Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, Roberto Uribeetxeberria

Abstract

Industrial Control Systems are the set of specialized elements that monitor and control physical processes. These systems are normally interconnected, forming environments known as industrial networks. The particularities of these networks rule out the use of traditional IT security mechanisms, while allowing other security strategies that are not suitable for IT networks. As industrial network traffic flows follow constant and repetitive patterns, whitelisting has proved to be a viable approach for anomaly detection in industrial networks. In this paper, we present a network flow and related alert visualization system based on chord diagrams. The system represents the network flows detected within a time interval, highlighting the ones that do not comply with the whitelisting rules. Moreover, it also depicts the network flows that, even though they are registered in the whitelist, have not been detected in the selected time interval (e.g. because a host is down). Finally, the visualization system is tested with network data coming from a real industrial network.
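The three flow categories the abstract describes (whitelisted and seen, seen but not whitelisted, whitelisted but not seen) can be computed directly from a flow whitelist and the flows observed in an interval. The following is an added example, not the paper's own code; the whitelist, the host addresses and the observed flows are constructed samples, and the host-by-host matrix it builds is the input shape a chord renderer such as d3.chord consumes, with a per-chord status for colouring.

```python
# Flow whitelist rules: (src, dst, proto, dst_port). Constructed sample, not the paper's data.
WHITELIST = {
    ("10.0.0.10", "10.0.0.20", "tcp", 502),  # HMI -> PLC A (Modbus/TCP)
    ("10.0.0.10", "10.0.0.21", "tcp", 502),  # HMI -> PLC B (Modbus/TCP)
    ("10.0.0.30", "10.0.0.10", "tcp", 102),  # engineering station -> HMI
}

# Flows observed in the selected time interval: (src, dst, proto, dst_port, bytes). Constructed.
OBSERVED = [
    ("10.0.0.10", "10.0.0.20", "tcp", 502, 4200),
    ("10.0.0.30", "10.0.0.10", "tcp", 102, 980),
    ("10.0.0.99", "10.0.0.20", "tcp", 502, 120),  # unknown host speaking Modbus to PLC A
]

# When one host pair carries flows of several kinds, the most urgent status wins.
PRIORITY = {"ok": 0, "missing": 1, "alert": 2}


def classify_flows(observed, whitelist):
    """Split flows into: whitelisted and seen, seen but not whitelisted (alert),
    and whitelisted but not seen in the interval (missing, e.g. a host is down)."""
    seen_keys = {f[:4] for f in observed}
    seen_ok = [f for f in observed if f[:4] in whitelist]
    alerts = [f for f in observed if f[:4] not in whitelist]
    missing = sorted(whitelist - seen_keys)
    return seen_ok, alerts, missing


def chord_matrix(observed, whitelist):
    """Build the square host x host byte matrix a chord diagram renders, plus a
    status per (src, dst) pair so each chord can be coloured ok/alert/missing."""
    seen_ok, alerts, missing = classify_flows(observed, whitelist)
    rules = list(whitelist) + [f[:4] for f in observed]
    hosts = sorted({h for r in rules for h in r[:2]})
    idx = {h: i for i, h in enumerate(hosts)}
    matrix = [[0] * len(hosts) for _ in hosts]
    status = {}

    def mark(src, dst, weight, kind):
        matrix[idx[src]][idx[dst]] += weight
        if PRIORITY[kind] >= PRIORITY.get(status.get((src, dst), "ok"), 0):
            status[(src, dst)] = kind

    for src, dst, _, _, nbytes in seen_ok:
        mark(src, dst, nbytes, "ok")
    for src, dst, _, _, nbytes in alerts:
        mark(src, dst, nbytes, "alert")
    for src, dst, _, _ in missing:
        mark(src, dst, 1, "missing")  # minimal weight so the absent chord is still drawn
    return hosts, matrix, status
```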

Paper Citation


in Harvard Style

Iturbe M., Garitano I., Zurutuza U. and Uribeetxeberria R. (2016). Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting. In Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 2: IVAPP, (VISIGRAPP 2016) ISBN 978-989-758-175-5, pages 99-106. DOI: 10.5220/0005670000990106


in Bibtex Style

@conference{ivapp16,
author={Mikel Iturbe and Iñaki Garitano and Urko Zurutuza and Roberto Uribeetxeberria},
title={Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting},
booktitle={Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 2: IVAPP, (VISIGRAPP 2016)},
year={2016},
pages={99-106},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005670000990106},
isbn={978-989-758-175-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 2: IVAPP, (VISIGRAPP 2016)
TI - Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting
SN - 978-989-758-175-5
AU - Iturbe M.
AU - Garitano I.
AU - Zurutuza U.
AU - Uribeetxeberria R.
PY - 2016
SP - 99
EP - 106
DO - 10.5220/0005670000990106