Detection/Interdiction of Malware Carried by Application-Layer AMI Protocols
Malware could hide in the payloads of standard application-layer protocols such as ANSI C12.22 and DLMS/COSEM, both of which are widely deployed in advanced metering infrastructure (AMI). Previous work on this application-level malware detection problem by David M. Nicol and Huaiyu Zhu proposed a policy engine that inspects both ingress and egress application-layer traffic against a predefined set of policies, or rules, which check packet semantics, measure payload entropy, and look for ARM executable signatures in DLMS/COSEM payloads.

This project extended that approach to C12.22 by formulating a corresponding rule set for C12.22 payloads, with the additional requirement of detecting x86 executables hidden in packets. Specifically, the work set out to: formulate semantic and communication rules that detect anomalies in C12.22 payloads; build a general framework for executing policy rules on C12.22 packets, with extension points for new rules; design signature-based rules and investigate machine-learning approaches for detecting x86 binaries that may be obfuscated, encrypted, or compressed inside a packet; evaluate the classification error rate and the performance overhead of the engine; and integrate the policy engine with an open-source C12.22 library to demonstrate its functionality.
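The following Python sketch is added here as an illustration of the rule types the paragraph describes; it is not code from the Nicol/Zhu policy engine or from this project. It runs a signature rule (ELF header with its e_machine decoded, and an MZ stub whose e_lfanew points at a "PE\0\0" signature), an entropy rule for packed or encrypted data, and a simple semantic rule over constructed payloads. The simplified packet model, the EPSEM service-code constants (0x30 full read, 0x40 full write), the thresholds, and all sample payloads are assumptions made for the example and should be checked against the standard and the deployment before use.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed, simplified C12.19/C12.22 request codes used by the semantic rule.
SVC_FULL_READ = 0x30
SVC_FULL_WRITE = 0x40

ELF_MAGIC = b"\x7fELF"
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM"}


@dataclass
class Packet:
    direction: str   # "ingress" (toward the meter) or "egress" (from the meter)
    service: int     # EPSEM service code (assumed framing, not a real C12.22 parser)
    payload: bytes   # service data, e.g. table contents for a read or write


@dataclass
class Verdict:
    rule: str
    detail: str


Rule = Callable[[Packet], Optional[Verdict]]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte stream, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_elf(payload: bytes) -> Optional[str]:
    """Return the e_machine name if an ELF header appears anywhere in the payload."""
    off = payload.find(ELF_MAGIC)
    while off != -1:
        if off + 20 <= len(payload):
            # EI_DATA (offset 5) selects the byte order of the header fields.
            order = "big" if payload[off + 5] == 2 else "little"
            machine = int.from_bytes(payload[off + 18:off + 20], order)
            return ELF_MACHINES.get(machine, f"machine 0x{machine:x}")
        off = payload.find(ELF_MAGIC, off + 1)
    return None


def find_pe(payload: bytes) -> bool:
    """True if an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature is embedded."""
    off = payload.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(payload):
            e_lfanew = int.from_bytes(payload[off + 0x3C:off + 0x40], "little")
            sig = off + e_lfanew
            if payload[sig:sig + 4] == b"PE\0\0":
                return True
        off = payload.find(b"MZ", off + 1)   # a bare "MZ" in table text is not a hit
    return False


def signature_rule(pkt: Packet) -> Optional[Verdict]:
    arch = find_elf(pkt.payload)
    if arch:
        return Verdict("signature", f"ELF header ({arch}) in {pkt.direction} payload")
    if find_pe(pkt.payload):
        return Verdict("signature", f"PE header in {pkt.direction} payload")
    return None


def make_entropy_rule(threshold: float = 7.0, min_len: int = 64) -> Rule:
    """Flag payloads that look packed or encrypted; short payloads are skipped
    because an entropy estimate over a handful of bytes is meaningless."""
    def rule(pkt: Packet) -> Optional[Verdict]:
        if len(pkt.payload) < min_len:
            return None
        h = shannon_entropy(pkt.payload)
        if h >= threshold:
            return Verdict("entropy", f"{h:.2f} bits/byte over {len(pkt.payload)} bytes")
        return None
    return rule


def make_write_size_rule(max_bytes: int = 256) -> Rule:
    """Semantic rule: a full-table write far larger than any legitimate table is suspicious."""
    def rule(pkt: Packet) -> Optional[Verdict]:
        if pkt.service == SVC_FULL_WRITE and len(pkt.payload) > max_bytes:
            return Verdict("write-size", f"full write of {len(pkt.payload)} bytes")
        return None
    return rule


class PolicyEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> List[Verdict]:
        return [v for v in (rule(pkt) for rule in self.rules) if v is not None]


# Constructed sample payloads (not captured traffic).
BENIGN = Packet("egress", SVC_FULL_READ, b"MFG=EXAMPLE;MODEL=X1;FW=1.2.3;")
ELF_SAMPLE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00" + b"\x3e\x00" + b"\x00" * 44
_pe = bytearray(0x60)
_pe[0:2] = b"MZ"
_pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
_pe[0x40:0x44] = b"PE\0\0"
PE_SAMPLE = b"TABLE02:" + bytes(_pe)          # PE stub embedded after table data
PACKED_SAMPLE = bytes(range(256)) * 2          # flat byte distribution: 8.0 bits/byte


def run_demo() -> Dict[str, List[str]]:
    engine = PolicyEngine([signature_rule, make_entropy_rule(), make_write_size_rule()])
    cases = {
        "benign-read": BENIGN,
        "elf-write": Packet("ingress", SVC_FULL_WRITE, ELF_SAMPLE),
        "pe-write": Packet("ingress", SVC_FULL_WRITE, PE_SAMPLE),
        "packed-write": Packet("ingress", SVC_FULL_WRITE, PACKED_SAMPLE),
    }
    return {name: [v.rule for v in engine.evaluate(pkt)] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits or 'clean'}")
```

The entropy rule is the one that still fires when the executable is compressed or encrypted and the header signatures are gone, which is why the paragraph pairs signature rules with entropy and learning-based detection; the threshold and minimum length here are starting points to be tuned against real meter traffic.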