In Proceedings of the First Italian Conference on Cybersecurity (ITASEC17), Venice, Italy. Copyright c 2017 for this paper by its authors. Copying permitted for private and academic purposes. Network Anomaly Detection in Critical Infrastructure Based on Mininet Network Simulator Giuseppe Bernieri1 , Federica Pascucci1 , and Javier Lopez2 1 Department of Engineering University “Roma Tre”, Italy. {gbernieri,fpascucci}@uniroma3.it 2 Network, Information and Computer Security Lab University of Malaga, 29071 Malaga, Spain. jlm@lcc.uma.es Abstract In this paper, a highly-configurable network anomaly detection system for Critical Infrastructure scenarios is presented. The Mininet virtual machine environment has been used in this framework to simulate an Industrial Control System network and to replicate both physical and cyber components. Finally, a cyber-attack has been implemented for showing both the effectiveness and capability of the proposed network security system. 1 Introduction The complex systems providing fundamental services to the societies and contributing to pop- ulation well-being are called Critical Infrastructures (CIs). Examples of these systems are power grids, nuclear plants, telecommunication networks, and water distribution systems. The control architectures for CIs are related to industrial applications on large geographical scale including multiple processing sites. For this reason, the Supervisory Control And Data Acqui- sition (SCADA) system, an Industrial Control System (ICS), represents the preferred remote monitoring and control architecture. Over the past few decades, the ICS evolution follows the Information Technology (IT) trend, resulting in a huge performance improvement as well as the increase of new cyber threats. In the last decade, Stuxnet [1] and DuQu [2] malware and Maroochy Shire [3] cyber-attack represent famous cyber events against CI scenario. More re- cently, a cyber-attack to several power grids in Ukraine led to energy distribution failure [4]. In literature, different solutions, mainly devoted to the protection of the telecommunication infrastructure, have been presented. However, given the several heterogeneous interdependen- cies and the presence of several industrial communication protocols, a general solution for CIs protection, is still far to be achieved. To cope with these problems firewalls and signature-based Intrusion Detection Systems (IDSs) need to be integrated by anomaly-based detection methods. In this paper, an ad hoc Anomaly Detection System (ADS) for SCADA systems in CI scenarios is presented. By performing the CI network behaviour analysis in nominal conditions, it is possible to build a network profile that can be exploited to detect anomalies. The virtual environment Mininet [5] is used for simulating a water distribution system and a cyber-attack against the simulated system is performed for evaluating the proposed security architecture. The paper is organised as follows. In Section 2 related work and contributions are discussed. In Section 3 a basic SCADA system architecture for the simulation with the Mininet environ- ment is presented. In Section 4 the basic case study, a water tower system, is described. The Anomaly Detection System conceived is presented in Section 5 and the experimental set-up with the results are detailed in Section 6. Conclusions and future works are drawn in Section 7. 116 2 Related Work In literature, different approaches have been proposed for network anomaly detection. A first review of anomaly-based IDSs considering the different methodologies applied in generic commu- nication systems has been proposed in [6]. In [7] an analysis of most important anomaly-based IDSs is performed: the Authors propose a taxonomy based on four categories: classification, statistical, clustering, and information theory. In [8] the Authors extend the Snort [9] signature-based IDS by including a preprocessor for anomaly-based detection. A statistical model of the regular traffic is generated by the anomaly-based IDS for detecting deviations from the nominal behaviour. In particular, a cam- pus network traffic is considered. However, no cyber-attacks or industrial control networks are taken into account. In [10] an anomaly-based IDS is proposed considering message repetition and timing information. The Authors exploit data coming from real ICS networks; however they were not able to apply the proposed approach to datasets containing malicious traffic. The authors limit their work to a discussion on general cyber-attacks without performing ex- perimental validation. In [11], the Authors present an anomaly detection system designed to identify irregular deviations in SCADA control register values. The used approach is based on the analysis of real Modbus over Transmission Control Protocol (TCP) traffic collected from SCADA system. No attacks are present against the system network and only the false alert rate is evaluated. In [12] a behaviour-based IDS for Smart Grid based on the IEC 61850 pro- tocol is presented. The Authors adopt real network traffic data captured from South Korean digital substation environment. An auto-associative kernel regression model coupled with the Statistical Probability Ratio Test is used in [13]. A payload analysis method is proposed in [14] where the Bro [15] security monitor is used as network sensor. The aim of this contribution is to provide an ADS and validate it in a simulation environ- ment. Specifically, a CI SCADA networked system is simulated and the proposed tool is tested under a cyber-attack. The added value is represented by the flexibility of the proposed detection scheme. In this paper, preliminary results are presented in the framework of Cyber-Physical security for CI scenarios. 3 SCADA system architecture for Mininet simulation One of the novelties of this paper is represented by the use of Mininet for the simulation of CIs networks. Mininet is a virtual network running on a single machine used for generic communication system simulations and it represents a useful tool for research and development in the cyber domain. With the Mininet Virtual Machine (VM) it is possible to simulate multiple nodes on a network and connect them with virtual links and switches. Every node simulates a stand-alone machine with own network features. Moreover, Mininet is useful to develop and simulate Software-Defined Networking (SDN) systems, an attractive architecture that allows to handle network services in a flexible and dynamic way. The versatility of Mininet grants to simulate complex network systems, using several communication protocols. The peculiar features of the nodes connected to the network are developed in python scripting and all the tools installed on the Mininet host can be used by the simulated network nodes. In Fig. 1 the implemented SCADA architecture is shown. Each component of the archi- tecture is simulated by network nodes on the Mininet VM. In the SCADA system scenario, the Field Layer is represented by the physical process and the Programmable Logic Controller (PLC). The latter is connected to the water level sensors for read operations and it communi- cates with the Control Center by a Local Area Network (LAN). The Control Center is composed 117 Figure 1: SCADA system to Mininet VM, the basic architecture implemented. by a Human Machine Interface (HMI) and Monitors. This simple architecture has been de- signed to verify effectiveness of Mininet in simulating a SCADA system. According to this approach, more complex networked ICSs can be considered. It is worth to highlight that inside a network node it is possible to simulate physical processes in order to emulate the Field Layer of a SCADA system. 4 Case study: water tower simulation In this paper, a water tower system has been simulated using Mininet VM. In [16, 17, 18, 19] the Authors exploit water distribution system testbeds to design cyber security solutions and physical faults detection strategies. In this work, the same approach has been considered. A water tower is a structure located in an elevated place to provide potable water to cos- tumers. This infrastructure is able to provide water also in emergency situation, e.g. without electric energy, since its operation is based on gravity. The system simulation is represented by filling up and emptying the tank according to physical laws (i.e., the law of conservation of mass and the Torricelli law). In Fig. 2, a simplified water tower is shown. The relation describing the process of filling up and emptying the tank are Aḣ(t) = QIN − QOU T (1) p QOU T = a 2gh(t) (2) p QIN a 2gh(t) ḣ(t) = − (3) A A where QIN and QOU T are the incoming and outgoing flows, m3 /s; A and a are respectively the tank and output hole sections; h(t) represents the water level and g is the gravity acceleration. The model of the system has been created using MATLAB/Simulink (see Fig. 3) and later ported into the Mininet virtual machine using python scripting. In order to reproduce the behaviour of a CI scenario, a SCADA system has been considered as monitoring and control architecture for the simulated water system. With the exception of 118 Figure 2: Tank considered for the scenario. Figure 3: Simulink model. analogues reads simulated inside the PLC node, all the communications between the nodes have been implemented using the Modbus over TCP [20]. The Modbus/TCP has been selected and implemented for the communication routines to create a more realistic simulation. The Modbus is widely used as network protocol in the industrial manufacturing environments. In its version that involves the use of TCP, it is possible to take advantage of the easy implementation. 5 Anomaly Detection System (ADS) There are many different tools allowing security solutions on networks. However, in the frame- work of ICS and networked CIs, the classic cyber security methods, adopted in IT, do not represent an ideal solution. Signature-based IDSs, for example, perform a safety check of the traffic based on static rules but are not able to identify a Zero-Day attack since they do not con- 119 Figure 4: ADS schema. sider a dynamic analysis of the network. The Zero-Day attacks, indeed, are cyber-threats that take advantage of vulnerabilities that are not yet identified and represent the highest threat for ICSs. This kind of attacks can be identified by analysing the behaviour of the network that in the case of CIs is repetitive, according to the processes that are carried out (e.g., read sensors, send commands to actuators, etc.): this represents an advantage in terms of anomalies analysis on the network. Unlike traditional IDSs that integrate the entire identification module in a single tool, the ADS presented in this paper includes the following components, as shown in Fig. 4: • Network Analyser Component (NAC): this component analyses and filters the network traffic in order to save the packets of interest into a Packet Capture file (PCAP file) for a predefined period. This module is executed in a nominal condition without undergoing attacks or anomalous situations. Multiple PCAP files of the same operations are stored to better determine the normal behaviour patterns. The time required depends on the period of the system. For example, if control operations of a production chain are repeated daily, it will be necessary to save the 24-hour network behaviour. In a similar way, for a water CI system, if cyclic monitoring and control operations that last one week are identified, it will be necessary to save the network traffic for a week to evaluate the normal behaviour; • Network Profile Generator (NPG): this component uses the network traffic saved by the NAC to generate a profile of the normal network behaviour. The way in which the profile is generated represents the most important aspect of the anomaly detection fulfilment. The more accurate the model, the more it will be possible to identify system faults on the network traffic. In contrast to the anomaly detection tools presented in the literature, the NPG strength is represented by configuration possibilities: this allows to easily adapt the proposed system to any network for the anomalies analysis. Moreover, this module can extract necessary data from the network traffic, in particular, it is possible to select any traffic characteristic of the protocol under analysis in order to provide ad hoc anomaly detection solutions. This feature represents a valuable option for CI security research scenarios due to the adaptability requirements. The NPG input are the PCAP files and the output is a Comma Separated Values (CSV) file containing the network profile data; • Anomaly Detection Engine (ADE): once the creation of the network profile is completed, this is used for the anomaly detection active task. The ADE analyses the traffic and 120 Figure 5: Mininet topology. compares it at regular intervals with the set of parameters generated from the NPG. The ADE generates an alert when: η(i) > η ? (i) + δ(i) (4) where: η(i) is the i-th value of the parameter considered for anomaly detection derived from the analysis of the actual network traffic, η ? (i) represents the i-th value of the relative parameter stored in the profile file, whereas δ(i) is an uncertainty value chosen to mitigate false detection probability. The inputs of this component are the CSV profile file and the up-to-date network traffic. The outputs are the alerts displayed on the monitor for the security human operator, which simultaneously are saved into a log file. The NAC and the NPG modules run before ADE, however it is possible to regenerate the PCAP file and the CSV file, whenever necessary to update the profile of the network. 6 Experimental set-up and results In this section the experimental set-up of Mininet VM used for the simulation of a physical CI process is presented. The ADS for the anomalies analysis is deployed in this network and the results of anomaly detection active phase are evaluated during a cyber-attack. The network topology, including the attacker, is shown in Fig. 5. The network is composed by PLC, configured as Modbus/TCP Server, two Monitors set as Modbus/TCP Clients, and a legacy switch enabling the communications among nodes. The ADS has been implemented on the Mininet host of the VM to analyse traffic without being part of the network. A network security analyser connected to the mirroring port of a switch has been simulated. Concerning the physical process, introduced in Sec. 4, the following parameters have been set: QIN = 10 m3 /s, A = 20 m2 , a = 0.5 m2 . The simulation lasts 60 s and it is depicted in Fig. 6. Concerning the network communications for this experiment, only the water level of the tank is monitored: to this end, industrial level sensors in the field layer are connected to the PLC, which controls the data. The PLC polls every second the value of the level sensor and forwards 121 Figure 6: Water level evolution simulation. Simulation Time (s) Simulation Description 0 PLC Server starts simulating sensor values read operations 5 Monitor 1 starts querying PLC for Read Input Registers data 30 Monitor 2 starts querying PLC for Read Input Registers data 60 Simulation Ends Table 1: Normal behaviour simulation routine. Simulation Time (s) Simulation Description 0 PLC Server starts simulating sensor values read operations 5 Monitor 1 starts querying PLC for Read Input Registers data 20 Attacker starts SYN Flood attack against the PLC 30 Monitor 2 starts querying PLC for Read Input Registers data 60 Simulation Ends Table 2: Attack behaviour simulation routine. them to the Monitors by using Modbus/TCP protocol. Therefore, every second the Clients send a query to the Server in order to receive the sensor reads. The Modbus Function Code implemented for the Query/Response operations is the Read Input Registers. As previously mentioned, the various components of the ADS need to be configured taking into account the particular system at hand. For this experiment, the analysing period of the NAC module is equal to the operating period (t = 60 s). The NPG configuration is the most critical part of the implementation: the parameters to be used for profiling the network need to be carefully chosen. For this experiment, the following parameters have been selected: Packet Timestamp, Read Input Register Query, Read Input Register Response, Total Modbus Packets, Total Packets. Subsequently, it has been decided to create a reference to the normal behaviour of the network considering every second of traffic analysed. In this way, n = 60 entries for the network traffic profile file have been generated with information on the parameters described above. Once the profile file has been created, the ADE is activated: it analyses every second of the network traffic and the parameters data taken into account are compared with those generated by the NPG module. For this experimental phase, a δ = 2 constant value has been chosen by considering the standard deviation of 10 nominal runs. 122 Figure 7: Network normal behaviour. Figure 8: Network under SYN Flood attack with ADS alerting. In order to assess the experimental behaviour of the ADS, cyber-attacks on the experimental network have been carried out to verify the effectiveness of the cyber security system. It is assumed that the attacker has succeeded to gain access to the network so he is connected as a normal node. The SYN Flood Attack has been considered: this cyber-attack represents a Denial-of-Service (DoS) method that exploits the TCP three-way handshake mechanism. Flooding TCP segments to a Server causes the SYN-RECEIVED state to reach the maximum admissible value. In this way, the legitimate clients are not able to connect to the server and this provokes a DoS behaviour [21]. The periodic simulation steps are described in the Tables 1 and 2. The two Monitors start communications at different times and the SYN Flood Attack attempts to avoid the initialisation of new connections between Client and Server, specifically the attacker aims to disconnect Monitor 2 from the Server. In Fig. 7 the SCADA network simulated traffic in nominal conditions is depicted. The blue line represents the packet captured over the time and the red line represents the profile dynamics generated by NPG. The Total Packets parameter is considered for this experiment. As shown, at t = 30 s, the Monitor 2 starts to query the Server and the network detects twice the number of packets/seconds. Once the network data acquisition and profile generation stages are completed, the ADE is 123 activated and starts to compare the actual network traffic with the profile previously created. In Fig. 8, the network traffic of the system under attack is represented. As it can be seen from the graph, at t = 20 s the cyber-attack starts and the actual network traffic exceeds the ADE security thresholds. The ADE module, indeed, compares the traffic every second and generates alerts along the whole period of attack. When the attack ends (t = 40 s), the traffic analysed drops below the ADE threshold. 7 Conclusions and future works In this paper, a network ADS designed for Critical Infrastructure scenarios is presented. This kind of tools generates a dynamic profile of the network and are able to identify cyber Zero-Day attacks. For the development and testing phase, Mininet VM environment has been adopted and it has been proved that industrial networks can be simulated by this software. Some preliminary results on the effectiveness of ADS under a cyber-attack have been presented. The tool proposed in this paper can be regarded as a starting point for the development of advanced cyber-physical protection systems, that are able to exploit classical fault detection approaches and network cyber security techniques. At the same time, it is possible to analyse the physical processes through the network and the ADS can integrate or even replace the classical fault detection tools available in the literature. The aim of this paper is to present preliminary results to validate the proposed architec- ture; hence, the setup considered here is too simple to provide insights on the impact of false positive/false negatives. Future work will be devoted to validate this scheme in a more com- plex environment so to analyse false positive and false negative reactions. Moreover, adaptive profiling methodologies will be used in the NPG module. Finally, software defined network will be adopted to implement software defined security. References [1] N. Falliere, L.O. Murchu, and E. Chien. W32. Stuxnet Dossier. Technical Report 1.4, Symantec, February 2011. [2] Symantec Security Response. W32. Duqu - The Precursor to the Next Stuxnet. Technical Report 1.4, November 2011. [3] J. Slay and M. Miller. Lessons Learned from the Maroochy Water Breach, volume 253 of IFIP, chapter Critical Infrastructure Protection - Part II, pages 73–82. Springer, 2008. [4] SANS and E-ISAC. Analysis of the Cyber Attack on the Ukrainian Power Grid. Technical report, 2016. [5] Mininet, An Instant Virtual Network on your Laptop (or other PC), www.mininet.org. [6] V. Jyothsna, V. V. Rama Prasad, and K. Munivara Prasad. A review of anomaly based intrusion detection systems. International Journal of Computer Applications, 28(7):26–35, 2011. [7] M. Ahmed, A. N. Mahmood, and J. Hu. A survey of network anomaly detection techniques. Journal of Network and Computer Applications, 60:19–31, 2016. [8] M. Szmit, A. Szmit, S. Adamus, and S. Bugala. Usage of Holt-Winters Model and Multilayer Perceptron in Network Traffic Modelling and Anomaly Detection. Informatica, 36(4), 2012. [9] M. Roesch et al. Snort: Lightweight Intrusion Detection for Networks. In LISA, volume 99, pages 229–238, 1999. [10] R. R. R. Barbosa, R. Sadre, and A. Pras. Exploiting traffic periodicity in industrial control networks. International journal of critical infrastructure protection, 13:52–62, 2016. 124 [11] N. Erez and A. Wool. Control variable classification, modeling and anomaly detection in Mod- bus/TCP SCADA systems. International Journal of Critical Infrastructure Protection, 10:59–70, 2015. [12] Y. Kwon, H. K. Kim, Y. H. Lim, and J. I. Lim. A behavior-based intrusion detection technique for smart grid infrastructure. In PowerTech, 2015 IEEE Eindhoven, pages 1–6. IEEE, 2015. [13] D. Yang, A. Usynin, and J. Hines. Anomaly-based intrusion detection for SCADA systems. In 5th intl. topical meeting on nuclear plant instrumentation, control and human machine interface technologies (npic&hmit 05), pages 12–16. Citeseer, 2006. [14] P. Düssel, C. Gehl, P. Laskov, J.-U. Bußer, C. Störmann, and J. Kästner. Cyber-critical infras- tructure protection using real-time payload-based anomaly detection. In International Workshop on Critical Information Infrastructures Security, pages 85–97. Springer, 2009. [15] IDS Bro. Homepage: http://www.bro-ids.org. [16] E. E. Miciolino, F. Pascucci, J. Lopez, M.M. Polycarpou, and R. Setola. FACIES: a Testbed for Distributed Fault and Attack Identification in Interdependent Critical Infrastructures. In 2nd International SCADALab Workshop, Seville (Spain), 2014. [17] E. E. Miciolino, G. Bernieri, F. Pascucci, and R. Setola. Communications network analysis in a SCADA system testbed under cyber-attacks. In Telecommunications Forum Telfor (TELFOR), 2015 23rd, pages 341–344. IEEE, 2015. [18] C. Heracleous, E. Etchevés Miciolino, R. Setola, F. Pascucci, D.G. Eliades, G. Ellinas, C.G. Panayiotou, and M.M. Polycarpou. Critical Infrastructure Online Fault Detection: Application in Water Supply Systems. In 9th CRITIS Conference, Limassol (Cyprus), 2014. [19] G. Bernieri, F. Del Moro, L. Faramondi, and F. Pascucci. A Testbed for Integrated Fault Diagnosis and Cyber Security Investigation. In 3rd International Conference on Control, Decision and Information Technologies, 2016. [20] Modbus Organization Inc. Modbus Messaging on TCP/IP Implementation Guide v.1.0b, 2006. [21] W. M. Eddy. SYN Flood Attack. In Encyclopedia of Cryptography and Security, pages 1273–1274. Springer, 2011. 125