.
[5] Edward Chikuni, Maxwell Dondo, "Investigating the Security of Electrical Power Systems SCADA", IEEE 2007.
[6] Nai Fovino, A. Carcano, M. Masera, "A Secure and Survivable Architecture for SCADA Systems", pp. 34-39, Second International Conference on Dependability 2009.
[7] Eugene Babeshko, Vyacheslav Kharchenko, Anatoliy Gorbenko, "Applying F(I)MEA-technique for SCADA-based Industrial Control Systems Dependability Assessment and Ensuring", Third International Conference on Dependability of Computer Systems.
[8] Athar Mahboob, Junaid Zubairi, "Intrusion Avoidance for SCADA Security in Industrial Plants", pp. 447-452, IEEE 2010.
[9] Fortinet, "Securing SCADA Infrastructure", White Paper.
[10] Gordon Clarke, Deon Reynders, Edwin Wright, "Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems", IDC Technologies, 2004.
[11] Craig M. McRae, Rayford B. Vaughn, "Phighting the Phisher: Using Web Bugs and Honeytokens to Investigate the Source of Phishing Attacks", 2007.
[12] Colon & E. Peldaez, John Bowles, "Computer Viruses", pp. 513-517, IEEE 1991.
[13] Maya Bercovitch, Meir Renford, Lior Hasson, Asaf Shabtai, Lior Rokach, Yuval Elovici, "HoneyGen: an Automated Honeytokens Generator", pp. 131-136, IEEE 2011.
[14] Jonathan White, Brajendra Panda, "Implementing PII Honeytokens to Mitigate Against the Threat of Malicious Insiders", ISI 2009, June 8-11, IEEE 2009.
[15] Anoosha Prathapani, Lakshmi Santhanam, Dharma P. Agrawal, "Intelligent Honeypot Agent for Blackhole Attack Detection in Wireless Mesh Networks", pp. 753-758, IEEE 2009.
[16] Luigi Coppolino, Salvatore D'Antonio, Luigi Romano, Gianluigi Spagnuolo, "An Intrusion Detection System for Critical Information Infrastructures Using Wireless Sensor Network Technologies", pp. 1-8, IEEE 2010.
[17] Guangcheng Huo, Xiaodong Wang, "DIDS: A Dynamic Model of Intrusion Detection System in Wireless Sensor Networks", International Conference on Information and Automation, pp. 374-378, 2008.
[18] Muhammad Kamran Asif, Talha A. Khan, Talha A. Taj, Umar Naeem, Sufyan Yakoob, "Network Intrusion Detection and its Strategic Importance", IEEE Business Engineering and Industrial Applications Colloquium, 2013.
[19] Leonard J. LaPadula, "Intrusion Detection for Air Force Networks", MITRE Technical Report, October 1997.
[20] Daniel C. Hurley, James F.X. Payne, Mary T. Anderson, "Critical Infrastructure: Electric Power Subcommittee Risk Mitigation in the Electric Power Sector: Serious Attention Needed", Armed Forces Communication and Electronics Association Cyber Committee.
... We observed fewer papers in this group (e.g., Rough Sets Classification [56] and RIPPER [91] techniques) that used automated rules set discovery technique compared to the signature-based approach. Apart from that, special "honey" tokens can also be applied to detect tampers with the communication traffic [17]. ...
... Coutinho M. P. et al. [30] Rough Sets Classification Premaratne U. K. et al. [95] Rules enumeration Yang Y. et al. [130] IEC 60870-5-104 Signature Asif M. K. and Al-Harthi Y. S. [17] Signature-based Rule-based Yang Y. et al. [131] If-then rules Erez N. and Wool A. [37] Single Window Classification Yang Y. et al. [132] Rule-based Pan Z. et al. [91] RIPPER Jamei M. et al. [56] Rule-based [23] PCA, ANN, OCSVM, others (6 methods) Shahir H. Y. et al. [106] HMM, SVM Ensemble Ponomarev S. and Atkison T. [94] REPTree,NB,Simple Logistic, Ripple-Down Rule, Decision Stump, C4.5 Maglaras L. A. et al. [72] IT-OCSVM and SNA Cruz T. et al. [31] OCSVM, SNA and K-means clustering Kosek A. M. and Gehrke O. [62] RM-AD Sadhasivan D. K. and Balasubramaninan K. [63] FCM clustering and RBA Ozgur A. and Erdem H. [89] SVM, NB, DT Hurst W. et al. [52] LDC, UDC, QDC, PARZENC and TREEC Benchmarking Swetha R. B. S. and Meena K. G. [113] DT, K-NN, SVM Junejo K. N. and Goh J. [57] Multiple Onoda T. [88] HMM,CRF, OCSVM, SVDD, Rule-based HMM is the most popular option in this group. Although HMM is computationally efficient and flexible to retrain the model when the updated data is available, it cannot capture higher order correlation of the data. ...
Supervisory Control and Data Acquisition (SCADA) systems play an important role in monitoring industrial processes such as electric power distribution, transport systems, water distribution, and wastewater collection systems. Such systems require a particular attention with regards to security aspects, as they deal with critical infrastructures that are crucial to organizations and countries. Protecting SCADA systems from intrusion is a very challenging task because they do not only inherit traditional IT security threats but they also include additional vulnerabilities related to field components (e.g., cyber-physical attacks). Many of the existing intrusion detection techniques rely on supervised learning that consists of algorithms that are first trained with reference inputs to learn specific information, and then tested on unseen inputs for classification purposes. This article surveys supervised learning from a specific security angle, namely SCADA-based intrusion detection. Based on a systematic review process, existing literature is categorized and evaluated according to SCADA-specific requirements. Additionally, this survey reports on well-known SCADA datasets and testbeds used with machine learning methods. Finally, we present key challenges and our recommendations for using specific supervised methods for SCADA systems.
... Asif et al. [4] propose the AES in that 128 192 256 bit keys are considered with 64 nodes in the simulation process. An Intrusion Detection System has been developed to rule out the Zero day attack. ...
... In [4] and [12], encryption systems have been proposed which could recover from all type of attacks. In the paper [7], an efficient implementation of other encryption algorithms (Blowfish, Serpent, Twofish) and also includes GPU implementation of hashing and public key algorithm in order to generate a total cryptographic framework by GPU has been discussed. ...
Recently, the major challenging attack is the side channel attack for both symmetric and asymmetric algorithm. Because in both cases, the secret key has to be sent out via a safe secured channel. The advanced encryption standard (AES) is mentioned as the best standard encryption algorithm by the US government, but there is one major attack on the AES that is the brute force attack. So, how to rule out these kinds of attack and how it is implemented effectively in hardware are being discussed in this paper. The honey encryption scheme is an effective algorithm, and it is also being discussed. In this paper, the detailed description of the AES and the methods to improve its speed and how it is integrated with the honey technique have been discussed. The different kinds of attacks and the various solutions are discussed for both of the algorithms. A survey of papers which has used these algorithms for various reasons with different perspective has been given. The honey algorithm creates the fake message for the wrong try of the key puncher. Thus, this is considered as the best algorithm, but it is also has some disadvantages that is also focussed in our survey. Copyright
... This approach uses the Bloom Filter data structure for memory efficiency and incorporates the physical state of the power grid for greater robustness. [36] designed an IDS that relies on the Honey Token based Encrypted Pointers to protect SCADA networks from cyber-attacks. These honey tokens inside the frame serve as a trap for the cyber-attacker. ...
Power grids are undergoing a major modernization process, which is transforming them into Smart Grids. In such cyber-physical systems, a security incident may cause catastrophic consequences. Unfortunately, the number of reported incidents in power grids has been increasing in the last years. In this article we advocate that the adoption of Computer Security Incident Response Teams (CSIRTs) is necessary for the proper management of security incidents in Smart Grids. CSIRTs for Smart Grids must cover different parts of the grid, thus consisting of specialized response teams for handling incidents not only on the physical infrastructure, but also on the Smart Grid equipment and on the IT infrastructure. We thus propose an incident classification to assist the implementation of CSIRTs for Smart Grids, considering the specific concerns of the different response teams. We evaluate attack classifications available in the literature and review a well-known database of Smart Grid security incidents.
Conference Paper
Intrusion detection system using honeypot being increasingly used technique for intrusion detection and recovery of data disrupted by intruders. This paper presents survey of intrusion detection system with different honeypot techniques, which are mostly useful to identify zero day phishing attack are listed in table. We focus on the basic ideas based on network security tools such as firewalls, IDS, IDS using honeypots and honeytokens which plays an important role in finding out source of attack, types of attack and provide the result as signature to the attack investigators to prevent same kind of attacks in future.
Conference Paper
Full-text available
In computer network security, a Network Intrusion Detection (NID) is an Intrusion Detection mechanism that attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity. There are many areas of research in this vast field of Network Intrusion Detection (NID) but in this survey paper, we will focus on its technology, development & strategic importance. Virus attacks, unauthorized access, theft of information and denial-of-service attacks were the greatest contributors to computer crime, a number of techniques have been developed in the past few years to help cyber security experts in strengthening the security of a single host or the whole computer network. Intrusion Detection is important for both Military as well as commercial sectors for the sack of their Information Security, which is the most important topic of research for the future networks.
SCADA (Supervisory Control and Data Acquisition) systems are at the heart of the modern industrial enterprise ranging from mining plants, water and electrical utility installations to oil and gas plants. In a market that is crowded with high-level monographs and reference guides, more practical information for professional engineers is required. This book covers the essentials of SCADA communication systems focussing on DNP3, the IEC 60870.5 standard and other new developments in this area. It commences with a brief review of the fundamentals of SCADA systems' hardware, software and the communications systems (such as RS-232, RS-485, Ethernet and TCP/IP) that connect the SCADA Modules together. A solid review is then done on the DNP3 and IEC 60870.5 protocols where its features, message structure, practical benefits and applications are discussed. This book provides you with the knowledge to design your next SCADA system more effectively with a focus on using the latest communications technologies available.
Wireless Sensor Network (WSN) technology is being increasingly used for data collection in Critical Infrastructures (CIs). The paper presents an Intrusion Detection System (IDS), which is able to protect a CI from attacks directed to its WSN-based parts. By providing accurate and timely detection of malicious activities, the proposed IDS solution ultimately results in a dramatic improvement in terms of protection, since opportunities are given for performing proper remediation/reconfiguration actions, which counter the attack and/or allow the system to tolerate it. We present the basic ideas, discuss the main implementation issues, and perform a preliminary experimental campaign. Not only have experiments demonstrated the effectiveness of the proposed approach in protecting the system against two very serious attacks to WSNs (namely: sinkhole, and bogus packet), but they have also proved that the stringent requirements (in terms of limited availability of resources) which are typical of current state-of-the-art WSN technologies, are met.
Abstract: Will future intrusion detection tools meet the goals of the US Air Force? To help ensure that they will, the MITRE C2 Protect Mission-Oriented Investigation and Experimentation (MOIE) project is forecasting the environment for Air Force intrusion detection. The forecast should be helpful to commercial interests that may develop capabilities, can be a means of coordinating and shaping future funding decisions, and may provide a common framework for discussing issues. The first phase of the MOIE project captured customer and corporate experience with
Honeytokens are artificial digital data items planted deliberately into a genuine system resource in order to detect unauthorized attempts to use information. The honeytokens are characterized by properties which make them appear as genuine data items. Honeytokens are also accessible to potential attackers who intend to violate an organization's security in an attempt to mine information in a malicious manner. One of the main challenges in generating honeytokens is creating data items that appear real and that are difficult to distinguish from real tokens. In this paper we present "HoneyGen", a novel method for generating honeytokens automatically. HoneyGen creates honeytokens that are similar to the real data by extrapolating the characteristics and properties of real data items. The honeytoken generation process consists of three main phases: rule mining, in which various types of rules that characterize the real data are extracted from the production database; honeytoken generation, in which an artificial relational database is generated based on the extracted rules; and likelihood rating, in which a score is calculated for each honeytoken based on its similarity to the real data. A Turing-like test was performed in order to evaluate the ability of the method to generate honeytokens that cannot be detected by humans as honeytokens. The results indicate that participants were unable to distinguish honeytokens having a high likelihood score from real tokens.
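The three phases described above (rule mining, generation, likelihood rating) can be illustrated with a small self-contained script. This is an added example and not the HoneyGen authors' code: the rule types (numeric range, small categorical set, character-class "shape" of a string), the categorical threshold, the production table and the scoring formula are all assumptions chosen for illustration, and the "production" rows are fabricated.

```python
"""Toy HoneyGen-style honeytoken generator: mine rules from a production
table, synthesize rows that obey them, and score each row's likelihood.
Added illustration; rule types, thresholds and data are assumptions."""
import random
import string

# Constructed "production" table (fabricated records, not real people).
PRODUCTION = [
    {"name": "Alice Brown", "zip": "10001", "age": 34, "plan": "gold"},
    {"name": "Bob Carter",  "zip": "10003", "age": 41, "plan": "silver"},
    {"name": "Carol Diaz",  "zip": "10011", "age": 29, "plan": "gold"},
    {"name": "Dan Evans",   "zip": "10002", "age": 52, "plan": "bronze"},
    {"name": "Eve Foster",  "zip": "10014", "age": 38, "plan": "silver"},
]

# Assumption: a string column with at most this many distinct values is
# treated as categorical (drawn from the observed set) rather than by shape.
CATEGORICAL_MAX_DISTINCT = 3


def _shape(value: str) -> str:
    """Character-class pattern: 'Alice Brown' -> 'Aaaaa Aaaaa', '10001' -> '99999'."""
    out = []
    for ch in value:
        if ch.isupper():
            out.append("A")
        elif ch.islower():
            out.append("a")
        elif ch.isdigit():
            out.append("9")
        else:
            out.append(ch)
    return "".join(out)


def mine_rules(rows):
    """Phase 1: one rule per column. Integers -> ('range', lo, hi);
    low-cardinality strings -> ('categorical', [values]);
    other strings -> ('shape', [character-class patterns seen])."""
    rules = {}
    for col in rows[0]:
        values = [r[col] for r in rows]
        if all(isinstance(v, int) and not isinstance(v, bool) for v in values):
            rules[col] = ("range", min(values), max(values))
        elif len(set(values)) <= CATEGORICAL_MAX_DISTINCT:
            rules[col] = ("categorical", sorted(set(values)))
        else:
            rules[col] = ("shape", sorted({_shape(v) for v in values}))
    return rules


def _fill_shape(shape: str, rng: random.Random) -> str:
    """Instantiate a shape pattern with random characters of the right class."""
    return "".join(
        rng.choice(string.ascii_uppercase) if c == "A"
        else rng.choice(string.ascii_lowercase) if c == "a"
        else rng.choice(string.digits) if c == "9"
        else c
        for c in shape
    )


def generate(rules, n, seed=0):
    """Phase 2: synthesize n honeytoken rows that satisfy every mined rule."""
    rng = random.Random(seed)
    tokens = []
    for _ in range(n):
        row = {}
        for col, rule in rules.items():
            kind = rule[0]
            if kind == "range":
                row[col] = rng.randint(rule[1], rule[2])
            elif kind == "categorical":
                row[col] = rng.choice(rule[1])
            else:
                row[col] = _fill_shape(rng.choice(rule[1]), rng)
        tokens.append(row)
    return tokens


def likelihood(row, rules):
    """Phase 3: fraction of mined rules the row satisfies, in [0, 1].
    (HoneyGen's real scoring is richer; this is a stand-in.)"""
    hits = 0
    for col, rule in rules.items():
        v = row.get(col)
        kind = rule[0]
        if kind == "range":
            hits += isinstance(v, int) and rule[1] <= v <= rule[2]
        elif kind == "categorical":
            hits += v in rule[1]
        else:
            hits += isinstance(v, str) and _shape(v) in rule[1]
    return hits / len(rules)


if __name__ == "__main__":
    mined = mine_rules(PRODUCTION)
    for tok in generate(mined, 3, seed=1):
        print(round(likelihood(tok, mined), 2), tok)
```

Shape-only rules produce names that pass a mechanical check yet look like gibberish, which is exactly why the paper needs a human Turing-like test on top of the likelihood score: a production-grade generator mines dictionary rules (real first/last names, valid zip-to-city pairs) and cross-column dependencies as well, and only the high-scoring rows survive.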
This paper presents a summary of research findings for a new reactive phishing investigative technique using Web bugs and honeytokens. Phishing has become a rampant problem in today's society and has cost financial institutions millions of dollars per year. Today's reactive techniques against phishing usually involve methods that simply minimize the damage rather than attempting to actually track down a phisher. Our research objective is to track down a phisher to the IP address of the phisher's workstation rather than innocent machines used as intermediaries. By using Web bugs and honeytokens on the fake Web site forms the phisher presents, one can log accesses to the honeytokens by the phisher when the attacker views the results of the forms. Research results to date are presented in this paper.
Industrial systems are nowadays exposed to new kinds of malicious threats. The cause of this is the large number of new vulnerabilities and architectural weaknesses introduced by the extensive use of ICT and networking technologies for the operation and monitoring of such complex systems. Several scientific works have shown how supervisory control and data acquisition (SCADA) systems, i.e. the systems which control industrial installations, are exposed to cyber attacks. These, due to the intrinsic nature of SCADA systems, cannot be avoided by using traditional ICT security measures. In this paper, we present a first prototype of a survivable SCADA architecture, conceived in order to be resilient and robust to cyber attacks on SCADA.
In the past several years, extensive research has been performed in various honeypot technologies, including honeynets, honeywalls, and honeytokens, primarily to gather information about external threats. Little to no research has been performed on how honeytokens, pieces of digital information designed to attract and trace illicit uses of data, can be implemented to catch one of the most dangerous threats, the trusted insider. The goal of this work is to detect, identify, and confirm insider threats, specifically threats that are after personally identifiable information (PII) data. These insiders are not after the physical system; they are after the information that these systems contain, which makes them a significant threat. Malicious insiders are a threat because they are technically skilled, generally highly motivated, and have access to extensive resources. For example, this threat may be a disgruntled employee who wishes to sell information to an overseas competitor. Or, this threat could be a spy working for a foreign country to compromise national security. Examples of such spies include Robert Hanssen, Aldrich Ames, and Ana Montes, all of whom caused extreme harm to their organizations over a long period of time without being detected. Insider threats are real, and they must be mitigated. While honeytokens can be designed to appear like any type of valuable data, personally identifiable information is especially valuable. Identity theft is a huge problem in countries all over the world, and information about people's intimate lives has to be protected from a multitude of threats, both internal and external. This type of personal information is typically contained in a database, and consists of a small but varied set of elements, including attributes such as names, addresses, birth dates, telephone numbers, credit card numbers, passport numbers, and email addresses.
Personal information is also something that every organization possesses, no matter how large or small it is, no matter where the business is located, and no matter what types of operations the organization is involved in. In the case of the spy Robert Hanssen, it is known that he used an FBI search engine to look up his own name in the active case database, as well as sensitive information about several other agents. Also, when the 2008 presidential election was in full swing, State Department officials were forced to admit that Barack Obama's personal passport data had been accessed maliciously several times by government employees. In this case, it is believed that the employees were just curious, but this is still a severe breach of security. Insiders illicitly accessing PII data are a serious threat, and it happens all too often, with several instances identified in the literature. The purpose of this work is to describe the method we took to use and develop PII honeytokens to trace insiders who are using personal information maliciously. The deployment of internal PII honeytokens can significantly reduce risk profiles within an organization because monitored honeytokens can detect illicit behaviors before they have escalated into full-blown data leaks and can work as an early warning system for administrators. There are several areas where personally identifiable honeytokens could be deployed, including packets sent across the network, in the same file space as personal information, and also as returned search results from a search engine. In the poster, we will show how we developed a PII honeytoken system, how we tested the realism of the honeytokens, and how we deployed them into a people search engine to track potential misuse. When an individual uses the search engine, honeytokens are returned along with the correct information.
The honeytokens are designed to have no valid business use; in fact, they are completely fabricated, though they are still life-like. These honeytokens are then monitored, and if access is ever detected
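The monitoring half of the scheme above, where fabricated PII records are planted in a people search engine and any deliberate use of them raises an alert, can be shown as detection logic over an access log. This is an added example, not the poster authors' system: the log format, the record identifiers, the set of "trigger" actions and the log lines themselves are constructed for illustration. The important caveat it encodes is that a honeytoken merely appearing in a result list is expected (the engine returns it alongside real hits), so only a follow-on view, export or print of that record should alarm.

```python
"""Detect insider use of planted PII honeytokens from a constructed
search-engine access log. Added example; identifiers, log format and
trigger actions are assumptions, and all records are fabricated."""
import re
from collections import Counter

# Record IDs of the fabricated people planted in the directory (assumption).
HONEYTOKEN_IDS = {"P-88213", "P-88219"}

# Actions that mean a user deliberately consumed the record. A honeytoken
# showing up as a 'result' is the engine doing its job and must not alarm.
TRIGGER_ACTIONS = {"view", "export", "print"}

# Assumed one-line-per-event log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<rec>\S+)$"
)

# Constructed sample log: jsmith sees a honeytoken in results but opens a
# real record; rdoe opens and then exports a honeytoken.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=jsmith action=search record=-
2024-03-01T09:00:02Z user=jsmith action=result record=P-10001
2024-03-01T09:00:02Z user=jsmith action=result record=P-88213
2024-03-01T09:00:05Z user=jsmith action=view record=P-10001
2024-03-01T09:14:10Z user=rdoe action=result record=P-88219
2024-03-01T09:14:12Z user=rdoe action=view record=P-88219
2024-03-01T09:15:00Z user=rdoe action=export record=P-88219
this line is malformed and is skipped
"""


def parse_event(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, honeytokens=HONEYTOKEN_IDS, triggers=TRIGGER_ACTIONS):
    """Return (timestamp, user, action, record) for every triggering access
    to a honeytoken, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["rec"] in honeytokens and ev["action"] in triggers:
            alerts.append((ev["ts"], ev["user"], ev["action"], ev["rec"]))
    return alerts


def offenders(alerts):
    """Count triggering honeytoken accesses per user (who to investigate first)."""
    return Counter(user for _, user, _, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print("ALERT", *a)
    print(offenders(found))
```

Because the records have no valid business use, any alert is high-confidence by construction; the remaining false-positive risk comes from automated crawlers or backup jobs that open every record, which is why the trigger set is restricted to interactive actions and why the honeytoken IDs themselves are never written into documentation an automated job might read.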
Presently, there is poor knowledge about coupled systems and their interdependencies. Failures caused by cascade effects are increasing, and operators do not know how to adequately control the negative consequences on their systems. At the same time, critical infrastructures, due to their relevance, are potential targets of outlaw groups, ill-disposed people, and terrorist groups. The modeling of the coupled infrastructures may lead to an evaluation of power system security and could help to assess the impact of the cascading effect between ICT and the power grid. Consequently, it is possible to find vulnerabilities and relevant risk indices of the power system. In our research group, different ways of modeling critical infrastructures in their interdependencies are explored: a behavioral co-simulator, the use of Complex Networks theory and Bayesian Networks, among other theories and tools which can be investigated. Because of the necessity to assess the security of the coupled infrastructures, which implies the modeling of these networks, precedence graphs and a modified FMECA are being employed for this purpose.
In wireless mesh networks (WMNs), the static mesh routers (MRs) cooperatively relay each other's packets to the Internet Gateway (IGW). The routing protocols assume all the nodes in the network to be non-malicious. However, the open architecture of WMNs paves the way for malicious attackers who can exploit hidden loopholes in the routing protocol. In this paper, we mainly focus on the vulnerability of the network to a suction attack called the blackhole attack. In detecting such attacks, we explore the use of intelligent agents called honeypots, which are roaming virtual software agents that generate dummy route request (RREQ) packets to lure and trap blackhole attackers. We illustrate the performance of our proposed detection approach by extensive simulation results using the ns-2 simulator.