186 research outputs found

    Towards a Layered Architectural View for Security Analysis in SCADA Systems

    Supervisory Control and Data Acquisition (SCADA) systems support and control the operation of many critical infrastructures that our society depends on, such as power grids. Since SCADA systems become a target for cyber attacks and the potential impact of a successful attack could lead to disastrous consequences in the physical world, ensuring the security of these systems is of vital importance. A fundamental prerequisite to securing a SCADA system is a clear understanding and a consistent view of its architecture. However, because of the complexity and scale of SCADA systems, this is challenging to acquire. In this paper, we propose a layered architectural view for SCADA systems, which aims at building a common ground among stakeholders and supporting the implementation of security analysis. In order to manage the complexity and scale, we define four interrelated architectural layers, and use the concept of viewpoints to focus on a subset of the system. We indicate the applicability of our approach in the context of SCADA system security analysis. Comment: 7 pages, 4 figure

    Improving memorability in fisheye views

    Interactive fisheye views use distortion to show both local detail and global context in the same display space. Although fisheyes allow the presentation and inspection of large data sets, the distortion effects can cause problems for users. One such problem is lack of memorability – the ability to find and go back to objects and features in the data. This thesis examines the possibility of improving the memorability of fisheye views by adding historical information to the visualization. The historical information is added visually through visit wear, an extension of the concepts of edit wear and read wear. This will answer the question “Where have I been?” through visual instead of cognitive processing by overlaying new visual information on the data to indicate a user’s recent interaction history. This thesis describes general principles of visibility in a space that is distorted by a fisheye lens and defines some parameters of the design space of visit wear. Finally, a test system that applied the principles was evaluated, and showed that adding visit wear to a fisheye system improved the memorability of the information space

    Introducing a New Alert Data Set for Multi-Step Attack Analysis

    Intrusion detection systems (IDS) reinforce cyber defense by autonomously monitoring various data sources for traces of attacks. However, IDSs are also infamous for frequently raising false positives and alerts that are difficult to interpret without context. This results in high workloads on security operators who need to manually verify all reported alerts, often leading to fatigue and incorrect decisions. To generate more meaningful alerts and alleviate these issues, the research domain focused on multi-step attack analysis proposes approaches for filtering, clustering, and correlating IDS alerts, as well as generation of attack graphs. Unfortunately, existing data sets are outdated, unreliable, narrowly focused, or only suitable for IDS evaluation. Since hardly any suitable benchmark data sets are publicly available, researchers often resort to private data sets that prevent reproducibility of evaluations. We therefore generate a new alert data set that we publish alongside this paper. The data set contains alerts from three distinct IDSs monitoring eight executions of a multi-step attack as well as simulations of normal user behavior. To illustrate the potential of our data set, we experiment with alert prioritization as well as two open-source tools for meta-alert generation and attack graph extraction

    A Critical Review of Common Log Data Sets Used for Evaluation of Sequence-based Anomaly Detection Techniques

    Log data store event execution patterns that correspond to underlying workflows of systems or applications. While most logs are informative, log data also include artifacts that indicate failures or incidents. Accordingly, log data are often used to evaluate anomaly detection techniques that aim to automatically disclose unexpected or otherwise relevant system behavior patterns. Recently, detection approaches leveraging deep learning have increasingly focused on anomalies that manifest as changes of sequential patterns within otherwise normal event traces. Several publicly available data sets, such as HDFS, BGL, Thunderbird, OpenStack, and Hadoop, have since become standards for evaluating these anomaly detection techniques, however, the appropriateness of these data sets has not been closely investigated in the past. In this paper we therefore analyze six publicly available log data sets with focus on the manifestations of anomalies and simple techniques for their detection. Our findings suggest that most anomalies are not directly related to sequential manifestations and that advanced detection techniques are not required to achieve high detection rates on these data sets

    Combining semantic web technologies with evolving fuzzy classifier eClass for EHR-based phenotyping : a feasibility study

    In parallel to nation-wide efforts for setting up shared electronic health records (EHRs) across healthcare settings, several large-scale national and international projects are developing, validating, and deploying electronic EHR oriented phenotype algorithms that aim at large-scale use of EHRs data for genomic studies. A current bottleneck in using EHRs data for obtaining computable phenotypes is to transform the raw EHR data into clinically relevant features. The research study presented here proposes a novel combination of Semantic Web technologies with the on-line evolving fuzzy classifier eClass to obtain and validate EHR-driven computable phenotypes derived from 1956 clinical statements from EHRs. The evaluation performed with clinicians demonstrates the feasibility and practical acceptability of the approach proposed

    The Cycle of Trust in Mixed Service-Oriented Systems

    Many collaboration platforms are realized as service-oriented systems enabling flexible compositions of services and support of interactions. Interactions between entities in such systems do not only span software services, but also human actors. A mixed service-oriented system is therefore composed of human and software services. In open environments, interactions between people and services are highly dynamic and often influenced by the role and reputation of collaboration partners. In this paper we present an architecture for the management of trust in such mixed systems environments. In contrast to traditional solutions that typically focus on the matching of actors’ skills and competencies with collaboration requirements only, we propose a trust-based ’feedback loop’ enabling the inference and consideration of trust relationships based on observed interactions. This cycle, spanning interaction monitoring, trust analysis, trust-enabled collaboration planning, and trust-supported execution of activities and tasks, permits dynamic and trust-aware collaborations in service-oriented environments

    Triton photodisintegration with realistic potentials

    The photodisintegration of $^{3}$H is treated by means of coupled integral equations using separable versions of the Paris and the Bonn potentials in their kernel. The differential cross section for the inverse reaction is obtained via detailed balance. For the latter process good agreement with the data is found when including final-state interaction, meson exchange currents, higher partial waves in the potential, and electric quadrupole contributions in the electromagnetic interaction. Comment: 5 pages LaTeX and 5 postscript figures included, uses epsfig.sty and espcrc1.sty. Talk given at the XVth International Conference on Few-Body Problems in Physics (22-26 July, 1997, Groningen, The Netherlands). To be published in the conference proceedings in Nucl. Phys.

    Photodisintegration of three- and four- nucleon systems

    Three- and four-nucleon photodisintegration processes are quite efficiently treated by means of effective two-body integral equations in momentum space. We recall some aspects of their derivation, present previous and most recent results obtained within this framework, and discuss general features, trends and effects observed in these investigations: At low energies final-state interaction plays an important role. Even more pronounced is the effect of meson exchange currents. A considerable potential dependence shows up in the low-energy peak region. The different peak heights are found to be closely correlated with the corresponding binding energies. Above the peak region only the difference between potentials with or without p-wave contributions remains relevant. In the differential cross sections the electric quadrupole contributions have to be taken into account. The remarkable agreement between theory and experiment in $p$-$d$ radiative capture is achieved only when incorporating this contribution, together with most of the above-mentioned effects. In the final part of this report we briefly review also methods developed, and results achieved in three- and four-nucleon electrodisintegration. We, in particular, compare them with a recent access to this problem, based on the construction of nucleon-nucleus potentials via Marchenko inversion theory. Comment: 20 pages LaTeX and 22 postscript figures included, uses epsfig.sty and espcrc1.sty. Invited talk at the XVth International Conference on Few-Body Problems in Physics (22-26 July, 1997, Groningen, The Netherlands). To be published in the conference proceedings in Nucl. Phys.

    Photonuclear Reactions of Three-Nucleon Systems

    We discuss the available data for the differential and the total cross section for the photodisintegration of $^3$He and $^3$H and the corresponding inverse reactions below $E_\gamma = 100$ MeV by comparing with our calculations using realistic $NN$ interactions. The theoretical results agree within the errorbars with the data for the total cross sections. Excellent agreement is achieved for the angular distribution in case of $^3$He, whereas for $^3$H a discrepancy between theory and experiment is found. Comment: 11 pages (twocolumn), 12 postscript figures included, uses psfig, RevTe