A System to Enable Efficient Forensic Analysis of Industrial Systems Through Classification

IP.com Disclosure Number: IPCOM000234109D
Publication Date: 2014-Jan-13
Document File: 6 page(s) / 220K

Publishing Venue

The IP.com Prior Art Database

Abstract

After a security incident on a computer in an industrial control system (ICS), such as a hacking attack or a malware infection, forensic analysis is used to determine the nature and the extent of the incident by analyzing the machine's content. The goal, after having removed the malware, is to determine whether the malicious software (e.g., malware, trojans, viruses) has been completely removed from the system and whether the installed applications have remained unaffected, i.e., the virus did not spread to additional files. Because many files change during the normal operation of a machine in an ICS environment, a significant number of files will no longer be recognized as safe and legitimate during a forensic analysis, which in turn requires a significant amount of work to manually verify every file marked as changed, even though these files changed through normal operation of the system and not through malicious activity. The novel feature is to apply a process with several stages to classify all files on a machine, where each stage uses a different technique to identify and classify files. Files not identified by a stage are sent to the next stage for further processing. As the files being checked progress through the stages, more and more of them are identified and classified, and only files that could not be identified by any stage are output by the last stage. This will typically be a fraction of all files, significantly reducing the number of files that need to be checked manually. This reduces the time required to analyze an infected system and to restore it, reducing downtime and knock-on effects on the industrial process, and also enables detecting possible tampering with legitimate files.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 21% of the total text.

Page 01 of 6

ID CH-1316901

A System to Enable Efficient Forensic Analysis of Industrial Systems Through Classification

1 Background

Computers used in industrial control systems (ICS) such as 800xA are often general-purpose computers running regular operating systems (e.g., Windows) and are therefore exposed to the same threats, such as hacking attacks, trojans, viruses, etc.

Once a machine in an ICS has been compromised, it needs to be identified, examined, restored to a secure state, and then verified and tested. This can be a lengthy process, and can also affect the industrial process the machine is a part of, up to the point that the industrial process needs to be stopped until the machine has been restored.

2 Statement of problem

After a security incident on a computer in an industrial control system, such as a hacking attack or a malware infection, forensic analysis is used to determine the nature and the extent of the incident by analyzing the machine's content. The goal, after having removed the malware, is to determine whether the malicious software (e.g., malware, trojans, viruses) has been completely removed from the system and whether the installed applications have remained unaffected, i.e., the virus did not spread to additional files.

The procedure in traditional forensic analysis is to inspect the files on a system by verifying their cryptographic signature, if one exists. However, many files carry no such signature, as signing is typically optional. Because it is difficult to determine whether a missing signature was removed by the virus or was never provided by the software vendor, another technique is used: files without a signature are hashed (using cryptographic hashes such as MD5, SHA-1, etc.), and the hash is compared to a database of hashes of known good files. All files whose hashes are listed in the database are considered safe, as they have not been modified.

On a computer in an ICS, however, stored data changes continuously and dynamically: process data is recorded and stored, configuration parameters are changed, and events are generated, modifying many legitimate files in the process. One property of cryptographic hash algorithms such as MD5 or SHA-1 is that a difference of only one bit changes the hash completely, pseudo-randomly flipping about half of the output bits on average, so that a file is no longer recognized as a trusted or known good file.

Because many files change during the normal operation of a machine in an ICS environment, a significant number of files will no longer be recognized as safe and legitimate during a forensic analysis, which in turn requires a significant amount of work to manually verify every file marked as changed, even though these files changed through normal operation of the system and not through malicious activity.
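The staged classification the disclosure describes, as an added Python example that is not from the disclosure itself: stage 1 is the known-good hash lookup from the text above, stage 2 (a rule for directories whose contents normal operation rewrites) is an assumed stage added for illustration, the file set and known-good database are constructed, and bit_flip_fraction measures the avalanche effect of a one-bit change mentioned above.

```python
import hashlib

# Constructed sample files (path -> content) standing in for an ICS machine's disk.
FILES = {
    "C:/ICS/bin/control.exe":  b"MZ control program build 1",
    "C:/ICS/bin/hmi.dll":      b"MZ hmi library build 1",
    "C:/ICS/data/process.log": b"2014-01-13 10:00 valve=open\n",
    "C:/ICS/data/alarms.db":   b"alarm 1\nalarm 2\n",
    "C:/ICS/bin/updater.exe":  b"MZ unknown binary",
}

# Constructed known-good database: SHA-256 of the unmodified vendor binaries.
KNOWN_GOOD = {hashlib.sha256(FILES[p]).hexdigest()
              for p in ("C:/ICS/bin/control.exe", "C:/ICS/bin/hmi.dll")}

# Assumed stage-2 rule: directories where normal operation rewrites data (process
# records, event logs). A hit only says the change is expected, not that the content
# is benign; a real deployment would keep this list tight and audit it.
VOLATILE_DIRS = ("C:/ICS/data/",)

def stage_known_hash(files):
    """Stage 1: identify files whose hash is in the known-good database."""
    hits = {p: "known-good hash" for p, d in files.items()
            if hashlib.sha256(d).hexdigest() in KNOWN_GOOD}
    return hits, {p: d for p, d in files.items() if p not in hits}

def stage_volatile_path(files):
    """Stage 2: identify files that live where normal operation rewrites data."""
    hits = {p: "expected volatile data" for p in files if p.startswith(VOLATILE_DIRS)}
    return hits, {p: d for p, d in files.items() if p not in hits}

def classify(files, stages=(stage_known_hash, stage_volatile_path)):
    """Run the stages in order; whatever no stage identified is output for manual review."""
    identified, remaining = {}, dict(files)
    for stage in stages:
        hits, remaining = stage(remaining)
        identified.update(hits)
    return identified, sorted(remaining)

def bit_flip_fraction(data):
    """Share of SHA-256 digest bits that change when one input bit is flipped (data non-empty)."""
    h1 = int(hashlib.sha256(data).hexdigest(), 16)
    h2 = int(hashlib.sha256(bytes([data[0] ^ 1]) + data[1:]).hexdigest(), 16)
    return bin(h1 ^ h2).count("1") / 256

if __name__ == "__main__":
    known, manual = classify(FILES)
    print("identified:", known)
    print("needs manual review:", manual)
    print("digest bits changed by a 1-bit edit:", bit_flip_fraction(FILES["C:/ICS/bin/hmi.dll"]))
```

Of the five constructed files only the unknown binary reaches the manual-review output, which is the reduction the disclosure aims for.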


The use of simple, regular hashing in the forensic analysis in such an environment...