http://dx.doi.org/10.13089/JKIISC.2017.27.1.25

Anomaly Detection Using Visualization-based Network Forensics

Jo, Woo-yeon (Ajou University)
Kim, Myung-jong (Ajou University)
Park, Keun-ho (Ajou University)
Hong, Man-pyo (Ajou University)
Kwak, Jin (Ajou University)
Shon, Taeshik (Ajou University)
Abstract
Many security threats are occurring around the world because of the characteristics of industrial control systems, where a security incident can cause serious damage, including to major national infrastructure. Industrial control system network traffic should therefore be analyzed so that an attack can be identified in advance, or incident response can be performed after an incident. In this paper, we study visualization as a network forensics technique that enables reasonable suspicion of every possible attack on the DNP3 control system protocol; we define rules based on normal behavior and derive visualization requirements from them. As a result, we developed a visualization tool that, from packet files captured on an industrial control system network, can detect sudden changes in network traffic such as DDoS as well as attacks that contain anomalous behavior. Using the visualization tool with the Digital Bond packet captures, suspicious behavior in the industrial control system network can be found.
Keywords
Industrial Control System; Industrial IoT; Visualization; Network Forensics; DNP3