    Increasing resilience of ATM networks using traffic monitoring and automated anomaly analysis

    Systematic network monitoring can be the cornerstone for the dependable operation of safety-critical distributed systems. In this paper, we present our vision for informed anomaly detection through network monitoring and resilience measurements to increase the operators' visibility of ATM communication networks. We raise the question of how to determine the optimal level of automation in this safety-critical context, and we present a novel passive network monitoring system that can reveal network utilisation trends and traffic patterns in diverse timescales. Using network measurements, we derive resilience metrics and visualisations to enhance the operators' knowledge of the network and traffic behaviour, and allow for network planning and provisioning based on informed what-if analysis.

    Improving SIEM for critical SCADA water infrastructures using machine learning

    Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.). Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks; therefore, robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty of differentiating between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six machine learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and spoofing). Unlike other detection systems, our proposed work helps in accelerating the mitigation process by notifying the operator with additional information when an anomaly occurs. This additional information includes the probability and confidence level of the event(s) occurring. The model is trained and tested using a real-world dataset.

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.

    Autonomic computing architecture for SCADA cyber security

    Cognitive computing relates to intelligent computing platforms that are based on the disciplines of artificial intelligence, machine learning, and other innovative technologies. These technologies can be used to design systems that mimic the human brain to learn about their environment and can autonomously predict an impending anomalous situation. IBM first used the term ‘Autonomic Computing’ in 2001 to combat the looming complexity crisis (Ganek and Corbi, 2003). The concept has been inspired by the human biological autonomic system. An autonomic system is self-healing, self-regulating, self-optimising and self-protecting (Ganek and Corbi, 2003). Therefore, the system should be able to protect itself against both malicious attacks and unintended mistakes by the operator.

    An anomaly detector with immediate feedback to hunt for planets of Earth mass and below by microlensing

    (abridged) The discovery of OGLE 2005-BLG-390Lb, the first cool rocky/icy exoplanet, impressively demonstrated the sensitivity of the microlensing technique to extra-solar planets below 10 M_earth. A planet of 1 M_earth in the same spot would have provided a detectable deviation with an amplitude of ~ 3 % and a duration of ~ 12 h. An early detection of a deviation could trigger higher-cadence sampling, which would have allowed the discovery of an Earth-mass planet in this case. Here, we describe the implementation of an automated anomaly detector, embedded into the eSTAR system, that profits from immediate feedback provided by the robotic telescopes that form the RoboNet-1.0 network. It went into operation for the 2007 microlensing observing season. As part of our discussion about an optimal strategy for planet detection, we shed some new light on whether concentrating on highly-magnified events is promising and whether planets in the 'resonant' angular separation equal to the angular Einstein radius are revealed most easily. Given that sub-Neptune mass planets can be considered to be common around the host stars probed by microlensing (preferentially M- and K-dwarfs), the higher number of events that can be monitored with a network of 2m telescopes and the increased detection efficiency for planets below 5 M_earth arising from an optimized strategy give a common effort of current microlensing campaigns a fair chance to detect an Earth-mass planet (from the ground) ahead of the COROT or Kepler missions. The detection limit of gravitational microlensing extends even below 0.1 M_earth, but such planets are not very likely to be detected from current campaigns. However, these will be within the reach of high-cadence monitoring with a network of wide-field telescopes or a space-based telescope. Comment: 13 pages, 4 figures and 1 table. Accepted for publication in MNRAS.