AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunication Environments

This report considers the application of Articial Intelligence (AI) techniques to the problem of misuse detection and misuse localisation within telecommunications environments. A broad survey of techniques is provided, that covers inter alia rule based systems, model-based systems, case based reasoning, pattern matching, clustering and feature extraction, articial neural networks, genetic algorithms, arti cial immune systems, agent based systems, data mining and a variety of hybrid approaches. The report then considers the central issue of event correlation, that is at the heart of many misuse detection and localisation systems. The notion of being able to infer misuse by the correlation of individual temporally distributed events within a multiple data stream environment is explored, and a range of techniques, covering model based approaches, `programmed' AI and machine learning paradigms. It is found that, in general, correlation is best achieved via rule based approaches, but that these suffer from a number of drawbacks, such as the difculty of developing and maintaining an appropriate knowledge base, and the lack of ability to generalise from known misuses to new unseen misuses. Two distinct approaches are evident. One attempts to encode knowledge of known misuses, typically within rules, and use this to screen events. This approach cannot generally detect misuses for which it has not been programmed, i.e. it is prone to issuing false negatives. The other attempts to `learn' the features of event patterns that constitute normal behaviour, and, by observing patterns that do not match expected behaviour, detect when a misuse has occurred. This approach is prone to issuing false positives, i.e. inferring misuse from innocent patterns of behaviour that the system was not trained to recognise. Contemporary approaches are seen to favour hybridisation, often combining detection or localisation mechanisms for both abnormal and normal behaviour, the former to capture known cases of misuse, the latter to capture unknown cases. In some systems, these mechanisms even work together to update each other to increase detection rates and lower false positive rates. It is concluded that hybridisation offers the most promising future direction, but that a rule or state based component is likely to remain, being the most natural approach to the correlation of complex events. The challenge, then, is to mitigate the weaknesses of canonical programmed systems such that learning, generalisation and adaptation are more readily facilitated

Assessing and augmenting SCADA cyber security: a survey of techniques

SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

Improving Attack Trees Analysis using Petri Net modeling of Cyber-Attacks

Publisher Copyright: © 2019 IEEE.Cyber security is one general concern to all network-based organizations. In recent years, by significant increasing cyber-attacks in critical infrastructures (CIs) the need of smart prediction, awareness and protection systems is not deniable. The first step for security assessment is on recognizing and analyzing attacks. In this paper, one of the graphical security assessments named Attack Tree (AT) is used to illustrate one kind of cyber-attacks scenario in Industry 4.0 and the system's behavior is analyzed by Petri Nets.authorsversionpublishe

Evaluating Resilience of Cyber-Physical-Social Systems

Nowadays, protecting the network is not the only security concern. Still, in cyber security, websites and servers are becoming more popular as targets due to the ease with which they can be accessed when compared to communication networks. Another threat in cyber physical social systems with human interactions is that they can be attacked and manipulated not only by technical hacking through networks, but also by manipulating people and stealing users’ credentials. Therefore, systems should be evaluated beyond cy- ber security, which means measuring their resilience as a piece of evidence that a system works properly under cyber-attacks or incidents. In that way, cyber resilience is increas- ingly discussed and described as the capacity of a system to maintain state awareness for detecting cyber-attacks. All the tasks for making a system resilient should proactively maintain a safe level of operational normalcy through rapid system reconfiguration to detect attacks that would impact system performance. In this work, we broadly studied a new paradigm of cyber physical social systems and defined a uniform definition of it. To overcome the complexity of evaluating cyber resilience, especially in these inhomo- geneous systems, we proposed a framework including applying Attack Tree refinements and Hierarchical Timed Coloured Petri Nets to model intruder and defender behaviors and evaluate the impact of each action on the behavior and performance of the system.Hoje em dia, proteger a rede não é a única preocupação de segurança. Ainda assim, na segurança cibernética, sites e servidores estão se tornando mais populares como alvos devido à facilidade com que podem ser acessados quando comparados às redes de comu- nicação. Outra ameaça em sistemas sociais ciberfisicos com interações humanas é que eles podem ser atacados e manipulados não apenas por hackers técnicos através de redes, mas também pela manipulação de pessoas e roubo de credenciais de utilizadores. Portanto, os sistemas devem ser avaliados para além da segurança cibernética, o que significa medir sua resiliência como uma evidência de que um sistema funciona adequadamente sob ataques ou incidentes cibernéticos. Dessa forma, a resiliência cibernética é cada vez mais discutida e descrita como a capacidade de um sistema manter a consciência do estado para detectar ataques cibernéticos. Todas as tarefas para tornar um sistema resiliente devem manter proativamente um nível seguro de normalidade operacional por meio da reconfi- guração rápida do sistema para detectar ataques que afetariam o desempenho do sistema. Neste trabalho, um novo paradigma de sistemas sociais ciberfisicos é amplamente estu- dado e uma definição uniforme é proposta. Para superar a complexidade de avaliar a resiliência cibernética, especialmente nesses sistemas não homogéneos, é proposta uma estrutura que inclui a aplicação de refinamentos de Árvores de Ataque e Redes de Petri Coloridas Temporizadas Hierárquicas para modelar comportamentos de invasores e de- fensores e avaliar o impacto de cada ação no comportamento e desempenho do sistema

Process Aware Host-based Intrusion Detection Model

Nowadays, many organizations use Process Aware Information Systems (PAISs) to automate their business process. As any other information systems, security plays a major role in PAIS to provide a secure state and maintain the system in it. In order to provide security in a PAIS, a Process Aware Host-based Intrusion Detection (PAHID) model is proposed in this paper. The model detects host-based intrusions in a PAIS using process mining techniques.The proposed model uses both anomaly detection and misuse detection techniques for more efficiency, and organizational perspective of process mining is considered (rather than control-flow perspective) to detect more attack types. The model is automated and can deal with large logs and is suitable for flexible application domains. The PAHID model is implemented by the use of ProM framework and Java programming. It is evaluated by using a simulated log based on a real-world organization information system. Results demonstrate that the model provides high accuracy and low false positive rate

BIOLOGICAL INSPIRED INTRUSION PREVENTION AND SELF-HEALING SYSTEM FOR CRITICAL SERVICES NETWORK

With the explosive development of the critical services network systems and Internet, the need for networks security systems have become even critical with the enlargement of information technology in everyday life. Intrusion Prevention System (IPS) provides an in-line mechanism focus on identifying and blocking malicious network activity in real time. This thesis presents new intrusion prevention and self-healing system (SH) for critical services network security. The design features of the proposed system are inspired by the human immune system, integrated with pattern recognition nonlinear classification algorithm and machine learning. Firstly, the current intrusions preventions systems, biological innate and adaptive immune systems, autonomic computing and self-healing mechanisms are studied and analyzed. The importance of intrusion prevention system recommends that artificial immune systems (AIS) should incorporate abstraction models from innate, adaptive immune system, pattern recognition, machine learning and self-healing mechanisms to present autonomous IPS system with fast and high accurate detection and prevention performance and survivability for critical services network system. Secondly, specification language, system design, mathematical and computational models for IPS and SH system are established, which are based upon nonlinear classification, prevention predictability trust, analysis, self-adaptation and self-healing algorithms. Finally, the validation of the system carried out by simulation tests, measuring, benchmarking and comparative studies. New benchmarking metrics for detection capabilities, prevention predictability trust and self-healing reliability are introduced as contributions for the IPS and SH system measuring and validation. Using the software system, design theories, AIS features, new nonlinear classification algorithm, and self-healing system show how the use of presented systems can ensure safety for critical services networks and heal the damage caused by intrusion. This autonomous system improves the performance of the current intrusion prevention system and carries on system continuity by using self-healing mechanism

Cyber risk modeling and attack-resilient control for power grid

The electric power grid is a cyber-physical system (CPS) that forms the lifeline of modern society. Sophisticated control applications that constantly monitor critical power system variables, such as voltage and frequency, enable system operators to deliver reliable and high-quality power. The advanced devices and communication infrastructure of the Supervisory Control and Data Acquisition (SCADA) system enable control applications ranging from substation-level voltage control schemes to system-wide automatic generation control (AGC). However, inherent cyber security vulnerabilities in the infrastructure put system operation at risk by providing an attack surface to cyber threat actors. A smart attacker, that is, a cyber threat actor with expertise in physical power system operation could cause severe damage to the power grid infrastructure and its reliability by stealthily manipulating SCADA operation. This dissertation explores such impacts to power grid operation from cyber attacks and more importantly, introduces novel mitigation schemes to minimize or negate the impacts. It has two primary components - risk modeling of coordinated cyber attacks and attack resilient control. The first component of this thesis focuses on coordinated cyber attacks, that is, attacks target multiple power system components simultaneously. The notion of spatial and temporal coordinated cyber attacks and their impact on power system transmission infrastructure is introduced. The impact from these attacks was captured in terms of traditional power system stability metrics. The results reveal that these extreme events demand a rethink of both power system planning and operations methods by way of including cyber-originated contingencies within the scope. To this end, a systematic risk modeling framework is proposed as mitigation to be used in power systems planning. The risk for a substation is modeled as the product of the vulnerability of its SCADA infrastructure and the impact from its compromise. The vulnerability is obtained by modeling the SCADA network using Stochastic Petri Nets. Impact to system reliability is quantified in terms of transmission line overloads and the resulting forced load shedding. The methodology is applied to a test power system and the attack vectors are ranked according to risk. This methodology could therefore employed by system planners to evaluate infrastructural upgrade requirements and identify security enhancements. An enhancement to the contingency analysis application is proposed as mitigation during online operation. The proposed algorithm efficiently captures impactful coordinated vectors by significantly reducing the number of cases to be evaluated. Results reveal the algorithm\u27s ability to identify almost all impactful attack vectors for a line under review without the need for a complete study. The second component of the thesis explores the impact of data integrity attacks on power system control applications. Specifically, the impact of data integrity attacks on Automatic Generation Control (AGC) is examined and Attack-Resilient Control (ARC) is proposed as mitigation. ARC for AGC proposes the use of physical system information to design algorithms for detect and mitigation of cyber attacks. Specifically, model-based anomaly detection and attack mitigation algorithm was developed for AGC using short-term load forecast data. The performance of AGC was tested on a standard test system with and without ARC. The results show that ARC for AGC is able to detect data integrity attacks, maintain system within stability margins and enhance overall system security by providing defense-in-depth. Future work includes expanding the risk analysis framework to include different types of coordinated attacks and to compare impact expressed in different power system metrics. Mitigation of temporal coordinated attacks and transient stability analysis of spatial and temporal attacks are also a part of future work. Finally, the attack resilient control framework should be enhanced to differentiate abnormal measurements due to cyber attacks from legitimate aberrations due to power system contingencies