Autonomic Intelligent Cyber-Sensor to Support Industrial Control Network Awareness
The proliferation of digital devices in a networked industrial ecosystem, along with an exponential growth in complexity and scope, has resulted in elevated security concerns and management complexity issues. This paper describes a novel architecture that uses concepts of autonomic computing and a simple object access protocol (SOAP)-based interface to metadata access points (IF-MAP) external communication layer to create a network security sensor. This approach simplifies integration of legacy software and supports a secure, scalable, and self-managed framework. The contribution of this paper is twofold: 1) a flexible two-level communication layer based on autonomic computing and service-oriented architecture is detailed, and 2) three complementary modules that dynamically reconfigure in response to a changing environment are presented. One module uses clustering and fuzzy logic to monitor traffic for abnormal behavior. Another module passively monitors network traffic and deploys deceptive virtual network hosts. These components of the sensor system were implemented in C++ and PERL and use a common internal D-Bus communication mechanism. A proof-of-concept prototype was deployed on a mixed-use test network, showing possible real-world applicability. In testing, 45 of the 46 network-attached devices were recognized, and 10 of the 12 emulated devices were created with the specified operating system and port configurations. In addition, the anomaly detection algorithm achieved a 99.9% recognition rate. All output from the modules was correctly distributed using the common communication structure.
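The abstract names clustering plus fuzzy logic as the anomaly-monitoring technique but does not show how the two combine. The following is an added illustration, not code from the paper or its authors: per-host traffic feature rows are clustered with k-means during a learning window, each cluster gets a radius from its members, and a new observation receives a fuzzy membership degree in its nearest cluster rather than a hard in/out verdict. The anomaly score is one minus the best membership, and a linguistic label is attached from that score. The feature set (packets per second, mean frame bytes, distinct destination ports), the training rows, the membership shape, the thresholds and the minimum radius are all assumptions chosen for this example.

```python
"""Added example (not from the paper): k-means clustering with fuzzy
membership scoring over constructed per-host traffic feature rows."""
import math
from typing import Callable, Dict, List, Sequence, Tuple

Row = Sequence[float]

# Constructed training set: one row per host observed during a learning
# window, as [packets/s, mean frame bytes, distinct destination ports].
# Three behaviour groups (PLC polling, HMI, historian) are interleaved so
# the first k rows seed k-means with one row from each group. The numbers
# are made up for illustration.
TRAINING: List[Row] = [
    (5, 64, 1), (20, 200, 3), (50, 1400, 2),
    (6, 66, 1), (22, 210, 3), (52, 1380, 2),
    (5, 62, 1), (18, 190, 3), (48, 1420, 2),
    (4, 64, 1), (20, 200, 4), (50, 1400, 3),
]

MIN_RADIUS = 0.05  # floor so a very tight cluster does not flag tiny jitter


def _euclid(a: Row, b: Row) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _scaler(rows: List[Row]) -> Callable[[Row], List[float]]:
    """Min-max scaling fitted on the training rows, so that byte counts do
    not dominate the distance over packet rates and port counts."""
    lo = [min(col) for col in zip(*rows)]
    hi = [max(col) for col in zip(*rows)]

    def scale(row: Row) -> List[float]:
        return [(v - l) / (h - l) if h > l else 0.0
                for v, l, h in zip(row, lo, hi)]
    return scale


def _kmeans(points: List[List[float]], k: int, iterations: int = 100):
    """Plain Lloyd iteration; centroids are seeded with the first k points
    so the result is deterministic for the reader."""
    centroids = [list(p) for p in points[:k]]
    groups: List[List[List[float]]] = [[] for _ in range(k)]
    for _ in range(iterations):
        groups = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda i: _euclid(p, centroids[i]))
            groups[nearest].append(p)
        updated = [[sum(col) / len(g) for col in zip(*g)] if g else centroids[i]
                   for i, g in enumerate(groups)]
        if updated == centroids:
            break
        centroids = updated
    return centroids, groups


def fit(rows: List[Row], k: int = 3) -> Dict:
    """Learn the scaler, the cluster centroids and a radius per cluster
    (largest member distance, floored at MIN_RADIUS)."""
    scale = _scaler(rows)
    points = [scale(r) for r in rows]
    centroids, groups = _kmeans(points, k)
    radii = [max(MIN_RADIUS, max((_euclid(p, c) for p in g), default=0.0))
             for c, g in zip(centroids, groups)]
    return {"scale": scale, "centroids": centroids, "radii": radii}


def score(model: Dict, row: Row) -> Tuple[float, str, int]:
    """Return (anomaly score in [0,1], linguistic label, nearest cluster).
    Membership in a cluster falls linearly from 1 at the centroid to 0 at
    twice the cluster radius; the anomaly score is 1 - best membership."""
    p = model["scale"](row)
    memberships = [max(0.0, 1.0 - _euclid(p, c) / (2.0 * r))
                   for c, r in zip(model["centroids"], model["radii"])]
    best = max(range(len(memberships)), key=memberships.__getitem__)
    anomaly = 1.0 - memberships[best]
    if anomaly < 0.3:
        label = "normal"
    elif anomaly < 0.7:
        label = "suspicious"
    else:
        label = "anomalous"
    return anomaly, label, best


if __name__ == "__main__":
    model = fit(TRAINING)
    # Constructed observations: a typical PLC, a PLC polling faster than
    # usual, and a host touching many ports at a high rate.
    for host, obs in [("plc-typical", (5, 64, 1)),
                      ("plc-faster", (8, 64, 1)),
                      ("many-ports", (500, 60, 40))]:
        s, label, cluster = score(model, obs)
        print(f"{host:12s} score={s:.3f} label={label} cluster={cluster}")
```

The graded output is the point of the fuzzy layer: a host that drifts from its learned profile is reported as "suspicious" with a degree, which an operator or an autonomic policy can act on before the deviation becomes large enough to cross a hard boundary. In a deployment the training rows would come from the sensor's own passive capture, and the radius floor and label thresholds would be tuned on that data rather than the constants used here.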