side channel based intrusion detection for industrial
play

Side-channel based intrusion detection for industrial control - PowerPoint PPT Presentation

Mar 24, 2023 •608 likes •928 views

Side-channel based intrusion detection for industrial control systems I have no idea what this device is doing, but at least its still doing the same thing. CRITIS 2017, October 9 th , 2017 Pol Van Aubel 1/31 Authors Joint work:

  1. Side-channel based intrusion detection for industrial control systems “I have no idea what this device is doing, but at least it’s still doing the same thing.” CRITIS 2017, October 9 th , 2017 Pol Van Aubel 1/31

  2. Authors Joint work: Pol Van Aubel Kostas Papagiannopoulos pol.vanaubel@cs.ru.nl k.papagiannopoulos@cs.ru.nl Radboud University Radboud University iCIS|Digital Security iCIS|Digital Security Łukasz Chmielewski Christian Doerr chmielewski@riscure.com c.doerr@tudelft.nl Riscure BV Delft University of Technology Pol Van Aubel 2/31

  3. Outline Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion Pol Van Aubel 3/31

  4. Outline Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion Pol Van Aubel 4/31

  5. The scenario What if an attacker changes the software on the control systems? Natanz • Ukraine • . . . • Pol Van Aubel 5/31

  6. The problem After a program is written • tested • deployed • how do we ensure that we are always running that program? Pol Van Aubel 6/31

  7. Prevent other software from running Verify software signatures with a Trusted Platform Module. Or similar solutions, requiring integration. Pol Van Aubel 7/31

  8. Detect when other software is running Network intrusion detection . . . and prevention? • Host intrusion detection. • Requiring integration. May be circumvented or worse. Pol Van Aubel 8/31

  9. What about the legacy? Large number of deployed systems. We need an option that can be used without software modifications, • without hardware modifications, • at most superficial hardware additions. • There are no silver bullets. Pol Van Aubel 9/31

  10. Side-channel based intrusion detection We propose a system to detect software compromise of embedded industrial control systems by using the electromagnetic side-channel emissions of the underlying hardware. Pol Van Aubel 10/31

  11. Outline Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion Pol Van Aubel 11/31

  12. Side-channels What is a side-channel? Non-functional transmission of information about the state of a system. Execution time • Processor temperature • Power consumption • Coil whine • WiFi power levels • Electromagnetic radiation • Mostly used for breaking cryptography / security / privacy. Pol Van Aubel 12/31

  13. How to capture EM-radiation? Pol Van Aubel 13/31

  14. What does it look like? Pol Van Aubel 14/31

  15. PLCs 101 Dedicated industrial computers that are built for stability, • robustness, • real-time characteristics, • and huge numbers of I/O arrangements. • Pol Van Aubel 15/31

  16. PLCs 101 Operate on a “scan cycle”: 1. read all inputs into memory, 2. execute the user program, 3. do error handling and other stuff, 4. drive all outputs from memory. over and over again. Pol Van Aubel 16/31

  17. What does it look like? Pol Van Aubel 17/31

  18. Outline Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion Pol Van Aubel 18/31

  19. Attacker model Attacker can upload new software to the PLC to replace or modify the existing user program. Attacker cannot control the PLC operating system. Pol Van Aubel 19/31

  20. Two-layered intrusion detection 1. Timing layer: check program runtime. 2. EM layer: compare program EM trace to baseline. Pol Van Aubel 20/31

  21. Timing side-channel layer Trivially detects large alterations. • Determining runtime? • – EM-analysis – OS-emitted signal Pol Van Aubel 21/31

  22. Determine runtime through EM-analysis Pol Van Aubel 22/31

  23. EM side-channel layer Distinguish between programs with minor modifications in program logic (instructions). • in comparison constants (values). • Pol Van Aubel 23/31

  24. Outline Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion Pol Van Aubel 24/31

  25. Best results – comparison constant Pol Van Aubel 25/31

  26. Best results – comparison constant Pol Van Aubel 26/31

  27. Best results – program logic Pol Van Aubel 27/31

  28. Best results – program logic Pol Van Aubel 28/31

  29. Outline Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion Pol Van Aubel 29/31

  30. Future work Expand on classification techniques to improve recognition rates. • Consider the PLC operating system. • Analyse the impact of EM-noisy environments. • Pol Van Aubel 30/31

  31. Main conclusions Our method is feasible. • However, it does not come without a cost. • Detects when attacker replaces user program. • Software available at • https://polvanaubel.com/research/em-ics/code/ . Pol Van Aubel Kostas Papagiannopoulos pol.vanaubel@cs.ru.nl k.papagiannopoulos@cs.ru.nl PGP key fingerprint: 5937 4550 F873 5C57 A778 Łukasz Chmielewski BDE2 B563 848A 5F60 0EAE chmielewski@riscure.com Paper 59 on the conf. USB Christian Doerr c.doerr@tudelft.nl Pol Van Aubel 31/31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert

CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert

CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert Brotzman, Shen Liu, Danfeng Zhang, Gang Tan, Mahmut Kandemir Pennsylvania State University Cache Side Channels Process Data CPU Cache Program Side

390 views • 20 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to signature-based PCA detection Human intervention By Jeff Terrell Not adaptive; can't learn For COMP 290 - IDS - Spring 2005 Can be

360 views • 7 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Cyber@UC Meeting 40 CEH Networking If Youre New! Join our Slack ucyber.slack.com SIGN

Cyber@UC Meeting 40 CEH Networking If Youre New! Join our Slack ucyber.slack.com SIGN

Cyber@UC Meeting 40 CEH Networking If Youre New! Join our Slack ucyber.slack.com SIGN IN! Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach, Recruitment Ongoing Projects:

644 views • 40 slides
;%"'4<=>20'%#646?420'%$5>46@> ;%)64A0<B%*??6>>%+0'4<03

;%"'4<=>20'%#646?420'%$5>46@> ;%)64A0<B%*??6>>%+0'4<03

"#$%&'(%)*+ ,-./0123245%%%%%%%%$674%899: ;%"'4<=>20'%#646?420'%$5>46@> ;%)64A0<B%*??6>>%+0'4<03 ;%CCC%&'(%AD6<6%(06>%<0&@2'E %%?0@6%2'40%73&5F !

514 views • 7 slides
Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems Waseem Abbas 1 ,

Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems Waseem Abbas 1 ,

Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems Waseem Abbas 1 , Aron Laszka 2 , Yevgeniy Vorobeychik 1 , Xenofon Koutsoukos 1 1 Institute for Software Integrated Systems, Vanderbilt University 2 Electrical

495 views • 24 slides
Efficient Packet Classification for Intrusion Detection Using FPGA Haoyu Song, John W. Lockwood

Efficient Packet Classification for Intrusion Detection Using FPGA Haoyu Song, John W. Lockwood

Efficient Packet Classification for Intrusion Detection Using FPGA Haoyu Song, John W. Lockwood Applied Research Lab : Reconfigurable Network Group Department of Computer Science and Engineering

214 views • 9 slides
HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5

HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5

HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5 YEARS IN AUTOMOTIVE TOP NOTCH LOCATIONS EMBEDDED SOFTWARE PROFESSIONALS AROUND SOFTWARE PROJECTS BUILDING THE GLOBE BUSINESS DELIVERED

616 views • 34 slides
TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies for Local Responding To and Trust Assessment Area Monitoring and Area

291 views • 8 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

703 views • 39 slides
Business Continuity at DESY a collection of themes and thoughts covering among others

Business Continuity at DESY a collection of themes and thoughts covering among others

Business Continuity at DESY a collection of themes and thoughts covering among others measures, procedures and dependencies Peter van der Reest, Yves Kemp, DESY IT Hepix Spring 2014, 21.05.2014 General DESY risk assessment > DESY

469 views • 15 slides

More recommend