Among many hacking attempts carried out in the past few years, the cyber-attacks that could have caused a national-level disaster were the attacks against nuclear facilities including nuclear power plants. The most typical one was the Stuxnet attack against Iranian nuclear facility and the cyber threat targeting one of the facilities operated by Korea Hydro and Nuclear Power Co., Ltd (Republic of Korea; ROK; South Korea). Although the latter was just a threat, it made many Korean people anxious while the former showed that the operation of nuclear plant can be actually stopped by direct cyber-attacks. After these incidents, the possibility of cyber-attacks against industrial control systems has become a reality and the security for these systems has been tightened based on the idea that the operations by network-isolated systems are no longer safe from the cyber terrorism. The ROK government has established a realistic control systems defense concept and in the US, the relevant authorities have set up several security frameworks to prepare for the threats. At the same time, Smart Grids are not an exception any longer. Thus, in this chapter, the security tests have been tested under the Smart Grid environment and several DDoS (Distributed Denial of Service) attack scenarios were developed for experiments.
Top2. Implementation Of Graphic Based Network Intrusion Detection System For Ami Application Using Java
Figure 1 shows the description of UML of our system and here, Tray Class will be executed first in Background once the program has started. At the same time, PacketCapture Class and UI Class will also be called upon internally. For PacketCapture Class, when a packet has been captured, ReceivePacket function will be summoned to analyze the packet. By analyzing IP header, ReceivePacket function reads and stores information such as its version, protocol, source and destination of the packet, and after determining the Flag type, redundancy check will be performed, after which Node Class is generated to store the information. Subsequently, in CheckStrangeIP, if it becomes suspicious that the packet originating from People's Republic of China or North Korea is harmful, the contents will be displayed on the screen to determine the possibility of DDoS attack - the core function of this program. The threshold value can be calculated in Realtime by analyzing all the received packets every 5 seconds using IsFlooding Class. Should the incoming packet has been judged to have exceeded the value, the program will show the user a Warning Window with ShowMessageListener() function of Tray Class (Huh et al, 2015).
Figure 1. Graphic based NIDS’ UML for AMI
For UI Class, total packet send/receive volume of the computer in use, protocol packets mainly used (e.g. TCP, UDP and ICMP) for DDoS attacks, and received volume of the packets judged to be the harmful ones will be generated/displayed with the graphs. In ConnectURL Class, based on the IPs entered on the UI window by the user, locations of suspicious IPs will be displayed on the Google map using IP location tracking service provided by the Korea Internet Security Agency (KISA).
Figure 2 is a user interface of this detection system. This user interface is coded with Java language to carry light amount of resources so that when it interworks with other programs in real-time, the system's operation will not be effected. Additionally, the interface is divided into 8 domains to assist the users with less background knowledge in computer networks. Description of each domain is as follows:
Figure 2. The user interface of the graphic based NIDS for AMI
Domain 1, the interface shows the Send/Receive packet traffic volumes with a graphic mode. To be more specific, Domain 1 generates the volume of all incoming/outgoing packets through servers.
In Domain 2, the graphic chart of the strange IP packet traffic volumes will be indicated. It detects TCP, UDP or ICMP Flooding attack packets during the DDoS attack identifying the patterns and outputs their extent of seriousness with graphs. By analyzing each packet pattern and considering the volume of the packets collected in real-time, the program updates the threshold value periodically. After setting the calculated threshold value as 100%, the server notifies the administrator about the possibility of DDoS attack if the number of collected packets exceed the set value, regarding them as abnormal traffics.