Preemptive: an integrated approach to intrusion detection and prevention in industrial control systems

Cyber-security of industrial control systems (ICSs) is notoriously hard because of the constraints peculiar to this context. At the same time, the use of specifically crafted malware to target ICSs is an established offensive means for opposing organisations, groups, or countries. We provide an overview of the results attained by the Preemptive project to improve the cyber-security of ICSs. Preemptive devised several integrated tools for the detection and prevention of intrusions in this context. It also provides a way to correlate many small events into more significant ones, and it shows the overall cyber-security state to the user by means of specific human-machine interfaces.
