Section: New Results

Analytics

CPS Security Analytics

Participants: Abdelkader Lahmadi [contact], Mingxiao Ma, Isabelle Chrisment.

During 2019, we evaluated a novel type of attack, named the Measurement as Reference (MaR) attack, on the cooperative control and communication layers of microgrids. The attacker targets the communication links between distributed generators (DGs) and manipulates the reference voltage data exchanged by their controllers. We assessed its impact on reference voltage synchronization at the different control layers of a microgrid. The results and the development of an experimental platform are presented in [18], which demonstrates this attack, in particular the maximum voltage deviation and the inaccurate reference voltage synchronization it causes in a microgrid. Machine learning algorithms are also applied to the datasets collected on this platform to detect this attack.

Optimal and Verifiable Packet Filtering in Software-Defined Networks

Participants: Abdelkader Lahmadi [contact], Ahmad Abboud, Michael Rusinowitch [Pesto team], Miguel Couceiro [Orpailleur team], Adel Bouhoula [Numeryx].

Packet filtering is widely used in networking appliances and applications, in particular to block malicious traffic (protection of network infrastructures through firewalls and intrusion detection systems). It is also widely deployed on routers, switches and load balancers for packet classification. The mechanism relies on the packet's header fields and filters traffic using range rules over IP addresses or ports. However, the set of packet filters has to handle a growing number of connected nodes, many of which are compromised and used as sources of attacks. For instance, IP filter sets available in blacklists may reach several million entries and may require a large memory space for their storage in filtering appliances. In [40], [39], we proposed a new method based on a double mask IP prefix representation, together with a linear transformation algorithm, to build a minimized set of range rules. We formally defined the double mask representation over range rules and proved that the number of masks required for any range is at most 2w-4, where w is the length of the field. This representation makes the network more secure, more reliable and easier to maintain and configure. We showed empirically that the proposed method achieves an average compression ratio of 11% on real-life blacklists and up to 74% on synthetic range rule sets. Finally, we added support for double masks to a real SDN network.
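To make the representation concrete, here is an added illustration (not the code of [40], [39]) of a range over a w-bit header field encoded as classic single-mask prefixes and as double masks, taken here to mean "match prefix P but not its sub-prefix Q". The construction is a deliberately simplified one rather than the papers' linear transformation, and every encoding is verified against the range by brute force; the rule tuples, function names and the 8-bit and 4-bit sample ranges are this example's own assumptions.

```python
# Added illustration, not the cited papers' code; the construction below is simplified.
def is_prefix(lo, hi):               # one prefix iff size is a power of two and lo is aligned
    size = hi - lo + 1
    return size & (size - 1) == 0 and lo % size == 0

def plen_of(size, w):                # prefix length of an aligned block of `size` values
    return w - size.bit_length() + 1

def range_to_prefixes(lo, hi, w):    # classic greedy split into (value, prefix_len) masks
    out = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, plen_of(size, w)))
        lo += size
    return out

def dm_matches(x, rule, w):
    """rule = (pv, plen, xv, xlen): x is in pv's plen-bit prefix and, if xlen is set, not in xv's xlen-bit one."""
    pv, plen, xv, xlen = rule
    if x >> (w - plen) != pv >> (w - plen):
        return False
    return xlen is None or x >> (w - xlen) != xv >> (w - xlen)

def range_to_double_masks(lo, hi, w):
    """Halve the smallest covering prefix; use 'half minus one excluded prefix' where that works."""
    if is_prefix(lo, hi):
        return [(lo, plen_of(hi - lo + 1, w), 0, None)]
    shift = (lo ^ hi).bit_length()                     # bits below the longest common prefix
    plen = w - shift                                   # covering prefix = top plen bits
    base = (lo >> shift) << shift
    mid, top = base + (1 << (shift - 1)), base + (1 << shift) - 1
    rules = []
    if lo == base or is_prefix(base, lo - 1):          # left half [base, mid - 1]
        rules.append((base, plen + 1, base, None if lo == base else plen_of(lo - base, w)))
    else:
        rules += [(v, l, 0, None) for v, l in range_to_prefixes(lo, mid - 1, w)]
    if hi == top or is_prefix(hi + 1, top):            # right half [mid, top]
        rules.append((mid, plen + 1, hi + 1, None if hi == top else plen_of(top - hi, w)))
    else:
        rules += [(v, l, 0, None) for v, l in range_to_prefixes(mid, hi, w)]
    return rules

def compare_encodings(lo, hi, w):    # (single_mask_count, double_mask_count), brute-force verified
    rules = range_to_double_masks(lo, hi, w)
    matched = {x for x in range(1 << w) if any(dm_matches(x, r, w) for r in rules)}
    assert matched == set(range(lo, hi + 1)), "double masks do not match the range"
    return len(range_to_prefixes(lo, hi, w)), len(rules)
```

On the 8-bit range [1, 254], `compare_encodings(1, 254, 8)` returns 14 single masks against 2 double masks (0/1 minus 0/8 and 128/1 minus 255/8), the worst case for plain prefixes.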

Port Scans Analysis

Participants: Jérôme François [contact], Frederic Beck, Sofiane Lagraa [University of Luxembourg], Yutian Chen [Telecom Nancy], Laurent Evrard [University of Namur], Jean-Noël Colin [University of Namur].

TCP/UDP port scanning or sweeping is one of the most common techniques used by attackers to discover accessible and potentially vulnerable hosts and applications. Although extracting and distinguishing different port scanning strategies is a challenging task, identifying dependencies among probed ports is essential for profiling attacker behaviors, with the final goal of mitigating them better. In [6], we proposed an approach that tracks port scanning behavior patterns across multiple probed ports and identifies intrinsic properties of the observed groups of ports. Our method is fully automated and based on graph modeling and data mining techniques, including text mining. It provides security analysts and operators with relevant information about services that are jointly targeted by attackers. This helps to assess the attacker's strategy, such as understanding the types of applications or environments she targets. We applied our method to data collected through a large Internet telescope (or darknet).

In addition, we leveraged this knowledge to improve the data analysis techniques applied to network traffic monitoring. Network traffic monitoring is essential to network operations and management for many purposes, such as Quality-of-Service or security. However, one major difficulty when dealing with network traffic data (packets, flows...) is the poor semantics of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port number...). Many attributes can be represented as numerical values but cannot be mapped to a meaningful metric space. The most notable example is application port numbers: they are numerical, but comparing them as integers is meaningless. In [13], [12], we propose a fine-grained, attacker-behavior-based network port similarity metric that allows traffic analysis to take semantic relations between port numbers into account. The behavior of attackers is derived from passive observation of a darknet or telescope and aggregated in a graph model, from which a semantic dissimilarity function is defined. We demonstrated the validity of this function on real-world network data, using it to proactively block 99% of TCP scans.
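As an added illustration of the graph model described above (not the authors' code, and not the dissimilarity function of [13], [12]), the block below builds a port graph from constructed darknet-style records, where an edge weight counts the sources that probed both ports, and derives a simple dissimilarity from it: one minus the fraction of sources probing either port that probed both. The records, addresses and the Jaccard-style metric are this example's own assumptions.

```python
# Added illustration, not the authors' code; the metric is an assumed stand-in for the paper's.
from itertools import combinations

# Constructed darknet-style records: (source address, probed TCP port).
SCANS = [
    ("203.0.113.5", 80), ("203.0.113.5", 443), ("203.0.113.5", 8080),
    ("203.0.113.9", 80), ("203.0.113.9", 443),
    ("198.51.100.2", 22), ("198.51.100.2", 2222),
    ("198.51.100.7", 22), ("198.51.100.7", 3389),
    ("198.51.100.8", 3389), ("198.51.100.8", 80),
]

def port_graph(records):
    """Nodes: ports with the number of distinct sources probing them;
    edges (a, b) with a < b: number of sources that probed both a and b."""
    by_src = {}
    for src, port in records:
        by_src.setdefault(src, set()).add(port)
    count = {port: 0 for _, port in records}
    edges = {}
    for ports in by_src.values():
        for p in ports:
            count[p] += 1
        for a, b in combinations(sorted(ports), 2):
            edges[(a, b)] = edges.get((a, b), 0) + 1
    return count, edges

def dissimilarity(graph, a, b):
    """1 - |sources probing both| / |sources probing either|: 0 means always scanned together."""
    count, edges = graph
    shared = edges.get((min(a, b), max(a, b)), 0)
    return 1.0 - shared / (count[a] + count[b] - shared)

def closest_ports(graph, port):
    """Other ports ranked by increasing dissimilarity to `port` (ties broken by port number)."""
    count, _ = graph
    return sorted((p for p in count if p != port),
                  key=lambda p: (dissimilarity(graph, port, p), p))
```

With these records, 80 and 443 are close (two of the three sources that hit either probed both), while 80 and 22 are never probed by the same source and sit at the maximum distance of 1.0.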