Corpus ID: 36706910

A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin

  title={A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin},
  author={J. Rrushi and H. Farhangi and C. Howey and K. Carmichael and Joey Dabell},
While most of the current research focus is rightfully put on finding and mitigating vulnerabilities in industrial control systems (ICS), the opposite angle, namely researching operational weaknesses or unintelligent decisions of ICS malware that make them susceptible to detection, defensive entrapment, and forensics at large, is lesser explored. In this paper we perform a quantitative evaluation of the ability of Havex ICS malware plugin to correctly discover and query its target industrial… Expand

Figures from this paper

ProvUSB: Block-level Provenance-Based Data Protection for USB Storage Devices
This work presents ProvUSB, an architecture for fine-grained provenance collection and tracking on smart USB devices that imposes a one-time 850 ms overhead during USB enumeration, but approaches nearly-bare-metal runtime performance on larger files during normal execution, and less than 0.1% storage overhead for provenance in real-world workloads. Expand
Control Behavior Integrity for Distributed Cyber-Physical Systems
Scadman is presented, a novel control-logic aware anomaly detection system for distributed cyber-physical systems that can detect a wide range of attacks–including attacks that have previously been undetectable by typical state estimation techniques–while causing no false-positive warning for nominal threshold values. Expand
Tell Me More Than Just Assembly! Reversing Cyber-Physical Execution Semantics of Embedded IoT Controller Software Binaries
MISMO performs semantic-matching at an algorithmic level that can help with the understanding of any possible cyber-physical security flaws and can accurately extract the algorithm-level semantics of the embedded binary code and data regions. Expand
MimePot: a Model-based Honeypot for Industrial Control Networks
Compared to classic honeypots, MimePot offers a model-based approach: it is able to simulate physical processes to lure skilled attackers targeting industrial plants and uses the Software Defined Networking (SDN) technology to provide a consistent future proof security approach. Expand
CPAC: securing critical infrastructure with cyber-physical access control
CPAC is presented, a cyber-physical access control solution to manage complexity and mitigate threats in cyber- physical environments, with a focus on the electrical smart grid and can analyze potential component failures for arbitrary component failures, far beyond the capabilities of currently deployed systems. Expand
Watch Me, but Don't Touch Me! Contactless Control Flow Monitoring via Electromagnetic Emanations
Zeus, a contactless embedded controller security monitor, is presented to ensure its execution control flow integrity and was able to distinguish between different legitimate and malicious executions with 98.9% accuracy and with zero overhead on PLC execution by design. Expand
A11 Your PLCs Belong to Me: ICS Ransomware Is Realistic
ICS-BROCK is presented, a full-fledged ICS ransomware that can compromise a real-world water treatment environment and some suggestions are given to aid in future study and defenses. Expand
PAtt: Physics-based Attestation of Control Systems
PAtt is presented, a system that combines re-mote software attestation with control process validation that enables the detection of attackers that manipulate the PLC logic to change process state and/or report spoofed sensor readings (with an accuracy of 97% against tested attacks). Expand
Physical System ( Power Grid ) Central Control HMI Operator Sensor / Actuator HMI : Human-Machine Interface
Trustworthy operation of industrial control systems (ICS) depends on secure code execution on the embedded programmable logic controllers (PLCs). The controllers monitor and control the underlyingExpand
A multilevel cybersecurity and safety monitor for embedded cyber-physical systems: WIP abstract
This work presents a multilevel monitor architecture cybersecurity approach applied to a flight control system (FCS), and develops formal framework for the architecture using Event Calculus to define the interactions among the monitors and the system under observation. Expand


Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware
This work has undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods, which is used to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems. Expand
Detecting System Emulators
A number of possibilities to detect system emulators are analyzed and it is shown that emulation can be successfully detected, mainly because the task of perfectly emulating real hardware is complex. Expand
Pragmatics of measuring recognition memory: applications to dementia and amnesia.
Four theoretical models of yes-no recognition memory are described and their associated measures of discrimination and response bias are presented and the indices from the acceptable models are used to characterize recognition memory deficits in dementia and amnesia. Expand
Signal detection theory as data analysis method and psychological decision model
This novel representation of a floating point number allows a large trade-off to be made between accuracy and exponent range within the bounds of a single fixed-length data word. Expand
Alternatives to a table of criterion values in signal detection theory
A short computer program is provided to calculate β and the sensitivity indexd’, which summarizes the criteria values related to hit and false-alarm rates in signal detection theory. Expand
Havex, It’s Down With OPC”, Available online at 2014/07/havex-its-down-with-opc.html
  • 2014
Detection and Estimation Theory