Passive inference of attacks on CPS communication protocols

Abstract

The security of Cyber-Physical Systems (CPS) has been recently receiving significant attention from the research community. While the majority of such attention originates from the control theory domain, few approaches have addressed the problem from the practical perspective. In this work, we do not claim that we propose a particular solution to a specific problem related to CPS security, but rather present a first look into what can help shape these solutions in the future. Indeed, our vision and ultimate goal is to attempt to merge or at least diminish the gap between highly theoretical solutions and practical approaches derived from insightful empirical experimentation, for securing CPS. Motivated by the scarcity of malicious empirical data that can be captured, inferred and analyzed from within operational CPS settings, this paper adopts a unique approach to derive notions of CPS maliciousness based on passive measurements and analysis. Indeed, by scrutinizing unsolicited real traffic targeting routable, allocated but unused Internet Protocol (IP) addresses (i.e., darknet traffic), we shed the light on attackers� intentions and actual attacks targeting ample of CPS communication and control protocols. To permit such analysis, we initially devise and evaluate a novel probabilistic model that aims at filtering noise (i.e., misconfiguration traffic) that is embedded in darknet traffic. Subsequently, a near real-time inference algorithm is designed and implemented to detect CPS probing and denial of service activities. To this end, we characterize such misdemeanors in terms of their types, their frequency, their target protocols and possible orchestration behavior. The outcome demonstrate a staggering 16 thousand scanning attempts and close to 8 thousand denial of service attacks on various CPS protocols. Further, the results uncover stealthy probing activities targeting proprietary CPS protocols and clusters of coordinated unsolicited activities. We concur that the devised approaches, techniques, and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents. As such, we hope that this paper motivates the literature to design secure and tailored CPS models that leverage tangible attacks and vulnerabilities inferred from empirical measurements, to achieve truly reliable and secure CPS.