three level deep packet inspection
play

Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin - PowerPoint PPT Presentation

Dec 12, 2023 •275 likes •611 views

CPS-SR CPS-IoT Week 2019 April 15 - 18, 2019 Montreal, Canada Intrusion Detection of Networked Cyber-Physical Systems via Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy Technology (INET)

  1. CPS-SR CPS-IoT Week 2019 April 15 - 18, 2019 Montreal, Canada Intrusion Detection of Networked Cyber-Physical Systems via Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy Technology (INET) Tsinghua University April, 2019

  2. Outline  Introduction of INET of Tsinghua Univ.  Cybersecurity of Networked CPS  Three Level of Deep Packet Inspection  Intrusion Detection based on Neural Network  Data Capture and Results  Conclusions 2

  3. Tsinghua University A comprehensive and research-intensive university  Founded in 1911  Engineering 19 schools  Science 55 departments  Humanities and Social Sciences  Architecture  Arts and Design  Medicine  …… 3

  4. INET  INET ◦ Institute of Nuclear and New Energy Technology, Tsinghua University, Beijing, China ◦ Founded in 1960s  Research Areas ◦ Advanced Nuclear Energy Technology (three research reactors)  A twin-core experimental shielding reactor  A 5MW nuclear heating reactor (NHR-5)  A 10MW modular high temperature gas-cooled reactor (HTR-10): a type of Gen-IV reactor ◦ Nuclear Technology  60 Co container inspection system ◦ New Energy Technology  Lithium-ion batteries and fuel cells ◦ Energy Policy Research 4

  5. HTR-PM: a commercial NPP  High Temperature Gas- cooled Reactor - Pebble-Bed Module  Total thermal power: 2*250MWth  Rated electrical power: 210MWe  Primary helium press: 7MPa  Temperature at inlet/outlet: 250/750 ℃ 5

  6. NPP Plan of China FI CA UK SE DE US FR CH CN JP RU IR KR Fortune China, 2014 6

  7. Main Control Room - 3D Model 7

  8. Outline  Intro of INET of Tsinghua Univ.  Cybersecurity of Networked CPS  Three Level of Deep Packet Inspection  Intrusion Detection based on Neural Network  Data Capture and Results  Conclusions 8

  9. Networked CPS  Industrial Control  Networking Protocols Systems (ICS)  Not standard TCP/IP  P: sensors and actuators  Modbus, Siemens S7, OPC UA  C: control programs  Commercial IDS  Proprietary ones  TCP/IP variants 9

  10. Difficulties Real-time Requirement • ICS-SIEM Prevention Proprietary • Intrusion Detection based on Detection Protocol physical data Operational • Intrusion-tolerant Control Response continuity 10

  11. Outline  Intro of INET of Tsinghua Univ.  Cybersecurity of Networked CPS  Three Level of Deep Packet Inspection  Intrusion Detection based on Neural Network  Data Capture and Results  Conclusions 11

  12. Categories of Hackers based on Their Abilities • skilled with IT security IT Hackers • unaware of industrial control • skilled with IT security ICS Hackers • familiar with ICS and protocols • skilled with IT security NPP Hackers • familiar with I&C systems (Process Hackers) • access NPP (Process) information 12

  13. Deny of Service  by IT hackers  Intercept data packets of HMI commands  Effect: operators lose control of PLC 13

  14. Command Injection  by ICS hackers  Inject the STOP command of PLC  Effect: PLC offline 14

  15. Data Falsification  by NPP hackers  falsify the feedback data to HMI  Effect: Operators deceived 15

  16. Three-level Deep Packet Inspection  1. Network level  Inspection with networking protocols (TCP/IP)  Network flow statistics and packet analysis  Commercial IDS for Internet  2. Control level  Inspection with control protocols (Modbus, S7, ...)  Values of the protocol fields  ICS-IDS  3. Process level  Inspection with control configuration  Phy hysic ical l dat data: Quantities or commands, such as temperature, pressure, valve status, motor start/stop command  ICS ICS-IDS cus customiz ized for for NPP 16

  17. Deep Packet Inspection  IPv4 Src IP = 141.81.0.10 Dest IP = 141.81.0.86 Src port = 57184 Dest port = 502  Function code = 4 (Read input registers) Reference number = 2258 (Staring address) Word count = 2 (Number of registers) 17

  18. Outline  Intro of INET of Tsinghua Univ.  Cybersecurity of Networked CPS  Three Level of Deep Packet Inspection  Intrusion Detection based on Neural Network  Data Capture and Results  Conclusions 18

  19. Intrusion Detection Algorithms  Characteristic detection  Based on known malicious data models  Efficient and accurate, only for known attacks  Applied in control level inspection  Anomaly detection  Based on a legal behavior model, either by experts, or by machine learning  for unknown attacks, false alarms  Applied in process level inspection  Still an open question 19

  20. One-class Detection based on RNN  Why One-class?  Few attack data, while abundant normal data  Replicator neural network (RNN)  replicating the input data as the desired outputs, with the same number of neurons in output layer and the input layer 20

  21. Feature extraction Attributes Time A packet Frame number Header Window size IP address Port Data Data length Flag code Protocol type ……

  22. Feature extraction  Sliding window feature extraction approach Features extracted from packet headers Average time interval Number of packets with a 0 data length Number of IP addresses Number of ports Number of packets using ARP protocol Average data length Number of sorts of flag codes Average frame length Number of packets with a 0 window size Average total length of packets

  23. Outline  Intro of INET of Tsinghua Univ.  Cybersecurity of Networked CPS  Three Level of Deep Packet Inspection  Intrusion Detection based on Neural Network  Data Capture and Results  Conclusions 23

  24. Security Test Box  I&C Testbed  Attack Generation  Intrusion Detection HMI Attack Server Network switch Security Monitoring Controllers (PLC) Module 24

  25. Structure of Test Box 25

  26. Cooling Water System

  27. Video 27

  28. Structure of Datasets normal abnormal Normal operation Training dataset 25121 0 Normal Normal DoS Testing dataset1 4936 820 operation operation Normal Normal Command 2688 1556 Testing dataset2 operation operation injection Normal Data Normal 2963 2282 Testing dataset3 operation tampering operation

  29. Training of RNN 0.1366 1 𝑜 𝑧 𝑗 − 𝑢 𝑗 2 𝑜 σ 𝑗=1 𝑆𝑁𝑇𝐹 =   is used to measure the difference between output and input  To enhance robustness of our model, we set 3 times of the max value of RMSE as the threshold

  30. Attack Detection and Identification Wen SI, Jianghai LI, Xiaojin HUANG, One-class Anomaly Wen SI, Jianghai LI, Xiaojin HUANG, Attack Detection for I&C Systems based on Replicator Neural Identification In I&C Systems based on Networks, NPIC-HMIT 2019, Orlando, FL, US, Feb. 2019. Physical Data, ICONE27, accepted 30

  31. Conclusions  Three classes of hackers and attacks  Three levels of DPI  Intrusion detection based on replicator neural network  ICS security test box for data capture 31

  32. Thank you. Jianghai LI +86-133-6647-7697 lijianghai@tsinghua.edu.cn 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley (Work under submission). Intrusion Prevention Deep Packet Inspection Parental Filtering (DPI) In-network

851 views • 42 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used to enhance the scanning process. Specifically, even if the Abstract Deep Packet Inspection (DPI) plays a major role in contemporary networks, and

479 views • 9 slides
Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer

Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer

Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer International Computer Science Institute, & Corelight, Inc. robin@icsi.berkeley.edu robin@corelight.io http://www.icir.org/robin Deep Packet

931 views • 68 slides
DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

Bram C.M. Cappers Jarke J. van Wijk b.c.m.cappers@tue.nl j.j.v.wijk@tue.nl SEMANTIC NETWORK TRAFFIC ANALYSIS USING DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced Persistent Threats (APTs)

240 views • 5 slides
Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Chair for Network Architectures and Services Technical University of Munich (TUM) Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections Intermediate Talk Julien Schmidt May 30, 2016 Chair for

384 views • 16 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik Pete , Systems Engineer 28 th March, 2018 Car Hacking Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the

371 views • 35 slides
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang Junchen Jiang Yi Tang Yi Wang Bin Liu Xiaojun Wang School of Electronic Engineering, Dublin City University, Dublin, Ireland

81 views • 5 slides
Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017 May 2017 Background Main uses for network traffic analysis Operations & management Capacity planning Performance troubleshooting

520 views • 24 slides
Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and Attack-Resilient Performance* Yi-Hua E. Yang Viktor K. Prasanna Chenqian Jiang Ming Hsieh Dept. of Electrical Eng. Ming Hsieh Dept. of Electrical Eng. Ming

432 views • 11 slides
SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department

SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department

SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department of Computer Science Department of Electrical and Computer Engineering University of Illinois at Springfield Southern Illinois University

181 views • 6 slides
Scheduling in Wireless Networks With Packet-Level and Flow-Level Dynamics Ramin Khalili Reading

Scheduling in Wireless Networks With Packet-Level and Flow-Level Dynamics Ramin Khalili Reading

Scheduling in Wireless Networks With Packet-Level and Flow-Level Dynamics Ramin Khalili Reading Group: 01.02.2011 1 Outline network model packet-level scheduling flow-level scheduling multi-channel case conclusion 2

328 views • 22 slides
EVADING DEEP INSPECTION FOR FUN AND SHELL Who we are

EVADING DEEP INSPECTION FOR FUN AND SHELL Who we are

EVADING DEEP INSPECTION FOR FUN AND SHELL Who we are Olli-Pekka Niemi An; Levomki Chief Research Officer, Senior Vulnerability Stoneso9

1.02k views • 57 slides
Advances in ad hoc networking: Packet Level Authentication Dmitrij Lagutin, dlagutin@cc.hut.fi

Advances in ad hoc networking: Packet Level Authentication Dmitrij Lagutin, dlagutin@cc.hut.fi

Advances in ad hoc networking: Packet Level Authentication Dmitrij Lagutin, dlagutin@cc.hut.fi T-79.5401 Special Course in Mobility Management: Ad hoc networks, 2.5.2007 Contents Introduction Packet Level Authentication

542 views • 20 slides
GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

FERMILAB-SLIDES-18-122-CD GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The 43nd IEEE Conference on Local Computer Networks October 4, 2018 This manuscript has been authored by Fermi Research

473 views • 24 slides
INSPECTIONS IN SMALL PROJECTS Juha Iisakka University of Oulu, Finland Department of

INSPECTIONS IN SMALL PROJECTS Juha Iisakka University of Oulu, Finland Department of

INSPECTIONS IN SMALL PROJECTS Juha Iisakka University of Oulu, Finland Department of Information Science Juha Iisakka SOQUA 2004 TIETOJENKSITTELYTIETEIDEN LAITOS Inspection what means "normal" inspection limited

201 views • 6 slides
GlaxoSmithKline MODA 8 Almagro, Spain 48 June 2007 INTRODUCTION Patient recruitment

GlaxoSmithKline MODA 8 Almagro, Spain 48 June 2007 INTRODUCTION Patient recruitment

RECRUITMENT IN MULTICENTRE TRIALS: PREDICTION & ADJUSTMENT Vladimir Anisimov, Darryl Downing, Valerii Fedorov Statistical Quantitative Sciences GlaxoSmithKline MODA 8 Almagro, Spain 48 June 2007 INTRODUCTION Patient recruitment

430 views • 31 slides
16.1 Review Recall from the previous lectures that non-parametric learning is a process which

16.1 Review Recall from the previous lectures that non-parametric learning is a process which

CS/CNS/EE 253: Advanced Topics in Machine Learning Topic: GP Classification & Active Nonparametric Learning Lecturer: Andreas Krause Scribe: Daniel Erenrich Date: March 3, 2010 16.1 Review Recall from the previous lectures that non-parametric

645 views • 6 slides
MAS2602: Computing for Statistics Newcastle University lee.fawcett@ncl.ac.uk Semester 1, 2019/20

MAS2602: Computing for Statistics Newcastle University lee.fawcett@ncl.ac.uk Semester 1, 2019/20

MAS2602: Computing for Statistics Newcastle University lee.fawcett@ncl.ac.uk Semester 1, 2019/20 MAS2602 Arrangements Statistics classes run in teaching weeks 59 Lecturer is Dr. Lee Fawcett ( lee.fawcett@ncl.ac.uk ) Schedule: 4 lectures, 4

1.01k views • 41 slides
Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie

Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie

Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie David Notkin Dept. of Computer Science & Engineering University of Washington, Seattle Nov. 2004 ICFEM 04, Seattle 1 of 24 Motivation

477 views • 25 slides
Intersections of Three Planes MCV4U: Calculus & Vectors There are many more ways in which

Intersections of Three Planes MCV4U: Calculus & Vectors There are many more ways in which

i n t e r s e c t i o n s o f l i n e s a n d p l a n e s i n t e r s e c t i o n s o f l i n e s a n d p l a n e s Intersections of Three Planes MCV4U: Calculus & Vectors There are many more ways in which three planes may intersect (or

580 views • 3 slides
A Power Comparison for Testing Normality Shigekazu Nakagawa, Hiroki Hashiguchi, and Naoto Niki

A Power Comparison for Testing Normality Shigekazu Nakagawa, Hiroki Hashiguchi, and Naoto Niki

A Power Comparison for Testing Normality Shigekazu Nakagawa, Hiroki Hashiguchi, and Naoto Niki Kurashiki University of Science and the Arts Saitama University Tokyo University of Science COMPSTAT2010, Paris-France, Aug. 22-27 Nakagawa,

490 views • 24 slides
Normality and Automata Olivier Carton LIAFA Universit e Paris Diderot & CNRS Join work

Normality and Automata Olivier Carton LIAFA Universit e Paris Diderot & CNRS Join work

Normality and Automata Olivier Carton LIAFA Universit e Paris Diderot & CNRS Join work with Ver onica Becher and Pablo Heiber (Universidad de Buenos Aires & CONICET) Work supported by LIA Infinis AutoMathA 2015, Leipzig Outline

811 views • 61 slides

More recommend