Biblio

Filters: Keyword is event logs
2020-10-16
Hussain, Mukhtar, Foo, Ernest, Suriadi, Suriadi.  2019.  An Improved Industrial Control System Device Logs Processing Method for Process-Based Anomaly Detection. 2019 International Conference on Frontiers of Information Technology (FIT). :150–1505.

Detecting process-based attacks on industrial control systems (ICS) is challenging. These cyber-attacks are designed to disrupt the industrial process by changing the state of a system, while keeping the system's behaviour close to the expected behaviour. Such anomalous behaviour can be effectively detected by an event-driven approach. Petri Net (PN) model identification has proved to be an effective method for event-driven system analysis and anomaly detection. However, PN identification-based anomaly detection methods require ICS device logs to be converted into event logs (sequence of events). Therefore, in this paper we present a formalised method for pre-processing and transforming ICS device logs into event logs. The proposed approach outperforms the previous methods of device logs processing in terms of anomaly detection. We have demonstrated the results using two published datasets.

2017-03-07
Xia, Xiaoxu, Song, Wei, Chen, Fangfei, Li, Xuansong, Zhang, Pengcheng.  2016.  Effa: A proM Plugin for Recovering Event Logs. Proceedings of the 8th Asia-Pacific Symposium on Internetware. :108–111.

While event logs generated by business processes play an increasingly significant role in business analysis, the quality of that data remains a serious problem. Automatic recovery of dirty event logs is therefore desirable and is receiving growing attention. However, existing methods either focus only on recovering missing events or are inefficient. To this end, we present Effa, a ProM plugin that automatically recovers event logs in light of process specifications. Based on advanced heuristics, including process decomposition and trace replaying to search for the minimum recovery, Effa achieves a balance between repair accuracy and efficiency.