Modeling and Detection of Grayhole Attacks on the GOOSE Protocol Using the ERENO Framework

  • Jerusa C. Gonçalves UFU
  • Silvio E. Quincozes UFU / UNIPAMPA
  • Vagner E. Quincozes UFF
  • Juliano F. Kazienko UFSM

Abstract

The growing need to strengthen cybersecurity in critical infrastructure, specifically in electrical substations that communicate through the Generic Object Oriented Substation Event (GOOSE) protocol, requires effective techniques for threat detection and prevention. This protocol is defined by the IEC-61850 standard and protects physical devices by notifying events such as electrical faults. However, its adoption opens the way to the exploitation of vulnerabilities through attacks whose signatures need to be mapped. There is a gap in the literature regarding the lack of signatures for the Grayhole attack. This paper proposes the modeling and implementation of that attack against the GOOSE protocol. In addition, the model is incorporated into ERENO, a framework for generating intrusion datasets. The effectiveness of the resulting dataset is validated with five machine learning algorithms, most notably the J48 algorithm, which achieved an F1-Score of 90.68%.

Published
18/09/2023
GONÇALVES, Jerusa C.; QUINCOZES, Silvio E.; QUINCOZES, Vagner E.; KAZIENKO, Juliano F. Modelagem e Detecção de Ataques Grayhole ao Protocolo GOOSE usando o Framework ERENO. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 23., 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 417-430. DOI: https://doi.org/10.5753/sbseg.2023.233550.
