Scribd Logo
Upload

Welcome to Scribd!

  • Poster Snort Sigs

    Uploaded by

    Febrian Rachmad
    3 views1 page
    This document proposes a method to automatically generate Snort signatures for intrusion detection in industrial control systems. It involves deploying honeypots to mimic real devices and monitor traffic. If a honeypot receives a malicious packet, signatures are generated based on frequent patterns extracted from normal traffic using the SigBox algorithm. Signatures take the form of Snort rules specifying byte sequences, locations, and other payload details. Non-frequent patterns are clustered and used for anomaly detection to identify additional malicious traffic types. The goal is to enhance ICS network security monitoring and alerting.

    Original Description:

    Original Title

    poster-snort-sigs

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document proposes a method to automatically generate Snort signatures for intrusion detection in industrial control systems. It involves deploying honeypots to mimic real devices and monitor traffic. If a honeypot receives a malicious packet, signatures are generated based on frequent patterns extracted from normal traffic using the SigBox algorithm. Signatures take the form of Snort rules specifying byte sequences, locations, and other payload details. Non-frequent patterns are clustered and used for anomaly detection to identify additional malicious traffic types. The goal is to enhance ICS network security monitoring and alerting.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    3 views1 page

    Poster Snort Sigs

    Uploaded by

    Febrian Rachmad
    This document proposes a method to automatically generate Snort signatures for intrusion detection in industrial control systems. It involves deploying honeypots to mimic real devices and monitor traffic. If a honeypot receives a malicious packet, signatures are generated based on frequent patterns extracted from normal traffic using the SigBox algorithm. Signatures take the form of Snort rules specifying byte sequences, locations, and other payload details. Non-frequent patterns are clustered and used for anomaly detection to identify additional malicious traffic types. The goal is to enhance ICS network security monitoring and alerting.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 1

    Generating Snort Signatures based on Honeypots for Industrial

    Control Systems

    Tsung-Chiao Yu, Jyun-Yao Huang, I-En Liao


    Department of Computer Science and Engineering, Taiwan Information Security Center at NCHU, National Chung Hsing University, Taichung, Taiwan

    Abstract—In this research, we propose a method Methodology SigBox is a modified frequent pattern mining algorithm based on Apriori. Its
    outputs are Snort rules which represent signatures of a specific internet service.
    to automatically generate alert signatures based on The proposed system architecture consists of a three-stage procedure as shown in
    The rule would be a form like this:
    honeypots deployed in ICS network. ICS protocols Figure 2. The control (system) network may consist of several controllers e.g.
    <action> <protocol> <ip> <port> -> <ip> <port> (sid: 1000000;
    based on TCP such as Modbus are supported in programmable logic controller (PLC) and workstations. We define target as a device to
    content:"|00 00 00|"; offset:0; depth:3; )
    (1)

    this method and the output of the system would be be protected. There would be at least one peer-honeypot used to mimic the target.
    Content specifies the frequent pattern of byte sequence in payload, offset
    Under this deployment, any attack found by peer-honeypot is regarded an attack to the
    the signatures in Snort rule format. target. indicates the location where content should be. And depth tells the range of
    Keywords—Automatic Signature Generation, location content would fit in.
    Snort Rule, Modbus, Industrial Control System, * Since our frequent patterns are recorded in Snort rule form, these patterns
    will be designated specific location in payload.

    Introduction ● Non-Frequent Pattern Clustering

    Stuxnet, a famous worm targeting ICS that is originally used to stop Iran from We chop off the frequent pattern from original payload to get the non-frequent
    developing nuclear weapon, is typically introduced to the target network via USB pattern. For example, a payload 0x000000010203 and a frequent pattern as (1)
    infection. Thus, even there are firewalls deployed to thwart unauthorized access are given, the non-frequent pattern would be 0x010203. The more normal traffic
    from remote, an attack initiated from internal device would be difficult to prevent. we collect, the more non-frequent patterns we will get. We apply hierarchical
    clustering algorithm to those patterns having the same length. If there are N
    Honeypots are systems applied to lure attacks and reduce attack surface in the end.
    different lengths of patterns, there would be N different clustering results.
    In our application scenario as shown in Figure 1, honeypots are deployed to mimic
    real devices in control system network. If any malicious packet is received by one of
    the honeypots, this honeypot (or traffic monitoring system) would generate Anomaly Detection and Signature Generation
    corresponding signature for that packet.
    Figure 2. System Architecture While honeypot receives a packet, it is assumed to be suspicious. Checks are
    required to clarify whether a packet contains malicious payload. From the
    previous two modules we gets a set of frequent patterns and many sets of
    This system collects flows to target and flows to peer-honeypot separately for the
    pattern clusters, they are used to do anomaly detection and signature generation
    first two stages. Flows coming in target are normal traffic, and flows going to peer-
    as shown in Figure 3.
    honeypot would be suspicious traffic. Protocol-Port Grouper is a module that helps
    divide normal traffic into packet clusters according to destination protocol-port Full-Content
    combination. Our analysis focuses on the payloads of these collected packets. Signature Sliced-Content
    (0x) 5678CDCD1234CDCD Signature
    Normal Model Creation
    A normal model represents normal behaviors of a flow coming in target. (0x) 5678CDCD1234CDCD
    Fail
    ● Frequent Pattern Extraction Malicious
    We feed a certain duration of normal traffic under stable ICS configuration to an Suspicious FP Fail Malicious
    automatic application signature generation method called SigBox, which is proposed Packet check
    Non-FP
    by Shim et al. to extract fine-grained traffic identification of network service. We Suspicious
    Pass check
    take the output Snort rules as the frequent patterns of normal behaviors. Normal
    Pass

    Figure 1. Application Scenario Figure 3. Decision Tree for Anomaly Detection and Signature Generation

    You might also like