Transcript of the slides "Connecting, Monitoring and Securing Manufacturing Assets" by Yan Chen, Northwestern University

Page 1:

Connecting, Monitoring and Securing Manufacturing Assets

Yan Chen
Professor, EECS Department
Director, Lab for Internet & Security Technology (LIST)
http://list.cs.northwestern.edu
Northwestern University

Page 2:

DM-Box

• Add connection capability to DM equipment
• Easy to integrate
• Transmit multiple data streams: operation data, diagnosis data, control data
• Support flexible interconnection topology

Page 3:

DM-Box Design: Real-Time & Reliability

[Figure: two wireless protocol stacks (TCP/UDP layer, IP layer, MAC layer, NIC/driver) joined by a wireless link and annotated with the DM-Box modifications listed below]

• Set the tx moment: the transmission moment is determined by a transmission timer, so data are sent under timer control.
• Set the tx rate: a fixed transmission rate gives a relatively fixed transmission time.
• Set the retry limit within a slot: choose a suitable retry limit to balance real-time delivery against reliability of packet transmission.
• Put the data into the TDMA queue: packets go into a TDMA soft queue, and when the TDMA slot comes, one packet is sent out.
• Disable RTS/CTS.
• Disable the backoff mechanism of CSMA/CA, so packets are sent out immediately when the transmission slot comes, reducing transmission delay.

Main Works
• Real-time delivery and reliability are the two most important communication features in DM.
• Problems:
  • Wireless data transmission often encounters contention conflicts.
  • In the current IEEE 802.11 protocol, the MAC layer uses CSMA/CA, which cannot ensure real-time delivery or reliability.
• DM-Box solution: TDMA over Wi-Fi ensures that each IoT device transmits data only in its own time slot and thus avoids interference.
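The slot discipline described above (timer-driven send moment, one packet per slot from a soft queue, no backoff, bounded retries inside the slot) is easiest to reason about as a small discrete-time model. The following is an added illustration written for this page, not DM-Box code: node names, the one-packet-per-frame traffic pattern, the per-attempt loss probability and the retry budget are all assumptions of the model.

```python
"""TDMA-over-Wi-Fi soft-queue simulation (added illustration, not DM-Box code).

Constructed model: time advances in slots; a frame is n_nodes slots and node i
owns slot i. Each node keeps a FIFO soft queue; when its slot arrives it sends
exactly one packet with no backoff and retries it at most max_retries times
inside that same slot. Loss of each attempt is an independent coin flip with
probability loss_prob (an assumption of the model, not a measured figure).
"""
import random
from collections import deque


class TdmaNode:
    """A sender that transmits only in its own slot of every TDMA frame."""

    def __init__(self, name, slot, frame_slots, max_retries):
        self.name = name
        self.slot = slot                  # slot index owned by this node
        self.frame_slots = frame_slots    # slots per frame (= number of nodes)
        self.max_retries = max_retries    # retry budget inside one slot
        self.queue = deque()              # TDMA soft queue: (packet_id, enqueue_tick)
        self.delivered = []               # (packet_id, enqueue_tick, send_tick, attempts)
        self.dropped = []                 # packet ids that exhausted the retry budget

    def enqueue(self, packet_id, tick):
        self.queue.append((packet_id, tick))

    def owns_slot(self, tick):
        return tick % self.frame_slots == self.slot

    def on_tick(self, tick, rng, loss_prob):
        """Send one queued packet if this tick is our slot; return its id, else None."""
        if not self.owns_slot(tick) or not self.queue:
            return None
        packet_id, enqueue_tick = self.queue.popleft()
        # First attempt goes out at the start of the slot (no CSMA backoff); the
        # retry loop is bounded so it can never spill into a neighbour's slot.
        for attempt in range(1, self.max_retries + 2):
            if rng.random() >= loss_prob:             # ACK came back
                self.delivered.append((packet_id, enqueue_tick, tick, attempt))
                return packet_id
        self.dropped.append(packet_id)                # timeliness kept, packet lost
        return packet_id


def simulate(n_nodes=4, frames=50, max_retries=2, loss_prob=0.2, seed=7):
    """Run frames*n_nodes ticks; every node gets one packet at each frame start."""
    rng = random.Random(seed)
    nodes = [TdmaNode(f"dev{i}", i, n_nodes, max_retries) for i in range(n_nodes)]
    transmissions = {}                                # tick -> names of senders
    for tick in range(frames * n_nodes):
        if tick % n_nodes == 0:                       # constructed traffic pattern
            for node in nodes:
                node.enqueue(f"{node.name}-f{tick // n_nodes}", tick)
        for node in nodes:
            if node.on_tick(tick, rng, loss_prob) is not None:
                transmissions.setdefault(tick, []).append(node.name)
    return nodes, transmissions


def collision_free(nodes, transmissions):
    """True when each tick has one sender and that sender owns the tick's slot."""
    by_name = {n.name: n for n in nodes}
    return all(len(names) == 1 and by_name[names[0]].owns_slot(tick)
               for tick, names in transmissions.items())


def worst_queueing_delay(nodes):
    """Largest enqueue-to-send wait in slots (bounded by frame length - 1 here)."""
    return max(send - enq for n in nodes for _, enq, send, _ in n.delivered)


def summary(nodes):
    return {
        "delivered": sum(len(n.delivered) for n in nodes),
        "dropped": sum(len(n.dropped) for n in nodes),
        "max_attempts": max((d[3] for n in nodes for d in n.delivered), default=0),
    }


if __name__ == "__main__":
    nodes, tx = simulate()
    print("collision free:", collision_free(nodes, tx))
    print("worst queueing delay (slots):", worst_queueing_delay(nodes))
    print(summary(nodes))
```

Two properties of the slide's design fall out of the model: no two nodes ever send in the same slot, and a packet waits at most one frame, while the retry budget decides how much reliability is traded for that bound (raise max_retries and fewer packets are dropped, but the slot must be long enough to hold every attempt). Note that the discipline is enforced only by each sender's own driver, so a node that ignores its schedule, whether faulty or compromised, is not prevented by the others from colliding with them; a deployment that relies on this scheme should monitor slot usage rather than assume it.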

Page 4:

DM-Box Implementation Specifications

• Supports 4 types of wireless cards simultaneously: 802.11 a/b/g/n

Board specification            Value
CPU nominal frequency          300/600 MHz
CPU core count                 1
Size of RAM                    64 MB
Architecture                   MIPS-BE
10/100 Ethernet ports          3
Supported input voltage        10 V - 28 V
PoE in                         Yes
PoE out                        No
Voltage monitor                No
PCB temperature monitor        No
CPU temperature monitor        No
Operating temperature range    -40°C .. +70°C (tested)


Page 6:

NetShield: Massive Semantics-Based Vulnerability Signature Matching for High-Speed Networks

Page 7:

NIDS/NIPS Overview

NIDS/NIPS (Network Intrusion Detection/Prevention System)

[Figure: packets enter the NIDS/NIPS, which matches them against the signature DB and emits security alerts]

• Accuracy
• Speed

Page 8:

NetShield Challenges and Solutions

• Challenges
  – Matching thousands of vulnerability signatures simultaneously: sequential matching does not scale, so multiple signatures must be matched simultaneously
  – High-speed protocol parsing
• Solutions (achieving tens of Gbps throughput)
  – An efficient algorithm that matches multiple signatures simultaneously
  – A tailored parsing design for high-speed signature matching
  – Code & ruleset release at www.nshield.org
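The slide contrasts sequential matching with matching many vulnerability signatures at once over parsed protocol fields. The block below is an added illustration of that field-level idea, written for this page; it is not NetShield's code, parser, ruleset or algorithm (NetShield's own design is in the paper and the release above). The toy HTTP parser, the operator set, the signature names and the sample requests are all constructed for the example and describe no real vulnerability. The one technique it shows is evaluating each distinct (field, operator, argument) predicate once per message and folding the hits into per-signature counters, so every signature is matched in a single pass.

```python
"""Field-level ("semantics-based") vulnerability signature matching.

Added illustration, not NetShield's code, ruleset or parser. A signature is a
conjunction of predicates over parsed protocol fields. Instead of testing the
signatures one after another, every distinct (field, op, arg) predicate is
evaluated once per message and its hits are folded into per-signature
counters, so all signatures are matched in a single pass. The HTTP parser,
field names, signature names and sample requests are constructed for this
example and describe no real vulnerability.
"""
import re


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser exposing the fields the predicates use."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    target, _, version = rest.rpartition(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    content_length = headers.get("content-length", "0")
    return {
        "method": method.decode("latin-1"),
        "uri": target.decode("latin-1"),
        "uri_len": len(target),
        "version": version.decode("latin-1"),
        "headers": headers,
        "header_count": len(headers),
        # -1 marks a malformed Content-Length so numeric predicates never fire on it
        "content_length": int(content_length) if content_length.isdigit() else -1,
        "body": body,
    }


# Predicate operators; for the "headers" field the value is the whole header dict.
OPS = {
    "eq": lambda v, arg: v == arg,
    "gt": lambda v, arg: v > arg,
    "contains": lambda v, arg: arg in v,
    "regex": lambda v, arg: re.search(arg, v) is not None,
    "hdr_len_gt": lambda v, arg: len(v.get(arg[0], "")) > arg[1],
}

# Constructed signatures: id -> list of distinct (field, op, arg) predicates.
SIGNATURES = {
    "sig_long_uri": [("uri_len", "gt", 1024)],
    "sig_long_get": [("method", "eq", "GET"), ("uri_len", "gt", 1024)],
    "sig_trav_get": [("method", "eq", "GET"), ("uri", "contains", "../")],
    "sig_huge_host": [("headers", "hdr_len_gt", ("host", 256))],
    "sig_bad_post": [("method", "eq", "POST"), ("content_length", "gt", 65536),
                     ("uri", "regex", r"^/upload")],
}


def compile_index(signatures):
    """Group signatures by predicate so each distinct predicate runs once per message."""
    index = {}    # predicate -> ids of the signatures that need it
    needed = {}   # signature id -> number of predicates it must satisfy
    for sig_id, preds in signatures.items():
        needed[sig_id] = len(set(preds))
        for pred in set(preds):
            index.setdefault(pred, []).append(sig_id)
    return index, needed


def match_all(fields, index, needed):
    """Return the ids of every signature whose predicates all hold for this message."""
    hits = {}
    for (field, op, arg), sig_ids in index.items():
        if OPS[op](fields[field], arg):
            for sig_id in sig_ids:
                hits[sig_id] = hits.get(sig_id, 0) + 1
    return sorted(s for s, n in hits.items() if n == needed[s])


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "traversal": b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "long_uri": b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "big_post": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 99999\r\n\r\n",
}


def scan(raw: bytes, signatures=SIGNATURES):
    index, needed = compile_index(signatures)
    return match_all(parse_http_request(raw), index, needed)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {scan(raw)}")
```

Matching cost here grows with the number of distinct predicates rather than the number of signatures, which is the point of sharing: the three signatures that test `method == GET` pay for that comparison once. In a real engine the parser, not the matcher, is usually the bottleneck at line rate, which is why the slide pairs the matching algorithm with a parsing design tailored to it.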