Emmanuele Zambon @ TU/e
A Comparative Study of ICS Honeypot Deployments
This work investigates how interaction level, network type, and geographic location affect the attractiveness of ICS honeypots. We deploy both low- and high-interaction honeypots, alongside a physical device, across corporate and cloud networks in various geographic regions. We collect and analyze network interactions involving HTTP, S7Comm, and Modbus protocols from 16 honeypots with diverse configurations over a three-month period. Our results show that network type has the largest impact on ICS honeypot traffic, while interaction level and geographic location play a minor role. We also find that low-interaction honeypots capture traffic comparable to high-interaction setups, supporting their use for general threat intelligence.
Frederik Ondrikov, Denis Donadel, Francesco Lupia, Massimo Merro, Emmanuele Zambon, Nicola Zannone
POSTER: SuriCap - A Measurement Platform to Study and Evaluate Intrusion Detection Rule Engineering
We propose the SuriCap measurement platform and organize Jeopardy-style workshops in which participants compete to engineer Suricata rules. We collect a rich dataset consisting of over 364 rules from 28 participants. Preliminary results suggest our experimental design is viable and, together with the SuriCap measurement platform, can enable us to answer several research questions surrounding the engineering process of network intrusion detection rules.
Koen Teuwen, Emmanuele Zambon, Luca Allodi
Ruling the Unruly: Designing Effective, Low-Noise Network Intrusion Detection Rules for Security Operations Centers
In this paper, we characterize the rules in use at a collaborating commercial (managed) SOC serving customers in sectors including education and IT management. During this process, we discover six relevant design principles, which we consolidate through interviews with experienced rule designers at the SOC. We then validate our design principles by quantitatively assessing their effect on rule specificity. We find that several of these design considerations significantly impact the unnecessary workload caused by rules. We show that these design principles can be applied successfully at a SOC to reduce workload whilst maintaining coverage, despite the prevalence of violations of the principles.
Koen Teuwen, Tom Mulders, Emmanuele Zambon, Luca Allodi
On the Effect of Ruleset Tuning and Data Imbalance on Explainable Network Security Alert Classifications: a Case-Study on DeepCASE
In this work, we evaluate the effect of label imbalance on the classification of network intrusion alerts. As our use case we employ DeepCASE, the state-of-the-art method for automated alert classification. We show that label imbalance impacts both the classification performance and the correctness of the classification explanations offered by DeepCASE. We conclude that tuning the detection rules used in SOCs can significantly reduce imbalance and may benefit the performance and explainability offered by alert post-processing methods such as DeepCASE. Our findings suggest that traditional methods to improve the quality of input data can benefit automation.
Koen Teuwen, Sam Baggen, Emmanuele Zambon, Luca Allodi
A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events
In this work, we collaborate with a commercial SOC to develop an alert investigation support tool to help inexperienced analysts identify and collect all the information relevant to the investigation of an alert. We evaluate the prototype tool with two qualitative studies. Our findings suggest that employing the tool helps inexperienced analysts form a more accurate understanding of attacks, at no time cost.
Leon Kersten, Santiago Darré, Tom Mulders, Emmanuele Zambon, Marco Caselli, Chris Snijders, Luca Allodi
Unveiling the Operation and Configuration of a Real-World Bulk Substation Network
In this paper, we perform the first in-depth study of the operation of a large (500 kV) real-world substation automation network. Our work provides a deep-dive discussion of these critical networks in a real-world system and sheds light on their operation, configuration and security.
Keerthi Koneru, Juan Lozano, John Castellanos, Emmanuele Zambon, Alvaro Cardenas
A Methodology to Measure the "Cost" of CPS Attacks: Not all CPS Networks are Created Equal
In this paper, we first define a notion of attack “cost” focusing on the required CPS-specific attacker knowledge. We then identify several context factors that may influence this cost and, finally, provide a methodology to analyze the relation between attack cost and CPS-context factors using past cyberattacks. To validate the methodology in a reproducible way, we apply it to publicly reported CPS incidents with physical impact. Though this constitutes only a small set of attacks, our methodology is able to find correlations between context factors and the attack cost, as well as significant differences in context factors between CPS domains.
Martin Rosso, Emmanuele Zambon, Luca Allodi, Jerry den Hartog
Attacking Operational Technology Without Specialized Knowledge: The Unspecialized OT Threat Actor Profile
In this paper, we profile a new threat actor, referred to as the unspecialized OT attacker, who performs targeted, OT-related cyber-attacks with at most basic generic knowledge. We show the relevance of this threat actor by identifying past OT-related cyber-attacks that match this threat actor profile’s capabilities; we do so by mapping the types of tools used during these cyber-attacks and the knowledge required to use them. To further substantiate our analysis, we investigate readily-available tools that can assist threat actors in performing OT-related cyber-attacks. The combination of our findings highlights the present-day lowered entry level requirements to attack OT environments while limiting the scope of current assumptions.
Stash Kempinski, Savio Sciancalepore, Emmanuele Zambon, Luca Allodi
A Tale of Two Industroyers: It was the Season of Darkness
In this paper, we study two pieces of malware that attempted to create blackouts in Ukraine. Our findings include new malware behavior not previously documented (such as the detailed algorithm for the MMS protocol payload) and an illustration of how attacking different targets will produce different effects.
Luis Salazar, Sebastian Castro, Juan Lozano, Keerthi Koneru, Emmanuele Zambon, Bing Huang, Ross Baldick, Marina Krotofil, Alonso Rojas, Alvaro Cardenas
From Power to Water: Dissecting SCADA Networks Across Different Critical Infrastructures
This paper dissects operational SCADA networks of three essential services: power grids, gas distribution, and water treatment systems. Our analysis reveals some distinct and shared behaviors of these networks, shedding light on their operation and network configuration.
Neil Ortiz, Martin Rosso, Emmanuele Zambon, Jerry den Hartog, Alvaro Cardenas