D4.6 Protocol Learning for AMI Environments
Transcription
D4.6 Protocol Learning for AMI Environments
SEVENTH FRAMEWORK PROGRAMME Theme SEC-2011.2.5-1 (Cyber attacks against critical infrastructures) D4.6 Protocol Learning for AMI Environments Contract No. FP7-SEC-285477-CRISALIS Workpackage Author Version Date of delivery Actual Date of Delivery Dissemination level Responsible WP4 - System Discovery Corrado Leita 1.0 M24 M25 Public SYM The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2013) under grant agreement n°285477. SEVENTH FRAMEWORK PROGRAMME Theme SEC-2011.2.5-1 (Cyber attacks against critical infrastructures) The CRISALIS Consortium consists of: Symantec Ltd. Alliander Chalmers University ENEL Ingegneria e Innovazione EURECOM Security Matters BV Siemens AG Universiteit Twente Project coordinator Contact information: Dr. Matthew Elder Symantec Limited Ballycoolin Business Park (GA11-35) Blanchardstown Dublin 15 Ireland e-mail: [email protected] Ireland Netherlands Sweden Italy France Netherlands Germany Netherlands Contents 1 Introduction 6 2 Heuristics-Based Protocol Learning 2.1 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7 9 3 Results of Protocol Learning for AMI Environments 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol . 3.1.1 Analysis of TCP Data . . . . . . . . . . . . . . . . 3.1.2 Analysis of DLMS/COSEM Data . . . . . . . . . . 3.2 AMI Command Network Data - M-Bus Protocol . . . . . 3.3 Discussion and Conclusions . . . . . . . . . . . . . . . . . 4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 14 14 17 25 28 30 3 4 Abstract This deliverable presents the research on protocol learning, applied in this work to Advanced Metering Infrastructure (AMI) environments. The previous work on protocol learning, as applied to ICS/SCADA environments in deliverable D4.3, highlighted a number of challenges in our existing approaches to protocol learning in the context of critical infrastructure environments. Based on this experience, we have devised a heuristics-based protocol learning algorithm in an attempt to address the domain-specific challenges identified. We explore the approach on data collected from two AMI network environments containing two AMI protocols, DLMS/COSEM and M-Bus, and present the results of the analyses. 1 Introduction Monitoring critical infrastructure environments, including those in industrial control systems (ICS) and advanced metering infrastructure (AMI), requires tools capable of generating semantics about system events. Previously, in deliverable D4.3 “Protocol learning in SCADA environments”, we identified the need to monitor the systems and interactions from the network level in the face of malicious adversaries. However, there are numerous challenges in monitoring critical infrastructure environments from the network, including the use of proprietary, evolving, and/or undocumented protocols and the frequency of traffic generated. To address the challenges, we explored two approaches to protocol learning, applied in the context of ICS/SCADA environments: protocol parsers (“protocol aware”) and automated analysis of protocol payloads (“protocol agnostic”). The investigation in deliverable D4.3 identified a number of challenges in those protocol learning approaches as applied to ICS/SCADA networks. For example, the network traffic exhibited long-lived sessions and the absence of separators, which was problematic for the protocol-agnostic approach analyzing the network traffic in order to extract the protocol semantics in particular. Building upon our previous approaches and adapting based upon the findings of the previous investigation, we propose and explore a heuristics-based protocol learning algorithm in this deliverable. The next chapter presents the challenges that have been encountered in protocol learning as applied to critical infrastructure networks and provides a description of and rationale for the heuristics-based algorithm. The following chapter presents the results of applying the heuristics-based protocol learning approach to network data from two AMI environments, containing two AMI network protocols: DLMS/COSEM and M-Bus. 6 2 Heuristics-Based Protocol Learning We have seen in Deliverable D4.3, “Protocol learning in SCADA environments”, that the task of manually generating protocol descriptions is a tedious one, both when a protocol specification is available but even more when the protocol specification is closed. At the same time, it is of utmost importance to be able to get in-depth insights into the network exchanges, being that the network is the only perspective where it is possible to monitor the activity of closed devices such as PLCs, as well smart meters in Advanced Metering Infrastructure (AMI) environments. 2.1 Challenges When applying protocol learning to SCADA/ICS protocols, we have identified already a number of domain-specific challenges that required us to revisit existing techniques and adapt them to this specific scenario. More specifically, three core challenges had been identified: • Long-lived sessions A core problem in most protocol learning approaches consists in the “semantic clustering”, the ability to group together messages having a similar semantic meaning in order to perform correct and useful guesses on the invariants that characterize a specific type of message. For instance, in the HTTP case we want to ensure HTTP GET messages are analyzed separately from HTTP POST messages. If structurally different messages are mixed together in the same cluster, the outcome of the analysis is likely to have inacceptable quality. When looking at methods such as ScriptGen [4, 5, 6, 7], RolePlayer [3], or Netzob [2], we can see that their clustering approach mostly relies on the contextualization of the message with respect to the TCP session. The intuition is that the position of a message in a TCP session gives insights on its semantics, e.g., a login message is likely to come at the very beginning of the TCP conversation. We have seen this assumption not to hold in the SCADA/DCS case, where some protocols were reusing a single TCP session for a number of independent exchanges. • Absence of separators Protocol learning approaches typically attempt to discover the structure of a protocol messages by means of bioinformatics algorithms 7 2 Heuristics-Based Protocol Learning aiming at the alignment of messages. The most common global alignment algorithm used in protocol learning is the Needleman-Wunsch [8] algorithm. It is a dynamic programming algorithm aiming at achieving the best alignment of two sequences S1 and S2 according to a given scoring function. For every couple of bytes belonging to the two sequences, a different score is associated with identical values (Iscore ), differing values (Dscore ), or insertion of a gap in one of the two (Gscore ). The algorithm is usually applied in a “greedy” fashion [1, 3, 4], by giving no penalization to the insertion of gaps in the sequences or to the presence of mismatching bytes, and attempting to simply obtain the maximum possible overlap among the two sequences. The identified overlaps are converted into a regular expression that is then used to match instances of the same message. Differently from the generic case, most ICS protocols are binary and tend to be very compact by trying to encode all the information in the minimum amount of bytes as possible. This copes badly with the intuition underneath alignment: alignment algorithms expect to find throughout a given message large portions of unique, invariant byte regions that can be used to delimit the variable portions of the field (e.g., “GET /(.*).html HTTP/1.0\r\n”). This expectation is not met in ICS protocols. • Protocol structure Most IT protocols have a relatively “flat” structure: a header, followed by an optional payload whose semantics may depend from the header value. ICS protocols such as MODBUS instead tend to be much more structured: an initial framing header specifies information such as the transaction ID, the process ID, and the length of the payload; then, by means of one-byte function codes, one or more payloads can be queued. Function codes can incorporate multiple sub-payloads: for instance, function code 23 is associated to a read-write registers command, and is followed first by parameters to perform a read operation from a specific memory location and then by parameters to perform a write operation to another memory location of a variable number of bytes that is included at the end of the payload. Within a given protocol message, the semantics of a specific protocol byte tend to depend on the value of other preceding bytes. Previous work done by the crisalis consortium on protocol learning has devised better ways to cope with the first challenge, by exploring more effective ways to perform semantic clustering and to group messages sharing similar structure. However, no major modification was made to the second phase of the protocol learning algorithm, that in charge of identifying common patterns and structure in a set of messages and extracting a model (e.g., a regular expression) that could be used to later label the messages. All the proposed algorithms invoked the standard ScriptGen region analysis in order to identify 8 SEVENTH FRAMEWORK PROGRAMME 2.2 Approach invariant segments of the protocol message, and later generate a regular expression that could match the invariant segments in unlabeled messages and identify further instances of a given message type. This approach proved in fact to be sufficient to correctly cope with SCADA/DCS protocols. When looking more in general at ICS protocols and when including for instance AMI protocols such as DLMS/COSEM, further considerations need to be made. First and foremost, AMI protocols often rely on encryption schema to protect Personal Identifiable Information (PII). Secondly, binary ICS protocols pose challenges that clash with the property of standard alignment approaches: the absence of separators and the nested structure make the generation of “useful” and robust regular expressions particularly complex, leading us to question the use of regular expressions as a tool to model the structure of a protocol. 2.2 Approach Differently from previously investigated techniques, we try here to look into an approach specific to the problem under analysis and that is not necessarily generically applicable to any protocol of any type. We address instead the specific case of binary, compact and structured protocols that are typically observed in industrial control systems. The core idea is that of reconstructing the protocol by moving sequentially from the first byte of the message towards the last and performing the analysis concurrently on a large amount of protocol messages, similarly to the operation of a parser (as represented in Figure 2.1). By means of heuristics, we then identify values holding special value for the parser (opcodes, length fields) and when applicable we branch the analysis into subgroups associated to different opcode values. The resulting approach proves to be significantly faster than state of the art approaches for the reconstruction of protocol structure, and obtains significantly better accuracy when dealing with the specific challenges offered by ICS protocols. As previously explained, the purpose of the approach consists in generating labeling information that can be used to discriminate among different message “types” pertaining to a specific ICS protocol. We achieve this objective by proceeding sequentially from the first byte until the end of each message, mimicking the operation of a protocol parser, and gradually building a decision tree as shown in Figure 2.1. A protocol parser would start from the beginning of the header, parsing field by field, obtaining information on the overall message length, and then would proceed to identify the different opcodes and understanding their semantics according to specification. Differently from a protocol parser, we do not have access to the protocol specification. We can however proceed FP7-SEC-285477-CRISALIS 9 Le ins ngth va tanc field ov lue e es t : in era nc he al ll m od by l es e to tes sa ge the OP len so Cod gth me meh e b ss ow yte: ag e l asso the v en gth ciate alue dt o t is he Fix e db yte 2 Heuristics-Based Protocol Learning AA 00 0C 28 01 32 2C 06 80 19 22 A3 AA 00 0C 28 32 03 2C 06 80 19 22 A3 AA 00 0C 28 22 43 2C 06 80 19 22 A3 AA 00 0C 28 14 67 2C 06 80 19 22 A3 AA 00 07 02 22 AA 2C AA 00 07 02 12 1C 2C After the opcode byte the analysis is branched into several children, each associated to each OPcode value. The algorithm recursively proceed to each branch Byte 3 = 28 Byte 0 = AA Byte 1,2 = length … Byte 3 = OPcode values in {28,02} Byte 3 = 02 … Figure 2.1: Intuitive representation of the approach 10 SEVENTH FRAMEWORK PROGRAMME 2.2 Approach sequentially over the bytes of a large amount of messages, and apply heuristics to identify bytes of particular relevance to the protocol: 1. Random bytes: by considering a large amount of messages (several thousands) we can immediately identify random bytes (e.g., transaction IDs) as they are actually covering uniformly most of the 256 possible byte values. These bytes are ignored from a protocol parsing standpoint. 2. Fixed bytes: similarly, it is immediately possible to identify bytes whose value is fixed throughout all the message samples. These bytes have validation semantics: it is expectable for a well formed protocol message to expose exactly the same value as the message seen in the training set. 3. Length fields: we identify length fields by interpreting a sequence of bytes (char, short, or word) as a numerical value (encoded in little or big endian) and identifying a linear dependence between the decoded value and the length of the associated message. Similarly to fixed bytes, length fields have validation semantics and can be used to verify the correctness of a specific protocol message. 4. OPcodes: the real challenge in the proposed approach is that of correctly identifying bytes whose semantics has an influence on the overall structure of the protocol message. OPcodes assign specific “semantics” to the content of a given message, and allow us to discern, for instance, the standard reply of a PLC (containing the value of the PLC registers) from an error message that may be associated to a problem or anomaly. We have discovered that there is a “correlation” between the value of an opcode byte and certain high level characteristics of a message. For instance, we often find correlation between the opcode value and the overall message length: different OPcodes carry different information, and require a different number of bytes to carry it. In other cases, we have identified a “correlation” between the OPcode byte value and the role of the device in the network (e.g., source or destination IP address). Intuitively, certain devices (DCS servers) are only interested in generating “read” requests towards the control system, while the control system devices are usually responding to the requests providing the requested data. All these “correlations” between the values of a given byte and the size of the message, or the involved endpoints are discovered by leveraging a commonly accepted information theory measure, the mutual information. It important to underline that once an OPcode byte is identified, the protocol inference is “forked”: the sequential analysis of the subsequent bytes is recursively split into different sub-analyses, where the content of the messages associated to different OPcode values is analyzed separately. FP7-SEC-285477-CRISALIS 11 2 Heuristics-Based Protocol Learning 5. Parameters: values that do not belong to any of the above classes are likely to be message parameters, e.g., the value of the registers read from a given PLC. Overall, the process described above starts from the analysis of a set of training messages, sequentially analyzes the nature of each byte, and whenever an OPcode is identified the sequential analysis is branched recursively for the bytes following the opcode, and different opcode values are analyzed separately. In practice, the outcome of the above process is the creation of a decision tree: identified OPcode bytes branch the decision tree in multiple sub-branches, and the interaction of a new message with this decision tree inherently labels the message, also allowing us to extract parameters. 12 SEVENTH FRAMEWORK PROGRAMME 2.2 Approach START Generate message group Initialize position X to first element of the message group (X=0) Analyze message values at position X Are message values constant? yes Move X to the right (e.g. increase X) Mark X as constant no Are message values randomly distributed? yes Mark X as random no Are message values expressing the length of the message? yes Mark X as length no Are message values correlated with the structure of the rest of the message? yes Mark X as opcode no Mark X as parameter Subdivide message group into separate groups according to value of X and recursively proceed for each group Figure 2.2: Block diagram explaining the algorithm FP7-SEC-285477-CRISALIS 13 3 Results of Protocol Learning for AMI Environments In deliverable D4.3, we examined the use of protocol learning on two protocols from the Digital Control System (DCS) environment, PP and OPC. In this section, we explore the results from applying the modified protocol learning approach described in the previous section to packet captures from two data sources that include Advanced Metering Infrastructure (AMI) network data including two AMI protocols, DLMS/COSEM and M-Bus. 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol In order to experiment and evaluate the protocol learning approach on AMI network data, we collected packet traces from the Alliander AMI network testbed. The packet traces and high-level descriptions of the associated hosts, flows, and interaction maps were described in deliverable D4.5. The packet trace consisted of 21,621 packets and it contained a variety of traffic types, including some DLMS/COSEM protocol traffic going from the AMI head end server to various smart meters. 3.1.1 Analysis of TCP Data In this first exploration we analyze all the TCP data traffic to present an overview of the approach. The TCP data is most interesting when analyzing AMI network data, given the long-lived sessions and the inclusion of DLMS/COSEM data in the TCP data. However, given the variety of protocols included across all TCP data it is reasonable to assume that the protocol learning algorithm might not be able to find much commonality. For the exploration, we vary (1) the number of packets analyzed by the protocol learning algorithm and (2) the number of bytes in each packet that is analyzed. By varying both of these parameters, this gives the algorithm more data to consider for matching, at the expense of tractability of the analyses. We first consider all TCP data traffic in the packet capture, but only matching on the first 24 bytes of each packet. This is reasonable given that we know that at least some of 14 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol the traffic is encrypted, but perhaps the protocol packet header data for some protocols will be unencrypted in the first 24 bytes of the TCP data. Figure 3.1 shows the results of running the protocol learning algorithm on a very small amount of data, just the first 20 packets with TCP data, primarily to show the output of the analysis when commonality is found. In this analysis, the protocol learning algorithm believes that the first byte could be treated as an opcode with 10 possible values. However, when the first byte is 0 the pattern produced is a string of mostly random bytes, meaning that the algorithm found minimal overlap or alignment when the first byte is 0 – this line indicates some number of the first 20 packets only matched on a few bytes with a few “0” bytes and one “101” byte. At a high level, finding 10 packet sequences across the first 20 packets is not very informative, especially when one of those sequences is mostly random bytes. (Note that there are a number of short packets with less than 24 bytes of TCP data, indicated by the shorter sequences.) Figure 3.2 shows the results of running the protocol learning algorithm on the first 50 packets with TCP data. This pattern of all random bytes indicates that the protocol learning algorithm failed to find an alignment match across 50 packets, and this results remains consistent when increasing the number of packets analyzed to 100, 500, and 1,000 packets containing TCP data. The inability to find alignment across even just 50 packets is a disappointing result. Next, we increase the number of bytes analyzed to 50 within each packet. Looking at only the first 20 packets with TCP data, Figure 3.3 produces a consistent result with that of Figure 3.1, which used the first 24 bytes. The analysis again interprets the first byte as a possible opcode with 10 possible values. Again, when the first byte is 0 the algorithm fails to find significant overlap or alignment, detecting mostly random bytes to match a few “0” bytes and the single “101” byte. Using the first 50 bytes did not change the fundamental result of finding 10 patterns across 20 packets, which does not indicate much matching. Similarly, when we look at the first 50 bytes of the first 50 packets, we get the same result as depicted previously in Figure 3.2: a pattern of all random bytes, indicating the failure of the algorithm to find overlap or alignment. This result is again consistent when extended across the first 100, 500, and 1,000 packets of TCP data. Moving to analysis using the first 100 bytes of each packet, when looking at only the first 20 packets with TCP data using the first 100 bytes produces a consistent result with those when analyzing 24 bytes (Figure 3.1) and 50 bytes (Figure 3.3). The result is basically the same as when using 50 bytes, meaning that the longer sequences that matched for 50 bytes also had more than 100 bytes in their packets. Interestingly, analysis of the first 100 bytes of the first 50 packets produces a different result from the previous analyses using the first 24 bytes and 50 bytes. A magnified FP7-SEC-285477-CRISALIS 15 3 Results of Protocol Learning for AMI Environments Figure 3.1: Analysis of first 24 bytes using first 20 packets with TCP data 16 SEVENTH FRAMEWORK PROGRAMME 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol Figure 3.2: Analysis of first 24 bytes using first 50 packets with TCP data image of the initial bytes sequences is shown in Figure 3.4. When giving the protocol learning algorithm 50 packets with the first 100 bytes, the matching threshold is satisfied differently and the analysis produces 26 patterns from those first 50 packets. This is still not a great result but it does show that with some exploration of threshold parameters the analysis might be able to find some amount of commonality. As one might expect when using the first 100, 500, and 1,000 packets, the analysis fails to match anything and a single string of random bytes is produced similar to that in Figure 3.2. Finally, we conclude with an exploration of the analyzing the first 200 bytes of each packet. This analysis largely corresponds to that when using the first 100 bytes. The results using the first 20 packets matches those results for the previous analyses using 50 bytes (Figure 3.3) and 100 bytes, only with longer string sequences. Similarly, the results using the first 50 packets for the most part matches that of Figure 3.4, where 26 patterns are discovered across those 50 packets. Lastly, using the first 100, 500, and 1,000 packets produces the single string of random bytes, failing to match anything. 3.1.2 Analysis of DLMS/COSEM Data The results of the protocol learning algorithm when analyzing all TCP data in an AMI environment were largely underwhelming, as one might expect given the diversity of protocols present and challenges identified in the previous chapter. In this section we focus on a more tractable problem: analysis of only DLMS/COSEM traffic on port 4059 from the packet capture in the Alliander AMI environment. There are only 419 packets of this traffic across the packet capture. We conduct the same type of exploration, varying the number of bytes in each packet analyzed (24, 50, 100, 200) and the number of packets analyzed (20, 50, 100, all). The results are fairly consistent when looking at a certain number of packets, as the number of bytes analyzed are varied. FP7-SEC-285477-CRISALIS 17 3 Results of Protocol Learning for AMI Environments Figure 3.3: Analysis of first 50 bytes using first 20 packets with TCP data 18 SEVENTH FRAMEWORK PROGRAMME 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol Figure 3.4: Magnified analysis of first 100 bytes using first 50 packets with TCP data FP7-SEC-285477-CRISALIS 19 3 Results of Protocol Learning for AMI Environments Figure 3.5: Analysis of first 24 bytes using first 20 packets on port 4059 Figure 3.5 shows the result from analyzing the first 20 packets on port 4059. The figure is for the analysis of the first 24 bytes, but when looking at the first 50, 100, and 200 bytes of these first 20 packets on port 4059, the same 5 packet sequences are extracted from the protocol learning algorithm with a presumed opcode in the same position, with one sequence containing a number of random bytes. The results from analyzing the first 50 packets on port 4059 show two fundamentally different analyses, depending upon number of bytes analyzed. When only looking at the first 24 or 50 bytes, the results are similar to that in Figure 3.5 when analyzing the first 20 packets, except that there are now 7 packet sequences detected across those 50 packets, with four containing significant random byte sequences. However, when using 100 or 200 bytes for the analysis, the alignment changes and Figure 3.6 is produced. In this analysis, what was taken as the opcode previously is now detected as a length field, the subsequent byte is now considered an opcode for five of the patterns, and a second length and opcode field sequence is produced. These conflicting analyses show the sensitivity of the protocol learning algorithm to the data being analyzed. The results from analyzing the first 100 packets on port 4059 yield yet another interpretation of the data, made possible by the doubling the amount of data being analyzed again. Figure 3.7 shows the result for 24 bytes analyzed, a more complex structure, given the additional data. This result is generally consist across the number of bytes analyzed (50, 100, or 200). What was detected as a possible length field in Figure 3.6 is now presumed to be an opcode, as it was in earlier analyses such as Figure 3.5. Finally, we consider all of the packets seen on port 4059 in the AMI packet capture. The analysis depicted in Figure 3.8 for 24 bytes analyzed is relatively consistent across 50, 100, and 200 bytes analyzed. The first opcode is presumed to be in the same place as in most previous analyses (with the exception of Figure 3.6), and as one might expect, given all of the additional data many additional types of conversations were detected by the protocol learning analysis. In order to address the length anomaly noticed in a few specific situations, we explored an additional, alternate modification to the algorithm in which we provided the real 20 SEVENTH FRAMEWORK PROGRAMME 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol Figure 3.6: Magnified analysis of first 100 bytes using first 50 packets on port 4059 FP7-SEC-285477-CRISALIS 21 3 Results of Protocol Learning for AMI Environments Figure 3.7: Analysis of first 24 bytes using first 100 packets on port 4059 length of the packet to the algorithm instead of just relying upon the truncated length for the heuristic analysis. Figure 3.9 shows an example of this analysis when the first 24 bytes are analyzed across all 419 packets. The primary observation is that one byte is detected as a length field prior to the first opcode detected, as was observed in the anomalous analyses before. This byte is detected as a length field across all parameters of the analysis (24/50/100/200 bytes and first 20/50/100/all 419 packets) when using the modified algorithm. This has a “cascading” effect on the interpretation of the next few bytes when compared with Figure 3.8, but the two analyses converge further into the packet stream again when the other levels of opcode are detected. This general decision tree structure is consistent across the number of bytes analyzed when using all packets on port 4059 in the packet capture. As one final investigation using the AMI network data, we analyzed the port 4059 traffic on a per flow basis. As shown in the D4.5 interaction modeling deliverable, there were only six flows between the AMI head end server and the smart meters using DLMS/COSEM (on port 4059). One of them had only 8 packets and was thus uninteresting. Four of the other flows had 21, 24, 31, and 32 packets, so again a fairly small number of packets, and the sixth flow had 300 packets. The analyses from these last five flows 22 SEVENTH FRAMEWORK PROGRAMME 3.1 Alliander AMI Network Data - DLMS/COSEM Protocol Figure 3.8: Analysis of first 24 bytes using all 419 packets on port 4059 FP7-SEC-285477-CRISALIS 23 3 Results of Protocol Learning for AMI Environments Figure 3.9: Analysis of first 24 bytes using all 419 packets on port 4059 with length modification to the algorithm 24 SEVENTH FRAMEWORK PROGRAMME 3.2 AMI Command Network Data - M-Bus Protocol generally mimic the structure of the analyses presented previously. 3.2 AMI Command Network Data - M-Bus Protocol For a second, more controlled set of experiments, we tested the protocol learning approach on AMI network data containing M-Bus protocol data, collected by Chalmers. The packet traces were small captures associated with four individual M-Bus commands, ranging from 15 to 48 packets. For ground truth, we can compare the results generated by the protocol learning algorithm to the M-Bus protocol specification, which is an official standard that can be obtained and/or found on-line in various places (e.g., www.m-bus.com). Figure 3.10 shows the result of running the protocol learning algorithm on a packet capture that includes a request for data from the master to the slave. Two distinct packets with commonality in the packet capture were detected, with an opcode in the first data byte corresponding to either 16 or 104. The 16 (0x10 hex) opcode corresponds to a short telegram in M-Bus, while the 104 (0x68 hex) opcode corresponds to a long telegram in M-Bus. The protocol learning algorithm successfully detected the opcode in the first byte of the packet, as verified in the M-Bus specification. It should be noted, however, that a third value for the opcode, 0xe5 hex, was not detected by the algorithm, although this was seen in two packets of the capture. This opcode corresponds to a single character telegram, used to acknowledge other telegrams received. The short M-Bus telegram with opcode 16 matched the M-Bus protocol specification: the second byte (91, or 0x5b hex) is the control field specifying the data request from master to slave, the third byte (254, or 0xfe) is the address field specifying to transmit to all participants in the M-Bus system, the fourth byte is the checksum field that is a simple arithmetic sum of the previous bytes, and the fifth byte is the stop byte (22, or 0x16 hex). The long M-Bus telegram with opcode 104 was not able to match very many of the bytes, because in this small packet capture there were only two long telegram packets and most bytes were not common. The protocol learning algorithm was able to detect that the second and third bytes of the packets correspond to two length bytes (a single byte repeated in fact), which is confirmed to be correct in the M-Bus protocol specification. The other common byte in these two long M-Bus telegram packets is a 0 byte, which corresponds to the address field and denotes a value of the default address given by the manufacturer. However, this byte is detected to be one position later than it should be, according to both the specification and the actual packet capture: a byte of value 104 (repeating the opcode value) should have been included immediately after the two length FP7-SEC-285477-CRISALIS 25 3 Results of Protocol Learning for AMI Environments Figure 3.10: Analysis of M-Bus request data command traffic Figure 3.11: Analysis of second M-Bus request data command traffic capture bytes. Also, the “P” byte between the length bytes and “0” byte should have been split into another opcode byte corresponding to either 0x73 or 0x08, the master sending data to the slave or the slave transferring data to the master, respectively. With a longer packet capture that includes repetition of these long M-Bus telegrams, the algorithm should have split that single line in the decision tree into two with that second opcode of 0x08 or 0x73. (This will be elaborated upon and confirmed later in this subsection.) Figure 3.11 shows the result of running the protocol learning algorithm on another packet capture that includes a request for data from the master to the slave. The results are very similar to those shown in Figure 3.10, with the opcode detected in the first byte and two opcode values detected. The only difference is that the second byte of the short M-Bus telegram is 123 (0x7b hex), which also corresponds to a data request from master to slave, and the checksum byte is changed accordingly. The M-Bus specification confirms that this is a correct construction in the protocol as well. The long M-Bus telegram packet analysis yields the same results as in the previous packet capture, with the same shortcomings: a missing repeated opcode byte of 104 in the fourth position, and insufficient duplication to split the long M-Bus telegram line into two, with a second opcode in the fifth byte of either 0x08 or 0x73. Figure 3.12 shows the result of running the protocol learning algorithm on a third packet capture that includes a request for data from the master to the slave. The MBus-specific results - corresponding to rows two and four of the decision tree - are the same as those shown in Figure 3.10, both positive and negative, as explained previously. However, this packet capture included some NetBIOS traffic in addition to the M-Bus traffic, resulting in two additional lines added to the decision tree generated from this packet capture. If the protocol learning algorithm is run on traffic filtered to only include the M-Bus protocol port (6021), the results would match Figure 3.10 exactly. (For the 26 SEVENTH FRAMEWORK PROGRAMME 3.2 AMI Command Network Data - M-Bus Protocol Figure 3.12: Analysis of third M-Bus request data command traffic capture, with NetBIOS traffic previous two packet captures, the full packet capture and the port 6021 filtered results have been identical, given the lack of other, non-M-Bus protocol traffic in those two previous packet captures.) This third packet capture shows the ability of the protocol learning to recognize commonality in another network protocol, in this packet capture. Finally, Figure 3.13 shows the result of running the protocol learning algorithm on a fourth packet capture that includes a request for data from the master to the slave. In this packet capture, the short M-Bus telegram packets exhibited both 0x5b and 0x7b in the second byte, following the opcode byte of 16 (0x10 hex), but not with sufficient repetition to denote the second byte as another opcode, so the second byte is denoted with a “P”. More interestingly, the packet capture includes multiple packets consisting of a data transfer from slave to master, and these three packets are split using a second opcode further into the packet, with detected values of 44, 45, and 46. However, comparing this decision tree with the M-Bus specification yields mixed results. The first issue is that there are now three bytes missing after the two length bytes (as opposed to just one missing byte previously): the repeated opcode byte of 104, the control field of 8 specifying the data transfer from slave to master, and the address field of 0 specifying the default address. On the positive side, the next ten bytes are detected correctly. 114 (0x72 hex) is the common control information field across these packets, denoting a telegram containing data from the master. Following that, the next eight bytes are the same across these packets: four bytes for the M-Bus interface identification number (17 65 71 0), two bytes for the manufacturer ID (66 4), one byte for the version number of the firmware (6), and one byte for the medium (2, denoting “Electricity”). The second issue is that the next byte, detected as an opcode, is the “access number” according to the M-Bus specification. These three unique values could possibly be interpreted as an opcode; more data is required to validate. Lastly, it should be noted that the analysis yielded on the entire packet capture and on filtering for just the M-Bus protocol port (6021) yielded the same result. The last investigation that we conducted using the M-Bus protocol traffic was to aggregate all four packet captures and run the protocol learning algorithm against that FP7-SEC-285477-CRISALIS 27 3 Results of Protocol Learning for AMI Environments Figure 3.13: Analysis of fourth M-Bus request data command traffic capture Figure 3.14: Analysis of aggregated M-Bus protocol traffic higher volume of data, the results of which are shown in Figure 3.14. As was alluded to earlier, with more data the protocol learning algorithm was better able to differentiate the packets that sent data from the master to the slave versus those that sent data from the slave to the master, and the corresponding opcode was detected properly in the fourth byte with values of 8 and 115, respectively. Being able to split on that second opcode enabled more commonality to be determined in the bytes of the master to slave data packets (whereas in previous results there had been a large number of “P” bytes). Furthermore, with the additional data the algorithm was able to combine values for the third “opcode” across the four packet captures (corresponding to the access number in the M-Bus specification, to be precise). However, the additional data did not correct the issue with the missing repeated opcode byte of 104 in the fourth position, and the short M-Bus telegram is not split into two cases (with a second opcode of either 91 or 123), as one might have expected. 3.3 Discussion and Conclusions At a high level, analysis of the DLMS/COSEM protocol traffic and M-Bus protocol command traffic indicate that the heuristics-based protocol learning algorithm is capable of finding commonality across network traffic for these particular AMI protocols. Obviously, further analysis using more data is still required (as well as a comparison to some sort of ground truth for DLMS/COSEM). In the case of the M-Bus protocol traffic, the 28 SEVENTH FRAMEWORK PROGRAMME 3.3 Discussion and Conclusions heuristics-based approach performed generally well when compared to the ground truth of the protocol specification, though there were some issues identified. In the case of the DLMS/COSEM protocol traffic, it was found that the TCP sessions were generally very short and included one or two commands at most. While this was not true of the ICS/SCADA protocol sessions, the protocol learning algorithm could potentially take advantage of this. Also, the position of the message within the TCP session is not reliable for all protocols, and the heuristics-based learning algorithm does not rely upon this anymore. Further investigation of a protocol learning approach that combines the results of both the previous scriptgen approach and the new heuristics-based approach could be interesting when experimenting further with both ICS/SCADA and AMI network data. In our exploration of analysis parameters, the new algorithm is often capable of detecting what appear to be some of the “important” bytes from a relatively small number of packets, though more packet data continues to refine and expand on the initial analyses. Generally speaking, truncating the number of bytes used in the analysis makes the problem more tractable and also enables more readable visualization of the decision tree. It should be noted, however, that when analyzing more bytes from each packet, sometimes commonality is found further into the packet. In terms of readability, there are optimizations that be explored for collapsing the longer strings of random bytes in order to focus attention on the more important opcode bytes where the tree is split. Finally, as a next step, given a decision tree for these protocols, it should then be possible to generate an implementation that would check traffic against this structure. FP7-SEC-285477-CRISALIS 29 4 Conclusion This work extends the protocol learning research conducted previously and presented earlier in deliverable D4.3 (as applied to ICS/SCADA environments) with a heuristicsbased protocol learning approach applied to AMI traffic from two environments containing two AMI protocols, DLMS/COSEM and M-Bus. The challenges discovered in applying protocol-agnostic analysis of network traffic in critical infrastructure contexts are identified and utilized to formulate a different protocol learning approach for these environments. The heuristics-based protocol learning algorithm proceeds sequentially over the bytes of some number of messages in order to identify bytes of relevance to the procotol, such as OPcodes, length fields, and fixed bytes. We explore the approach by analyzing captured network traffic from two AMI environments and present the results of the analyses on different traffic types, including the AMI protocols DLMS/COSEM and M-Bus. When analyzing specifically AMI traffic of the DLMS/COSEM protocol, the heuristics-based analysis produces generally consistent decision trees that help to understand the protocol and associated interactions. When analyzing the AMI traffic of the M-Bus protocol, the heuristics-based analysis identifies a great deal of commonality correctly, when compared to the M-Bus protocol specification, though some issues were uncovered as well. Further validation would be required as part of the incorporation of these analyses for the purposes of network-driven attack detection in work package WP6. 30 Bibliography [1] M. A. Beddoe. Network protocol analysis using bioinformatics algorithms, 2005. [2] G. Bossert, F. Guihéry, G. Hiet, et al. Netzob: un outil pour la rétro-conception de protocoles de communication. In Actes du Symposium sur la sécurité des technologies de l’information et des communications, 2012. [3] W. Cui, V. Paxson, N. Weaver, and R. H. Katz. Protocol-independent adaptive replay of application dialog. In NDSS, 2006. [4] C. Leita. SGNET: automated protocol learning for the observation of malicious threats. PhD thesis, University of Nice-Sophia Antipolis, December 2008. [5] C. Leita and M. Dacier. SGNET: a worldwide deployable framework to support the analysis of malware threat models. In 7th European Dependable Computing Conference (EDCC 2008), May 2008. [6] C. Leita, M. Dacier, and F. Massicotte. Automatic handling of protocol dependencies and reaction to 0-day attacks with scriptgen based honeypots. In Recent Advances in Intrusion Detection, pages 185–205. Springer, 2006. [7] C. Leita, K. Mermoud, and M. Dacier. Scriptgen: an automated script generation tool for honeyd. In Computer Security Applications Conference, 21st Annual, pages 12–pp. IEEE, 2005. [8] S. B. Needleman and C. D. Wunsch. A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of molecular biology, 48(3):443–453, 1970. 31