Security Experimentation Using Operational Systems

Ilker Ozcelik and Richard R. Brooks
The Holcombe Department of Electrical and Computer Engineering, Clemson University

Abstract

Computers and the Internet have become necessary tools in our professional, personal and social lives. This growing dependence brings a concern that these systems remain protected and available, and the concern is far greater for systems such as smart power grids. Research is therefore needed on effective ways of detecting system anomalies. For the results to be realistic, such studies should be tested on real systems, yet experiments of this kind cannot be run on a live network. Through a recent collaboration of universities and research labs, a new experimental test bed has been established, so experiments can now be carried out on real networks. In our study we design an experiment to analyze Distributed Denial of Service (DDoS) attacks on a real network with real Internet traffic; the approach generalizes readily to smart power grids. We use the Global Environment for Network Innovations (GENI) [3] test bed and the OpenFlow [4] open standard to analyze the attack. GENI makes it possible to work on real hardware, while OpenFlow lets us control low-level network devices. In this way we use real Internet traffic as background traffic and test on a real network without jeopardizing the operational network.

Problem Definition / Solution Proposal

Recent security incidents in industrial and energy systems, such as Stuxnet [1] and the Northeast US blackout [2], show that effective security methods are necessary to protect Supervisory Control And Data Acquisition (SCADA) systems. For realistic results, such studies should be tested on real systems, but these experiments cannot be run on operational systems. Theoretical studies are therefore mostly verified with computer simulations, which have two limitations:
- it is not possible to simulate the exact behavior of complex systems;
- some parameters of a system, such as Internet traffic, cannot be generated faithfully.
In this study we propose mirroring an operational network onto a parallel network on GENI and performing the experiments there. In the same way, a SCADA system and its data can be mirrored on the GENI test bed at scale, and theoretical studies can be verified on a real system without jeopardizing the original.

DDoS Experiment on Real Network

We investigate the impact of DDoS attacks on real networks without jeopardizing the operational network. A DDoS attack denies a network service to legitimate users by flooding it. The recent attacks on trusted financial websites, Mastercard and PayPal, illustrate the need to develop defenses against DDoS attacks.

Experiment Setup

We implement this experiment in cooperation with Clemson University's IT Department and use mirrored campus Internet traffic as background traffic. Communication between User A and User B is the legitimate traffic. Attackers flood the link between two OpenFlow-enabled switches. Two NetFPGAs in the setup collect data from the two sides of the link connecting the user machines (the server to the clients). The only data we collect is the number of packets and the number of bits in each time interval.

The traffic is mirrored to the NetFPGA ports using OpenFlow. The NetFPGA on the left of Figure 1 collects the background traffic and the legitimate traffic between User A and User B; the remote controller of the OpenFlow-enabled switches mirrors the relevant traffic to separate ports of that NetFPGA. The same controller is also programmed to split the background, legitimate, attack and total traffic and mirror each to a different port of the NetFPGA on the server side of the network.

Figure 1: DDoS Experiment Setup

SCADA Scenario on GENI

In this study we showed how to experiment on a real network with real data without jeopardizing the network or its functionality. The approach can be generalized to other systems and networks, such as SCADA systems and the smart power grid. Namely, one can create the control center, local sites and remote sites of a SCADA system on GENI by reserving the necessary resources, so that a SCADA system is mirrored on the GENI test bed at scale (Figure 3). Real data collected from the original system can also be replayed on the mirrored system. This makes it possible to develop better security countermeasures and to test worst-case scenarios for SCADA systems without jeopardizing the original system.

Figure 3: SCADA security test on GENI

Conclusion

Computers and networks are a crucial part of the control and coordination of critical infrastructures. Because of this growing dependence, we need a better understanding of these systems and of how they react under unexpected conditions, so there is a definite need for research and development of methods to analyze and protect them. To develop accurate and effective countermeasures against attacks we need to work on real networks using real data; GENI and OpenFlow make such studies possible.

DDoS Monitor Switch

NetFPGA is an open-source hardware and software platform for designing network devices [5]. The NetFPGA board carries a Xilinx FPGA and four Gigabit Ethernet ports, and basic reference designs for network devices are available, so the board can be programmed to act as different network devices. As a future study, we will use NetFPGA as a DDoS Monitor switch with a parallel DDoS detection stage: while the NetFPGA works as a switch at line rate, the computer it is connected to detects anomalies.

Figure 2: DDoS Monitor Switch Design
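The following Python is an added example, not code from the paper or from the GENI, OpenFlow or NetFPGA projects. It models the monitoring data path the paper describes: a rule table that classifies each packet as background, legitimate or attack traffic and mirrors it to a NetFPGA port per class (plus a port for the total), per-port counts of packets and bits in fixed intervals (the only statistics the experiment collects), and a rate check on those counts standing in for the anomaly detector on the attached computer. The hosts, port numbers, sample traffic and threshold rule (`factor` times the mean of the last `history` normal intervals) are constructed assumptions; the paper does not give the detector it uses.

```python
"""Model of the monitoring data path in the experiment above.

Three pieces follow the paper's description:
  1. an OpenFlow-style rule table that classifies each packet as
     background, legitimate (User A <-> User B) or attack traffic and
     copies it to the NetFPGA port reserved for that class, plus a port
     that sees the total;
  2. per-port counts of packets and bits in fixed time intervals, the
     only statistics the experiment collects;
  3. a rate check over those counts, standing in for the anomaly
     detector that runs on the computer attached to the NetFPGA.
Addresses, port numbers, the sample traffic and the threshold rule are
constructed for this example (assumptions); they are not from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since start of capture
    src: str
    dst: str
    length: int   # bytes on the wire


# Constructed hosts (assumption, not the experiment's real addresses).
USER_A, USER_B = "10.0.0.1", "10.0.0.2"
ATTACKERS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# NetFPGA port each traffic class is mirrored to (constructed numbering).
PORT_BACKGROUND, PORT_LEGIT, PORT_ATTACK, PORT_TOTAL = 0, 1, 2, 3

MIRROR_PORTS = {
    "background": (PORT_BACKGROUND, PORT_TOTAL),
    "legitimate": (PORT_LEGIT, PORT_TOTAL),
    "attack": (PORT_ATTACK, PORT_TOTAL),
}


def classify(pkt):
    """Traffic class an OpenFlow match on (src, dst) would assign."""
    if {pkt.src, pkt.dst} == {USER_A, USER_B}:
        return "legitimate"
    if pkt.src in ATTACKERS and pkt.dst == USER_B:
        return "attack"
    return "background"


def mirror_ports(pkt):
    """Ports the controller's rules copy this packet to. The packet itself
    still takes its normal path; only copies reach the NetFPGA."""
    return MIRROR_PORTS[classify(pkt)]


def count_intervals(packets, interval):
    """{port: [(packets, bits), ...]} with one entry per time interval."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    last = 0
    for pkt in packets:
        slot = int(pkt.t // interval)
        last = max(last, slot)
        for port in mirror_ports(pkt):
            counts[port][slot][0] += 1
            counts[port][slot][1] += pkt.length * 8
    return {port: [tuple(counts[port][s]) for s in range(last + 1)]
            for port in (PORT_BACKGROUND, PORT_LEGIT, PORT_ATTACK, PORT_TOTAL)}


def flagged_intervals(series, history=3, factor=4.0):
    """Indices of intervals whose packet count exceeds `factor` times the
    mean of the last `history` intervals judged normal. Flagged intervals
    are kept out of the baseline so a sustained flood does not become the
    new normal. This rule is an assumption; the paper does not give its
    detector."""
    flagged, clean = [], []
    for i, (pkts, _bits) in enumerate(series):
        if len(clean) >= history:
            baseline = mean(clean[-history:])
            if baseline > 0 and pkts > factor * baseline:
                flagged.append(i)
                continue
        clean.append(pkts)
    return flagged


def sample_traffic():
    """Constructed capture: steady background and A<->B traffic for 6 s,
    with a flood from the attackers towards User B from t = 4 s on."""
    pkts = []
    for t10 in range(60):                       # one background packet per 0.1 s
        t = t10 / 10
        pkts.append(Packet(t, "192.0.2.%d" % (t10 % 20), "198.51.100.7", 600))
        if t10 % 2 == 0:                        # A and B exchange a packet per 0.2 s
            pkts.append(Packet(t, USER_A, USER_B, 200))
    for t100 in range(400, 600):                # three attackers, a packet each per 10 ms
        for src in sorted(ATTACKERS):
            pkts.append(Packet(t100 / 100, src, USER_B, 64))
    return sorted(pkts, key=lambda p: p.t)


if __name__ == "__main__":
    series = count_intervals(sample_traffic(), interval=1.0)
    for port, name in ((PORT_BACKGROUND, "background"), (PORT_LEGIT, "legitimate"),
                       (PORT_ATTACK, "attack"), (PORT_TOTAL, "total")):
        print(name, series[port])
    print("flagged intervals on the total port:", flagged_intervals(series[PORT_TOTAL]))
```

On the constructed capture the total port shows 15 packets per second until the flood starts and 315 afterwards, so the rate check flags intervals 4 and 5, while the per-class ports let you confirm that the legitimate A-B traffic is unchanged and that all of the excess sits on the attack port. Two caveats a practitioner should keep in mind: a packet-count threshold is sensitive to small-packet floods like this one, but a flood of large packets would show up mainly in the bit counter, so both statistics should be checked; and excluding flagged intervals from the baseline, as done here, is what keeps a sustained flood from being absorbed into the "normal" rate.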
One major problem with Distributed Denial of Service attacks is how difficult it is to identify the source of the attack, because of the many components involved. The DDoS Monitor switch design is shown in Figure 2. RxQ and TxQ are the input and output queues. The Input Arbiter module decides which RxQ to service next, and the Output Port Lookup module decides the output port of each packet. The detection module collects statistics from the network traffic, which the attached computer processes, while still forwarding the traffic to the next module; the detection stage therefore runs in parallel with the switch without disturbing switch operation. Detection results can either inform the network administrator or signal the switch.

References

1. D. P. Fidler. Was Stuxnet an act of war? Decoding a cyber attack. IEEE Security & Privacy, 9(4):56-59, July-Aug. 2011.
2. R. Brooks. Disruptive Security Technologies with Mobile Code and Peer-to-Peer Networks. CRC Press, 2005.
3. Global Environment for Network Innovations (GENI), http://www.geni.net/, 2011.
4. N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner. OpenFlow: enabling innovation in campus networks. SIGCOMM Comput. Commun. Rev., 38:69-74, March 2008.
5. NetFPGA, http://netfpga.org/, 2011.

Acknowledgement

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CSIIRW '11, October 12-14, Oak Ridge, Tennessee, USA. Copyright © 2011 ACM 978-1-4503-0945-5 ISBN ... $5.00