Biblio

Digitization has pioneered to drive exceptional changes across all industries in the advancement of analytics, automation, and Artificial Intelligence (AI) and Machine Learning (ML). However, new business requirements associated with the efficiency benefits of digitalization are forcing increased connectivity between IT and OT networks, thereby increasing the attack surface and hence the cyber risk. Cyber threats are on the rise and securing industrial networks are challenging with the shortage of human resource in OT field, with more inclination to IT/OT convergence and the attackers deploy various hi-tech methods to intrude the control systems nowadays. We have developed an innovative real-time ICS cyber test kit to obtain the OT industrial network traffic data with various industrial attack vectors. In this paper, we have introduced the industrial datasets generated from ICS test kit, which incorporate the cyber-physical system of industrial operations. These datasets with a normal baseline along with different industrial hacking scenarios are analyzed for research purposes. Metadata is obtained from Deep packet inspection (DPI) of flow properties of network packets. DPI analysis provides more visibility into the contents of OT traffic based on communication protocols. The advancement in technology has led to the utilization of machine learning/artificial intelligence capability in IDS ICS SCADA. The industrial datasets are pre-processed, profiled and the abnormality is analyzed with DPI. The processed metadata is normalized for the easiness of algorithm analysis and modelled with machine learning-based latest deep learning ensemble LSTM algorithms for anomaly detection. The deep learning approach has been used nowadays for enhanced OT IDS performances.

The power grid is considered to be the most critical piece of infrastructure in the United States because each of the other fifteen critical infrastructures, as defined by the Cyberse-curity and Infrastructure Security Agency (CISA), require the energy sector to properly function. Due the critical nature of the power grid, the ability to detect anomalies in the power grid is of critical importance to prevent power outages, avoid damage to sensitive equipment and to maintain a working power grid. Over the past few decades, the modern power grid has evolved into a large Cyber Physical System (CPS) equipped with wide area monitoring systems (WAMS) and distributed control. As smart technology advances, the power grid continues to be upgraded with high fidelity sensors and measurement devices, such as phasor measurement units (PMUs), that can report the state of the system with a high temporal resolution. However, this influx of data can often become overwhelming to the legacy Supervisory Control and Data Acquisition (SCADA) system, as well as, the power system operator. In this paper, we propose using a deep learning (DL) convolutional neural network (CNN) as a module within the Automatic Network Guardian for ELectrical systems (ANGEL) Digital Twin environment to detect physical faults in a power system. The presented approach uses high fidelity measurement data from the IEEE 9-bus and IEEE 39-bus benchmark power systems to not only detect if there is a fault in the power system but also applies the algorithm to classify which bus contains the fault.

In the ever evolving Internet threat landscape, Distributed Denial-of-Service (DDoS) attacks remain a popular means to invoke service disruption. DDoS attacks, however, have evolved to become a tool of deceit, providing a smokescreen or distraction while some other underlying attack takes place, such as data exfiltration. Knowing the intent of a DDoS, and detecting underlying attacks which may be present concurrently with it, is a challenging problem. An entity whose network is under a DDoS attack may not have the support personnel to both actively fight a DDoS and try to mitigate underlying attacks. Therefore, any system that can detect such underlying attacks should do so only with a high degree of confidence. Previous work utilizing flow aggregation techniques with multi-class anomaly detection showed promise in both DDoS detection and detecting underlying attacks ongoing during an active DDoS attack. In this work, we head in the opposite direction, utilizing flow segmentation and concurrent flow feature aggregation, with the primary goal of greatly reduced detection times of both DDoS and underlying attacks. Using the same multi-class anomaly detection approach, we show greatly improved detection times with promising detection performance.

Advanced persistent threats (APT’s) are stealthy threat actors with the skills to gain covert control of the computer network for an extended period of time. They are the highest cyber attack risk factor for large companies and states. A successful attack via an APT can cost millions of dollars, can disrupt civil life and has the capabilities to do physical damage. APT groups are typically state-sponsored and are considered the most effective and skilled cyber attackers. Attacks of APT’s are executed in several stages as pointed out in the Lockheed Martin cyber kill chain (CKC). Each of these APT stages can potentially be identified as patterns in network traffic. Using the "APT-2020" dataset, that compiles the characteristics and stages of an APT, we carried out experiments on the detection of anomalous traffic for all APT stages. We compare several artificial intelligence models, like a stacked auto encoder, a recurrent neural network and a one class state vector machine and show significant improvements on detection in the data exfiltration stage. This dataset is the first to have a data exfiltration stage included to experiment on. According to APT-2020’s authors current models have the biggest challenge specific to this stage. We introduce a method to successfully detect data exfiltration by analyzing the payload of the network traffic flow. This flow based deep packet inspection approach improves detection compared to other state of the art methods.

In the industrial control system, in order to solve the problem that the installation of smart devices in a transparent environment are faced with the unknown attack problems, because most of the industrial control equipment to detect unknown risks, Therefore, by studying the security protection of the current industrial control system and the trust mechanism that should be widely used in the Internet of things, this paper presents the abnormal node detection mode based on comprehensive trust applied to the industrial control system scenarios. This model firstly proposes a model, which fuses direct and indirect trust values into current trust values through support algorithm and vector similarity algorithm, and then combines them with historical trust values, and gives the calculation method of each trust value. Finally, a method to determine abnormal nodes based on comprehensive trust degree is given to realize a detection process for all industrial control nodes. By analyzing the real data case provided by Melbourne Water, it is concluded that this model can improve the detection range and detection accuracy of abnormal nodes. It can accurately judge and effectively resist malicious behavior and also have a good resistance to aggression.

Data is one of the most valuable assets of an organization and has a tremendous impact on its long-term success and decision-making processes. Typically, organizational data error and outlier detection processes perform manually and reactively, making them time-consuming and prone to human errors. Additionally, rich data types, unlabeled data, and increased volume have made such data more complex. Accordingly, an automated anomaly detection approach is required to improve data management and quality control processes. This study introduces an unsupervised anomaly detection approach based on models comparison, consensus learning, and a combination of rules of thumb with iterative hyper-parameter tuning to increase data quality. Furthermore, a domain expert is considered a human in the loop to evaluate and check the data quality and to judge the output of the unsupervised model. An experiment has been conducted to assess the proposed approach in the context of a case study. The experiment results confirm that the proposed approach can improve the quality of organizational data and facilitate anomaly detection processes.

With the development of deep learning technology, a large number of new technologies for video anomaly detection have emerged. This paper proposes a video anomaly detection algorithm based on the future frame prediction using Generative Adversarial Network (GAN) and attention mechanism. For the generation model, a U-Net model, is modified and added with an attention module. For the discrimination model, a Markov GAN discrimination model with self-attention mechanism is proposed, which can affect the generator and improve the generation quality of the future video frame. Experiments show that the new video anomaly detection algorithm improves the detection performance, and the attention module plays an important role in the overall detection performance. It is found that the more the attention modules are appliedthe deeper the application level is, the better the detection effect is, which also verifies the rationality of the model structure used in this project.

Advances in artificial intelligence (AI) have provided a variety of solutions in several real-world complex problems. One of the current trends contains the integration of various AI tools to improve the proposed solutions. The question that has to be revisited is how tools may be put together to form efficient systems suitable for the problem at hand. This paper frames itself in the area of nuclear security where an agent uses a radiation sensor to survey an area for radiological threats. The main goal of this application is to identify anomalies in the measured data that designate the presence of nuclear material that may consist of a threat. To that end, we propose the integration of two kernel modeled Gaussian processes (GP) by using a fuzzy inference system. The GP models utilize different types of information to make predictions of the background radiation contribution that will be used to identify an anomaly. The integration of the prediction of the two GP models is performed with means of fuzzy rules that provide the degree of existence of anomalous data. The proposed system is tested on a set of real-world gamma-ray spectra taken with a low-resolution portable radiation spectrometer.

In this conceptual work, we present Deep Convolutional Gaussian Mixture Models (DCGMMs): a new formulation of deep hierarchical Gaussian Mixture Models (GMMs) that is particularly suitable for describing and generating images. Vanilla (i.e., flat) GMMs require a very large number of components to describe images well, leading to long training times and memory issues. DCGMMs avoid this by a stacked architecture of multiple GMM layers, linked by convolution and pooling operations. This allows to exploit the compositionality of images in a similar way as deep CNNs do. DCGMMs can be trained end-to-end by Stochastic Gradient Descent. This sets them apart from vanilla GMMs which are trained by Expectation-Maximization, requiring a prior k-means initialization which is infeasible in a layered structure. For generating sharp images with DCGMMs, we introduce a new gradient-based technique for sampling through non-invertible operations like convolution and pooling. Based on the MNIST and FashionMNIST datasets, we validate the DCGMMs model by demonstrating its superiority over flat GMMs for clustering, sampling and outlier detection.

With the rapid growth of the Internet of Things (IoT) applications in smart regions/cities, for example, smart healthcare, smart homes/offices, there is an increase in security threats and risks. The IoT devices solve real-world problems by providing real-time connections, data and information. Besides this, the attackers can tamper with sensors, add or remove them physically or remotely. In this study, we address the IoT security sensor tampering issue in an office environment. We collect data from real-life settings and apply machine learning to detect sensor tampering using two methods. First, a real-time view of the traffic patterns is considered to train our isolation forest-based unsupervised machine learning method for anomaly detection. Second, based on traffic patterns, labels are created, and the decision tree supervised method is used, within our novel Anomaly Detection using Machine Learning (AD-ML) system. The accuracy of the two proposed models is presented. We found 84% with silhouette metric accuracy of isolation forest. Moreover, the result based on 10 cross-validations for decision trees on the supervised machine learning model returned the highest classification accuracy of 91.62% with the lowest false positive rate.

Wireless sensor networks (WSNs) are underlying network infrastructure for a variety of surveillance applications. The network should be tolerant of unexpected failures of sensor nodes to meet the Quality of Service (QoS) requirements of these applications. One major cause of failure is active security attacks such as Depletion-of-Battery (DoB) attacks. This paper model the problem of detecting such attacks as an anomaly detection problem in a dynamic graph. The problem is addressed by employing a cluster ensemble approach called the K-Means Spectral and Hierarchical ensemble (KSH) approach. The experimental result shows that KSH detected DoB attacks with better accuracy when compared to baseline approaches.

In order to realize Intelligent Disaster Recovery and break the traditional reactive backup mode, it is necessary to forecast the potential system anomalies, and proactively backup the real-time datas and configurations. System logs record the running status as well as the critical events (including errors and warnings), which can help to detect system performance, debug system faults and analyze the causes of anomalies. What's more, with the features of real-time, hierarchies and easy-access, log data can be an ideal source for monitoring system status. To reduce the complexity and improve the robustness and practicability of existing log-based anomaly detection methods, we propose a new anomaly detection mechanism based on hierarchical weights, which can deal with unstable log data. We firstly extract semantic information of log strings, and get the word-level weights by SIF algorithm to embed log strings into vectors, which are then feed into attention-based Long Short-Term Memory(LSTM) deep learning network model. In addition to get sentence-level weight which can be used to explore the interdependence between different log sequences and improve the accuracy, we utilize attention weights to help with building workflow to diagnose the abnormal points in the execution of a specific task. Our experimental results show that the hierarchical weights mechanism can effectively improve accuracy of perdition task and reduce complexity of the model, which provides the feasibility foundation support for Intelligent Disaster Recovery.

The paper considers the issue of recurrent neural networks applicability for detecting industrial process anomalies to detect intrusion in Industrial Control Systems. Cyberattack on Industrial Control Systems often leads to appearing of anomalies in industrial process. Thus, it is proposed to detect such anomalies by forecasting the state of an industrial process using a recurrent neural network and comparing the predicted state with actual process' state. In the course of experimental research, a recurrent neural network with one-dimensional convolutional layer was implemented. The Secure Water Treatment dataset was used to train model and assess its quality. The obtained results indicate the possibility of using the proposed method in practice. The proposed method is characterized by the absence of the need to use anomaly data for training. Also, the method has significant interpretability and allows to localize an anomaly by pointing to a sensor or actuator whose signal does not match the model's prediction.

Industrial Control Systems (ICS) are complex systems made up of many components with different tasks. For a safe and secure operation, each device needs to carry out its tasks correctly. To monitor a system and ensure the correct behavior of systems, anomaly detection is used.Models of expected behavior often rely only on cyber or physical features for anomaly detection. We propose an anomaly detection system that combines both types of features to create a dynamic fingerprint of an ICS. We present how a cyber-physical anomaly detection using sound on the physical layer can be designed, and which challenges need to be overcome for a successful implementation. We perform an initial evaluation for identifying actions of a 3D printer.

Traditionally, Industrial Control Systems (ICS) have been operated as air-gapped networks, without a necessity to connect directly to the Internet. With the introduction of the Internet of Things (IoT) paradigm, along with the cloud computing shift in traditional IT environments, ICS systems went through an adaptation period in the recent years, as the Industrial Internet of Things (IIoT) became popular. ICS systems, also called Cyber-Physical-Systems (CPS), operate on physical devices (i.e., actuators, sensors) at the lowest layer. An anomaly that effect this layer, could potentially result in physical damage. Due to the new attack surfaces that came about with IIoT movement, precise, accurate, and prompt intrusion/anomaly detection is becoming even more crucial in ICS. This paper proposes a novel method for real-time intrusion/anomaly detection based on a cyber-physical system network traffic. To evaluate the proposed anomaly detection method's efficiency, we run our implementation against a network trace taken from a Secure Water Treatment Testbed (SWAT) of iTrust Laboratory at Singapore.

Insider threats are the cyber attacks from the trusted entities within an organization. An insider attack is hard to detect as it may not leave a footprint and potentially cause huge damage to organizations. Anomaly detection is the most common approach for insider threat detection. Lack of real-world data and the skewed class distribution in the datasets makes insider threat analysis an understudied research area. In this paper, we propose a Conditional Generative Adversarial Network (CGAN) to enrich under-represented minority class samples to provide meaningful and diverse data for anomaly detection from the original malicious scenarios. Comprehensive experiments performed on benchmark dataset demonstrates the effectiveness of using CGAN augmented data, and the capability of multi-class anomaly detection for insider activity analysis. Moreover, the method is compared with other existing methods against different parameters and performance metrics.

This paper designs a data anomaly detection method for power grid data centers. The method uses cloud computing architecture to realize the storage and calculation of large amounts of data from power grid data centers. After that, the STL decomposition method is used to decompose the grid data, and then the decomposed residual data is used for anomaly analysis to complete the detection of abnormal data in the grid data. Finally, the feasibility of the method is verified through experiments.

Industrial Control System (ICS) transmits control and monitoring data between devices in an industrial environment that includes smart grids, water and gas distribution, or traffic control. Unlike traditional internet communication, ICS traffic is stable, periodical, and with regular communication patterns that can be described using statistical modeling. By observing selected features of ICS transmission, e.g., packet direction and inter-arrival times, we can create a statistical profile of the communication based on distribution of features learned from the normal ICS traffic. This paper demonstrates that using statistical modeling, we can detect various anomalies caused by irregular transmissions, device or link failures, and also cyber attacks like packet injection, scanning, or denial of service (DoS). The paper shows how a statistical model is automatically created from a training dataset. We present two types of statistical profiles: the master-oriented profile for one-to-many communication and the peer-to-peer profile that describes traffic between two ICS devices. The proposed approach is fast and easy to implement as a part of an intrusion detection system (IDS) or an anomaly detection (AD) module. The proof-of-concept is demonstrated on two industrial protocols: IEC 60870-5-104 (aka IEC 104) and IEC 61850 (Goose).

Bitcoin is a representative cryptocurrency system using a permissionless peer-to-peer (P2P) network as its communication infrastructure. A number of attacks against Bitcoin have been discovered over the past years, including the Eclipse and EREBUS Attacks. In this paper, we present a new attack against Bitcoin’s P2P networking, dubbed ConMan because it leverages connection manipulation. ConMan achieves the same effect as the Eclipse and EREBUS Attacks in isolating a target (i.e., victim) node from the rest of the Bitcoin network. However, ConMan is different from these attacks because it is an active and deterministic attack, and is more effective and efficient. We validate ConMan through proof-of-concept exploitation in an environment that is coupled with real-world Bitcoin node functions. Experimental results show that ConMan only needs a few minutes to fully control the peer connections of a target node, which is in sharp contrast to the tens of days that are needed by the Eclipse and EREBUS Attacks. Further, we propose several countermeasures against ConMan. Some of them would be effective but incompatible with the design principles of Bitcoin, while the anomaly detection approach is positively achievable. We disclosed ConMan to the Bitcoin Core team and received their feedback, which confirms ConMan and the proposed countermeasures.

Insider threat makes enterprises or organizations suffer from the loss of property and the negative influence of reputation. User behavior analysis is the mainstream method of insider threat detection, but due to the lack of fine-grained detection and the inability to effectively capture the behavior patterns of individual users, the accuracy and precision of detection are insufficient. To solve this problem, this paper designs an insider threat detection method based on user historical behavior and attention mechanism, including using Long Short Term Memory (LSTM) to extract user behavior sequence information, using Attention-based on user history behavior (ABUHB) learns the differences between different user behaviors, uses Bidirectional-LSTM (Bi-LSTM) to learn the evolution of different user behavior patterns, and finally realizes fine-grained user abnormal behavior detection. To evaluate the effectiveness of this method, experiments are conducted on the CMU-CERT Insider Threat Dataset. The experimental results show that the effectiveness of this method is 3.1% to 6.3% higher than that of other comparative model methods, and it can detect insider threats in different user behaviors with fine granularity.

With the rapid development of communication net-work, the types and quantities of network traffic data have in-creased substantially. What followed was the frequent occurrence of versatile cyber attacks. As an important part of network security, the network-based intrusion detection system (NIDS) can monitor and protect the network equippments and terminals in real time. The traditional detection methods based on deep learning (DL) are always in supervised manners in NIDS, which can automatically build end-to-end detection model without man-ual feature extraction and selection by domain experts. However, supervised learning methods require large-scale labeled data, yet capturing large labeled datasets is a very cubersome, tedious and time-consuming manual task. Instead, unsupervised learning is an effective way to overcome this problem. Nonetheless, the ex-isting unsupervised methods are prone to low detection efficiency and are difficult to train. In this paper we propose a novel NIDS method called PGAN based on generative adversarial network (GAN) to detect the abnormal traffic from the perspective of Anomaly Detection, which leverage the competitive speciality of adversarial training to learn the normal traffic. Based on the public dataset CICIDS2017, three experimental results show that PGAN can significantly outperform other unsupervised methods like stacked autoencoder (SAE) and isolation forest (IF).

In the era of rapid technological growth, malicious traffic has drawn increased attention. Most well-known offensive security assessment todays are heavily focused on pre-compromise. The amount of anomalous data in today's context is massive. Analyzing the data using primitive methods would be highly challenging. Solution to it is: If we can detect adversary behaviors in the early stage of compromise, one can prevent and safeguard themselves from various attacks including ransomwares and Zero-day attacks. Integration of new technologies Artificial Intelligence & Machine Learning with manual Anomaly Detection can provide automated machine-based detection which in return can provide the fast, error free, simplify & scalable Threat Detection & Response System. Endpoint Detection & Response (EDR) tools provide a unified view of complex intrusions using known adversarial behaviors to identify intrusion events. We have used the EMBER dataset, which is a labelled benchmark dataset. It is used to train machine learning models to detect malicious portable executable files. This dataset consists of features derived from 1.1 million binary files: 900,000 training samples among which 300,000 were malicious, 300,000 were benevolent, 300,000 un-labelled, and 200,000 evaluation samples among which 100K were malicious, 100K were benign. We have also included open-source code for extracting features from additional binaries, enabling the addition of additional sample features to the dataset.

Surveillance videos can capture anomalies in real scenarios and play an important role in security systems. Anomaly events are unpredictable, which reflect the unsupervised nature of the problem. In addition, it is difficult to construct a complete video dataset which contains all normal events. Based on the diversity of normal events, this paper proposes a memory-enhanced unsupervised method for anomaly detection. The proposed method reconstructs video events by combining prototype features and encoded features to detect anomaly events. Furthermore, a memory module is introduced to better store the prototype patterns of normal events. Experimental results in various benchmark datasets demonstrate the effectiveness and robustness of the proposed method.

With current IoT architectures, once a single device in a network is compromised, it can be used to disrupt the behavior of other devices on the same network. Even though system administrators can secure critical devices in the network using best practices and state-of-the-art technology, a single vulnerable device can undermine the security of the entire network. The goal of this work is to limit the ability of an attacker to exploit a vulnerable device on an IoT network and fabricate deceitful messages to co-opt other devices. The approach is to limit attackers by using device proxies that are used to retransmit and control network communications. We present an architecture that prevents deceitful messages generated by compromised devices from affecting the rest of the network. The design assumes a centralized and trustworthy machine that can observe the behavior of all devices on the network. The central machine collects application layer data, as opposed to low-level network traffic, from each IoT device. The collected data is used to train models that capture the normal behavior of each individual IoT device. The normal behavioral data is then used to monitor the IoT devices and detect anomalous behavior. This paper reports on our experiments using both a binary classifier and a density-based clustering algorithm to model benign IoT device behavior with a realistic test-bed, designed to capture normal behavior in an IoT-monitored environment. Results from the IoT testbed show that both the classifier and the clustering algorithms are promising and encourage the use of application-level data for detecting compromised IoT devices.

We propose Cleann, the first end-to-end framework that enables online mitigation of Trojans for embedded Deep Neural Network (DNN) applications. A Trojan attack works by injecting a backdoor in the DNN while training; during inference, the Trojan can be activated by the specific backdoor trigger. What differentiates Cleann from the prior work is its lightweight methodology which recovers the ground-truth class of Trojan samples without the need for labeled data, model retraining, or prior assumptions on the trigger or the attack. We leverage dictionary learning and sparse approximation to characterize the statistical behavior of benign data and identify Trojan triggers. Cleann is devised based on algorithm/hardware co-design and is equipped with specialized hardware to enable efficient real-time execution on resource-constrained embedded platforms. Proof of concept evaluations on Cleann for the state-of-the-art Neural Trojan attacks on visual benchmarks demonstrate its competitive advantage in terms of attack resiliency and execution overhead.