Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis

Claude Fachkha, Elias Bou-Harb, Anastasis Keliris, Nasir Memon, Mustaque Ahamad

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Although the security of Cyber-Physical Systems (CPS) has been recently receiving significant attention from the research community, undoubtedly, there still exists a substantial lack of a comprehensive and a holistic understanding of attackers’ malicious strategies, aims and intentions. To this end, this paper uniquely exploits passive monitoring and analysis of a newly deployed network telescope IP address space in a first attempt ever to build broad notions of real CPS maliciousness. Specifically, we approach this problem by inferring, investigating, characterizing and reporting large-scale probing activities that specifically target more than 20 diverse, heavily employed CPS protocols. To permit such analysis, we initially devise and evaluate a novel probabilistic model that aims at filtering noise that is embedded in network telescope traffic. Subsequently, we generate amalgamated statistics, inferences and insights characterizing such inferred scanning activities in terms of their probe types, the distribution of their sources and their packets’ headers, among numerous others, in addition to examining and visualizing the co-occurrence patterns of such events. Further, we propose and empirically evaluate an innovative hybrid approach rooted in time-series analysis and context triggered piecewise hashing to infer, characterize and cluster orchestrated and well-coordinated probing activities targeting CPS protocols, which are generated from Internet-scale unsolicited sources. Our analysis and evaluations, which draw upon extensive network telescope data observed over a recent one month period, demonstrate a staggering 33 thousand probes towards ample of CPS protocols, the lack of interest in UDP-based CPS services, and the prevalence of probes towards the ICCP and Modbus protocols. Additionally, we infer a considerable 74% of CPS probes that were persistent throughout the entire analyzed period targeting prominent protocols such as DNP3 and BACnet. Further, we uncover close to 9 thousand large-scale, stealthy, previously undocumented orchestrated probing events targeting a number of such CPS protocols. We validate the various outcomes through cross-validations against publicly available threat repositories. We concur that the devised approaches, techniques, and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents.

Original languageEnglish (US)
Title of host publication24th Annual Network and Distributed System Security Symposium, NDSS 2017
PublisherThe Internet Society
ISBN (Electronic)1891562460, 9781891562464
StatePublished - 2017
Event24th Annual Network and Distributed System Security Symposium, NDSS 2017 - San Diego, United States
Duration: Feb 26 2017Mar 1 2017

Publication series

Name24th Annual Network and Distributed System Security Symposium, NDSS 2017


Conference24th Annual Network and Distributed System Security Symposium, NDSS 2017
Country/TerritoryUnited States
CitySan Diego

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis'. Together they form a unique fingerprint.

Cite this