    Machine Learning based Anomaly Detection for Cybersecurity Monitoring of Critical Infrastructures

    Managing critical infrastructures requires increasing reliance on Information and Communication Technologies. The last few years have shown an incredible increase in the sophistication of attacks. For this reason, it is necessary to develop new algorithms for monitoring these infrastructures. In this scenario, Machine Learning can represent a very useful ally. After a brief introduction to the issue of cybersecurity in Industrial Control Systems and an overview of the state of the art regarding Machine Learning based cybersecurity monitoring, the present work proposes three approaches that target different layers of the control network architecture. The first one focuses on covert channels based on the DNS protocol, which can be used to establish a command and control channel, allowing attackers to send malicious commands. The second one focuses on the field layer of electrical power systems, proposing a physics-based anomaly detection algorithm for Distributed Energy Resources. The third one proposes a first attempt to integrate physical and cyber security systems, in order to face complex threats. All three approaches are supported by promising results, which give hope for practical applications in the near future.
    XXXIV CICLO - SCIENZE E TECNOLOGIE PER L'INGEGNERIA ELETTRONICA E DELLE TELECOMUNICAZIONI - Elettromagnetismo, elettronica, telecomunicazioni. Gaggero, GIOVANNI BATTIST

    Verifying and Monitoring IoTs Network Behavior using MUD Profiles

    IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and citizens. In order to reduce this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously. This paper aims to assist IoT manufacturers in developing and verifying MUD profiles, while also helping adopters of these devices to ensure they are compatible with their organizational policies and to track devices' network behavior based on their MUD profile. Our first contribution is to develop a tool that takes the traffic trace of an arbitrary IoT device as input and automatically generates the MUD profile for it. We contribute our tool as open source, apply it to 28 consumer IoT devices, and highlight insights and challenges encountered in the process. Our second contribution is to apply a formal semantic framework that not only validates a given MUD profile for consistency, but also checks its compatibility with a given organizational policy. We apply our framework to representative organizations and selected devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance testing. Finally, we show how operators can dynamically identify IoT devices using known MUD profiles and monitor their behavioral changes on their network.
    Comment: 17 pages, 17 figures. arXiv admin note: text overlap with arXiv:1804.0435

    Cognitive Machine Individualism in a Symbiotic Cybersecurity Policy Framework for the Preservation of Internet of Things Integrity: A Quantitative Study

    This quantitative study examined the complex nature of modern cyber threats to propose the establishment of cyber as an interdisciplinary field of public policy initiated through the creation of a symbiotic cybersecurity policy framework. For the public good (and maintaining ideological balance), there must be recognition that public policies are at a transition point where the digital public square is a tangible reality that is more than a collection of technological widgets. The academic contribution of this research project is the fusion of humanistic principles with Internet of Things (IoT) technologies that alters our perception of the machine from an instrument of human engineering into a thinking peer to elevate cyber from technical esoterism into an interdisciplinary field of public policy. The contribution to the US national cybersecurity policy body of knowledge is a unified policy framework (manifested in the symbiotic cybersecurity policy triad) that could transform cybersecurity policies from network-based to entity-based. A correlation archival data design was used with the frequency of malicious software attacks as the dependent variable and diversity of intrusion techniques as the independent variable for RQ1. For RQ2, the frequency of detection events was the dependent variable and diversity of intrusion techniques was the independent variable. Self-determination Theory is the theoretical framework as the cognitive machine can recognize, self-endorse, and maintain its own identity based on a sense of self-motivation that is progressively shaped by the machine’s ability to learn. The transformation of cyber policies from technical esoterism into an interdisciplinary field of public policy starts with the recognition that the cognitive machine is an independent consumer of, advisor into, and influenced by public policy theories, philosophical constructs, and societal initiatives

    Governing by internet architecture

    In the past thirty years, the exponential rise in the number of Internet users around the world and the intensive use of digital networks have brought to light crucial political issues. The Internet is now the object of regulations; namely, it is a policy domain. Yet its own architecture represents a new regulative structure, one deeply affecting politics and everyday life. This article considers some of the main transformations of the Internet induced by privatization and militarization processes, as well as their consequences on societies and human beings.

    KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures

    Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties. In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that the scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048.

    Cyber vulnerabilities in the aviation ecosystem: reducing the attack surface through an international aviation trust framework

    Now, at the beginning of the 21st century, the aviation system is well developed; however, the community is at a similar juncture as at the beginning of the 20th century, only this time the civil aviation system itself is being rapidly transformed by a wave of digital technologies that hold great promise but could also expose the aviation system to new threats. Certain aspects of the digital transformation of the aviation system, based on network connectivity, must be guided to ensure that it generates ever higher levels of global interoperability and safety. To address this challenge, it is necessary to go back to fundamental principles. It is necessary to establish a system of identity and trust that integrates the wisdom of the Chicago Convention into the digital world that is already overtaking the aviation industry. Service providers, aircraft manufacturers, and avionics producers are all putting in place their own systems of identity and trust as a matter of necessity. That means, in the near future, an aircraft may need different digital certificates to connect with its satellite communications service provider, retrieve data from the airline operations centre, update its avionics software, download engine monitoring data and perform other functions. The potential number of proprietary secure links is nearly endless. This patchwork of disparate efforts to reduce the attack surface of air and ground operations will add complexity to the system that will be costly to maintain and will offer a myriad of gaps for adversaries to exploit. In the absence of global direction, different manufacturers and different States will take different approaches. However, if a globally acceptable system for identity and trust that can be used by manned and unmanned aircraft indistinctly, as well as by different service providers and users, is available, it would likely be embraced by many or all.
    As such, based on the new vulnerabilities brought by the evolution of the air navigation system through the intense use of digital and connected technologies, the object of this research is the vulnerability of the aviation system to cyber-attack. The objective of this thesis is to propose a concept of operations that allows the implementation of a framework able to provide positive digital identification of all members of the aviation community, through specific processes and procedures, and a virtual network able to preserve the confidentiality, integrity and availability of the data and information being exchanged while at the same time increasing the resilience of operations.

    Prosumer Nanogrids: A Cybersecurity Assessment

    Nanogrids are customer deployments that can generate and inject electricity into the power grid. These deployments are based on behind-the-meter renewable energy resources and are labeled as “prosumer setups”, allowing customers to not only consume electricity, but also produce it. A residential nanogrid is comprised of a physical layer that is a household-scale electric power system, and a cyber layer that is used by manufacturers and/or grid operators to remotely monitor and control the nanogrid. With the increased penetration of renewable energy resources, nanogrids are at the forefront of a paradigm shift in the operational landscape, and their correct operation is vital to the electric power grid. In this paper, we perform a cybersecurity assessment of a state-of-the-art residential nanogrid deployment. For this purpose, we deployed a real-world experimental nanogrid setup that is based on photovoltaic (PV) generation. We analyzed the security and the resiliency of this system at both the cyber and physical layers. While we noticed improvements in the cybersecurity measures employed in the current nanogrid compared to previous generations, there are still major concerns. Our experiments show that these concerns range from exploiting well-known protocols, such as Secure Shell (SSH) and Domain Name Service (DNS), to the leakage of confidential information, and major shortcomings in the software updating mechanism. While the compromise of multiple nanogrids can have a negative effect on the entire power grid, we focus our analysis on individual households and have determined through Simulink-based simulations the economic loss of a compromised deployment.
    National Science Foundation under Grant 1850406