Threat Detective: Cyber Physical Protection
The Navy faces cyber threats from adversaries who grow more capable and persistent every day. The stakes are high: if an attacker targets a critical control system, the consequences could be millions of dollars in damage, injury, or even loss of life. In order to develop defenses against these attacks, we developed a rapid-testing network security platform. The platform has three components: simulation, data collection, and threat detection. After selecting a system to test, simulation is accomplished by constructing a threat detection model using Node-RED software. Next, realistic network traffic can be collected and logged in a database using the ELK stack. Our demonstration showcases a model communicating by the Modbus protocol, a legacy networking protocol that is still widely used despite glaring security vulnerabilities. We collect and analyze network traffic generated from simulated attacks. Our example uses the TCP SYN flood denial-of-service attack. The last step is threat detection, which we plan to accomplish via machine learning using the Amazon SageMaker service. By training the machine learning agent on network traffic generated from the model, we can establish a baseline for normal network activity and raise alarms when anomalies are detected.
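As an added illustration of the final step (example code written for this page, not part of the Threat Detective project), the following Python detector learns a baseline SYN rate toward the Modbus/TCP port from seconds known to be benign and raises an alarm when a one-second window exceeds it. The flow records, IP addresses and the `min_rate` guard are constructed assumptions, not data from the demonstration.

```python
from collections import Counter
from statistics import mean, pstdev

MODBUS_PORT = 502  # Modbus/TCP listens here; the simulated PLC is the target

# Constructed sample flow records (timestamp in seconds, source IP, TCP flags).
# Seconds 0-9 are normal polling; seconds 10-11 carry a simulated SYN flood.
SAMPLE_FLOWS = (
    [{"ts": t, "src": "10.0.0.5", "dport": MODBUS_PORT, "flags": "S"} for t in range(10)]
    + [{"ts": t, "src": "10.0.0.5", "dport": MODBUS_PORT, "flags": "A"} for t in range(10)]
    + [{"ts": 10 + i / 200, "src": "10.0.0.99", "dport": MODBUS_PORT, "flags": "S"}
       for i in range(400)]
)


def syn_rate_per_second(flows, port=MODBUS_PORT):
    """Count bare SYNs (new connection attempts) to `port` in each one-second bucket."""
    counts = Counter()
    for f in flows:
        if f["dport"] == port and f["flags"] == "S":
            counts[int(f["ts"])] += 1
    return counts


def fit_baseline(rates, training_seconds):
    """Learn mean and standard deviation of the SYN rate over benign seconds."""
    samples = [rates.get(s, 0) for s in training_seconds]
    return mean(samples), pstdev(samples)


def top_syn_source(flows, second, port=MODBUS_PORT):
    """Return the source IP that sent the most SYNs to `port` during `second`."""
    per_src = Counter(f["src"] for f in flows
                      if f["dport"] == port and f["flags"] == "S" and int(f["ts"]) == second)
    return per_src.most_common(1)[0][0] if per_src else None


def detect_syn_flood(flows, training_seconds, k=3.0, min_rate=20):
    """Return alarms (second, syn_count) where the rate exceeds mean + k*stddev.

    `min_rate` (an assumed floor) stops a zero-variance baseline from flagging
    a single extra connection attempt as a flood.
    """
    rates = syn_rate_per_second(flows)
    mu, sigma = fit_baseline(rates, training_seconds)
    threshold = max(mu + k * sigma, min_rate)
    return [(sec, n) for sec, n in sorted(rates.items()) if n > threshold]


if __name__ == "__main__":
    for sec, n in detect_syn_flood(SAMPLE_FLOWS, range(10)):
        print(f"ALARM second={sec} syn={n} top_src={top_syn_source(SAMPLE_FLOWS, sec)}")
```

The same windowed features (SYN count per second, dominant source) are what one would export from the ELK store as training rows for the SageMaker model.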