From system specification to anomaly detection (and back)

D. Fauri; D.R. Dos Santos; Elisa Costante; J.J. den Hartog; S. Etalle; S. Tonetta

doi:10.1145/3140241.3140250

From system specification to anomaly detection (and back)

D. Fauri, D.R. Dos Santos, Elisa Costante, J.J. den Hartog, S. Etalle, S. Tonetta

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

23 Citations (Scopus)

3 Downloads (Pure)

Abstract

Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex process-based attacks and it provides little actionability in presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case

Original language	English
Title of host publication	CPS'17 : Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, 3 November 2017, Dallas, Texas
Place of Publication	New York
Publisher	Association for Computing Machinery, Inc.
Pages	13-24
Number of pages	12
ISBN (Electronic)	978-1-4503-5394-6
ISBN (Print)	978-1-4503-5394-6
DOIs	https://doi.org/10.1145/3140241.3140250
Publication status	Published - 3 Nov 2017
Event	CPS '17, 2017 Workshop on Cyber-Physical Systems Security and Privacy - Dallas, Texas Duration: 3 Nov 2017 → 3 Nov 2017

Conference

Conference	CPS '17, 2017 Workshop on Cyber-Physical Systems Security and Privacy
Abbreviated title	CPS'17
City	Dallas, Texas
Period	3/11/17 → 3/11/17

Keywords

Anomaly detection
Industrial control system
Intrusion detection
Specification

Access to Document

10.1145/3140241.3140250

Cite this

Fauri, D., Dos Santos, D. R., Costante, E., den Hartog, J. J., Etalle, S., & Tonetta, S. (2017). From system specification to anomaly detection (and back). In CPS'17 : Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, 3 November 2017, Dallas, Texas (pp. 13-24). Association for Computing Machinery, Inc.. https://doi.org/10.1145/3140241.3140250

@inproceedings{910b81fe90034948b4fe3691bf3d1cc1,

title = "From system specification to anomaly detection (and back)",

abstract = "Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex process-based attacks and it provides little actionability in presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case",

keywords = "Anomaly detection, Industrial control system, Intrusion detection, Specification",

author = "D. Fauri and \{Dos Santos\}, D.R. and Elisa Costante and \{den Hartog\}, J.J. and S. Etalle and S. Tonetta",

year = "2017",

month = nov,

day = "3",

doi = "10.1145/3140241.3140250",

language = "English",

isbn = "978-1-4503-5394-6",

pages = "13--24",

booktitle = "CPS'17 : Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, 3 November 2017, Dallas, Texas",

publisher = "Association for Computing Machinery, Inc.",

address = "United States",

note = "CPS '17, 2017 Workshop on Cyber-Physical Systems Security and Privacy <br/>, CPS'17 ; Conference date: 03-11-2017 Through 03-11-2017",

}

Fauri, D, Dos Santos, DR, Costante, E, den Hartog, JJ , Etalle, S & Tonetta, S 2017, From system specification to anomaly detection (and back). in CPS'17 : Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, 3 November 2017, Dallas, Texas. Association for Computing Machinery, Inc., New York, pp. 13-24, CPS '17, 2017 Workshop on Cyber-Physical Systems Security and Privacy
, Dallas, Texas, 3/11/17. https://doi.org/10.1145/3140241.3140250

From system specification to anomaly detection (and back). / Fauri, D.; Dos Santos, D.R.; Costante, Elisa et al.
CPS'17 : Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, 3 November 2017, Dallas, Texas. New York: Association for Computing Machinery, Inc., 2017. p. 13-24.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - From system specification to anomaly detection (and back)

AU - Fauri, D.

AU - Dos Santos, D.R.

AU - Costante, Elisa

AU - den Hartog, J.J.

AU - Etalle, S.

AU - Tonetta, S.

PY - 2017/11/3

Y1 - 2017/11/3

N2 - Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex process-based attacks and it provides little actionability in presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case

AB - Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex process-based attacks and it provides little actionability in presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case

KW - Anomaly detection

KW - Industrial control system

KW - Intrusion detection

KW - Specification

UR - http://www.scopus.com/inward/record.url?scp=85037147831&partnerID=8YFLogxK

U2 - 10.1145/3140241.3140250

DO - 10.1145/3140241.3140250

M3 - Conference contribution

SN - 978-1-4503-5394-6

SP - 13

EP - 24

BT - CPS'17 : Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, 3 November 2017, Dallas, Texas

PB - Association for Computing Machinery, Inc.

CY - New York

T2 - CPS '17, 2017 Workshop on Cyber-Physical Systems Security and Privacy <br/>

Y2 - 3 November 2017 through 3 November 2017

ER -

From system specification to anomaly detection (and back)

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this