20180226 D2.2 CNR V10 - anastacia-h2020.eu · BYOD Bring-your-own-device C&C Command and Control...

ANASTACIA has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement N° 731558

and from the Swiss State Secretariat for Education, Research and Innovation. This document only reflects the ANASTACIA Consortium’s view.

The European Commission is not responsible for any use that may be made of the information it contains.

D2.2AttacksThreatsAnalysisandContingencyActionsThisdeliverablepresentstheresultsofthefirst14monthsofworkconcerningthetask2.2.

Distributionlevel PU

Contractualdate 28.02.2018[M14]

Deliverydate 28.02.2018[M14]

WP/Task WP2/T2.2

WPLeader CNR

Authors E.Cambiaso(CNR),I.Vaccari(CNR),E.Punta(CNR),S.Scaglione(CNR),S.Bianchi(SOFT),A.Zarca(UMU),R.Trapero(ATOS),P.Sobonski(UTRC),D.Rivera(MONT)

ECProjectOfficer [email protected]

ProjectCoordinator

SoftecoSismatSpAStefanoBianchiViaDeMarini1,16149Genova–[email protected]

Projectwebsite www.anastacia-h2020.eu

of39

TableofcontentsPUBLICSUMMARY..............................................................................................................................3

1 Introduction................................................................................................................................4

1.1 Aimsofthedocument........................................................................................................4

1.2 Applicableandreferencedocuments................................................................................4

1.3 RevisionHistory..................................................................................................................4

1.4 AcronymsandDefinitions..................................................................................................4

2 Overviewofattackcategories....................................................................................................6

2.1 Activeattacks.....................................................................................................................7

2.1.1 PacketsCrafting..............................................................................................................7

2.1.2 PacketsAlteration..........................................................................................................8

2.1.3 ServiceCompromising....................................................................................................8

2.2 Passiveattacks....................................................................................................................9

2.2.1 DataInterception...........................................................................................................9

3 Analysedattackscenarios.........................................................................................................10

3.1 UseCaseMEC.3................................................................................................................12

3.1.1 Attackdescription........................................................................................................12

3.1.2 Protectionapproach.....................................................................................................14

3.1.3 Detectionplan..............................................................................................................14

3.1.4 Mitigationplan.............................................................................................................15

3.2 UseCaseBMS.3................................................................................................................16



3.2.3 Detectionplan..............................................................................................................17

3.2.4 Mitigationplan.............................................................................................................18

3.3 UseCaseBMS.4................................................................................................................19


3.3.2 Protectionplan.............................................................................................................19

3.3.3 Detectionplan..............................................................................................................20

3.3.4 Mitigationplan.............................................................................................................20

3.4 UseCaseBMS.2................................................................................................................22



3.4.3 Detectionplan..............................................................................................................23

of39

3.4.4 Mitigationplan.............................................................................................................23

4 AttacksDetectioninANASTACIA..............................................................................................25

4.1 MontimageMonitoringTool(MMT)................................................................................25

4.1.1 GeneralDescription......................................................................................................25

4.1.2 Capabilities...................................................................................................................26

4.1.3 MMTGeneralWorkflow...............................................................................................27

4.2 XL-SIEM.............................................................................................................................28

4.3 UTRCAgents.....................................................................................................................31

5 Additionalconsiderations.........................................................................................................33

5.1 SlowDenialofServiceAttacks..........................................................................................33

5.2 IoTSecurityConsiderations..............................................................................................34

6 Conclusions...............................................................................................................................35

7 REFERENCES..............................................................................................................................37

of39

PUBLICSUMMARYConcerningtheANASTACIAplatform,itisimportanttoanalyseandprotectinanaccuratewaytheunderlying infrastructure, inorder toavoidmalicioususers toperpetratemaliciousactivitiesonthenetwork.Inthiscontext,itiscrucialtoanalyseindeepthethreatsanattackermayexploitformaliciousactivities.Also, it is important to classify theattacker’saimsandwhichmeanshecanadopt.Theaimofthisdocumentistoaddressfourselectedusecases,focusedonsecurityaspectsofIoTandsmartdevices,andaddressingthefollowingattacks:

1. DistributedDenialofService,2. SQLinjection,3. 0-dayexploit,and4. malware.

For each attack, the document reports applicable detection andmitigation actions, in order toidentifythethreatandreacttoit.Suchactivitiesoftenrequireaprotectionplanthatinvolvestheentire life cycle of the components, from the design and implementation, to a continuousprotectionplan tobe continuously adoptedon the components, e.g., through signatureupdateactivitiesexecutedtoupdatethedetectionsystemtothelatestdiscoveredthreats.Also, the document reports detailed information about unique protection componentsimplementedbyANASTACIApartners,andadoptedforthedevelopmentoftheplatform.Finally,focusingontwospecificthreatsdiscoveredduringthestudy,weanalysethepanoramaofattacks,inordertoidentifyemergingthreatsinthecyber-securitycontext.

of39

1 INTRODUCTION1.1 AIMSOFTHEDOCUMENT

TheaimofthisdocumentistoanalyseindeeptheselectedsecurityusecasesconsideredfortheANASTACIA platform. For each use case, the document reports detailed information about theexploited threat, henceproposingdetection andmitigation approaches tobe implementedanddeployed on the ANASTACIA platform. The document also reports how such proposals aremanagedbyANASTACIA,byexploitingunique tools,methodologiesandknowledgeprovidedbyproject partners. Finally, the document reports innovative threats discovered while during thestudyandproposestheevaluationofsuchmenacesforfutureworkonthetopic.

1.2 APPLICABLEANDREFERENCEDOCUMENTSThisdocumentreferstothefollowingdocuments:

• ANASTACIADeliverableD1.2“User-centredRequirementsInitialAnalysis”• ANASTACIAMilestoneMS12a“Monitoringcomponentservicespecifiedandagreedbytheboard”• ANASTACIAMilestoneMS12c“Monitoringagentservicespecification”• ISO/IEC27002Informationtechnology-Securitytechniques

1.3 REVISIONHISTORYVersion Date Author Description0.1 02/10/2017 I.Vaccari InitialDraft0.2 09/01/2018 E.Cambiaso Enhancedusecasesdescription0.3 12/02/2018 E.Cambiaso Enhancedthequalityofthedocument0.4 23/02/2018 E.Punta ImprovedANASTACIAdetectiontoolsand

conclusionssection0.5 26/02/2018 E.Cambiaso Producedthefinalversionofthedocument

1.4 ACRONYMSANDDEFINITIONSAcronym MeaningBMS BuildingManagementSystemBYOD Bring-your-own-deviceC&C CommandandControlDBMS DatabasemanagementsystemDDoS DistributedDenialofServiceDoS DenialofServiceIDS IntrusionDetectionSystemIoT InternetofThingsIPS IntrusionProtectionSystem

of39

MEC MobileEdgeComputing/Multi-accessEdgeComputingMitM Man-in-the-MiddleSDA SlowDoSAttackSDN Software-definednetworkingSQL StructuredQueryLanguageSQLi SQLinjection

of39

2 OVERVIEWOFATTACKCATEGORIESThe aim of this section of the document is to define and identify relevant threats against anetwork infrastructure, by focusing on the core components of the ANASTACIA scenarios, andconsidering in particular Internet of Things (IoT) and Software-Defined Networking (SDN)environments. Different types of threats will be presented, with the aim of enhancing thedevelopment of the project, by identifying relevant security threats and to define the rightprotectionapproachtodeployonthesystem.Although communication networks have brought great technological innovation, they alwaysattractedmalicioususers.Therefore,networksecurityassumesacrucialroleforeveryICTbasedsystem.Inthiscontext,Figure1reportsabasicclassificationofwell-knownnetworkattacks.

Figure1:Categorisationofnetworkattacks

The classification is based on two main categories of threats: active and passive attacks.Concerningactiveattacks,amaliciousclientactivelyinjectsoraltersanetworkmessageinordertoexploitsomesortofvulnerabilityaffectingthetargetedhostornetwork.Thistypeofattacksisconsideredverycomplexanditspreventionisnoteasytobeaccomplished.Instead,relativelytopassiveattacks,theaimoftheattackeristoobtaintheinformationwithoutactivelycommunicateonthenetwork.

of39

In general, each of these attacks aims to introduce delays on the network or to steal sensitiveinformation from the targeted systems. In order to detect andmitigate these threats, specificapproaches can be implemented to avoid/reduce the possibility of the exploitation. A goodstartingpoint istoanalyse internationalstandardsoncybersecurity,suchasthe ISO/IEC27002.For instance, analysing requirements reported in chapter9.1.2 “Control access tonetworksandnetworkservices”,thestandardsuggeststoanalyseifVPNorwirelessnetworkpoliciesaredefinedor if network usage ismonitored. By following the standard, it is possible to identify sensitiveactionstotakeonsensitivenetworksornodes.TheadoptionofstandardsliketheISO/IEC27002helpsnetworkandsystemadministratorstokeeptheinfrastructuresafeandsecurefrompossiblecyberandphysicalattacksonthesystem.

2.1 ACTIVEATTACKSActive attacks allow an attacker to interact on the network, for example by sending packets tonetworkdevicesorbyaccessingtheirservices[Uma,2013].Themainobjectiveofsuchthreatsisto damage the network or the entire infrastructure depending on the extent of the attack.Concerning active network attacks, three different activities are involved: fabrication/craft ofnovelpackets,modification/alterationofexistingpackets,servicesinterruption.Inthesecondcase(packets alteration), the attacking host usually have to be placed between the two entitiesinvolvedinthetransmission.AccordingtoFigure1,wewillnowanalysethemostknownandmostharmfulactiveattacks.

2.1.1 PacketsCraftingInthiscase,newpacketsarecraftedinordertotargetthevictim.

• ReplayAttackAreplayattack is intended topostponeor replay the transmissionofapackage togetavictim'sdisserviceor toobtain information that itwouldnothaveaccess to.Anattackeracquires data that he previously had no access to and uses them for his (malicious)purposes.Forinstance,byrepeatingaconnectionpacketseizingsomesortofresourceonthe victim, it would be possible to seize all the available resources, hence creating adisservice.

• MasqueradingDuring amasquerading attack, the attacker assumes the identity of another user of thesystemtogainaccesstospecificinformation.Itisatechniqueusedbyamalicioususertopretend to be an authorized person to gain access to confidential information (e.g., byexecutingsomesortofprivilegeescalation)inanillegalway.

• MalwareMalwarearemaliciousfilesorsoftwarerunningoninfectedhosts.Themalwarecategoryincludes several kinds of malicious programs such as computer viruses, worms, trojanhorses, spyware, and ransomware. These programs aim to attack users' devices fordifferentmaliciousreasons.Forexample,theycanstealusersensitivedata,encryptdatatorequestanunlockransom,ordirectlydeletethemtocausedamagetothevictim.

• Zero-dayvulnerabilitiesZero-day vulnerabilities (also known as "0-days") concerns the exploitation of unknownsoftware vulnerabilities never appeared in networks before. Because of this, theirknowledge is extremely limited, usually only to a restricted number of malicious users(evennotknowing/communicatingamongthem).Invirtueofthis,sincemostofthetimeseventhesoftwareproducerisnotawareofthevulnerability,appropriatepatchesarenot

of39

availableandtheaffectedsystemisvulnerable.Untilappropriatepatchesaredeployedonthe vulnerable systems, hosts afflicted with such vulnerabilities are exposed to cyber-attacksthatmayevencauseseriousdamagetothesystem.

2.1.2 PacketsAlterationInthiscase,theattacker(physicallyorlogically)placesthemalicioushostbetweenthetwonodesofthecommunication.

• Man-in-the-Middle(MitM)A man-in-the-middle attack is implemented to access private data exchanged in acommunicationsessionortomodifypacketsthusviolatingsessionintegrity.Thisattackisexecuted in real-time, which means that the attack occurs during the communicationsession between two network devices. Data can be read, edited and stored when theattackerisabletoaccessthesession.Theattackerwillknowthecontentsofthemessagebefore the intendedrecipient receives itorchanges themessagealong thepath [Welch,2003]. The attacker could adopt different well-known techniques (e.g. by exploiting theHTTP protocol [Callegati, 2009], or by perpetrating ARP poisoning attacks [Nam, 2010]),couldputhimselfinthemiddleofthecommunicationbetweentwohostspretendingtobetherespectiverecipientsofthesession.

2.1.3 ServiceCompromisingInthiscase,theaimoftheattackeristocompromiseavailabilityorintegrityofthetarget.

• DenialofService(DoS)In a denial of service attack, an attacker exploits the network connection to make theservices offered by the victim unavailable, by simply flooding the victim with severalpackets (e.g., flooding [Huici, 2009], amplification and reflectionDoS [Wei, 2013]), or byexploiting some sort of vulnerability (e.g., low-rate [Kuzmanovic, 2003] or exploit basedDoS[Muscat,2016]).Denialofserviceattackscausesignificantdamageeachyear,makingitessentialtoimplementanddevelopinnovativetechniquesfordetectionandprotectionagainst this attack. In order to develop innovative protection techniques, a thoroughknowledgeofthedynamicsoftheattackisrequired.Beingawell-knownattackwithvastpotentials,itisconsideredoneofthemostdangerouscyber-attacks[Hussain,2013].

• DistributedDenialofService(DDoS)ADistributedDenialofService(DDoS)threatisasimultaneousattackexecutedbydifferentcoordinatednodesagainstcommonlytargetedservicesofferedbythevictims.Theservicesunderattackcanbeclassifiedinprimaryvictims,wherethetargetedserviceistheonethatthe attacker wishes to make inaccessible, and third victims, where third-party hosts orservices are exploited to execute the attack against the primary victims (real targets).Instead,theuseofsecondaryvictimsduringaDDoSattackprovidestheattackertheabilityto exploit (usually infected) zombies/bots to amplify the attack power by remaininganonymous[Specht,2004].

• SQLInjection(SQLi)StructuredQueryLanguage(SQL)injectionisacomputerattackthatinvolvestheinjectionof malicious SQL code to target a web application directly connected to a databasemanagement system (DBMS) and to access/steal or inject illegitimate data. During thisattack,theattackerusuallycraftsaportionoftheSQLstatementbypassingittotheserverintoanHTTP request, inorder to alter the initial query andgain access to thedatabase[Sadeghian.2013].

of39

2.2 PASSIVEATTACKSThistypeofattackdoesnotinvolvetheattacker'sinteractionwiththenetworkdevices.Oftenintheseattacks,hackersonlycareaboutstayinghiddenandreadingandsavingtheinformationofinterest exchanged by the various devices on the network. Their goal is to steal informationwithoutinteractingandremaininghidden.

2.2.1 DataInterceptionPassiveattacksfocusoninterceptingsystemornetworkcommunications.

• TrafficanalysisTrafficanalysisisaprocessofinterceptingandanalysingpacketsexchangedinanetworkinordertoinfertheexchangedcontent.Thiskindofthreatcanalsobeexecutedifanalysedpackets are encrypted and decryption is not possible [Aiello, 2013]. In general (but notalways), more packets are exchanged on the network, more information can beextrapolatedfromthecapturedtraffic.

• Sniffing/EavesdroppingIngeneral, ifnetworkcommunicationsoccur inplaintext,henceexchangeddataarenotencrypted, it is possible for a malicious user to intercept exchanged information andprocessthem.Inthiscase, itmayberequiredtotheattackertoplacethemalicioushostbetween the two nodes of the communication (seeMiTM attack description in Section2.1.2).Forinstance,thisispossibleforanetworkadministrator,byusingmirroringportsofnetwork switches, or for an insider threat, by placing a tap on the network. Theinterceptionactionisgenerallyreferredassniffingorspoofing.Theabilityofanattackertomonitorthenetwork isgenerallyoneofthemainproblemsthatusershavetodealwith,especially if unknown networks (e.g. public access points) are adopted, since, withoutenabling strong and effective encryption algorithms, data can be read and stored bymalicioususers.

• KeyloggerKeyloggers runs in the background on the infected system, recording key press andexecuted commands. Keyloggers can be software based or physical devices attachedbetween the keyboard and the motherboard of the target. Concerning software basedkeyloggers, once data are stored, they are hidden in particular memory areas for laterretrieval,ordirectlysentinbackgroundtotheattackerontheInternet.Oncethemaliciouspayloadisretrieved,theattackermayfindpasswordsorothersensitivedatathatcouldbeusedtocompromisethesystem,forpersonification,orforsocialengineeringattacks.

of39

3 ANALYSEDATTACKSCENARIOSThe main contribution described in this deliverable document concerns different selectedscenarios and attacks, considered at the current stage of the development of the ANASTACIAplatform.Inordertoimplementanefficientprotectionsystemtodetectandmitigateanattacktothenetwork, it is importanttoanalysetheconsideredthreat, its functioning,andhowtodetectandmitigateittoprotectthesystem.According to Table 1, four use cases were extrapolated from the ANASTACIA D1.2 deliverabledocument,describingawiderangeofpossibleattackscenarios.Particularly,thethreeusecasesconcerntheBuildingManagementSystems(BMS)context,whileoneisrelatedtotheMobileEdgeComputing/Multi-access Edge Computing (MEC) context. By deeply analysing the selected usecases, related attacks, their functioning and their aim were deeply investigated to defineappropriateprotectionmethodstobeadoptedanddeployed.

D1.2USECASES(Attacks) HowtoDetect?WP4-WP5 HowtoMitigate?WP2-WP3

UseCase_MEC.3DoSorDDoSattackswithPing-ICMP

throughSmartCamerasorIoTdevices.

SNORTasMonitoringAgent.MMTToolforMontimage.

TwodetectionmechanismsprovidemorereliabilityforXL-SIEMofATOS.

VirtualFirewallforNFV.

IPTableswithNetconf.

UseCase_BMS.3Remoteattacktobuildingmanagement

system(i.e.SQLinjectiontowardsSCADA)

MMTToolforMontimage. SDN-ONOSisolatesIPv6addresses

UseCase_BMS.4Ahackermanipulateacritical

temperaturesensortotriggerthefireandevacuationalarms

DataanalysisforUTRC.

IoTControllerrequeststostopIoTdevice.

SDNisolatesIPv6addresses.VirtualHoneynet.

UseCase_BMS.2Insiderattacktoafiresuppression

system

IoTinfrastructuredetectattackswithinvalidcredentialforactionsthat

requireauthenticationorauthorization

AAAArchitectureforNFVDTLSchannelprotection

SDNisolatesIPv6addresses.

Table1:SelectedUseCasesforfirstinteraction

According to the description reported in ANASTACIA D1.2 deliverable, the selected attackscenarioscoverawiderangeofpossiblethreats,asreportedinTable2,wherefor“wellknown”wemeanthattheconsideredattackisdeeplyinvestigatedinliteratureandappropriateprotectionsystemsmaybeapplied.

USECASE WELLKNOWN 0-DAY TARGET ATTACKTYPEUseCase_MEC.3 • IoTdevice DenialofService

UseCase_BMS.3 • Database SQLInjection

UseCase_BMS.4 • Temperaturesensordata 0-day

UseCase_BMS.2 • Firealarmpanel Malware

Table2:SelectedUseCasesforfirstinteraction

Thenextsectionsof thischapter focusontheseusecases,describingthem indetail inorder todefine innovative protection systems to be adopted. Before describing them, it is important to

of39

defineanappropriateseverityranktobeadoptedtoscoreaspecificthreat.Particularly,ourrankderives from the distinction between critical and non-critical attacks, in conjunction with thetargetedentity,thatmayingeneralbea(non-)sensitivehostornetwork(infunctionofitsimpactonthenetworkoftheimpairmentofthehost/network),theentirenetwork,orhumanbeings.Byfollowing this approach, Table 3 reports the proposed severity rank, considering that 1 is thelower,10isthehigher.

ATTACKSEVERITYNON-SENSITIVE SENSITIVE

ENTIRENETWORK

HUMANBEINGSHOSTS SUBNET

SHOSTS SUBNET

S

NON-CRITICAL 1 2 3 4 - -

CRITICAL 5 6 7 8 9 10Table3:Proposedseverityrank(10ishigher)

Foreachoftheconsidered levels,Table4reports insteadasampleattack, inordertoprovidearealexampleofthreatassignedtoeachofthespecifiedranks.Rank Attackscategory Attacktargetsample

1 Non-criticalfornon-sensitivehosts Adwareinstallationonadeviceconnectedtothepublicwirelessnetwork

2 Non-criticalfornon-sensitivesubnets Adwarespreadonthepublicwirelessnetwork

3 Non-criticalforsensitivehosts Loweringperformanceonpublicservers

4 Non-criticalforsensitivesubnets Loweringperformanceontheservernetwork

5 Criticalfornon-sensitivehosts Compromissionofahostconnectedtothepublicwirelessnetwork

6 Criticalfornon-sensitivesubnets Compromissionofapublicwirelessnetwork

7 Criticalforsensitivehosts Compromissionofaproductionserverhost

8 Criticalforsensitivesubnets Compromissionofthesubnetworkincludingproductionservers

9 Criticalfortheentirenetwork Powerinterruptionfortheentireorganizationfacilities

10 Criticalforhumanbeings CompromissionoffiresuppressionsystemscapabilitiesTable4:Exampleofattacksforeachoftheproposedrank

of39

3.1 USECASEMEC.3This scenario is focused on the execution of Denial of Service (DoS) and Distributed Denial ofService(DDoS)attacksthroughsmartcamerasandIoTdevicesbelongingtothetargetednetwork.Theaimof theattacker is in this case to createdisserviceon thenetworkandmake the smartcameraserviceunavailabletoitsintendedusers.

3.1.1 AttackdescriptionIn the cyber-securitypanorama,Denial of service (DoS) attacks are considereda serious threat,since their aim is to compromise connectivity capabilities of an entire network or internalnodes/hosts.DoSattackscanbeexecutedatevery layerof the ISO/OSIstack, fromthephysicallayer (e.g., by physically accessing a network server and removing the power cord) to theapplication one (e.g., by communicating with the listening application in order to make themcrash).ADoSattackcanbeexecutedautonomouslybyasingleattackinghost. Inthiscase, ifastatefulprotocolisadopted,theattackmayeasilybeidentifiedandmitigatedfromthetargetednodeornetwork, since the source IP address usually does not change during the attack, hence, itscommunications/incoming packets can be blocked, thus making the threat ineffective.Nevertheless, in order to bypass such limit, an attacker may execute a simultaneous andcoordinated attack from several different nodes/hosts, willing or not to participate to themaliciousactivity,thusexecutingadistributedDoSattack.Thisapproachcanbeadoptedalsotoincreasetheoverallattackbandwidth,especiallyforvolumetricattacks1.Usually, it isquiteeasy to implementand runadenialof serviceattack,due to thevastnessoftools available on the Internet. In general, it should be highlighted that, analogously to manycomputerandnetworkattacks,DoSthreatsshouldnotonlybeconsideredformaliciousactivities,but for benign ones too. For instance, a legitimate network administrator may legitimatelyaccomplish a DoS attack against non-production services in order to evaluate the ability torespondunderstressconditions.Theresultsmay inthiscasebeextremely importanttoanalysethecapabilitiesoftheservertoeffectivelymanageflashcrowdevents.Forourscenario,aDoSisaccomplishedbyamalicioususerwithmaliciousgoals.Althoughadenialofserviceattackcouldmake itpossibletodismantleanentirebuildingororganizationnetwork,theusecaseisfocusedonanattackagainstasmartcamerasystem.Althoughtheseverityrankoftheattackislowerthanincaseofatargettotheentirenetwork,itshouldbeconsideredthatinthiscasetheattackmaybethefirststepofamoreaccurateplan(e.g.involvingphysicalaccesstothebuilding).Figure 2 depicts the analysed scenario. It is possible to notice that the attacker accesses theANASTACIAnetworktotargetthesmartIPcamera,whichisdirectlyconnectedtothenetwork.

1 In the following, although we will refer generically to the “denial of service” term, a distributed attack will be considered.

of39

Figure2:RepresentationoftheMEC.3scenario

Inthisscenario,anattacker,externalatthenetwork,controlsasetofinternalnodes/zombiesandinstructsthemtoexecuteapingfloodDoSattackonthenetwork.InthiscasetheattackinghostsarecompromisedIoTdevicesandsmartcameras,thatfloodthetargetedhost/victimwithalargeamount of ping requests packets. The victim is therefore induced to consume its resources, inordertoreplytoeachreceivedrequest.Duringasuccessfulattack,itisexpectedthataftersomeminutes,all targetedhostsareunable tocommunicatewithothernetworknodes.Therefore, incase a protection plan is not deployed, as for other DoS attacks, the attacked hosts becomeuseless.Inlegitimatesituations,pingmessagesarebasedontheICMPprotocolandtheyareusedtocheckreachabilityofaremotehost. Ina legitimatesituation,apingpacket,usuallysized lessthan 100 bytes, is sent every second to the host.Moreover, the attack is characterized by theabilitytospoofpacketsourceIPaddress(sinceitmakesuseofastatelessprotocol).Therefore,itistrivial for theattackertoexecutean(apparent)DDoSattack,since inthiscasethevictimwouldreceivepacketsfrommanydifferentsources,althoughasinglehostisperpetratingtheattack.Figure3reportsasampleexecutionoftheattack.TheattackerstartsthethreatbysendingICMPecho/ping request to the targeted IP camera in order to make it unavailable on the network,temporarilyorindefinitely.

ANASTACIANETWORK

C&C PING FLOOD

VICTIM

of39

Figure3:RepresentationofapingDoSattack

3.1.2 ProtectionapproachBy analysing how the ping floodDoS attackworks, being source IP spoofing easy to do for theattacker, a protection system may not bind on the source of the attack. For simplicity, let’ssupposetheattackerchangesthesourceIPaddressoftheattackeveryminute. Inthiscase,theprotection systemwould successfullyblock the first sourceof attack,but at the first IP addresschange from the attacker (after 60 seconds from thebeginof the attack), a newattackwill beidentifiedbythevictim,involvingadifferentsourceaddressandleadingtoanotherpotentialDoS.Hence, the protection system may not be effective in this case. Let’s imagine if the attackerchangesthesourceIPaddressoftheattackeverypacket(e.g.bycontinuouslychangingtheattacksource/smartcamera/IoThostinordertopreventdetection).Inthiscase,theprotectionsystemwould be totally ineffective and useless. Therefore, in this case, it is important to bind on thedestinationaddress(theinternaltargetedhost),insteadofthesourceaddressofthepackets.Ingeneral,twopossibleprotectionapproachescanbeadopted:fromoneside,itmaybepossibletoblockallpingpackets,henceblockingtheattackatthesource.Nevertheless,althoughproperevaluation of such solution will be dedicated in the development of the project, since somelegitimate ping requests may be needed for other network nodes, this approach may not beadopted (or adopted partially, by allowing ping packets receiving only from specific hosts,althoughtheymaybeunder thecontrolof theenemy).Theotherprotectionapproach involvespackets limiting. In this case, considered in the following (since the first approach is trivial todeploy), a filter isapplied to limit the incoming flowofpingpackets involvinga specifichostornetwork.

3.1.3 DetectionplanIn order to protect the ANASTACIA infrastructure by a ping flood DoS attack, the proposedprotectionsystemshouldbebindedonthedestinationaddressofthetargetedsystem,tocounterIP spoofing and DDoS attacks, although it is important to highlight that in case of continuousattacks this solutionmay lead to inject large traffic volumeson thenetwork (hence, a networkblockofthe(internal)attackinghostsmaybeappliedaswell).Also,aspreviouslydescribed,the

of39

proposed solution limits thenumberofpackets involvinga singlehostallowedon thenetwork.Particularly,theproposedsolutionallowsamaximumof10packetsevery5seconds.Byexceedingsuchlimit,analertistriggered.Inthisway,thereisamaximumbandwidthconsumptionallowed(without triggering any alert) of about 200bytesper second (that is almost equal to 1.6Mbps).Such trade-off allows in average two different legitimate clients to simultaneously send pingpackets to thedestinationhost, plus it detectsDoSorDDoSon the victim, since themaximumallowedbandwidth is extremely low, compared to thebandwidthneeded to successfully leadaDoS.Forinstance,iftheSnortintrusiondetectionandpreventionsystem[Roesch,1999]isdeployedonthe network, it is possible to deploy a Snort rule on network taps integrated in ANASTACIA, inordertodetectapingDoSattackattempt,byusingarulesimilartothefollowingone:

alerticmpanyany->anyany(itype:8;detection_filter:trackby_dst,count10,seconds5;priority:7;msg:”PingDoSattempt”;sid:100121)

The proposed rule, generically valid for the entire network, should be in practice binded to aspecifichost/network,inordertoassignaproperranking/priorityvalue.

3.1.4 MitigationplanAfter theattack isdetected, theANASTACIAplatformhas to react to the threat,bydeployingamitigation plan. Particularly, in this case amitigation plan is followed in order to interrupt theattack, thus making the smart IP camera able to properly communicate on the network,independently from the fact the detection alert was triggered when the camera was able tocommunicate (hence,before theDoS is reached)ornot (hence,under theDoS). Themitigationplancanbedeployedindifferentways.Forinstance,ifSnortisadopted,itispossibletoaltertheSnort rule reported in Section3.1.3 touse thedropdirective (insteadof alert), todirectlydroppotentiallymalicious packetsmatching the filter. Nevertheless, since such solution requires thenetwork tap including Snort to intercept and validate each packet passing through the node(instead,ifthealertbasedtriggerisadopted,thetapmayaccessmirroredtraffic),itmayleadtoefficiencyandperformanceissues.Another solution that may be adopted involves the iptables firewall available on Linux basedoperating systems. In this case, it is possible to execute the following commands to block theattack.

iptables-AINPUT-picmp-mlimit--limit2/second--limit-burst2-jACCEPTiptables-AINPUT-picmp-jDROP

Itshouldbenotedthatthesesolutionsarejustrepresentativesolutions.Forinstance,inpractice,the reaction/mitigation component of ANASTACIA may receive the alert from themonitoring/detection component, interpret it to identify the targeted node, hence deploy aspecificruleabletolimitonlythetrafficdirectedtothetargetedhost.Later,inordertoreducethenumberof rules installedon the system, the samecomponentmay restore the situation to theoriginalstate(hence,deletingthegeneratedrule).

of39

3.2 USECASEBMS.3This scenario is relative to a situation where a malicious user targets an energy micro-grid byexploitingthenetworknodesinordertoviolateaSCADAdatabase,byexecutingaSQLinjectionattack.

3.2.1 AttackdescriptionSQLinjectionattacksrepresentsawell-knownseriousthreatforwebapplications[Halfond,2006].Byexecutingsuchthreats,anattackerispotentiallyabletoretrieveoralterdatabaseinformation.Indeed, web applications vulnerable to SQL injection attacks may allow an attacker to gaincomplete access to the adopted databases. Usually, databases are directly accessed by webservers in order to access structured data from the (web) user interface. SQL injection attacksexploitvulnerabilitiesaffectingwebpages,oftenderivingfrombadcodequality.AsimpleexampleofSQLinjectionisreportedinFigure4,wheretheattackerexploitsavulnerabilityaffectingHTTPrequestsinordertoretrievealltheusersdatastoredinthedatabase.

Figure4:SampleSQLInjectionattack

IntheanalysedBMS.3scenarioofANASTACIA,accordingtoFigure5,anexternalattackerexploitsawebpagevulnerabilitytoinjectSQLmaliciouscodeinordertoaccessormanipulatetheSCADAdatabase. Such exploitation is based on the generation of the query by using unfiltered inputsprovidedby theuser.Thetargeteddevice isadatabasemanagementsystemandtheattacker’saimmaybethreefold:

• Toalter/tamperthedatabasecontent:inthiscase,themaliciouspayloadincludes,e.g.,aconcatenation of queries, in the following form (underlined text identifies the inputpayloadprovidedbytheattacker):SELECT*FROMusersWHEREname='foo';DROPTABLEusers;SELECT*FROMusersWHERE'1'='1';

• Tobypassaccessrestrictions(inordertoaccomplishprivilegeescalation):inthiscase,themalicious payload includes, e.g., a concatenation of a logical condition always truebypassing required checks (underlined text identifies the input payload provided by theattacker):SELECT*FROMusersWHEREpassword=''OR'1'='1';

• To access/steal sensitive data: in this case, the malicious payload includes, e.g., aconcatenationofalogicalconditionalwaystrueenlargingthenumberofresultingrecords(underlinedtextidentifiestheinputpayloadprovidedbytheattacker):SELECT*FROMcustomersWHEREid=''OR'1'='1';

of39

Figure5:RepresentationoftheBMS.3scenario

3.2.2 ProtectionapproachConcerning SQL injection attacks, it is worth mentioning that nowadays it is possible to easilymitigate the threat, for instance by applying input sanitization [Mui, 2010]. Nevertheless, sincesuchimplementationdependsoncomputerprogrammersandnetworkadministratorsactivities,itis importanttoconsiderpotentialbadcodeormisconfigurationsthatmayexposethesystemtoSQL injection attacks. In order to protect the system from SQL injection attacks, differentprotection approaches could be implemented: a summary of the proposed protection plan isreportedinTable5.Proposedactivity Goal

Accesscontrol• Reducethepossibilityofattacks

• Lognetworkanddatabaseaccesses

Logsinspection• Identifytheintrusion

• Identifythesourceoftheattack(e.g.the“formeremployee”)

• Identifytheattackvector

Generalprotection• Preventdatatheftandtampering

• Preventhostscompromising

• Preventapplicationcompromising

Restorecapabilities• Blockandavoidfuturecompromising

• MaketheattackineffectiveTable5:ProposedprotectionactivitiesfortheBMS.3scenario

3.2.3 DetectionplanInordertodetectaSQLinjectionattackonthenetwork,basedontheattacker’saimsdescribedinSection3.2.1,logsfromthreeprincipalcomponentsshouldbemonitored:database,network,andapplicationserver.FurtherdetailsarereportedinTable6.

ANASTACIANETWORK

PLANTNETWORK

ATTACK …

of39

Attacker’saim Processedlogs DetectionaimAltertheDBcontent Database Toidentifyunexpected(non-)queries

Bypassaccessrestrictions

Database ToidentifyunexpectedqueriesNetwork Toidentifyunwantednetworkaccesses

Applicationserver Toidentifyunwantedaccessestotheapplication

Access/stealsensitivedata

Database ToidentifygenericandunexpectedqueriesNetwork Todetectanomalous/large1-to-1traffic

Table6:ProposeddetectionplanfortheBMS.3scenario

The main idea is to monitor logs from the three components, in order to analyse performedqueries and network and application accesses. In this way, if an attacker tries to exploit thenetwork infrastructure throughaSQL injectionattack, themaliciousactivity canbedetectedbytheANASTACIAplatform.

3.2.4 MitigationplanInorder toefficientlymitigateSQL injectionattacks, threeseparatedapproachesaresuggested.Thefirstoneinvolvesadesigntimemitigationplan,nativelyimplementedinthesystembeforeitgoes intoproduction. The secondone involves run-timemitigation, executedafter theattack isdetectedby thedetection componentofANASTACIAandable tomitigate the identified attack.Thelastapproachinvolvesinsteadcontinuousmitigation,inordertokeepthesystemupdatedinviewofnovelthreats.MoredetailsoftheseapproachesarereportedinTable7.Mitigationapproach Activities

Designtimemitigation

• AccessControlLists/Permissions(bothnetworkanddatabase)

• Applicationvulnerabilitieschecks

• Databasebackup/restoreprocedures(e.g.fromlogs)

Run-timemitigation

• Databaselevel:o Block/validatetheclient’scredentialso Executionofdatabaserestoreprocedures

• Networklevel:o Block/validatethenetworkcliento BlockofsourceIPaddresses

• Applicationserverlevel:o Block/validatetheapplicationcliento BlockofsourceIPaddresses(alreadyappliedatthenetworklevel)

Continuousmitigation • Continuousmaintenanceneeded,tocounternovelthreatsTable7:ProposedreactionplanfortheBMS.3scenario

The proposed mitigation plan implements these three different approaches at three differentlevels,inordertoprotecttheinfrastructureandthenetworkdevicesfromSQLinjectionattacks.

of39

3.3 USECASEBMS.4In this scenario, a malicious user exploits the system in order to manipulate some criticaltemperature sensors, to trigger fire and evacuation alarms. The attacker exploits in this case azero-dayvulnerabilitytobypasssignature-basedintrusiondetectionsystems.

3.3.1 AttackdescriptionA zero-day vulnerability (0-day) is exploited by an attacker that makes use of unknownvulnerabilities on the system to target it [Bilge, 2012; Endorf, 2004]. Indeed, unlikewell-knownvulnerabilities,“known”bythesystemandoftenmitigated,azero-dayattack isunknowntothetargeted system, usually attacked in such way for the first time. Since the vulnerability isdiscovered for the first time during the execution (if it is detected), there may not be knownsolutionsorpatchesabletoefficientlyprotectthesystem.A well-known example of zero-day vulnerability is WannaCry [Mohurle, 2017], a ransomware[O’Gordman, 2012] similar to CryptoLocker [Liao, 2016], whosemain objective is to block useraccess to thehost,encrypt sensitivedataon thediskandaska ransomto theuser, inorder toallowdatarecovery/decryption.ConsideringtheANASTACIAselectedscenario,ahacker,externaltothenetwork,exploitsazero-dayvulnerabilitytoremotelytargetasensitivedevice,inordertoaccesstheentirenetworkandattacktheinfrastructure.AccordingtotheANASTACIAdeliverableD1.2document,theaimoftheattacker is totamperorcraftnovel temperaturepackets, inordertotrigger fireandevacuationalarmsordeactivatebuildingelevators.AsimpleschemaofthescenarioisreportedinFigure6.


3.3.2 ProtectionplanConcerning zero-day vulnerabilities, due to their novelty, there is not a common and generalprotectionandmitigationplanthatcanbeadoptedinordertodefendasystem.Nevertheless,itiswell known that zero-day threats can be identified through anomaly based intrusion detectionsystems [Alazab, 2011; Endorf, 2004; Song, 2013]. Concerning mitigation, it is important toconsiderthatcommonguidelinescanbedeployedonthenetwork, inordertopreventzero-dayattacks,or,atleast,tolimittheireffects.Fortheanalysedscenario,threeprotectionapproachesareproposed:

• Toisolatesourceaddressesfromthenetwork:althougheachattackercommunicationisinterrupted, such approachmay not be efficient in case of distributed attack, since the

ANASTACIANETWORK

TRIGGER

of39

attacking source is not a single IP address on the network, but composed by multiplecooperatingaddresses.Inthiscase,althoughanisolationofthedestinationaddresswouldmaketheattackineffective,itwouldleadonadenialofserviceattack,hence,itshouldbeavoided.Moreover,itisimportanttoconsiderthatthesourceaddressisolationmayaffectan(infected)hostthatissupposedtocontinuouslycommunicatewiththetargetedsensor.Inthiscase,theisolationmaygeneratenewproblemsonthenetwork.

• To deploy a virtual honeynet: in this case, targeted sensors are not real sensors, but,instead, simulated devices built to fool the attacker and protect real sensor hosts. Byexploitingahoneynet, it ispossibletoaccomplishdetailedanalysisoftheexploitedzero-day vulnerabilities. The virtual honeynet may be instantiated only after an attack isdetected,inordertolimitresourcesusage.

• To apply sensor data and communication access control: in this case, it is possible toimplement access control for communications involving sensor data transmissions. Forinstance,client-sensorauthenticationmaybedeployed(eveninconjunctionwithsensor-clientauthentication).

• Tocontinuously scanvulnerability to counternovel threats: due to thenatureof0-dayattacks, it is required to continuously scan the network to assess the exposure to novelpotentialthreats.

3.3.3 DetectionplanInorder to identify thezero-day threat, it is important todeployan IntrusionDetectionSystem(IDS). IDS can be categorized into anomaly detection andmisuse detection (or signature baseddetection) systems [Cambiaso, 2016]:while anomaly detection systems flag as anomalous eachactivity that significantly deviates from normal usage profile, misuse detection systems profilewell-knownmenacesextrapolatingattacksignaturescharacterizinganintrusion.Beinginthiscasethepayloadcarriedoutbytheattackpotentiallyunknown,nosignaturecanbeadopted,duetothelackofknowledgeaboutthethreat.Anomaly based detection systemsmay adopt algorithms and properties belonging to differentresearchbranches,suchasstatistics[Debar,1999],machinelearning[Tsai,2009],neuralnetworks[Mukkamala,2002],orgametheory[Alpcan,2003].Forthecontextoftheselectedusecase,theaim is to identifyanomaloustemperaturevalues fromthesensor,e.g.,byreplicatingthesensorand comparing the different detected values, or by computingmean and variance of expectedvalues,hencecomparingvaluesobtainedatrun-time.Whilethefirstcasemay,e.g.,alsoidentifybrokensensorseasily,inthelattercase,asforotherpossiblecases,atrainingphaseisrequiredtotrain the algorithm to classify the boundaries of legitimate situations, in order to identify thethresholdsabletodiscriminatebetweenalegitimateandananomaloussituation.

3.3.4 MitigationplanTheproposedapproachissimilartotheplandescribedfortheusecaseBMS.3(seeSection3.2.4),composed by three separated approaches, design time mitigation, run-time mitigation, andcontinuousmitigation.MoredetailsoftheseapproachesarereportedinTable7.Mitigationapproach Activities

Designtimemitigation• Sensordataandcommunicationaccesscontrol

• Honeynetsimulatinganetworkofsensors

of39

Run-timemitigation

• Deployavirtualhoneyneto Anomalouspacketsareautomaticallyredirectedtothehoneynet

• Isolatetheattackeraddresseso Blockpacketssentfromtheattackero Connectthetargettoasecurenetworktoprotectit


Theproposedmitigationplanimplementsthesethreedifferentapproachesinordertoprotecttheinfrastructureandthenetworkdevicesfrom0-daythreats.At design time, involving the infrastructure implementation period, appropriate protectionsystems should be developed, in order to monitor sensitive network sensors and to deployhoneynetssimulatingasensornetwork.Hence,atrun-time,itispossibletoinstantiateahoneynetin case a zero-day attack is found, to redirect the threat to non-sensitive nodes (apparentlysensitivefortheattacker)andtobetteranalysetheexploitedthreat.Also,IPaddressisolationoftheattackinghostscanbeadopted toblockpackets received fromthemaliciousnodes.Finally,duetothecontinuousappearanceofnovelthreats,itisimportanttomaintainthesystemsecureoverthetime,throughcontinuousmitigationactivities.

of39

3.4 USECASEBMS.2In this scenario, an insider injects a malware on the network in order to target a fire alarmapplicationsystemwiththeaimtocontrolafiresuppressionsystem.

3.4.1 AttackdescriptionTheselectedusecaseisrelativetoaninsiderthreat,e.g.anunhappyemployeetargetinghisowncompany for some sort of revenge. This kind of threats is extremely dangerous, since insiderstypicallyhaveadvancedknowledgeonthetargetedsystemandaccesstorestrictedareas.Fortheselectedusecase,themalwareisspreadbyusingdifferentattackvectors,suchasUSBinfectionofabuildingoperationworkstationofthemaliciousemployee,orbyexploitingwirelessconnectivitytoaccessthenetworkandspreadthemalware.Figure7depictsthefirstcase:forouraim,suchscenarioallowsustodeploybettersecuritysystems(sincetheoperationworkstationiscontrolledby the entity, while wireless devicesmay be controlled by the insider, e.g., in a BYOD context[Miller,2012]).


For the depicted scenario, themalware is spread via network using a computer internal to theinfrastructureofthetargetedorganization.Themalwareexploitsanunpatchedapplicationofthefiresuppressionsystemtoaccesssensitivesensors.

3.4.2 ProtectionapproachTheprotectionplanproposed for thisusecase isbasedon theprotectionandanalysisat threedifferent layers:network,hostandapplication. Indeed, inordertoprotectasystembymalwarespreadsonthenetwork,itisimportanttoapplyamulti-layerprotection.

• Networklevelprotection:basedonnetworktrafficanalysistoidentifyanddropmaliciouspackets,plusaccesscontroltolimitnetworkaccesstointernalhosts(e.g.byapplyingMAC

ANASTACIANETWORK

ATTACK BUILDINGOPERATION

WORKSTATION

TARGETEDAPPLICATION

INSIDER

FIREALARMPANEL

of39

addressfilteringtoavoidmobiledevicestoconnecttothenetwork,or,at least,tomakethemjoinonlyaseparateisolatednetwork)

• Host levelprotection:basedon controllinghostsand limitprivilegesandactivitiesuserscanexecute:

o Installationandupdateofantivirusandanti-malwaresoftwareo Limituserprivilegesonthehost,toavoid,e.g.,installationofcustomandunsigned

softwareo Block of USB plugging capabilities, to avoid host infections from USB drives and

devices (this protection is not efficient in case of a custom hardware deviceadoptedbytheinsider,incaseofmalwaredownloadfromthenetwork,orwirelessattack)

• Application server protection:based on continuous vulnerabilities patching on both thesystemanditsnodesandexposedapplications

3.4.3 DetectionplanTheattackdetectionplanproposedfortheselectedscenario isbasedmainlyon logs inspection,accomplishedbytheANASTACIAmonitoringcomponent.Byadoptingthisapproach,itispossibletohaveacompletevisionofthecurrentstateofthesysteminordertoidentifytheattackintime,forpropermitigation.Logsofdifferentnatureshouldbeanalysed,accordingtoTable9.

Analyzedlog SampleofdetectedactivityNetworklogs Sendofmaliciouspackets,connecteddevices,etc.Hostslogs Installationofnewsoftware,USBplugging,etc.

Protectionsoftwarelogs VirusdetectedonthehostAccesslogs Accesstotheapplicationserver,usersauthenticatedonthenetwork,etc.

Applicationlogs AccesstothefirealarmpanelIoTdeviceslogs Statuschanges

Table9:ProposeddetectionplanfortheBMS.2scenario

Concerning access control activities, it is important to highlight that some sort of actionrules/boundariesmayalsobe implemented,toavoidunexpectedandunpredictedbehavioursofthe insider threat. For instance, if it is supposed that employees work during day light, accesscontrol rules could be deployed to block employee traffic on sensitive nodes during night. Ingeneral,basedonthescenario,date-timeconstraints,ormulti-permissionactions,itispossibletodesignandimplementsomesortof“advanced”accesscontrolrules.

3.4.4 MitigationplanTheproposedapproachissimilartotheplandescribedfortheusecaseBMS.3(seeSection3.2.4),composed by three separated approaches, design time mitigation, run-time mitigation, andcontinuousmitigation.MoredetailsoftheseapproachesarereportedinTable10.Mitigationapproach Activities

Designtimemitigation

• Hostlevel:o EvaluatethepossibilitytoblockUSBpluggingonsensitivehosts

• Applicationlevel:o Applicationservervulnerabilitieschecks

of39

• Networklevel:o Applicationservervulnerabilitiescheckso MACaddressfilteringo Externaldevicesblock/isolation

Run-timemitigation

• Networklevel:o Block/validationofuseraccountso ValidationofIoTdevicescredentialsonthenetworko BlockofsourceIPaddresses

• Applicationlevel:o Block/validationofapplicationuseraccountso BlockofsourceIPaddresses(alreadyappliedatthenetworklevel)

• Systemrestore:o Toblockmaliciousactionsintime(or,atleast,tolimitthedamages)


Particularly, at design time, it is important to evaluate the possibility to blockUSB plugging onsensitive hosts, although, as mentioned above, this solution does not protect the system ifdifferentattackvectorsareadoptedbytheinsider.Instead,atrun-time,itisimportanttoexecutesystem restore procedure to restore the state of the system to a secure situation prior to theattack,or,atleast,tolimitthedamagesoftheattack.

of39

4 ATTACKSDETECTIONINANASTACIAConcerning ANASTACIA and, in particular, the monitoring components, the identifiedmethodologies will be addressed through the adoption of an architecture composed by bothsensorsandprocessingunities.Theaimofthesensorsistolive-capturesensitiveinformationandforward them to theprocessingunities, inorder toevaluate if anattack is runningornot, alsoextrapolating detailed information about the identified threat. ANASTACIA monitoringcomponentsarebasedonthreeuniquetechnologiesprovidedbythepartnersof theproject. Inparticular,theMontimageMonitoringTool(MMT),theXLSIEM,andinnovativeUTRCagents.Eachofthesetoolswillbedescribedindetailinthefollowing.

4.1 MONTIMAGEMONITORINGTOOL(MMT)

4.1.1 GeneralDescriptionTheMontimageMonitoring Tool (MMT) has been designed as a modular approach to analysenetwork traffic and extract protocols metadata. The tool makes use of the Deep Packet/FlowInspection (DPI/DFI) techniques to extract the required metadata that will be used by othermodulesofthetoolwithanalysisandtestingpurposes.Inaddition,thistoolalsoallowscollectingstatisticsabouttheanalysedflowsthatfacilitatesmonitoringtheperformance,thesecurityofthenetwork,andoperationtroubleshooting.Ingeneral terms,MMTisacollectionofmodulesthatwork inacoordinatedmannertoanalysenetworks protocols and streams by checking two types of properties: “Security rules” and“Attacks”.Theformeronesdescribeanexpectedbehaviouroftheapplicationorprotocolundertest;bynon-respectinganMMT-Security rule,anabnormalworkingcanbedetected.The latterones describe an attack behaviour of any nature – an attack model, a vulnerability or amisbehaviour.Inthiscase,respectingaMMT-Securityruleindicatesanabnormalbehaviourthatmightindicatethepresenceofanattack.Theprincipalmodulesof thesolutionarepresentedbelow,andageneralviewof theworkflowbetweenthemispresentedinFigure8.

• MMTExtract:ThismoduleisthelibrarythatimplementstheDPI/DFItechniquestoanalysethepacketsandextractinformationrelatedtotheprotocolsincluding(butnotlimitedto)protocolfieldvalues,networkandapplicationsQoSparametersandKPIs.Thehandlersandprotocol-dependentextractorfunctionsmustbeimplementedasapluginofthisenginetoimplementtheprotocolsunderstudy,whichallowsatthesametimeaneasyextensionofthislibrary.

• MMT Probe: The Probe module is a standalone application that makes use of theExtraction Engine – via APIs of this module – to extract the data from the networkinterface. This tool can be configured to control the source of the packets to analyse(online or offline analysis) and the output of the extracted data (CSV files, Rediscommunicationchannels,orothers).

• MMT Security: Thismodule is the core component to specify andmonitor security andattack rules. The core functionality of this module allows correlating network andapplicationeventstodetectoperationandsecurityincidents.TherulesusedbyMMTareexpressed in XML files, which are then compiled to work with the MMT software. In

of39

addition,thesetoolsallowusingtheruleseitherinformofpluginsoftheProbemoduleorasstandalonepacketanalyserapplication.

• MMTOperator:Finally, theMMTOperatormodule isaweb-basedplatformthatactivelytracks the information reported by the probe on an event bus. This information is laterdisplayedtothemonitoringagenttointhewebbrowser.Thissolutionhasbeenconceivedto constantly display the statistics of the data computed by, principally, the Probe andSecuritymodules.

Figure8ModularoverviewoftheMontimageMonitoringTool

ThemodulesinteractactivelybetweenthemtoprovideacompletesecuritymonitoringsolutionasshowninFigure8.All theaforementionedmodulesare implementedusingamodularapproach. In this sense, it ispossible toextend them inorder tooffer support fornewprotocols (extracting the informationcontained in the flows concerned by the newly-implemented protocol) and novel attackdetections by means of defining new attack definitions and security rules that will be activelymonitoredontheanalysedtraffic.

4.1.2 CapabilitiesTheDPI/DFItechniqueusedbyMMTProbeallowsaccessingtherawpacketsthataretraversingthenetwork.Inthissense,theProbeiscapableofidentifyingdifferentcommunicationprotocolsatdifferentlayersoftheIPstack,extractinginformationfromeachoneofthem.Thefollowinglistisnotexhaustive,anditgivesanexampleoftherecognizedprotocols,butMMTProbeiscapableofrecognizingalonglistofprotocols:

• Layer2-relatedprotocols:Ethernet(macaddresses,payloadsize)• Layer3-relatedprotocols: IPv4,IPv6(IPaddresses,Fragments,flagsofthepacket,among

others)• Layer 4-related protocols: TCP (port numbers, sequence/acknowledgement numbers,

controlbits,windowsize),UDP(portnumbers,packetlength)• Upperlayersprotocols:RTP(sequencenumbers,timestamps,synchronizationinformation,

etc.),HTTP,andmanymore.

Asmentionedbefore, the list of recognized protocols is not extensive, and only provides someexamples of the protocols from whom the MMT Probe is capable of extract information. Inaddition,sincetheExtractionEngineispartoftheMMTSDK,itispossibletoextendthesupportto

of39

newprotocolsbycorrectlydefiningthestructureofthenewprotocolandhowtocorrectlyextractthedata.ThedocumentationofMMTSDKgivestheguidelineshowtoimplementnewprotocols,whicharecompiledandloadedaspluginsoftheMMTProbesoftware.Oncetheagentwasabletoextractthedata,theprobeisalsocapableofaggregatingandfilteringtheextracteddata, generating reports regarding at different levels of thenetwork stack.A fewexamplesofthesereportsarethefollowing:

• System info reports: These reports contain information about the resource usageof themachinerunningMMTProbe,suchastheusagememoryandtheCPUload.

• Generalstatisticalreports:containinginformationabouttheamountofdata.• ProtocolsandApplicationsstatisticsreport(withnosession):Ifthesereportsareactivated,

MMT Probe will periodically report the amount of detected protocols and theircorrespondingtrafficstatistics.

• Flowreport(Protocolwithsession):Ageneral-purposereportthatisusedwitheachflowdetected in the network. It contains information about the IP andMAC addresses, portnumbers, number of packets involved, the volumesof data involved in the flow, amongother statistics.Dependingon theprotocols detected in theupper layer, this report canhaveextensions:

o HTTP report: It contains information extracted from the HTTP headers of thedetected flow, such as the User agent, the server response time, accessed URL,numberofrequestsassociatedwiththisflow,etc.

o SSLreport:Ifanapplicationusesanencryptionprotocol,theamountofinformationthat can be extracted is limited, however, MMT is capable of detecting theApplication Family (Web, P2P, etc.), the content type (text, video, etc.), amongotherfields

o RTPReport:WhenamultimediaapplicationusesRTPtostreamthecontent,MMTiscapableofcomputingthepacketlossrate,thepacketburstinessandjitter.

o FTPReport:ForFTPprotocol,MMTcangiveinformationabouttheusernameusedinthesession,theirpassword,thefilename,etc.

Formore informationabout the specificationof securitypropertiesplease refer2 toANASTACIAMS12a. Inaddition,more information regarding theusageandconfigurationof theMMT-Probecanbefound3inANASTACIAMS12c.

4.1.3 MMTGeneralWorkflowThegeneralworkflowoftheMMTsolutionisshowninFigure9.

Figure9MMTGeneralWorkflow

2 Please note that the mentioned milestone document is not public. 3 Please note that the mentioned milestone document is not public.

of39

TheMontimageMonitoringToohasbeenconceivedwithamodularapproach.Inthissense,theprincipalpartsofthesolutioninteractwitheachotherinordertoevaluatethesecuritypropertiesunderanalysisThe MMT-Probe binds itself to a capturing interface in order to have complete access to thepacketsprocessedonthenetworkcardunderstudy.OnceMMT-Probehaveaccesstothepackets,it extracts the information contained in them by using DPI techniques. This functionality isprovidedbyalibrarycalledMMT-DPI,whichis inchargeofparsingthestructureoftheinvolvedprotocols and extracting the information contained in them. The MMT-DPI is a plugin-based,extensiblelibrary,offeringthepossibilitytoenlargetheMMTdataextractioncapabilitiestonewprotocols.Tothisend,MMT-DPIprovidesanAPI(partoftheMMT-SDK)thatallowsdefiningnewprotocolsandtheirstructure.ThedefinitionisthencompiledinformofMMTpluginsthatcanbeeasilyintegratedintotheMMT-DPILibrary.Once the information has been extracted from the protocols, it is passed to theMMT-SecurityLibrary, themodule that will be in charge of correlating the extracted information in order todetect attacks and security issues. The MMT-Security Library has also been conceived in anextensibleway, providing an API (also part of theMMT-SDK) that allows the definition of newsecurityproperties.Thesepropertiesarecompiled intoplugins thatare loadedandexecutedbytheMMT-Securitymodule.Oncethesecurityproperties(rules)aretested,theygenerateverdictsaboutthetestedproperties.Theseverdicts(inadditionwithstatisticaldataabouttheconnectionsdetectedinthenetwork)aretransmittedtothevisualisationinterface,usingtheMMTReportingInterface.IntheparticularcaseofANASTACIA,thereportedinformationwillbefedtotheANASTACIAbuses:aKafkaBroker(inaJSON-basedformat)anddirectlytotheXLSIEMTool(inasyslogformat).ThisdesignallowsthedirectcorrelationoftheMMT-verdictsintheXL-SIEMtool,andalsousethisinformationandthestatisticofthenetworkbyotherdetectiontoolsthatwillbeintegratedintheplatform.

4.2 XL-SIEMThe Atos XL-SIEM solutions provide with cross-level cybersecurity event and informationmanagementcapabilities.Differenttypesofsecuritysystemscanbeintegrated,correlatingeventsacrossmultiplelayersandidentifyinganomaliesinreal-time.Tothisend,theAtosXL-SIEMcanbedeployed upon a distributed approach, thus reducing the overhead upon the operation of theinfrastructuretoprotectandincreasingtheresilienceofthesecurityinfrastructureitself.TheXL-SIEMisbuiltbasedonthreemainparts:

• XL-SIEM dashboard: provides with a graphical user interface to be used by systemadministrators for configuration, visualization of events, alarms, reports and decisionsupportassistance.

• XL-SIEMserver: provideswith correlation capabilitiesbasedon theevents compiledandon thresholds defined for the generation of alarms. It is the core of the Atos XL-SIEMsolution, providing with a vision of the current status of the security within aninfrastructure.

• XL-SIEM agent: provides with a decentralized way to compile and distribute eventsgeneratedbymanydifferenttypesofsensors,unifyingtheformatoftheeventsinordertobeinterpretedcorrectlybytheXL-SIEMagent.

of39

Figure10.XL-SIEMagents,serveranddashboarddeploymentlayout

XL-SIEMagentsprovidewithaflexibleapproachforthecompilationofsecurityrelatedevents.XL-SIEM agents are based on plugins which interpret the information received from sensors,normalize it and submit it to the XL-SIEM server. There are a wide variety of plugins alreadydeveloped formanywell-known security solutions and sensors, including (to name just a few):Snort/Suricata (network based intrusion detection), Arpwatch (ARP activity monitor), Ntop(network usage monitor), Kismet (wireless intrusion detection system), OSSEC (host basedintrusion detection system), Fprobe (network traffic), pads (Passive Asset Detection System),tcptrack (Monitor TCP connections on the network) or openVAS-Client (the client part of theOpenVASSecurityScanner),nagios3 (Network/systemsstatusmonitoringdaemon),p0f (Identifyremotesystemspassively).

Besidethepredefinedlistofavailableplugins,theXL-SIEMprovideswithaflexiblewaytoadaptnew sources of information. New events from sensors are received either from a RabbitMQmessagebrokerorthroughRemotesyslog.Inbothcases,theeventisreceivedandprocessesbythecorrespondingplugin.

Pluginsparsesthelog,lookingforamatchamongthemessageformatsdefinedintheplugins.Theinformation contained in the event is processed and extracted prior to be sent to the XL-SIEMserver.

of39

Figure11.Informationflowforprocessingsecurityevents

ThefollowinginformationisincludedinthenormalizedeventsentfromtheXL-SIEMagenttotheXL-SIEMserver:

• Date:Timestampoftheeventreceived

• Sensor:Nameoftheagentsubmittingtheevent

• TriggeredSignature:Textdescribingtheeventreceived

• CategoryandSubcategory:Typeofeventbasedonthepluginprocessingtheevent

• DataSourceName:Nameidentifyingthetypeofeventforthepluginprocessingtheevent

• ProductName(optional):Nameoftheproductrelatedtothepluginprocessingtheevent

• SourceAddress:IPaddressofthesensorproducingtheevent

• SourcePort(optional):Portusedtosendtheevent

• DestinationAddress: IP addressof theentity receiving theevent (generally theXL-SIEMagent)

• Protocol:Protocolusedtotransmittheevent

• Userdefineddata (1..n):Customuserdatacontainingadditional information included intheevent

ForeveryeventprocessedbytheXL-Agentauniqueevent ID isassigned.Additionally, foreveryeventthereisapreliminaryanalysiswhichresultsinseveralproperties:

of39

• Priority:Thisparameterdeterminestheimportanceoftheeventprocessed,whichisusedfortheXL-SIEMservertoassignmoreresourcestoitsprocessing.

• Reliability:Thisparameterdetermineshowtrustworthyistheinformationcontainedintheevent.Thereliability level isbasedonthesensorproducingit,whichissetbythesystemadministrator depending on the importance of the sensor or the infrastructure beingmonitored.

• Risk:Thisparameterdeterminesthesecuritythreatthattheprocessedeventmightentail.

TheflexibilityoftheXL-SIEMmodelallowstheintegrationoftheMontimageMonitoringToolandtheUTRCagentsasadditionalsourcesofinformation,usingtheireventsoralertsasanadditionalinputwhencorrelatingeventsandgeneratingmoreaccuratealarms.

4.3 UTRCAGENTSUTRCAgents are used to build a data-drivenmodel basedon collectedoperational data of themachines that will be continuously monitoring and analysing newly collected data in order todetectifaseveredeviationfromexpectedbehaviourcanbenoticed,thatcouldbecausedbyanattack.ThefunctioningoftheUTRCAgentcanbedescribedasanomaly-basedintrusiondetectionanditcanbedividedintwophases:

• Offline:when it builds and learns themodel, based on collected and processed data torepresentthenormalsystembehaviour.OfflinedataprocessingflowhasbeenillustratedonFigure12.

Figure12.Offlinedatahandlerprocessingflow.

• Online: when the built model is used to continuously monitor and evaluate the newlycollecteddata inorder to state if thereareany signsof anattack takingplace from thepointoftheofsensordata.ThisphaseofoperationwasshownonFigure13.

of39

Figure13.Onlinedatahandlerprocessingflow.

Initially, theagentundergoesanofflinephase,also referred toas trainingperiod,whenadata-drivenmodelisbuilt.Thismodelconsistsoffeaturesandasetofrelationsamongthemtocapturenormal system behaviour. By system behaviour wemean collection of system states, where astate is defined by the attributes of the features of the model that are derived from theoperationaldata.TheagentcollectsoperationaldatafromthephysicalIoTdevicesandperformscleaning, aggregation, filtering. Feature extraction is performed on this data, capturing systembehaviourover time, through identifying relationsamongoneormore features. These featuresthemselves already describe themonitored systems state but in order to better capture globalbehaviour relationsbetween featuresarealsocreated.Fromthecollectionof features relationsarebuiltbetweenthemthatcapturethenormalandalreadyobservedsystemstates.Athresholdis learned that is used as a measurement to state whether a new system state is considerednormal or not. In case of anomaly the threshold is also capable to provide ameasurement ofdeviationofexpectedandactualsystemstate.Afterinitialconstructingthismodelitisevaluatedandupdatedbasedonitsperformanceuntilitreachesaspecifiedperformance.Afterlearningthemodelthatrepresentthebehaviourofthesystemitisusedintheonlinephasewheretheoperationaldataiscontinuouslymonitored,collectedandprocessed.TheAgentcollectsthe available operational data, maps it to the features used by the model and feeds themaccordingly. The model then decides if the received system state can be classified as normalbehaviour. When a system state derived from a collection of operational data is deviatingsignificantly from the previously observed behaviour, the agent flags the specified state as ananomalyandreportsitwiththeexplanationtoXL-SIEMcomponent.Theagentisabletoprovidefurtherdetailswhatsensororcollectionsensorscausedthedeviationandhowsevereitis,thatis,howmuchitdeviatedfromtheexpectedsystembehaviour.

of39

5 ADDITIONALCONSIDERATIONSConcerningtheconsideredthreats, fourusecaseshavebeenselected,byconsidering importantattacks able to compromise the security of the entire infrastructure. Although the mentionedthreats are extremely serious and represents nowadays relevant threats every system andnetwork administrator has to face, it is important to consider novel threats also, able toperpetrateattacksbyadoptinglastgenerationattackmethodologiesandtechnologies.DuringthedevelopmentofANASTACIA,hardworkwasdedicatedtothestudyoflastgenerationthreats,and,inparticular,twodifferenttypesofattackwereinvestigated,relativetotheMEC.3andBMS.4usecases.

5.1 SLOWDENIALOFSERVICEATTACKSInparticular,theMEC.3usecaseconcernsa(distributed)denialofserviceattackagainstsmartIoTdevices.AlthoughthisscenarioincludestheimportantPingfloodDoSattack,inthelastyears,theDoS arena of cyber-threats evolved. Generally speaking, there are several approaches that canleadtoadenialofservice(for instance,physicalattacks,exploitbasedthreats,floodingDoSlikePingDoS,etc.).Overall these typesof threats,weanalyzedtheemergingcategoryofSlowDoSAttacks (SDA), also known as application layer or Low-Bandwidth Rate DoS, that represent thesecond generation of network based DoS attacks [Cambiaso, 2017]. Particularly, the firstgenerationofDoSattacks,includingPing/ICMPDoSandSYNfloodattacks,isbasedon“flooding”thevictimwithlargeamountofdata,until itsresourcesareoverwhelmedandaDoSisreached.Differently, a SlowDoSattack is able to leadaDoSon the victimbyadoptinga low fractionofattack bandwidth [Cambiaso, 2013]. In virtue of this, the resources employed to successfullyperpetrate Slow DoS Attacks are reduced, hencemaking them amore dangerous threat, sincethey could be executed even from non-performing devices. Concerning slowDoS threats, theircharacteristicsmaketheirtrafficappeartothevictimparticularlysimilartolegitimatetraffic,sincethe exchanged payload is compliant to the protocols of the ISO/OSI stack (e.g. to the HTTPprotocol,incaseofwebserverexploitation).Althoughthischaracteristicmakesithardtoidentifya running attack [Aiello, 2013], some works on this context try to detect a SDA by reducingdetectiontimes[Aiello,2014].Duringourstudyonthetopic,wehavediscoveredandmodelledanovelSlowDoSAttackcalledSlowComm[Cambiaso,2017].Theattackexploitsavulnerabilityonmost server applications that limits the number of simultaneous threads on the host. UnlikefloodingDoSthreats,whichaimtooverwhelmsomenetworkcapabilitiesofthevictimhost,SDAoftenadoptasmarterapproach,seizingalltheavailableconnectionswiththeapplicationlisteningdaemon and exploiting specific timeouts [Cambiaso, 2013]. Compared to older types of DoSattacks, this approach requires extremely low amounts of attack bandwidth, as the number ofconnectionsa server isable to simultaneouslymanageat theapplication layer is sensibly lowerthatthenumberitisabletomanageatthetransportlayeroftheISO/OSImodel.In particular, SlowComm sends a large amount of slow (and endless) requests to the server,saturatingtheavailableconnectionsattheapplication layerontheserver inducing ittowaitforthe(neversent)completionoftherequests.Asanexample,werefertotheHTTPprotocol,wherethe characters sequence \r\n\r\n represent the request end: SlowComm is supposed to neversendthesecharacters to thevictim,by forcing it toanendlesswait.Additionally, therequest issentslowly,byfragmentingitinmultiplepackets,henceapplyingtimeoutsbetweeneachpacketsend.Similarbehaviorcouldbeadopted forotherprotocolsaswell (e.g.,SMTP,FTP,etc.).Asaconsequence,byapplyingthisbehaviortoa largeamountofconnectionswiththevictim,aDoS

of39

state may be reached. By executing the attack on test environments, we observed that it issuccessful and a DoS is reached on the victim, although future enhancements may focus onmaintaining it for long times (without perpetrate a new attack). In virtue of this, the proposedattackshouldbeconsideredextremelydangerousforICTinfrastructures.

5.2 IOTSECURITYCONSIDERATIONSConcerninginsteadtheBMS.4usecase,focusedonIoTcriticaltemperaturesensorsexploitation,duringthedevelopmentoftheproject,wehaveworkedtostudyindeeptheIoTsecuritycontext.Inparticular,ourworkonthetopic investigatessecurityaspectsof InternetofThingsnetworks.We focused on ZigBee, a communication protocol ensuring low power consumption andcharacterized by low data transmission rates.We found important security issues related to aZigBee based system and, potentially, to other similar protocols. Particularly, we identified[Vaccari, 2017] the possibility to send Remote AT Commands, AT meaning “attention”, to aconnectedsensor, inordertoreconfigure it, for instance,bymaking it joinadifferentmaliciousnetwork,hence to forwardcaptureddata toamaliciousentity. Inparticular,ATCommandsarespecific packets, historically used by old generation modems to interface with the device andtoday adopted by radiomodules such as XBee [Boonsawat, 2010], ESP8266 [Thaker, 2016], orETRX3[Dao,2017]toconfiguredeviceparameterslikeconnectiontype,networkidentifier,devicename on the network, or destination address. AT Commands are today implemented onmanydevicesofdifferentnature,providingdifferentfunctionalitiesandhencecommands.Theproposedthreat focuses on XBee based sensors exploitation. XBee modules support remote send of ATCommands(RemoteATCommands).Sincethesepacketsbelongtothe(IEEE802.15.4)MAClayer,they are interpreted by the XBee module automatically, hence, being this interpretationdemandedtothedevicefirmwareandbeingsuchfirmwareclosed/providedbythemanufacturer,Digi International, it is not possible to avoid implicit Remote AT Commands interpretation. TheproposedattackexploitsRemoteATCommandfunctionalitytoreconfigurethesensor,potentially,for malicious aims. XBee supports several AT Command packets4. For our aim, we evaluatedfeasibilityof theproposedthreatbyusingATIDcommandsagainst targetedsensors, inorder toreconfigure identifier of the joinednetworkon the attackeddevice. By executing the attackontestenvironments,weobservedthattheattackissuccessfulanditisabletotargetasinglenodewithout affecting the other nodes of the network, hence resulting extremely precise andpotentiallydifficulttoidentify.Attackidentificationisalsoextremelydifficultduetothenumberofpackets sent by the attacker, resulting minimum. The proposed attack should therefore beconsideredparticularlydangerous,sinceitmaycompromisethesecurityofanentireIoTnetworkwithminimumeffortfortheattacker.Althoughourstudiesonlow-rateDoSattacksandIoTsensorssecurity,includingtheproposalsofnovel threatsoperating inthesecontext,arenotdirectlyrelatedtotheselectedusecases, theyrepresentanimportantresultfortheprotectionoftheentireinfrastructure,sinceitiswellknowninthecyber-securityfieldthatstudyingnovelthreats,and,possibly,implementingnovelattacks,isa fundamental activity to reduce the gap betweenwhite and black hackers, entitiesworking incyber-protectionandcyber-criminal,anditisneededinordertoenhancetheoverallprotectionofICTsystems.

4 More information can be found at the following address: https://www.sparkfun.com/datasheets/Wireless/Zigbee/XBee-Datasheet.pdf

of39

6 CONCLUSIONSIn thisdocument, the securityuse cases selected for theANASTACIAplatformwereanalysed indepth. For each use case, detailed information on the exploited threat was provided, thusproposing detection and mitigation approaches to be implemented and deployed on theANASTACIA platform. The document also showed how these proposals are managed byANASTACIA,exploitinguniquetools,methodologiesandknowledgeprovidedbyprojectpartners.Furthermore,thedocumentpresentedtheinnovativethreatsdiscoveredduringthestudyandtheevaluationofthesethreatsforfutureworkonthesubject.First, an overview of the possible categories of attacks was presented in order to define andidentifytherelevantthreatsagainstanetworkinfrastructure,focusingonthemaincomponentsofthe ANASTACIA scenarios and considering in particular Internet of Things (IoT) and Software-DefinedNetworking(SDN)environments.Differenttypesofthreatswerepresented,withtheaimofimprovingprojectdevelopment,identifyingtherelevantsecuritythreatsanddefiningtherightprotectionapproachforimplementationonthesystem.Communicationnetworksrepresentagreattechnologicalinnovationandalwaysattractmalicioususers. Therefore, network security assumes a crucial role for any ICT-based system. A basicclassificationofwell-knownnetworkattacks isbasedontwomaincategoriesof threats,namelyactive and passive attacks. As for active attacks, a malicious client actively injects or alters anetworkmessagetoexploitsomesortofvulnerabilitythataffectsthetargetedhostornetwork.Activeattacksallowanattackerto interactonthenetwork,suchassendingpacketstonetworkdevicesoraccessingtheirservices.Themainobjectiveofthesethreatsistodamagethenetworkortheentireinfrastructuredependingonthescopeoftheattack.Withregardtoactivenetworkattacks, three different activities are involved: fabrication/craft of new packets,modification/alterationofexistingpackets,servicesinterruption.Thistypeofattacksisconsideredverycomplexandpreventionisnoteasytoachieve.Instead, as for passive attacks, the attacker's goal is to obtain information without activelycommunicatingonthenetwork.Thistypeofattackdoesnotinvolvetheattacker'sinteractionwithnetworkdevices.Oftenintheseattacks,hackersonlycareaboutstayinghiddenandreadingandsavingtheinformationofinterestexchangedbythevariousdevicesonthenetwork.Thegoalistostealinformationwithoutactivelyinteractingandremaininghidden.In general, each of these attacks aims to introduce delays on the network or to steal sensitiveinformation from the targeted systems. In order to identify andmitigate these threats, specificapproachescanbeimplementedtoavoid/reducethepossibilityofexploitation.Inthisdocument,itwasemphasized thatagood startingpoint is theanalysisof international standardsoncybersecurity,suchasISO/IEC27002.Followingthestandard,itispossibletoidentifysensitiveactionsto be undertaken on sensitive networks or nodes. The adoption of standards such as ISO/IEC27002helpsnetworkandsystemadministratorskeeptheinfrastructuresafeandprotectedfrompossiblecyberandphysicalattacksonthesystem.InthisANASTACIAD2.2deliverabledocument,differentattackscenarioswereselected,analysedandconsideredinthecurrentphaseofthedevelopmentoftheANASTACIAplatform.Theanalysisoftheconsideredthreatanditsfunctioningiscrucialtoimplementanefficientprotectionsystemtodetectandmitigateanattackonthenetwork.

of39

Four use cases were extrapolated from the ANASTACIA D1.2 deliverable document, whichdescribedawiderangeofpossibleattackscenarios.OneoftheselectedusecasesisrelatedtotheMobile Edge Computing/Multi-access Edge Computing (MEC) context, while three use casesconcerntheBuildingManagementSystems(BMS)context,inparticular:DoSorDDoSattackswithPing-ICMP via Smart Camera or IoT devices (UseCase_MEC.3); remote attack to buildingmanagementsystem, i.e.SQL injectiontowardsSCADA(UseCase_BMS.3);ahackermanipulateacritical temperature sensor to trigger the fire and evacuation alarms (UseCase_BMS.4); insiderattacktoafiresuppressionsystem(UseCase_BMS.2).Theselectedusecaseswereanalyseddeeply.Therelatedattacks,howtheyworkandtheiraim,were examined to define the appropriate security methods to be adopted and implemented.According to the description reported in ANASTACIA D1.2 deliverable document, the selectedattackscenarioscoverawiderangeofpossiblethreats,rangingfrom“wellknown”tozero-day.Anappropriate severity rankwas defined and adopted to score a specific threat. In particular, thedefined rank considers the fundamental distinction between critical and non-critical attacks, inconjunctionwiththetargetedentity,thatmayingeneralbea(non-)sensitivehostornetwork(infunctionofitsimpactonthenetworkoftheimpairmentofthehost/network),theentirenetwork,orhumanbeings.Innovative attacks detection and protection systemswere proposed and described through theuse cases and classified according to the severity rank of the specific threat. In ANASTACIAplatform, the identified methodologies have been addressed through the adoption of anarchitecturecomposedbybothsensorsandprocessingunities,asformonitoringcomponents.Thesensors have the aim to live-capture sensitive information and forward them to the processingunities,inordertoevaluateifanattackisrunningornot,alsoextrapolatingdetailedinformationabout the identified threat. ANASTACIA monitoring components are based on three uniquetechnologies provided by the partners of the project. In particular, theMontimageMonitoringTool(MMT),theXLSIEM,andinnovativeUTRCagents.Regarding the threats considered, four use cases were selected, considering important attacksthatcouldcompromisethesecurityoftheentireinfrastructure.Althoughthethreatsmentionedareextremelyseriousandrepresentnowadaysrelevantthreats,whicheverysystemandnetworkadministratorfaces,itisimportanttoconsidernewthreats,capableofperpetratingattacksusingthe latest generation of attack technologies andmethods. As a final remark, it is important tounderlinethatduringthedevelopmentofANASTACIA,animportantactivitywasdedicatedtothestudyofthelatestgenerationthreats.

of39

7 REFERENCES[Aiello,2013] Aiello,M.,Cambiaso,E.,Scaglione,S.,&Papaleo,G.(2013,July).Asimilarity

basedapproachforapplicationDoSattacksdetection.InComputersandCommunications(ISCC),2013IEEESymposiumon(pp.000430-000435).IEEE.

[Aiello,2014] Aiello,M.,Cambiaso,E.,Mongelli,M.,&Papaleo,G.(2014,October).Anon-lineintrusiondetectionapproachtoidentifylow-rateDoSattacks.InSecurityTechnology(ICCST),2014InternationalCarnahanConferenceon(pp.1-6).IEEE.

[Alazab,2011] Alazab,M.,Venkatraman,S.,Watters,P.,&Alazab,M.(2011,December).Zero-daymalwaredetectionbasedonsupervisedlearningalgorithmsofAPIcallsignatures.InProceedingsoftheNinthAustralasianDataMiningConference-Volume121(pp.171-182).AustralianComputerSociety,Inc.

[Alpcan,2003] Alpcan,T.,&Basar,T.(2003,December).Agametheoreticapproachtodecisionandanalysisinnetworkintrusiondetection.InDecisionandControl,2003.Proceedings.42ndIEEEConferenceon(Vol.3,pp.2595-2600).IEEE.

[Bilge,2012] Bilge,L.,&Dumitras,T.(2012,October).Beforeweknewit:anempiricalstudyofzero-dayattacksintherealworld.InProceedingsofthe2012ACMconferenceonComputerandcommunicationssecurity(pp.833-844).ACM.

[Boonsawat,2010] Boonsawat,V.,Ekchamanonta,J.,Bumrungkhet,K.,&Kittipiyakul,S.(2010,May).XBeewirelesssensornetworksfortemperaturemonitoring.Inthesecondconferenceonapplicationresearchanddevelopment(ECTI-CARD2010),ChonBuri,Thailand.

[Callegati,2009] Callegati,F.,Cerroni,W.,&Ramilli,M.(2009).Man-in-the-MiddleAttacktotheHTTPSProtocol.IEEESecurity&Privacy,7(1),78-81.

[Cambiaso,2013] Cambiaso,E.,Papaleo,G.,Chiola,G.,&Aiello,M.(2013).SlowDoSattacks:definitionandcategorisation.InternationalJournalofTrustManagementinComputingandCommunications,1(3-4),300-319.

[Cambiaso,2016] Cambiaso,E.,Papaleo,G.,Chiola,G.,&Aiello,M.(2016).ANetworkTrafficRepresentationModelforDetectingApplicationLayerAttacks.

[Cambiaso,2017] Cambiaso,E.,Papaleo,G.,&Aiello,M.(2017).Slowcomm:Design,developmentandperformanceevaluationofanewslowDoSattack.JournalofInformationSecurityandApplications,35,23-31.

[Dao,2017] Dao,V.L.,&Hoang,V.P.(2017,October).AsmartdeliverysystemusingInternetofThings.InIntegratedCircuits,Design,andVerification(ICDV),20177thInternationalConferenceon(pp.58-63).IEEE.

[Debar,1999] Debar,H.,Dacier,M.,&Wespi,A.(1999).Towardsataxonomyofintrusion-detectionsystems.ComputerNetworks,31(8),805-822.

[Endorf,2004] Endorf,C.,Schultz,E.,&Mellander,J.(2004).Intrusiondetection&prevention(pp.1-247).Emeryville,CA:McGraw-Hill/Osborne.

[Halfond,2006] Halfond,W.G.,Viegas,J.,&Orso,A.(2006,March).AclassificationofSQL-injectionattacksandcountermeasures.InProceedingsoftheIEEEInternationalSymposiumonSecureSoftwareEngineering(Vol.1,pp.13-15).IEEE.

of39

[Huici,2009] Huici, F., Niccolini, S., & d'Heureuse, N. (2009, November). Protecting SIPagainst very large flooding DoS attacks. InGlobal TelecommunicationsConference,2009.GLOBECOM2009.IEEE(pp.1-6).IEEE.

[Hussain,2013] Hussain,A.,Heidemann,J.,&Papadopoulos,C.(2003,August).Aframeworkforclassifyingdenialofserviceattacks.InProceedingsofthe2003conferenceon Applications, technologies, architectures, and protocols for computercommunications(pp.99-110).ACM.

[Kuzmanovic,2003]Kuzmanovic,A.,&Knightly,E.W.(2003,August).Low-rateTCP-targeteddenialofserviceattacks:theshrewvs.themiceandelephants.InProceedingsofthe2003conferenceonApplications,technologies,architectures,andprotocolsforcomputercommunications(pp.75-86).ACM.

[Liao,2016] Liao,K.,Zhao,Z.,Doupé,A.,&Ahn,G.J.(2016,June).Behindcloseddoors:measurementandanalysisofCryptoLockerransomsinBitcoin.InElectronicCrimeResearch(eCrime),2016APWGSymposiumon(pp.1-13).IEEE.

[Miller,2012] Miller,K.W.,Voas,J.,&Hurlburt,G.F.(2012).BYOD:Securityandprivacyconsiderations.ItProfessional,14(5),53-55.

[Mohurle,2017] Mohurle,S.,&Patil,M.(2017).Abriefstudyofwannacrythreat:Ransomwareattack2017.InternationalJournal,8(5).

[Mui,2010] Mui,R.,&Frankl,P.(2010).PreventingSQLinjectionthroughautomaticquerysanitizationwithASSIST.arXivpreprintarXiv:1009.3712.

[Mukkamala,2002]Mukkamala,S.,Janoski,G.,&Sung,A.(2002).Intrusiondetectionusingneuralnetworksandsupportvectormachines. InNeuralNetworks,2002. IJCNN'02.Proceedings of the 2002 International Joint Conferenceon(Vol. 2, pp. 1702-1707).IEEE.

[Muscat,2016] Muscat, I. (2016). Web vulnerabilities: identifying patterns andremedies.NetworkSecurity,2016(2),5-10.

[Nam,2010] Nam,S.Y.,Kim,D.,&Kim,J.(2010).EnhancedARP:preventingARPpoisoning-basedman-in-the-middleattacks.IEEEcommunicationsletters,14(2).

[O’Gordman,2012] O'Gorman, G., & McDonald, G. (2012).Ransomware: A growing menace.SymantecCorporation.

[Roesch,1999] Roesch, M. (1999, November). Snort: Lightweight intrusion detection fornetworks.InLisa(Vol.99,No.1,pp.229-238).

[Sadeghian,2013] Sadeghian,A.,Zamani,M.,&Manaf,A.A.(2013,September).AtaxonomyofSQL injection detection and prevention techniques. In Informatics andCreativeMultimedia (ICICM), 2013 International Conference on (pp. 53-56).IEEE.

[Specht,2004] Specht,S.M.,&Lee,R.B.(2004,September).DistributedDenialofService:TaxonomiesofAttacks,Tools,andCountermeasures. In ISCAPDCS (pp.543-550).

[Song,2013] Song,J.,Takakura,H.,Okabe,Y.,&Nakao,K.(2013).Towardamorepracticalunsupervisedanomalydetectionsystem.InformationSciences,231,4-14.

of39

[Thaker,2016] Thaker, T. (2016,March). ESP8266based implementationofwireless sensornetwork with Linux based web-server. InColossal Data Analysis andNetworking(CDAN),Symposiumon(pp.1-5).IEEE.

[Tsai,2009] Tsai, C. F., Hsu, Y. F., Lin, C. Y., & Lin,W. Y. (2009). Intrusion detection bymachine learning:Areview.ExpertSystemswithApplications,36(10),11994-12000.

[Uma,2013] Uma,M., & Padmavathi, G. (2013). A Survey on Various Cyber Attacks andtheirClassification.IJNetworkSecurity,15(5),390-396.

[Vaccari,2017] Vaccari, I., Cambiaso, E., & Aiello, M. (2017). Remotely Exploiting ATCommand Attacks on ZigBee Networks.Security and CommunicationNetworks,2017.

[Wei,2013] Wei,W.,Chen,F.,Xia,Y.,&Jin,G.(2013).ArankcorrelationbaseddetectionagainstdistributedreflectionDoSattacks.IEEECommunicationsLetters,17(1),173-175.

[Welch,2003] Welch,D.,& Lathrop, S. (2003, June).Wireless security threat taxonomy. InInformationAssuranceWorkshop,2003. IEEESystems,ManandCyberneticsSociety(pp.76-83).IEEE.

20180226 D2.2 CNR V10 - anastacia-h2020.eu · BYOD Bring-your-own-device C&C Command and Control...

Documents

Transcript of 20180226 D2.2 CNR V10 - anastacia-h2020.eu · BYOD Bring-your-own-device C&C Command and Control...