Same Origin Attack Analysis Based on Features of Industrial Control System Function Code

doi:10.19678/j.issn.1000-3428.0057547

Abstract

Abstract: IP traceback is one of the main methods of attack group identification.Industrial Control System(ICS) need accurate IP traceback to improve their self-protection.However,existing IP traceback methods are costly and inefficient in identification of the group a malicious IP belongs to.To address the problem,by collecting and analyzing the honeypot data of ICS,this paper proposes a same origin attack analysis method based on ICS function code features,so as to find out the attack group with similar attack behavior and improve the efficiency and accuracy of IP traceback.This method uses coarse-grained statistical features and fine-grained sequence features of industrial control function codes to quantify the attack behavior.Then the two kinds of features are modeled by using coarse set and clustering model.On this basis,the same origin attacks in honeypot data are analyzed.Experimental results show that the proposed method can use threat intelligence to discover more than 10 malicious groups including shodan in honeypot data with a high accuracy and recall rate.

Key words: IP traceback, Industrial Control System(ICS), function code sequence, same origin attack analysis, malicious group

摘要： IP溯源是追踪攻击者源头的主要方法，工业控制系统（ICS）需要精确的IP溯源以提高其防护能力。现有IP溯源方法存在开销大、恶意IP所属组织识别效率低的问题。为此，通过采集和分析ICS蜜罐数据，提出一种基于工控协议功能码特征的同源攻击分析方法，以识别攻击行为相似的组织并提高IP溯源的效率和准确性。用工控协议功能码的粗粒度统计特征和细粒度序列特征来量化攻击行为，采用粗糙集和聚类模型分别对2类特征进行建模，在此基础上分析蜜罐数据中的同源攻击。实验结果表明，该方法具有较高的准确率和召回率，结合威胁情报后能够在蜜罐数据中发现包括shodan在内的10个恶意组织。

关键词: IP溯源, 工业控制系统, 功能码序列, 同源攻击分析, 恶意组织

CLC Number:

TP393

WANG Jianhua, CHEN Yongle, ZHANG Zhuangzhuang, LIAN Xiaowei, CHEN Junjie. Same Origin Attack Analysis Based on Features of Industrial Control System Function Code[J]. Computer Engineering, 2020, 46(7): 36-42.

王建华, 陈永乐, 张壮壮, 连晓伟, 陈俊杰. 基于工控系统功能码特征的同源攻击分析[J]. 计算机工程, 2020, 46(7): 36-42.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0057547

http://www.ecice06.com/EN/Y2020/V46/I7/36

References

[1] SPITZNER L.Honeypots:catching the insider threat[C]//Proceedings of the 19th Annual Computer Security Applications Conference.Washington D.C.,USA:IEEE Press,2004:15-26.
[2] MCGREW R,VAUGHN R B.Experiences with honeypot systems:development,deployment,and analysis[C]//Proceedings of the 39th Ha-waii International International Conference on Systems Science.Washington D.C.,USA:IEEE Press,2006:256-269.
[3] FRAUNHOLZ D,ZIMMERMANN M,HAFNER A,et al.Data mining in long-term honeypot data[C]//Proceedings of IEEE International Conference on Data Mining.Washington D.C.,USA:IEEE Press,2017:588-596.
[4] QIAO Yanchen,YUN Xiaochun,ZHANG Yongzheng.How to automatically identify the homology of different malware[C]//Proceedings of 2016 IEEE Trust-com/BigDataSE/ISPA.Washington D.C.,USA:IEEE Press,2016:12-36.
[5] WANG Liyan,XUE Jingfeng,CUI Yan,et al.Homology analysis method of worms based on attack and propagation features[M]//AVATANGELOU E,DOMMARCO R F,KLEIN M,et al.Communications in computer and information science.Berlin,Germany:Springer,2017:1-15.
[6] Shodan.Shodan is the world's first search engine for Internet-connected devices[EB/OL].[2020-02-15].https://www.shodan.io/.
[7] ICS security workspace[EB/OL].[2020-02-15].http://plcscan.org/blog/.
[8] SAVAGE S,WETHERALL D,KARLIN A,et al.Practical network support for IP traceback[J].IEEE/ACM Transactions on Networking,2002,9(3):226-237.
[9] SNOEREN A C,PARTRIDGE C,SANCHEZ L A,et al.Singlepacket IP traceback[J].IEEE/ACM Transactions on Networking,2002,10(6):721-734.
[10] TAO Yaodong,LI Ning,ZENG Guangsheng.Overview of industrial control system security[J].Computer Engineering and Applications,2016,52(13):8-18.(in Chinese)陶耀东,李宁,曾广圣.工业控制系统安全综述[J].计算机工程与应用,2016,52(13):8-18.
[11] GUARNIZO J D,TAMBE A,BUNIA S S,et al.SIPHON:to-wards scalable high-interaction physical honeypots[C]//Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security.New York,USA:ACM Press,2017:26-39.
[12] KREIBICH C,CROWCROFT J.Honeycomb-creating intrusion detection signatures using honeypots[J].Computer Communication Review,2004,34(1):51-56.
[13] YEGNESWARAN V,GIFFIN J T,BARFORD P,et al.An architecture for generating semantics-aware signatures[C]//Proceedings of Conference on Usenix Security Symposium.[S.l.]:USENIX Association,2005:97-112.
[14] POUGET F,DACIER M.Honeypot-based forensics[EB/OL].[2020-02-15].http://pdfs.semanticscholar.org/935e/d80c40367c8ccf2155fe66e3e52bc0fcdaad.pdf.
[15] JIA Z,CUI X,LIU Q,et al.Micro-honeypot:using browser fingerprinting to track attackers[C]//Proceedings of 2018 IEEE International Conference on Data Science in Cyberspace.Washington D.C.,USA:IEEE Press,2018:197-204.
[16] LI K,YOU J,WEN H,et al.Collaborative intelligence analysis for industrial control systems threat profiling[C]//Proceedings of Future Technologies Conference.Berlin,Germany:Springer,2018:152-189.
[17] DACIER M,PHAM V H,THONNARD O.The wombat attack attribution method:some results[C]//Proceedings of International Conference on Information Systems Security.Berlin,Germany:Springer,2009:12-26.
[18] SHANG Wenli,ZENG Peng,WAN Ming,et al.Intrusion detection algorithm based on OCSVM in industrial control system[J].Security and Communication Networks,2016,9(10):1040-1049.
[19] MOORE A W,ZUEV D.Internet traffic classification using Bayesian analysis techniques[J].ACM SIGMETRICS Performance Evaluation Review,2005,33(1):50-56.
[20] ZHAO Yonghan,CHEN Bin,LI Mengyu.Parallel K-Medoids improved algorithm based on MapReduce[C]//Proceedings of 2018 International Conference on Advanced Cloud and Big Data.Washington D.C.,USA:IEEE Press,2018:156-168.
[21] TAO Jing.Clustering-based and density outlier detection method[D].Guangzhou:South China University of Technology,2014.(in Chinese)陶晶.基于聚类和密度的离群点检测方法[D].广州:华南理工大学,2014.
[22] AbuseIPDB.Making the Internet safer,one IP at a time[EB/OL].[2020-02-15].https://www.abuseipdb.com/.
[23] IPVOID.IP address tools online[EB/OL].[2020-02-15].https://www.ipvoid.com/ip-blacklist-check/.
[24] IBMX-Force Exchange.IBM security[EB/OL].[2020-02-15].https://exchange.xforce.ibmcloud.com.
[25] LUKAS K,KRUPP J,MAKITA D,et al.AmpPot:monitoring and defending against amplification DDoS attacks[EB/OL].[2020-02-15].https://christian-rossow.de/publications/amppot-raid2015.pdf.
[26] Censys.Actionable security insights about your attack surface[EB/OL].[2020-02-15].https://censys.io/.

Please choose a citation manager

Content to export