Elektronika 2009-11.pdf - Instytut SystemÃ³w Elektronicznych

More documents

Recommendations

Info

Knowledge in ontology is represented by: • classes - a general concepts; • properties of these concepts; • individuals - basic entities of concepts. Ontology can be created in OWL language, using Protégé application. There are many tools and software to support ontology functionalities. Knowledge enrichment can be improved by rules in SWRL (Semantic Web Rule Language) [11]. Rules in SWRL applied to OWL ontology give possibility to extend existing knowledge with new properties. This option enables individuals to be reclassified and makes process of filling-up properties of new individuals more automatic. Reasoning about ontology concepts can be provided by semantic reasoners. Relevant knowledge is also given by restrictions: relationships or constraints. Proposition of the ontology In this section our ontology approach with special consideration and emphasis on vulnerabilities is presented. Ontology has been created in OWL-DL language using Protégé 3.4. application. SCADA ontology aims at addressing the following key SCADA issues: • what are vulnerabilities of special SCADA components, architecture or protocols, • how these vulnerabilities affect SCADA resources, • which threats/attacks may occur and what damage they can cause? According to ISO/IEC 13335-1:2004 standard [8] vulnerabilities are considered as a part of network security system. In this approach SCADA resources, components have weak points named vulnerabilities. These vulnerabilities can be exploited by threats, leading to attacks. This security system is depicted into a form of classification with properties and relationships among security issues. Main concepts, which compose main classes of proposed ontology following ISO/IEC 13335-1:2004 standard are: • SCADA systems, • SCADA resources, • vulnerabilities, • threats and attacks, • source of attacks, • safeguards. The proposed hierarchy of ontology classes is presented in Fig. 1. These classes are connected properties. Properties show relations, dependence of one class on another or can represent some attributes. Main classes, named also superclasses have sub-classes. Sub-classes are specifications of super-classes and inherit their features. Going down the hierarchy, lower levels of subclasses make ontology information more detailed. Properties of “Vulnerabilities” class created in Protégé are presented in Fig. 2. Visualization of ontology with some relations between different classes is presented in Fig. 3. Subclasses of main classes are also shown there. Classification of key class of ontology - “Vulnerabilities” has been based on vulnerability description given in [12]. Thus SCADA vulnerabilities are grouped into five sub-classes of “Vulnerabilities” class in proposed ontology: • network Vulnerabilities, • platforms Vulnerabilities, • security and Administration Vulnerabilities, • data vulnerabilities, • architecture Vulnerabilities. These areas of vulnerabilities correspond with particular system components and can be connected with design, implementation, misconfiguration and procedural problems. Hi- Fig. 2. Properties of “Vulnerabilities” class created in Protégé Rys. 2. Właściwości klasy “Vulnerabilities” stworzone w aplikacji Protégé Fig. 3. Main classes visualized in Jambalaya plug-in Rys. 3. Główne klasy zwizualizowane w zakładce Jambalaya Fig. 1. Existing class hierarchy Rys. 1. Istniejąca hierarchia klas Fig. 4. Proposed vulnerabilities classification Rys. 4. Proponowana klasyfikacja podatności 36 ELEKTRONIKA 11/<strong>2009</strong>
erarchy of vulnerability classes with first and second subclasses levels is presented in Fig. 4. Subclasses of “Vulnerabilities” class are also presented in Fig. 5. SCADA systems created as an industry system has its own dedicated communication protocols like Modbus, Profibus or DNP3. These special protocols also produce Vulnerabilities characteristic for them. Classification of these protocols is presented in Fig. 6. Knowledge, which is relevant and useful for cooperation with some security management system, in ontology is provided by individuals - basic objects of classes. Main classes, concepts of vulnerability classification should be fulfilled with individuals. Particular vulnerabilities related with SCADA systems in described ontology are based on “D2.2 - Identification of Vulnerabilities” deliverable of the INSPIRE Project [13]. They are instantiated as individuals in proposed ontology. Although our approach is based on [12], vulnerabilities identified in [13] respond with proposed ontology. Some of these individuals are: Application vulnerabilities (referred to Architectural Vulnerabilities in [12] approach): • advisory CA-2001-07 File Globing Vulnerabilities in Various FTP Servers; • denial of Service in Automated Solutions Modbus TCP Slave; • automated Solutions Modbus TCP Slave ActiveX Control Vulnerability; • citect CitectSCADA ODBC service buffer overflow - CVE- 2008-2639; • GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques. Fig. 5. Subclasses of “Vulnerabilities” class Rys. 5. Podklasy klasy “Vulnerabilities” Operating System Vulnerabilities (referred to Platform Vulnerabilities in [12] approach): • buffer overflows in HP Software Distributor, • privilege escalation in WindowsNT, • buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4, • injection vulnerability in Solaris 10 and 11. Network Vulnerabilities: • stop alarm events using DNP3 protocol, • unauthorized access to DNP3 devices, • unauthorized access to Modbus server information, • NETxAutomation Vulnerabilities, To improve effectiveness of ontology using we applied also rules in SWRL Language. The sample rule is given below: Resources(?x) Resources_has_Vulnerability(?x, ?y) Attacks_exploit_vulnerabilities(?z, ?y) → Attacks_are_realted_with_reacources(?z, ?x) The above rule can be read as: when individuals of “Resources” has “Vulnerabilities” and some “Attacks” exploit these “Vulnerabilities” it implicates that these “Attacks” are related with “Resources”. Rules act on individuals level, but individuals have to be included in the ontology classes. Rules enable adding knowledge to very complicated and complex ontologies, because some properties of concepts can be filled up automatically by particular individuals. Ontology-based INSPIRE Decision Aid Tooltool Ontology shows complicated relationships among SCADA components and security aspects. That is why ontology can support security solutions. However, the ontology is just a representation of relationships between particular classes (or instances) and as it is, can not provide any knowledge based reasoning or give feedback to its operator. The solution is to develop the decision support tool that will map the proposed ontology into set of rules, which will be the input for the inference engine. The engine can be described as a form of finite state machine with a cycle consisting of three action states: • match rules, • select rules, • execute rules. In the “match rule” state the engine searches all rules that are matching the current content data store, which are also called facts. The single fact represents the single property of the real world e.g.: the operator has SCADA network named “ABC” which has vulnerability “CDF” that is mapped to proper state of engine’s data store. The selected rules are the candidates to be executed, but the engine, by applying some selection strategy, determines which rule will be exactly fired. Finally, when the rule is executed, it is being passed the facts. Fig. 6. Protocols of SCADA systems Rys. 6. Protokoły systemów SCADA Fig. 7. Decision-aid tool - logical diagram Rys. 7. Diagram logiczny narzędzia wspomagającego decyzję ELEKTRONIKA 11/<strong>2009</strong> 37
Page 5 and 6: konstrukcje technologie zastosowani
Page 7 and 8: Streszczenia artykułów • Summar
Page 13 and 14: Medical pattern intelligent recogni
Page 15 and 16: Fig. 2. Start graph Z and the set o
Page 17 and 18: Both models are created of the basi
Page 19 and 20: • in some cases in the methods of
Page 21 and 22: 4. Random operators: three types of
Page 23 and 24: useful. In work [1] is stressed, th
Page 25 and 26: Tabl. 1. Fuzzy sets of the objects,
Page 27 and 28: In addition, one has to remember th
Page 29 and 30: The correction of digital images ob
Page 31 and 32: Tabl. 4. MD error before and after
Page 33 and 34: tionship then determines which indi
Page 35 and 36: this goal. A user’s public key au
Page 37 and 38: a) will be or could be broken, or b
Page 39: Ontology-based approach to scada sy
Page 43 and 44: and the set of tasks is divided int
Page 45 and 46: tasks: T 0 , T 4 , T 5 , T 6 and T
Page 47 and 48: According to presented function CSF
Page 49 and 50: The efficient data authentication i
Page 51 and 52: Fig. 3. Example run of three rounds
Page 53 and 54: Fig. 2. Possible scenarios of data
Page 55 and 56: e necessary, in worst case - also s
Page 57 and 58: dicates the number of tasks at the
Page 59 and 60: • information on their state come
Page 61 and 62: • data regarding their identity (
Page 63 and 64: k = 1, 2, ..., m and m is the numbe
Page 65 and 66: more powerful statistical (algorith
Page 67 and 68: Signal to Noise Ratio (PSNR). We pr
Page 69 and 70: [23] W3C - Web Services Glossary -
Page 71 and 72: Associated with every N-point M-dim
Page 73 and 74: The SMS-B system architecture (Sour
Page 75 and 76: Technika próżni i technologie pr
Page 77 and 78: wniosku i w konsekwencji za rok 200
Page 79 and 80: Poniżej przedstawiono krótki kome
Page 81 and 82: Wspomnienie Edward Leja (1937-2009)
Page 83 and 84: Zastosowanie technik immunoenzymaty
Page 85 and 86: z pasty węglowej, zaś odniesienia
Page 87 and 88: [33] Biani A., Centi S. Tombrlli S.
Page 89 and 90: Problemem bowiem w pracach instytut
Page 91 and 92:
1985 - Zdzisław Dorywalski 1986 -
Page 93 and 94:
Rys. 4. Uroczyste wręczanie świad
Page 95 and 96:
Imię i Nazwisko Patenty Wzory uży
Page 97 and 98:
zadań określonych przez użytkown
Page 99 and 100:
Ocena sugerowanych w ankiecie metod
Page 101:
Zaprenumeruj wiedzę fachową 2010
Page 104 and 105:
Radary pasywne - nowa technika radi
Page 106 and 107:
c) stopniowo przesuwać jeden przeb
Page 108 and 109:
W przypadku wykorzystania nadajnika
Page 110 and 111:
kreślić to, że owale Cassiniego
Page 112 and 113:
Dla każdego kierunku odbieranej fa
Page 114 and 115:
chomych, które w ogólnym przypadk
Page 116 and 117:
Rys. 19. Fragment zobrazowania SS3
Page 118 and 119:
Zbigniew Czekała jest projektantem
Page 120 and 121:
• wytypowaniu statków zobowiąza
Page 122 and 123:
• używanie właściwego osprzęt
Page 124 and 125:
W jednomodowym szklanym włóknie t
Page 126 and 127:
Światłowody scyntylacyjne W środ
Page 128 and 129:
Parametry materiałowe szklanego w
Page 130 and 131:
126 ELEKTRONIKA 11/2009
Page 132 and 133:
Literatura [1] Yamane M., Asahara Y
Page 134 and 135:
Rys.1. Przebiegi testowe na wyprowa
Page 136 and 137:
nież pasmo emisji od około 500 MH
show all

Elektronika 2009-11.pdf - Instytut SystemÃ³w Elektronicznych

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?