The objective of this work is to propose and develop a cybersecurity monitoring architecture for industrial systems. To that end, a monitoring architecture for industrial systems was developed that stands out for being modular and for facilitating the integration of different devices and technologies from the industrial sector. The architecture contributes to cybersecurity in industrial systems and to mitigating the damage caused by cyber attacks and anomalies.
In situations where the alert generated by OSSEC is related to external access, such as HTTP, SSH and FTP connections, it is useful to know the physical location of the devices involved. The visualization reveals the location of, and the link between, the source and destination addresses of each connection. It can be seen in the map in Figure \ref{fig:mapa_hosts} that a large part of the connections depart from North American regions bound for South Korea. If such connections are found to be part of a mass attack on a network or device, a palliative measure would be to establish a firewall rule blocking any connection originating from the North American region.
The communication model of the Modbus protocol is of the master-slave type, in which only the master device can issue data requests to the slave devices. The visualization allows the communication flow between the devices of the industrial Modbus network to be observed. Thus, we can deduce that in the data set used, the IP address "141.81.0.10" is the master device, and that it receives all the data flow from the slave devices. A possible anomaly could be identified if a slave device starts to respond to a malicious master device.
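As an added example (not code from the paper), the following script applies the reasoning above to Modbus/TCP flow summaries: it infers the master as the host that issues most requests to TCP port 502, then flags any slave response addressed to a different host. The master address "141.81.0.10" is taken from the text; the other addresses and the flow records are constructed for this example.

```python
from collections import Counter, defaultdict

MODBUS_PORT = 502

# Constructed sample of Modbus/TCP flows as (src_ip, src_port, dst_ip, dst_port).
# Only "141.81.0.10" comes from the paper; the rest are made-up for the example.
SAMPLE_FLOWS = [
    ("141.81.0.10", 49152, "141.81.0.21", 502),  # request: master -> slave .21
    ("141.81.0.21", 502, "141.81.0.10", 49152),  # response: slave .21 -> master
    ("141.81.0.10", 49153, "141.81.0.22", 502),
    ("141.81.0.22", 502, "141.81.0.10", 49153),
    ("141.81.0.10", 49154, "141.81.0.23", 502),
    ("141.81.0.23", 502, "141.81.0.10", 49154),
    ("10.0.0.99", 40000, "141.81.0.22", 502),    # unexpected host polling slave .22
    ("141.81.0.22", 502, "10.0.0.99", 40000),    # slave .22 answering that host
]


def infer_masters(flows, min_share=0.5):
    """Hosts that issue at least `min_share` of all Modbus requests.

    A request is any packet whose destination port is 502; in a healthy
    master-slave network a single host should dominate this count.
    """
    requesters = Counter(src for src, _sp, _dst, dp in flows if dp == MODBUS_PORT)
    total = sum(requesters.values())
    return {ip for ip, n in requesters.items() if total and n / total >= min_share}


def find_rogue_requesters(flows, masters):
    """Hosts sending Modbus requests that are not among the inferred masters."""
    return sorted({src for src, _sp, _dst, dp in flows
                   if dp == MODBUS_PORT and src not in masters})


def find_rogue_responses(flows, masters):
    """Slave responses (source port 502) addressed to a host outside `masters`.

    Returns {unexpected_destination: [responding slaves]}: the anomaly the
    text describes, a slave answering someone other than the legitimate master.
    """
    rogue = defaultdict(list)
    for src, sp, dst, _dp in flows:
        if sp == MODBUS_PORT and dst not in masters:
            rogue[dst].append(src)
    return dict(rogue)


if __name__ == "__main__":
    masters = infer_masters(SAMPLE_FLOWS)
    print("inferred master(s):", masters)
    print("rogue requesters:", find_rogue_requesters(SAMPLE_FLOWS, masters))
    print("slaves answering non-masters:", find_rogue_responses(SAMPLE_FLOWS, masters))
```

On a real capture the tuples can be produced from any packet summary that exposes IP addresses and TCP ports; the 50% threshold is an assumption that should be tuned to the site's polling pattern.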
The figure shows a time series visualization in which time is related to the amount of TCP and UDP network traffic. The distribution of the number of packets over time can help to identify anomalies or behavioural deviations. For example, cyber attacks that generate large packet flows can be easily identified in such a view.
This public repository contains log records and network traffic captures. Such files can be used for analysis and study, but there is no direct classification of the devices or of the characteristics of the files. The set of files in this repository is a collection gathered from websites and other repositories across the Internet. Link => https://github.com/rmmenezes/logsNetworksHosts