Title: A timing-based covert channel for SCADA networks
Authors: A. Lemay, S. Knight
DOI: 10.1109/CYCONUS.2017.8167507 (https://doi.org/10.1109/CYCONUS.2017.8167507)
Venue: 2017 International Conference on Cyber Conflict (CyCon U.S.)
Publication date: 2017-11-01
Citation count: 3
Open access: no

Abstract
Industrial Control Systems (ICS) networks are increasingly attractive targets for attackers. The 2015 Ukraine cyber attack, in which hackers abused the ICS to cause a blackout, is a good illustration of this interest. However, to achieve physical effects, attackers must embed themselves deep within the target network, so they must protect this investment by using covert techniques to avoid detection by defenders. This paper explores the problem of highly covert, long-lived command and control channels to gain insight into probable evolution paths for attackers in response to increasing defensive capabilities. In particular, it presents a timing-based covert channel for Modbus that uses interference. An implementation of the channel that uses a network man-in-the-middle to modulate timing is built as a proof of concept of the approach. A performance analysis of the implementation shows that it performs as a low-bandwidth but highly covert command and control channel. Furthermore, an analysis of packet captures from a real production network shows that the approach would be likely to work in a production environment.