![Page 1: VisualizingNetworkFlowsandRelated … · 2020-05-09 · - Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting Author: M. Iturbe,](https://reader034.vdocuments.net/reader034/viewer/2022050513/5f9d8a517785664c4b58f128/html5/thumbnails/1.jpg)
Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting
M. Iturbe, I. Garitano, U. Zurutuza, R. Uribeetxeberria
Electronics & Computing Department, Faculty of Engineering, Mondragon University
IVAPP 2016, Rome, Italy
Introduction | System Description | Results | Conclusions
Agenda
1. Introduction
2. System Description
3. Results
4. Conclusions
2
Introduction.
Industrial Control Systems
CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz
[Figure: layered industrial network architecture; labels recovered from the slide]
Network zones: Fieldbus Network, Control Network, Demilitarized Zone, Corporate Network, Internet.
Components: PLCs, HMI, Control Server, Engineering Workstation, Historian / Data Server, Field equipment, Workstations, Corporate Servers.
Device classes (side labels): Field Devices, Field Controllers, Supervisory Devices.
ICS vs. IT
| | Industrial Networks | IT Networks |
|---|---|---|
| Main Purpose | Control of physical equipment | Data processing and transmission |
| Failure Severity | High | Low |
| Reliability Required | High | Moderate |
| Determinism | High | Low |
| Data Composition | Small packets of periodic and aperiodic traffic | Large, aperiodic packets |
| Average Node Complexity | Low (simple devices, sensors, actuators) | High (large servers/file systems/databases) |
Whitelisting
Refers to the practice of registering the set of network flows that are allowed in a network, raising an alarm or disallowing connections that have not been explicitly allowed.
Whitelisting
• Recommended security measure by the industry.
• Barbosa et al. [1] demonstrated its efficiency in detecting flow anomalies.
Chord diagrams
Chord diagrams
• Conceived initially for genomics
• Previous usage in security visualizations:
  • ADS visual comparison [4]
  • Relationships between phishing websites [3]
  • Relationships between IT subnets [2]
Objectives
• Gaps in related literature
  • No security visualizations for Industrial Networks
  • Previous works based on whitelisting only detect forbidden connections
• Objectives
  • Provide situational awareness through flow visualizations
  • Design a visual flow anomaly detection system
  • Detect flow anomalies through temporal whitelists
  • Visually highlight detected anomalies
System Description.
Overview
[Figure: system overview; labels recovered from the slide]
Source: Industrial Network, observed through a Flow Collector.
Phases: Learning phase (offline), Detection phase (online), Visualization phase.
Data passed between stages: flow packets, flow data / network flows, whitelists, tagged flows, chord diagrams.
Learning Phase
• Whitelists are formed from the detected network traffic.
  • Source/destination IP, server port, IP protocol and packet number
• Whitelists of variable time length.
Detection Phase
• The system evaluates and tags incoming flows by comparing them to the whitelists
• Types of tags:
  • Legitimate flow
  • Anomalous flow
  • Incorrect port
  • Incorrect protocol
  • Absent flow
  • Anomalous flow size
• The system triggers an alarm if a non-legitimate flow is detected
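The learning and detection phases described on the two preceding slides, as an added example written for this page (not the authors' code). The whitelist keeps, per source/destination pair, the allowed (server port, IP protocol) services and the observed packet-count range, and each flow in a later window receives one of the slide's six tags. The entry layout, the SIZE_TOLERANCE factor, the precedence between "incorrect protocol" and "incorrect port", and every address and packet count are assumptions constructed for the example.

```python
"""Learning-phase whitelist and detection-phase tagging (hypothetical
reimplementation of the slides' description; not the authors' code)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str      # source IP
    dst: str      # destination IP
    port: int     # server port
    proto: int    # IP protocol number (6 = TCP, 17 = UDP)
    packets: int  # packet count of the flow record


class Entry:
    """Whitelist entry for one src -> dst pair (structure is an assumption)."""

    def __init__(self) -> None:
        self.services = set()         # allowed (port, proto) pairs
        self.min_pkts = float("inf")  # learned packet-count range
        self.max_pkts = 0

    def add(self, f: Flow) -> None:
        self.services.add((f.port, f.proto))
        self.min_pkts = min(self.min_pkts, f.packets)
        self.max_pkts = max(self.max_pkts, f.packets)


Whitelist = Dict[Tuple[str, str], Entry]

# Assumption: a flow is oversized/undersized when it lies outside the learned
# range by more than this factor. The slides give no threshold.
SIZE_TOLERANCE = 2.0


def learn_whitelist(training: List[Flow]) -> Whitelist:
    """Learning phase: every flow observed in the training window is allowed."""
    wl: Whitelist = defaultdict(Entry)
    for f in training:
        wl[(f.src, f.dst)].add(f)
    return dict(wl)


def tag_flow(wl: Whitelist, f: Flow) -> str:
    """Detection phase: compare one incoming flow against the whitelist."""
    entry = wl.get((f.src, f.dst))
    if entry is None:
        return "anomalous flow"                  # host pair never seen
    if (f.port, f.proto) not in entry.services:
        known_protos = {proto for _, proto in entry.services}
        # Assumed precedence: an unknown protocol is reported before an unknown port
        return "incorrect protocol" if f.proto not in known_protos else "incorrect port"
    if (f.packets > entry.max_pkts * SIZE_TOLERANCE
            or f.packets < entry.min_pkts / SIZE_TOLERANCE):
        return "anomalous flow size"
    return "legitimate flow"


def tag_window(wl: Whitelist, window: List[Flow]) -> List[Tuple[str, str, str]]:
    """Tag every flow of a time window and add 'absent flow' for whitelisted
    pairs that produced no traffic at all in that window."""
    tagged = [(f.src, f.dst, tag_flow(wl, f)) for f in window]
    seen = {(f.src, f.dst) for f in window}
    for src, dst in wl:
        if (src, dst) not in seen:
            tagged.append((src, dst, "absent flow"))
    return tagged


def alarm(tagged: List[Tuple[str, str, str]]) -> bool:
    """An alarm is raised if any non-legitimate flow is present."""
    return any(tag != "legitimate flow" for _, _, tag in tagged)


# Constructed sample data: addresses and counts are made up for the example.
HMI1, PLC1, PLC2, ENG, HIST, CTRL = ("10.0.0.21", "10.0.0.11", "10.0.0.12",
                                     "10.0.0.40", "10.0.0.30", "10.0.0.25")
TRAINING = [
    Flow(HMI1, PLC1, 502, 6, 120), Flow(HMI1, PLC1, 502, 6, 130),
    Flow(HMI1, PLC1, 502, 6, 110),                      # HMI polling a PLC over TCP/502
    Flow(HIST, CTRL, 44818, 6, 500), Flow(HIST, CTRL, 44818, 6, 520),
    Flow(ENG, PLC1, 502, 6, 40), Flow(ENG, PLC1, 502, 6, 50),
]
WINDOW = [
    Flow(HMI1, PLC1, 502, 6, 125),    # legitimate
    Flow(HIST, CTRL, 44818, 6, 510),  # legitimate
    Flow(ENG, PLC2, 502, 6, 40),      # pair not in the whitelist
    Flow(HMI1, PLC1, 502, 17, 10),    # UDP where only TCP was learned
    Flow(HMI1, PLC1, 80, 6, 30),      # server port never learned for this pair
    Flow(HMI1, PLC1, 502, 6, 5000),   # far above the learned packet range
]                                     # ENG -> PLC1 does not appear: absent flow


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Group the tagged pairs of the sample window by tag."""
    wl = learn_whitelist(TRAINING)
    grouped: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, tag in tag_window(wl, WINDOW):
        grouped[tag].append((src, dst))
    return dict(grouped)


if __name__ == "__main__":
    for tag, pairs in demo().items():
        print(f"{tag:20s} {pairs}")
```

Because whitelists are of variable time length, the "absent flow" tag only makes sense when the detection window is at least as long as the period of the slowest whitelisted flow; a window shorter than a host's polling interval would report every periodic flow as missing.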
Visualization Phase
• The system builds the diagrams based on the tagged flows:
  • A host → a section of the circumference
  • Each host type has a distinctive color group
  • A bidirectional flow → a chord
  • Chords inherit the color of the more active host in the communication
• Highlights non-legitimate flows:
  • Missing flows, in black
  • The rest, in red
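The mapping rules above turned into the data a chord layout consumes, as an added example for this page (not the authors' D3 code). It produces a host list with one colour group per host type, a symmetric host-by-host flow matrix (the shape `d3.chord()` takes as input) and one colour per chord: black for a missing flow, red for any other non-legitimate flow, otherwise the colour of the more active host, which this example interprets as the host that sent more packets within the pair. The palette, the host addresses, the packet counts and the use of the whitelisted count as the weight of a missing chord are assumptions.

```python
"""Visualization-phase data model for a chord diagram (added example; the
palette, interpretation of "more active" and sample flows are assumptions)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Assumed palette: one colour group per host type.
TYPE_COLORS = {"PLC": "#1f77b4", "HMI": "#2ca02c", "Engineering": "#ff7f0e"}
MISSING, ANOMALOUS = "#000000", "#ff0000"   # black for absent, red for the rest


class TaggedFlow(NamedTuple):
    src: str
    dst: str
    packets: int  # for an absent flow: the whitelisted count, so the chord still has width
    tag: str      # one of the detection-phase tags


def pair_key(a: str, b: str) -> Tuple[str, str]:
    """Order-independent key so both directions of a flow share one chord."""
    return (a, b) if a <= b else (b, a)


def build_chord_data(hosts: Dict[str, str], flows: List[TaggedFlow]) -> dict:
    """hosts maps IP -> host type. Returns names, group colours, the symmetric
    matrix and a colour per chord keyed by pair_key."""
    names = sorted(hosts)
    idx = {ip: i for i, ip in enumerate(names)}
    n = len(names)
    matrix = [[0] * n for _ in range(n)]
    sent: Dict[Tuple[Tuple[str, str], str], int] = defaultdict(int)  # packets sent per host within a pair
    tags: Dict[Tuple[str, str], set] = defaultdict(set)

    for f in flows:
        key = pair_key(f.src, f.dst)
        i, j = idx[f.src], idx[f.dst]
        matrix[i][j] += f.packets
        matrix[j][i] += f.packets          # bidirectional flow -> one symmetric chord
        sent[(key, f.src)] += f.packets
        tags[key].add(f.tag)

    chord_colors: Dict[Tuple[str, str], str] = {}
    for (a, b), tagset in tags.items():
        if "absent flow" in tagset:
            chord_colors[(a, b)] = MISSING
        elif tagset != {"legitimate flow"}:
            chord_colors[(a, b)] = ANOMALOUS
        else:
            active = a if sent[((a, b), a)] >= sent[((a, b), b)] else b
            chord_colors[(a, b)] = TYPE_COLORS[hosts[active]]

    return {
        "names": names,
        "group_colors": [TYPE_COLORS[hosts[ip]] for ip in names],
        "matrix": matrix,
        "chord_colors": chord_colors,
    }


def is_symmetric(matrix: List[List[int]]) -> bool:
    return all(row[j] == matrix[j][i] for i, row in enumerate(matrix) for j in range(len(row)))


# Constructed sample: two PLCs, one HMI and one engineering workstation.
HOSTS = {"10.0.0.11": "PLC", "10.0.0.12": "PLC",
         "10.0.0.21": "HMI", "10.0.0.40": "Engineering"}
FLOWS = [
    TaggedFlow("10.0.0.21", "10.0.0.11", 125, "legitimate flow"),  # HMI requests to PLC1
    TaggedFlow("10.0.0.11", "10.0.0.21", 250, "legitimate flow"),  # PLC1 responses (more active)
    TaggedFlow("10.0.0.40", "10.0.0.12", 40, "anomalous flow"),    # pair not whitelisted -> red
    TaggedFlow("10.0.0.40", "10.0.0.11", 45, "absent flow"),       # expected but missing -> black
]

if __name__ == "__main__":
    data = build_chord_data(HOSTS, FLOWS)
    for row in data["matrix"]:
        print(row)
    for pair, colour in data["chord_colors"].items():
        print(pair, colour)
```

The matrix and `group_colors` map directly onto a chord layout's groups, while `chord_colors` is looked up with the two endpoint names of each chord when it is drawn, so a red or black chord stands out against the host-type colour groups of legitimate traffic.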
Visualization Phase
(a) Forbidden flow between PLC 1 and HMI 2.
(b) Detail of the forbidden flow.
Results.
Test network
[Figure: test network topology; labels recovered from the slide: Switch 1, Switch 2, Gateway]
Tools
• NetFlow v5
• Logstash
• ElasticSearch
• D3
Denial of Service
Network scan
Downed host
Conclusions.
Conclusions
• We propose a visual monitoring system based on whitelists and chord diagrams for ICSs.
• Collected flows in a time window are tagged and visualized.
  • Highlighting anomalous ones.
Future work
• Distinguish more anomalous flow types.
• Research into re-creating whitelists and the consequences of editing them.
Thank you.
{miturbe,igaritano,uzurutuza,ruribeetxeberria}@mondragon.edu
References I
[1] Rafael Ramos Regis Barbosa, Ramin Sadre, and Aiko Pras. Flow Whitelisting in SCADA Networks. International Journal of Critical Infrastructure Protection, 6(3):150–158, 2013.
[2] Siming Chen, Cong Guo, Xiaoru Yuan, Fabian Merkle, Hanna Schaefer, and Thomas Ertl. OCEANS: online collaborative explorative analysis on network security. In Proceedings of the Eleventh Workshop on Visualization for Cyber Security, pages 1–8. ACM, 2014.
References II
[3] Robert Layton, Paul Watters, and Richard Dazeley. Unsupervised authorship analysis of phishing webpages. In Communications and Information Technologies (ISCIT), 2012 International Symposium on, pages 1104–1109. IEEE, 2012.
[4] Johan Mazel, Romain Fontugne, and Kensuke Fukuda. Visual comparison of network anomaly detectors with chord diagrams. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, pages 473–480. ACM, 2014.