A library of ICS network anomaly detection methods.
Software library of algorithms, including their demonstration on the attached data for the detection of anomalies in ICS network traffic. The library processes input data in PCAP format and implements various methods for creating a profile of normal communication and detection of possible deviations. The library consists of methods based on various principles of communication modeling, especially automata, statistical methods, and machine learning.
Rather than a single software library, the project is a collection of software components that implement the different anomaly detection methods applicable to the ICS domain. The following methods are implemented:
- DETANO is an automated method that builds an ICS communication profile in the form of a probabilistic automaton and uses this automaton to detect deviations from the normal profile.
- StatProf creates a statistical profile for ICS communication, which is used to detect differences in communication patterns. The method calculates traffic statistics based on selected properties of the monitored communication.
- IMADICS combines a set of ML-based methods (K-means, PCA, Gaussian, Singular Spectrum Analysis) for profile calculation from the network communication of various ICS protocols. The methods provide algorithms for learning the profile and applying it to the observed communication.
The individual projects can be compiled on Linux once the dependencies are installed.
The methods have the following dependencies:

| Package | Documentation |
|---|---|
| python38 | https://www.python.org/downloads/release/python-380/ |
| .NET 5.0 | https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu |
The setup assumes Ubuntu 20.04 LTS, but it can be adapted to other Linux distributions too. The necessary dependencies can be installed using the environment installation script `setup-environment.sh`.
It is also possible to develop on a host running Microsoft Windows 10 with WSL enabled. For instance, this is useful in combination with Visual Studio Code, which can connect remotely to the Linux instance. Contrary to Vagrant, it is not necessary to set up file sharing, as this is done automatically by the operating system and WSL.

- Set up WSL2 and install Ubuntu 20.04 LTS (https://wiki.ubuntu.com/WSL).
- Install the necessary dependencies (see the `setup-environment.sh` script).
- Open a WSL shell or run Visual Studio Code in WSL using the Remote WSL extension (https://code.visualstudio.com/docs/remote/wsl-tutorial).
Alternatively, it is possible to use Multipass, which provides a virtual Linux environment suitable for development and testing. Steps:

- Install Multipass for your OS (https://multipass.run/).
- Create a VM and show its properties, e.g., the assigned IP address:

  ```sh
  multipass launch -n bonnet focal
  multipass info bonnet
  ```

- Set up sharing of the project folder on the host with the VM:

  ```sh
  multipass mount <PROJECT_FOLDER> bonnet:/mnt/bonnet
  ```

- Connect to the VM and go to the project folder:

  ```sh
  multipass shell bonnet
  cd /mnt/bonnet
  ```

- Execute the environment setup script:

  ```sh
  chmod a+x setup-environment.sh
  ./setup-environment.sh
  ```

After completing all the previous steps, the environment is prepared to compile the library. The project is mounted in the VM at the folder `/mnt/bonnet`.
Additionally, it is possible to configure Visual Studio Code Remote Development (https://code.visualstudio.com/docs/remote/ssh#_getting-started). The key step is to enable SSH access to the created VM.
When a VM is created, Multipass generates a key pair for SSH access. These keys are not located in the user folder but in a system location. Depending on the OS, they are at the following paths:

| OS | Path |
|---|---|
| MacOS | /var/root/Library/Application\ Support/multipassd/ssh-keys/id_rsa |
| Windows | C:\Windows\System32\config\systemprofile\AppData\Roaming\multipassd\ssh-keys |
- First, test the SSH connection:

  ```sh
  sudo ssh -i /var/root/Library/Application\ Support/multipassd/ssh-keys/id_rsa ubuntu@<VM-IP-ADDRESS>
  ```

- The private key cannot be used from the system location as a regular user. It is necessary to copy it to the `~/.ssh` folder and change its owner:

  ```sh
  sudo cp /var/root/Library/Application\ Support/multipassd/ssh-keys/id_rsa ~/.ssh/id_rsa_bonnet
  sudo chown <USER> ~/.ssh/id_rsa_bonnet
  ```

- Modify the SSH client configuration file `~/.ssh/config` by adding the following lines:

  ```
  Host bonnet
      HostName <VM-IP-ADDRESS>
      User ubuntu
      IdentityFile ~/.ssh/id_rsa_bonnet
  ```

- In Visual Studio Code, install the Remote Development extension pack (https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack) and run the Remote-SSH: Connect to Host... command to establish the connection with the VM.
- A new Visual Studio Code window opens, connected to the bonnet VM. Open the folder `/mnt/bonnet` to access the project.
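The Multipass and SSH steps above, gathered into a small POSIX shell script as an added example (this is not part of the project): it reads the VM address from `multipass info`, tightens the permissions of the copied key (ssh ignores a private key that is readable by other users, so `chown` alone is not always enough), and appends the `Host` block to `~/.ssh/config` without creating duplicates. The VM name `bonnet` and the key path follow the text; the `SAMPLE_INFO` text is constructed so the extraction step can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the project: automates the Multipass SSH setup
# steps above. Assumes the VM is named "bonnet", the key has already been
# copied to ~/.ssh/id_rsa_bonnet, and `multipass info` prints an "IPv4:" line.
set -eu

# Constructed sample of `multipass info bonnet` output, used for offline demo.
SAMPLE_INFO='Name:           bonnet
State:          Running
IPv4:           192.168.64.5
Release:        Ubuntu 20.04.6 LTS
Mounts:         /home/user/project => /mnt/bonnet'

# Print the first IPv4 address from `multipass info` text read on stdin.
extract_vm_ip() {
    awk '/^IPv4:/ { print $2; exit }'
}

# Run the extractor over the constructed sample (no multipass needed).
demo_extract_ip() {
    printf '%s\n' "$SAMPLE_INFO" | extract_vm_ip
}

# Coarse dotted-quad check so a garbled line never ends up as a HostName.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Make the copied private key usable: ssh ignores keys readable by others.
secure_private_key() {
    [ -f "$1" ] || { echo "missing key file: $1" >&2; return 1; }
    chmod 600 "$1"
}

# Append a Host block to an ssh_config file ($1) for alias $2, IP $3, key $4.
# Refuses duplicate aliases (exit 2) and keeps the config private (mode 600).
write_ssh_host_entry() {
    is_ipv4 "$3" || { echo "invalid IPv4 address: $3" >&2; return 1; }
    if [ -f "$1" ] && grep -Eq "^Host[[:space:]]+$2\$" "$1"; then
        echo "alias '$2' already present in $1" >&2
        return 2
    fi
    (
        umask 077
        {
            printf 'Host %s\n' "$2"
            printf '    HostName %s\n' "$3"
            printf '    User ubuntu\n'
            printf '    IdentityFile %s\n' "$4"
        } >> "$1"
    )
    chmod 600 "$1"
}

# Live usage (requires multipass on the host):
#   ip=$(multipass info bonnet | extract_vm_ip)
#   secure_private_key ~/.ssh/id_rsa_bonnet
#   write_ssh_host_entry ~/.ssh/config bonnet "$ip" ~/.ssh/id_rsa_bonnet
#   ssh bonnet
```

The duplicate check matters because Multipass assigns the VM address dynamically; rerunning the setup after a VM recreation should update the existing `Host bonnet` entry rather than silently append a second one that OpenSSH would then ignore (the first matching block wins).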
This project was supported by grant VI20192022138.