lulzzz / bonnet-ics-library

A library of industrial network traffic anomaly detection methods.


ICS detection algorithms software library

A library of ICS network anomaly detection methods.

Introduction

Software library of algorithms, including their demonstration on the attached data for the detection of anomalies in ICS network traffic. The library processes input data in PCAP format and implements various methods for creating a profile of normal communication and detection of possible deviations. The library consists of methods based on various principles of communication modeling, especially automata, statistical methods, and machine learning.

Rather than a single software library, the project is a collection of software components, each implementing a different anomaly detection method applicable to the ICS domain. The following methods are implemented:

  • DETANO is an automated method enabling the creation of an ICS communication profile in the form of a probability automaton and uses this automaton to detect deviations from the normal profile.
  • StatProf creates a statistical profile for ICS communication, which is used to detect differences in communication patterns. The method calculates traffic statistics based on selected properties of the monitored communication.
  • IMADICS combines a set of ML-based methods (K-means, PCA, Gaussian, Singular Spectrum Analysis) for profile calculation from network communication of various ICS protocols. The methods provide algorithms for learning the profile and applying it to the observed communication.

Environment

The individual projects can be compiled in Linux OS with installed dependencies.

Dependencies

The solution consists of different methods, which have the following dependencies:

Package    Documentation
python38   https://www.python.org/downloads/release/python-380/
.NET 5.0   https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu

Linux Machine

This method assumes Ubuntu 20.04 LTS, but can be adapted for other Linux distributions too. The necessary dependencies can be installed using the environment installation script setup-environment.sh.

Windows Subsystem for Linux (WSL2) with Visual Studio Code

This method enables development on a host running Microsoft Windows 10 with WSL enabled. For instance, it is useful in combination with Visual Studio Code, which can connect remotely to the Linux instance. Contrary to Vagrant, it is not necessary to set up file sharing, as this is done automatically by the operating system and WSL.

  1. Setup WSL2 and install Ubuntu 20.04 LTS (https://wiki.ubuntu.com/WSL)

  2. Install necessary dependencies (see setup-environment.sh script)

  3. Open WSL shell or run Visual Studio Code in WSL using the Remote WSL extension (https://code.visualstudio.com/docs/remote/wsl-tutorial).

Multipass

Alternatively, it is possible to use Multipass, which provides a virtual Linux environment suitable for development and testing. Steps:

  1. Install multipass for your OS (https://multipass.run/).

  2. Create a VM and see its properties, e.g., the assigned IP address:

     multipass launch -n bonnet focal
     multipass info bonnet

  3. Set up sharing of the project folder on the host with the VM:

     multipass mount <PROJECT_FOLDER> bonnet:/mnt/bonnet

  4. Connect to the VM and go to the project folder:

     multipass shell bonnet
     cd /mnt/bonnet

  5. Execute the environment setup script:

     chmod a+x setup-environment.sh
     ./setup-environment.sh

After completing all the previous steps, the environment is prepared to compile the library. The project is mounted in the VM at folder /mnt/bonnet. Additionally, it is possible to configure Visual Studio Code Remote Development (https://code.visualstudio.com/docs/remote/ssh#_getting-started). The key step is to enable SSH access to the created VM. When the VM is created, Multipass generates a pair of keys for SSH access. These keys are not located in the user folder but in a system location. Depending on the OS, they are at the following paths:

OS        Path
MacOS     /var/root/Library/Application\ Support/multipassd/ssh-keys/id_rsa
Windows   C:\Windows\System32\config\systemprofile\AppData\Roaming\multipassd\ssh-keys
  1. First, test the SSH connection:

     sudo ssh -i /var/root/Library/Application\ Support/multipassd/ssh-keys/id_rsa ubuntu@<VM-IP-ADDRESS>

  2. The private key cannot be used from the system location. It is necessary to copy it to the .ssh folder and change the owner:

     sudo cp /var/root/Library/Application\ Support/multipassd/ssh-keys/id_rsa ~/.ssh/id_rsa_bonnet
     sudo chown <USER> ~/.ssh/id_rsa_bonnet

  3. Modify the SSH client configuration file ~/.ssh/config by adding the following lines:

     Host bonnet
       HostName <VM-IP-ADDRESS>
       User ubuntu
       IdentityFile ~/.ssh/id_rsa_bonnet

  4. In Visual Studio Code, install the Remote Development extension pack (https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack) and select the Remote-SSH: Connect to Host... command to establish the connection with the VM.

  5. A new Visual Studio Code window opens, connected to the bonnet VM. Open the folder /mnt/bonnet to access the project.
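The Multipass and SSH steps above, collected into a small POSIX shell script. This is an added example, not a script from the bonnet-ics-library repository. It wraps the multipass commands from the README, copies the generated private key with owner-only permissions (ssh refuses to use a private key that other users can read, so chown alone is not enough), and appends the Host bonnet block to the SSH client configuration only once, so re-running it does not duplicate the entry. The VM name bonnet, the guest user ubuntu and the mount point /mnt/bonnet come from the README; the function names, the script name bonnet-setup.sh and the key, config and address arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the bonnet-ics-library repository): helper
# functions that automate the Multipass + SSH steps for the "bonnet" VM.
# Assumed: VM name "bonnet" and guest user "ubuntu" (both from the README);
# key paths, config path and VM address are supplied by the caller.
set -eu

# Create the VM, mount the project folder and print the VM properties
# (wraps the multipass commands from the README; needs multipass installed).
bonnet_vm_up() {
    project_folder=$1
    multipass launch -n bonnet focal
    multipass mount "$project_folder" bonnet:/mnt/bonnet
    multipass info bonnet
}

# Copy the Multipass-generated private key to a user-owned location.
# ssh rejects a key readable by others ("Permissions ... are too open"),
# so the copy is made owner-only (0600). When run under sudo, SUDO_USER is
# the invoking user, so ownership goes to that user rather than root.
bonnet_install_key() {
    src=$1
    dest=$2
    cp "$src" "$dest"
    chmod 600 "$dest"
    chown "${SUDO_USER:-$(id -un)}" "$dest"
    echo "$dest"
}

# Print the ~/.ssh/config block from the README for the given address and key.
bonnet_ssh_config_block() {
    vm_ip=$1
    key=$2
    printf 'Host bonnet\n  HostName %s\n  User ubuntu\n  IdentityFile %s\n' \
        "$vm_ip" "$key"
}

# Append the block to an ssh config file unless a "Host bonnet" entry exists.
# Returns 0 when the entry was added, 1 when it was already present.
bonnet_add_host() {
    cfg=$1
    vm_ip=$2
    key=$3
    if [ -f "$cfg" ] && grep -q '^Host bonnet$' "$cfg"; then
        return 1
    fi
    bonnet_ssh_config_block "$vm_ip" "$key" >> "$cfg"
    chmod 600 "$cfg"
    return 0
}

# Count the "Host bonnet" entries in a config file (0 if the file is absent).
bonnet_host_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^Host bonnet$' "$1" || true
}

# Usage (script name bonnet-setup.sh is assumed):
#   ./bonnet-setup.sh up <PROJECT_FOLDER>
#   sudo ./bonnet-setup.sh key <SYSTEM_KEY_PATH> ~/.ssh/id_rsa_bonnet
#   ./bonnet-setup.sh host ~/.ssh/config <VM-IP-ADDRESS> ~/.ssh/id_rsa_bonnet
case "${1:-}" in
    up)   bonnet_vm_up "$2" ;;
    key)  bonnet_install_key "$2" "$3" ;;
    host) bonnet_add_host "$2" "$3" "$4" ;;
esac
```

On macOS the key step has to run under sudo because the source key lives under /var/root; the function then hands the copy back to the invoking user via SUDO_USER, which is what the README's manual chown achieves.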

Acknowledgement

This project was supported by grant VI20192022138.

License: Other