close

Вход

Забыли?

вход по аккаунту

?

ICIEAM.2017.8076474

код для вставкиСкачать
2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM)
Diagnostics and Assessment of the Industrial
Network Security Expert System
Polina Repp
Electrical Engineering Department
Perm National Research Polytechnic University
polina.repp@gmail.com
Abstract—The paper dwells on the design of a diagnostic
system and expert assessment of the significance of threats to the
security of industrial networks. The proposed system is based on a
new cyber-attacks classification and presupposes the existence of
two structural blocks: the industrial network virtual model based
on the scan selected nodal points and the generator of cyberattacks sets. The diagnostic and expert assessment quality is
improved by the use of the Markov chains or the Monte Carlo
numerical method. The numerical algorithm of generating cyberattacks sets is based on the LPIJ -sequence.
Keywords—Cyber-attack; Network Security; Industrial Safety;
Classification; Vulnerability
I.
INTRODUCTION
Currently, providing security is one of the most urgent
problems in all spheres of human activities. In accordance with
the socio-economic requirements the regulatory and the legal
base, technical regulations and control algorithms are changing.
Since modern society cannot exist without information
technology, the protection against cyber threats is an actual
problem.
The design of security algorithms and creation of new ways
of hacking – is a mutually interconnected and dynamic process.
Evolution of cyber danger moves from localized to global
threats. If several years ago a target of the attack was a person
(burglary of bank cards, e-mail, etc.), now cybercriminals are
setting up more ambitious targets. For example, in November
2010 the Belarusian hacker disabled a uranium enrichment
plant centrifuge in Iraq for a week. Using a previously unknown
OS Windows vulnerability, an attacker used a Trojan virus to
access SQL data base management. The investigation of this
case has not been completed. In 2012, the power plant in the
USA was disabled for three weeks. Ten computers of the
control system were infected with a Mariposa virus, which was
brought on the disc by a technician from outside organization.
In Germany, the whole steel plant control system was damaged
in late 2014. The result of the attack by groups of hackers who
used the means of social engineering to get a network access
was blocking the possibility of closing one of the blast furnaces
in the required manner. This is not a fill list of all accidents at
major industrial enterprises and in social infrastructure. Since
2008 there is a special international RISI database [1], which
contains general information on these incidents since 1982.
Typical structure of the automated technological enterprise
process management system includes: production, storage,
distribution, transportation, support and office activities. Each
element has its own sub-network which generates a set of
industrial enterprise network. Despite the fact that each of these
is equally vulnerable to cyber-attacks, the specificity of attacks
influence for each sub-network is different, which is shown in
Table 1.
TABLE I.
THE SPECIFICITY OF CYBER-ATTACKS ACTION ON INDUSTRIAL
ENTERPRISE SUB-NETWORKS
Sub-network
Cyber-threat
Consequences of
attack
Production
Industrial downtime
Delays the product
delivery and output
Storage
Process logic changing
(e.g. recipe changing)
Ecological disaster
Distribution
Deactivation of the
supply management
system
Spoilage
Transportation
Interception of
equipment control
Penalty payment
Support
Leaked data about the
operation algorithm or
characteristics of the
production process
Penalties for violations
of information security
requirements
Office activities
General threats
Reputational damage
A simple solution to the problem is the localization of the
entire information flow within the enterprise or infrastructure.
But modern providers of automation systems require their
customers to have a remote access for the remote support of their
product. This means fabricators are required to have a permanent
channel to the Internet, for example, to access the update servers
for installed software. In Russia, this problem is tried to be
solved by developing own unique software products and
releasing regularly updates which has to actualize this software
independently, in accordance with changes in external
parameters. In addition to the contradictions of the global
unification trend, this approach has additional security issues. In
particular, the human factor is not being considered. In order to
have leverage over the customer’s administration developers
supply their product with backdoors - deliberately altered
fragments of the program, allowing the attacker (in this case the
developer) to carry out unauthorized access to the information
network resources based on changes in the protection system
properties [2].
978-1-5090-5648-417$31.00 ©2017 IEEE
2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM)
Modern IT-market offers a range of turnkey solutions for
enterprise information security at any level and scale: software
and hardware, and outsourcing services. In addition, there are
approved standards, protocols, technical documentation and
certification, designed to regulate the sphere of information
security. Though, among the existing varieties of products there
are no network diagnostics. That means, the company that is
acquiring (or building) their information security system has no
opportunity to test its effectiveness before the actual cyberattack will be carried out.
Thus, due to the obvious danger and the possible catastrophic
consequences of global cyber threats for modern industrial and
social infrastructure, an important challenge is to provide
effective tools to combat them. The proposed system of
identification, diagnosis and expert assessment of the
significance of threats to the security of industrial networks as
such a tool can be considered.
II.
BRIEF SURVEY OF EXISTING RESEARCHES
Practical significance of this problem is emphasized in [3].
The authors describe a number of available simulators of
computer attacks (ARENA, Cohen, Secusim, OPNET Modeler,
Sakhardante, NetENGINE etc.), noting the lack of cooperation
between the private sector and the government (military sector)
in the developments. Also the lack of available simulators with
the “prediction” function of the consequences for a particular
attack for a particular network is mentioned.
Furthermore, foreign scientists have made lots of attempts to
create a unified cyber-attacks classification. One of the main
problems was the lack of universal terminology, as the authors
[4] mark. Moreover, most classifications do not satisfy such
requirements as comprehensible and unambiguous ones. For
example, in [5], the authors used an intuitive approach.
Classifications by a number of authors [6], [7], [8] are
unambiguous, complete and comprehensible. The work by [9]
has undeniable advantages, but it does not meet the requirement
of an exhaustive survey.
In this case, it should be noted that an adequate classification
is a prerequisite for creating both a simulation of cyber-attacks
and an expert system for assessing the safety of industrial
information networks.
III.
PROPOSED CLASSIFICATION OF CYBER-ATTACKS
This paper is dedicated to an attempt of creating a new cyberattack classification.
A. Terms
It is necessary to distinguish between the concepts:
• Cyber-attack is a process/action, aimed to capture the
computer network and/or its destabilization control.
• Cyber-threat is a potential for a cyber-attack success
under certain conditions
• Vulnerability is a lack, a weak point in the system,
inadequate software and hardware as well as its operating
personnel that an attacker can use to accomplish own
tasks g personnel, which an attacker can use to
accomplish their tasks [10].
B. Requirements for classification
A successful taxonomy should satisfy several requirements
for its universal acceptance [4]. Typical requirements include the
following:
•
Accepted – builds on previous work that is well
accepted.
•
Mutually exclusive – each attack can only be classified
into one category, which prevents overlapping.
•
Comprehensible – clear and concise information; able
to be understood by experts and those less familiar.
•
Complete/exhaustive – available categories are
exhaustive within each classification, it is assumed to be
complete.
•
Unambiguous – involves clearly defined classes, with
no doubt of which class an attack belongs.
•
Repeatable – the classification of attack should be
repeatable.
•
Terms well defined – categories should be well defined,
and those terms should consist of established
terminology that is compliant within the security
community.
•
Useful – use and gain insight into a particular field of
study, particularly those having great interest within the
field of study [5].
Furthermore, it should be noted that the correct method of
classification can only be based on a systematic approach.
C. Multilevel classification for cyber-attacks
In general, it is purposed to divide cyber-attacks into two
groups: external and internal. External threats include nine
categories, most of which are divided into subcategories.
Internal threats include two categories: “Vulnerabilities in
software” (which is the responsibility of its vendor) and “Data
leakage” (which is the responsibility of a company’s HR).
The Fig. 1 shows the classification scheme of cyber-attacks.
Due to the fact that computer viruses are the most wide spread
type of cyber-attacks, detailing was made only for the
corresponding block. This is the most common type of cyber
threats. The scheme will allow designing an effective search
form for diagnostics software interface.
IV. PROPOSED DIAGNOSTIC AND ASSESMENT OF
INDUSTRUAL NETWORK SECURITY EXPERT SYSTEM
A. Overview
The main purpose of technical diagnostics is to organize
efficient processes determining the technical condition of the
complex, multi-component objects, which should include
industrial information network of an enterprise. Diagnosis is
performed by hardware or software, internal or external
technical tools implementing a particular algorithm for
diagnosis.
During studying, development and implementation of diagnosis
processes of industrial information network technical
2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM)
Fig. 1 Classification scheme for cyber-attacks
condition it is necessary to solve the same problems, which arise
during the studying, development and implementation of all
management processes. In the first place, it is the task of
studying the physical properties of an information network and
its security vulnerabilities, the problem of constructing
mathematical models and information network vulnerabilities
models. The following are the problems of model information
network analysis, which is needed to obtain necessary data for
the construction of the diagnosis algorithms. The next group
consists of tasks related to the development of construction
principles, pilot testing and commercialization of information
network diagnostic system. Finally, the diagnostic system
design problem in general and the study of its characteristics and
properties (including experimental testing) [11]. The main
subjects of research of the industrial information network system
technical diagnostics design classification tree is shown on Fig.
2.
In this study the problem of determining diagnostic
algorithms is solved.
As experiments of the real existing network of a running
enterprise are not allowed and process technology stops can
cause unwanted effects, the proposed diagnostic system
presupposes the existence of two structural blocks:
•
The industrial network virtual model, based on the scan
selected nodal points/markers (Block 2 on Fig. 3);
•
The generator of cyber-attacks sets (Block 1 on Fig. 3).
Fig. 3 Functional diagram of the technical diagnosis system of the security state
of the industrial enterprise network.
Fig. 2 The main subjects of research of the industrial information network system
technical diagnostics design classification tree
The proposed multilevel classification of internal and
external cyber-attacks allows constructing a model of a safety
diagnostic system that generates test kits to detect attacks
reactions of the industrial network virtual model to these attacks.
Experiments are set with a sufficient sample to provide reliable
statistics. While generating sets of cyber-attacks their weight is
taken into account, which depends on:
2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM)
•
Frequency of cyber-attacks (popularity among hackers).
•
The complexity of implementation (technical and
technological resources used).
•
The possibility of a preventive the attack during its
execution (if detected).
•
The degree of damage (magnitude of the consequences
for the network and whole enterprise).
•
The complexity of remediation.
basis of this diagnostic algorithm is the Markov chain. The
structural scheme for this method is shown on Fig. 5.
Thus, the proposed diagnostic system is also endowed with
expert functions.
B. Mathematical methods
It is possible to build a cyber-attacks model in two ways.
The first method is based on the use of numerical
probabilistic methods (e.g. Monte Carlo). In this case, the sets
(combinations) of attacks are formed by using a random number
generator built on the Sobol sequence (LPIJ sequence).
The examination is conducted by determining the stability
factor (Kstab) for tested network, depending on the detected
vulnerabilities.
j =m
i=n
K stab = ¦ (a i k i ) j
(1)
i −1
j =1
In (1): ai – weight of i-cyber-attack; ki – resistance to i-cyberattack factor; i - the number of cyber-attacks in the set (i=[1; n]);
j – the number of cyber-attack set (j=[1; m]). The stability factor
inversely related to critical vulnerability. This coefficient can be
determined through a standard metric CVSS, estimating critical
vulnerabilities for a given system. The resistance value depends
on: access vector (AV), access complexity (AC), authentication
(Au), confidentiality (C), integrity (I) and availability (A).
As a criterion for the worst-case vulnerability min Kstab. is
chosen. A limit of not more than three attacks at a time is
introduced. The algorithm is shown on Fig. 4.
Fig. 5 Structural scheme for cyber-attack model design based on Markov’s chain
A table of conditional probabilities of correspondence
between cyber-attacks, cyber threats and vulnerabilities is
created for the operations. This table is based on the analysis of
data provided by Data Bank of information security threats. The
fragment of this table is shown on Fig. 6. Conditional
probability describes how likely this cyber-threat will lead to
this cyber-attack for a given vulnerability.
For the calculation of the condition probability of cyberattack (z) success in case of some vulnerability (x), which
characterized the internal attribute/parameter of the studied
system, and some cyber-threat (y), which characterizes the
presence of certain external conditions/factors the expert
analysis of the dataset series, received in practical way, is
performed. The result of the analysis is the determination of
probabilities:
ሺšሻǦ–‘–ƒŽ’”‘„ƒ„‹Ž‹–›‘ˆ˜—Ž‡”ƒ„‹Ž‹–‹‡•š’”‡•‡…‡Ǣ
..୧ ൌ ቐ ሺ›ሻǦ–‘–ƒŽ’”‘„ƒ„‹Ž‹–›‘ˆ…›„‡”Ǧƒ––ƒ…›’‡”ˆ‘”ƒ…‡Ǣ
(2)
ሺœሻǦƒ’”‹‘”›’”‘„ƒ„‹Ž‹–›‘ˆ•›•–‡…›„‡”Ǧ–”‡ƒ–œ’”‡•‡…‡Ǥ..
It is assumed that the vulnerability of x (internal property of
the system) and the cyber-threat y (a set of external factors or
conditions) are independent variables. Then the probability of
their simultaneous occurrence is:
P ( x ∗ y ) = P( x) * P( y)
(3)
The conditional probability of the hypothesis that the cyberthreat (z) allows to successfully implement particular cyberattack (y) in case of system vulnerability (x), is given by Bayes’
formula:
Fig. 4 Structural scheme for cyber-attack model design based on Monte Carlo
method
In the second case, the test is carried out in steps. Test at
each step is determined by the previous results. That means the
first set of attacks determines the most probable vulnerability.
Then other cyber-threats matching this vulnerability are
determined; and for this information a new cyber-attacks test
kit is formed. The dimension of the sets can be increased. The
P ( z | ( x * y )) =
P ( z | ( x * y )) P (( x * y ) | z ) P ( z )
(4)
=
P( x * y)
P( x * y)
In (4): P(z|(x*y)) – the probability of cyber-attack success in
case of simultaneous performance of event x (vulnerability
presence) and event y (cyber-threat presence); P((x*y)|z) – the
probability of presence of particular vulnerability and particular
cyber-threat in case the hypothesis about the cyber-attack
success is true.
2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM)
Fig. 4 The fragment of vulnerability/cyber-attack/cyber threat correspondence table
As a criterion for the worst-case vulnerability max P(z|(x*y))
is chosen.
C. Expected results
The diagnostic results is the passport of the vulnerabilities
(for Russia it is designed in accordance with GOST(State
Standard) R 56545-2015 – that means it should obey the law of
the country). For large industrial objects, this document could
become the basis for making decisions on suspension of the
enterprise in order to prevent major accidents and global
catastrophes.
V.
CONCLUSIONS
The assigned problem of protecting e industrial networks
against cyber threats was proposed to solve with the use of a
system of diagnosis and expert assessment of the significance
of threats. The proposed new classification is important for
building an effective simulation of cyber-attacks. As the
detailing is held only for computer viruses, further research will
be focused on the details of the other attacks. Additionally, the
comparing of the effectiveness of the proposed cyber-attack
generation algorithms is nessary. However, the proposed
algorithms allow achieving the higher diagnostic quality and
safity the industrial networks, than similar models used in
practice.
ACKNOWLEDGMENT
The reported study was done within the postgraduate
research at Perm National Research Polytechnic University
(Russia).
REFERENCES
[1]
The Repository of Industrial Security Incidents. [Online]. Available:
http://www.risidata.com/.
[2] The base model of personal data security threats at their processing within
the information systems of personal data (extract). Federal Service for
Technical and Export Control (FSTEC). FSTEC standard. 2008
[3] S.P. Leblanc, A. Partington, I. Chapman, and M. Bernier, “An Overview
of Cyber Attack and Computer Network Operations Simulation,” in Proc.
of the Military Modeling & Simulation Symposium MMS '11, 2011, pp.
92-100.
[4] J.D. Howard, and A.T. Longstaff, “A Common Language for Computer
Security Incidents,” SANDIA REPORT, SAND98-8667, 1998.
[5] C.B. Simmons, G. Shiva Sajjan, H. Bedi, D. Dasgupta, “AVOIDIT A
Cyber Attack Taxonomy,” in Proc. of 9th Annual Symposium On
Information Assurance -ASIA’14, Albany, 2014.
[6] S. Hansman, and R. Han, “A taxonomy of network and computer attacks,”
Computers and Security, vol. 24, is. 1, pp. 31-43, 2005.
[7] J. King, K. Lakkaraju, and A. Slagell, “A taxonomy and adversarial model
for attacks against network log anonymization,” in Proc. of SAC ’09,
Honolulu, Hawaii, 2009.
[8] M. Kjaerland, “A taxonomy and comparison of computer security
incidents from the commercial and government sectors,” Computers and
Security, vol. 25, is. 7, pp. 522-538, 2006.
[9] J. Mirkovic, and P. Reiher, “A Taxonomy of DDoS Attack and DDoS
Defense Mechanisms,” ACM SIGCOMM Computer Communication
Review, vol. 34, is. 2, pp. 39-53, 2004.
[10] Data Bank of information security threats. Federal Service for Technical
and
Export
Control
(FSTEC).
[Online].
Available:
http://www.bdu.fstec.ru/.
[11] V.V. Karibskiy, P.P. Parkhomenko, E.S. Sogomonyan, V.F. Halchev,
“Technical Diagnostics Fundamentals,” Energy, vol. 1, pp. 18-19, 1976.
Документ
Категория
Без категории
Просмотров
2
Размер файла
556 Кб
Теги
2017, icieam, 8076474
1/--страниц
Пожаловаться на содержимое документа