selection of havex
play

Selection of Havex ICS Malware Plugin Julian Rrushi Western - PowerPoint PPT Presentation

Feb 06, 2023 •259 likes •484 views

Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Julian Rrushi Western Washington University Department of Computer Science Bellingham, WA julian.rrushi@wwu.edu 1 Outline Research problem investigated

  1. Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Julian Rrushi Western Washington University Department of Computer Science Bellingham, WA julian.rrushi@wwu.edu 1

  2. Outline • Research problem investigated • Target selection features measured • Decoy OPC tag deployment • Trials • Target selection measures • Quantitative analysis • Conclusions • Questions 2

  3. Target Selection Features Measured • Ability to discover true servers over the network from the compromised machine • Ability to ignore or discard nonexistent or absent servers on the network • Ability to determine whether or not a network server hosts COM objects and interfaces • Ability to find true OPC server • …and dismiss COM objects that are not OPC 3

  4. Other Important Feature • Ability to differentiate between valid and invalid OPC tags • Honeytoken OPC tags • OPC tags that are no longer mapped to a location in the memory of a controller • Not implemented due to safety reasons • Requires an IED configured to monitor and control the passage of electrical power from one circuit to another • OPC tags updated based on the IED scans • Those would be the target tags 4

  5. Decoy OPC Tag Display 5

  6. Deceptive Emulation 6

  7. Trials • Signal trials • Consist of true targets, i.e., server machines, COM objects, OPC server objects • Targets exposed to Havex • Empirically observed whether Havex recognizes those targets as valid • Noise trials • Consist of fake or nonexistent targets • Fake targets exposed to Havex as well • Empirically observed whether Havex pursues those targets 7

  8. Factors of Interest • Response bias • A general tendency to deem a target to be valid or invalid, i.e., signal or noise, respectively • Sensitivity • The degree of overlap between the valid-target and invalid-target probability distributions • Involves the internal reasons that cause Havex to pursue a target • Both factors are affected by the hit rate and the false-alarm rate 8

  9. Measures of Sensitivity (I) • d ’ measures the distance between the mean values of those probability distributions in standard deviation units • d ’ close to 0 indicates inability to distinguish between valid and invalid targets 9

  10. Measures of Sensitivity (II) • A’ is a measure that ranges between 0.5 and 1.0 • 0.5 indicates inability to distinguish between valid and invalid targets • 1.0 indicates full ability to distinguish valid targets from invalid targets 10

  11. Measures of Response Bias • β measure • When β<1, there is bias towards accepting a target as being valid • When β>1, there is bias towards discarding a target as invalid 11

  12. Server Trials • Windows machine infected by Havex • Signal trials • The machine had access to real servers over the network • Havex recognized most existing servers as valid targets • Noise trials • No real servers, only server displays • Havex pursued most of the phantom servers as valid targets 12

  13. Measurements • d ’=0.179, and thus close to 0 • A’=0.576, and thus close to 0.5 • β=0.791 and thus <1 • Havex has the tendency to recognize as a valid server any software component that can respond to network queries 13

  14. Probability Distributions 14

  15. COM Object Trials • A real server was reachable by Havex over the network • Signal trials • The server hosted true COM objects and interfaces • Havex recognized most of the existing COM objects as valid targets • Noise trials • The server generated a fake response when queried for COM objects and interfaces • No true COM objects and interfaces • Havex accepted most of those nonexistent objects as valid targets 15

  16. Measurements • d’= 0.196, and thus relatively close to 0 • A’= 0.589, and thus close to 0.5 • β= 0.723 and thus <1 • Havex is biased towards accepting as a valid target any server that claims to host COM objects and interfaces 16

  17. Probability Distributions 17

  18. OPC Server Object Trials • A real server with support for COM was reachable by Havex over the network • Signal trials • The server hosted true OPC server objects • Havex recognized most of the existing OPC server objects as valid targets • Noise trials • The server returned lists of OPC server objects that did not exist • No true OPC server objects were involved • Havex accepted most of those nonexistent OPC server objects as valid targets 18

  19. Measurements • d’= 0.1864, and thus relatively close to 0 • A’= 0.775, and thus still relatively close to 0.5 • β= 0.018 and thus <1 • Havex is biased towards accepting any claim of OPC server object as valid 19

  20. Probability Distributions 20

  21. All questions and feedback are welcome! 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Selection Rules: Selection Rules Each of the spectroscopies have associated selection

Selection Rules: Selection Rules Each of the spectroscopies have associated selection

Selection Rules: Selection Rules Each of the spectroscopies have associated selection rules. Selection rules originate from the quantum mechanical description of electromagnetic radiation interaction with matter. Use time-dependent

424 views • 13 slides
SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection

SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection

SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection Rank based selection Tournament Selection COMPETITION (mu) denotes the size of the (parent) population (lambda) denotes the

390 views • 19 slides
ERP Selection KIRTANE &amp; PANDIT Suhas Deshpande Why ERP Selection is important ?

ERP Selection KIRTANE &amp; PANDIT Suhas Deshpande Why ERP Selection is important ?

ERP Selection What are the Key Elements ? Agenda Why ERP Selection is important ? Why ERP Selection is important ? Selection Criteria- General Selection Criteria- General Selection Criteria- General Selection Criteria-

319 views • 18 slides
Feature Selection: ROC and Subset Selection Theodoridis 5.5-5.7 Using ROC for Feature Selection

Feature Selection: ROC and Subset Selection Theodoridis 5.5-5.7 Using ROC for Feature Selection

Feature Selection: ROC and Subset Selection Theodoridis 5.5-5.7 Using ROC for Feature Selection Hypothesis Tests Examined (e.g. t-test): Useful for discarding features But does not tell us about overlap between classes for a feature! At Left

526 views • 21 slides
GRADE 9 STUDENTS WELCOME STUDENTS OF THE CLASS OF 2022 Course Selection This Course Selection

GRADE 9 STUDENTS WELCOME STUDENTS OF THE CLASS OF 2022 Course Selection This Course Selection

GRADE 9 STUDENTS WELCOME STUDENTS OF THE CLASS OF 2022 Course Selection This Course Selection Sheet is like a contract between YOU &amp; Burnaby South All schools are staffed and timetabled based on how you complete your Course Selection

456 views • 27 slides
GRADE 8 STUDENTS WELCOME STUDENTS OF THE CLASS OF 2023 Course Selection This Course Selection

GRADE 8 STUDENTS WELCOME STUDENTS OF THE CLASS OF 2023 Course Selection This Course Selection

GRADE 8 STUDENTS WELCOME STUDENTS OF THE CLASS OF 2023 Course Selection This Course Selection Sheet is like a contract between YOU &amp; Burnaby South All schools are staffed and timetabled based on how you complete your Course Selection

238 views • 22 slides
Vegetation Lateral Selection Methodology Comparison (1) Lateral selection vs. (2) Substation

Vegetation Lateral Selection Methodology Comparison (1) Lateral selection vs. (2) Substation

Vegetation Lateral Selection Methodology Comparison (1) Lateral selection vs. (2) Substation holistic selection Both methodologies leverage sigma level (z-Score) performance of laterals (weighted function) Accounts for last-trim date to

106 views • 9 slides
GPA guidelines. Your Application input &amp; school record 1 9/17/2019 Selection process:

GPA guidelines. Your Application input &amp; school record 1 9/17/2019 Selection process:

9/17/2019 Overview of presentation National Honor Society What do NHS members do? Overview of selection process Selection to NHS: Suggestions for Info Form What does it mean to be selected? Selection process Who is involved?

661 views • 6 slides
Class of 2024 1 Course selection worksheet 1 Course selection online directions for

Class of 2024 1 Course selection worksheet 1 Course selection online directions for

Class of 2024 1 Course selection worksheet 1 Course selection online directions for Skyward 1 Summer School catalog and online selection directions; math readiness course; Spanish readiness course 1 Freshmen Course Selection

329 views • 16 slides
Balancing Selection and Beyond: Machine learning approaches for determining selection scenarios

Balancing Selection and Beyond: Machine learning approaches for determining selection scenarios

Balancing Selection and Beyond: Machine learning approaches for determining selection scenarios in a complex parameter space Thursday 14 th February 2019 Kaileigh Ahlquist Ramachandran Lab, Brown University Balancing selection maintains

536 views • 19 slides
1 Natural selection The conditions for natural selection: 1. variation among individuals

1 Natural selection The conditions for natural selection: 1. variation among individuals

Population Genetics 6: Natural Selection Natural selection GENETIC VARIATION DIFFERENTI AL SUCESS EVOLUTION +

717 views • 24 slides
School Selection Process For 2017-2018 The School Selection Process School Selection is open to

School Selection Process For 2017-2018 The School Selection Process School Selection is open to

School Selection Process For 2017-2018 The School Selection Process School Selection is open to students in all grades (K-12), and can be used to apply to School District of Philadelphia Schools ONLY (including different neighborhood, citywide

738 views • 20 slides
for 2020-2021 Beckendorff Junior High Course Selection Materials Orange course selection

for 2020-2021 Beckendorff Junior High Course Selection Materials Orange course selection

Incoming 7 th Grade Course Selection Information for 2020-2021 Beckendorff Junior High Course Selection Materials Orange course selection packet Course Selection Worksheet KAP Parent Commitment Letter Parent Letter Copy of

705 views • 32 slides
Conference Site Selection Stephanie Sabal Program Coordinator: Site Selection sabal@acm.org

Conference Site Selection Stephanie Sabal Program Coordinator: Site Selection sabal@acm.org

Conference Site Selection Stephanie Sabal Program Coordinator: Site Selection sabal@acm.org 212-626-0612 (direct) 212-302-5826 (fax) Conference Site Selection Step 1 Submit your PAF to begin site selection Please allow time for site selection

348 views • 8 slides
Resident Selection Sharing experiences from using selection science to find the best surgical

Resident Selection Sharing experiences from using selection science to find the best surgical

Resident Selection Sharing experiences from using selection science to find the best surgical trainees Brian J. Dunkin, MD, FACS TSDA General Session Disclosure Not a selection scientist Disclosure I found someone with whom to

794 views • 33 slides
Earl of March S.S. Course Selection Students Entering into Grade 9 Overview Course Selection:

Earl of March S.S. Course Selection Students Entering into Grade 9 Overview Course Selection:

Earl of March S.S. Course Selection Students Entering into Grade 9 Overview Course Selection: The Decision Process 1) Ministry Requirement 2) Course Type Selection 3) Choosing Courses Wisely 4) Other Information 1) Ministry Requirements

798 views • 50 slides
NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need finding? Needfinding is the process of uncovering User needs Opportunities for improvement Design Insights by learning about their goals

418 views • 14 slides
Self-report data, part 2 Spring 2017 Michelle Mazurek Some content adapted from Bilge Mutlu,

Self-report data, part 2 Spring 2017 Michelle Mazurek Some content adapted from Bilge Mutlu,

Self-report data, part 2 Spring 2017 Michelle Mazurek Some content adapted from Bilge Mutlu, Vibha Sazawal, 1 Todays class Finish self-reporting Interviews and surveys Start fieldwork 2 Biases in self-reporting data Social

570 views • 16 slides
DEFINING KEY WORDS AND TERMS Difference Identity 1 3/23/2016 PROGRAM APPROACHES Cultural

DEFINING KEY WORDS AND TERMS Difference Identity 1 3/23/2016 PROGRAM APPROACHES Cultural

3/23/2016 SESSION OBJECTIVES - PARTICIPANTS WILL: Investigate the spectrum of commonly used terms in anti-bias approaches Identify fundamental gaps in implementing an anti-bias approach and develop program-level visions for improving

430 views • 8 slides
Background Response rates (RR) have been declining over time. Proven methods to increase

Background Response rates (RR) have been declining over time. Proven methods to increase

5/22/2013 How Important are High Response Rates for College Surveys? Kevin Fosnacht Shimon Sarraf Elijah Howe Leah Peck Indiana University Center for Postsecondary Research Background Response rates (RR) have been declining over time.

527 views • 15 slides
Using Best-Worst Using Best-Worst Scaling to measure all Scaling to measure all sorts of things

Using Best-Worst Using Best-Worst Scaling to measure all Scaling to measure all sorts of things

Using Best-Worst Using Best-Worst Scaling to measure all Scaling to measure all sorts of things sorts of things AIMWA Associate Fellows and Fellows Seminar OCTOBER 2010 OCTOBER 2010 1 Rating Scales are commonly used in management

523 views • 29 slides
Requirements Elicitation R. Kuehl/J. Scott Hawker p. 1 R I T Software Engineering Requirements

Requirements Elicitation R. Kuehl/J. Scott Hawker p. 1 R I T Software Engineering Requirements

Requirements Elicitation R. Kuehl/J. Scott Hawker p. 1 R I T Software Engineering Requirements Elicitation - Discovery A conversation between stakeholders, users, and software engineers about requirements A negotiation to achieve

514 views • 18 slides
Matteo Cesari, MD, PhD EUGMS Congress Nice (France) September 22, 2017 Disclosure of

Matteo Cesari, MD, PhD EUGMS Congress Nice (France) September 22, 2017 Disclosure of

Self-reported screening tools for detecting community-dwelling older persons with frailty Matteo Cesari, MD, PhD EUGMS Congress Nice (France) September 22, 2017 Disclosure of speakers interests Presentations at scientific meetings for

768 views • 41 slides
THIRD QUARTER 2020 November 9, 2020 Q3 2020 Highlights Strong performance across Retail &amp;

THIRD QUARTER 2020 November 9, 2020 Q3 2020 Highlights Strong performance across Retail &amp;

THIRD QUARTER 2020 November 9, 2020 Q3 2020 Highlights Strong performance across Retail &amp; Wholesale business Retail brand comparable sales growth of +8.3%, the highest in 9 years Stabilization of Wholesale business with total

231 views • 20 slides

More recommend