ESTGV - DI - Article in a scientific journal indexed in WoS/Scopus
Browsing ESTGV - DI - Article in a scientific journal indexed in WoS/Scopus by Author "Caldeira, Filipe"
Now showing 1 - 9 of 9
- An automated closed-loop framework to enforce security policies from anomaly detection
  Publication. Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
  Due to the growing complexity and scale of IT systems, there is an increasing need to automate and streamline routine maintenance and security management procedures, to reduce costs and improve productivity. In the case of security incidents, the implementation and application of response actions require significant effort from operators and developers in translating policies to code. Even if Machine Learning (ML) models are used to find anomalies, they need to be regularly trained/updated to avoid becoming outdated. In an evolving environment, an ML model with outdated training might put at risk the organization it was supposed to defend. To overcome those issues, in this paper we propose an automated closed-loop process with three stages. The first stage focuses on obtaining the Decision Trees (DT) that classify anomalies. In the second stage, DTs are translated into security Policies as Code based on languages recognized by the Policy Engine (PE). In the last stage, the translated security policies feed the Policy Engines that enforce them by converting them into specific instruction sets. We also demonstrate the feasibility of the proposed framework by presenting an example that encompasses the three stages of the closed-loop process. The proposed framework may integrate a broad spectrum of domains and use cases, being able, for instance, to support the decide and act stages of the ETSI Zero-touch Network & Service Management (ZSM) framework.
- Combining K-Means and XGBoost Models for Anomaly Detection Using Log Datasets
  Publication. Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
  Computing and networking systems traditionally record their activity in log files, which have been used for multiple purposes, such as troubleshooting, accounting, post-incident analysis of security breaches, capacity planning and anomaly detection. In earlier systems those log files were processed manually by system administrators, or with the support of basic applications for filtering, compiling and pre-processing the logs for specific purposes. However, as the volume of these log files continues to grow (more logs per system, more systems per domain), it is becoming increasingly difficult to process those logs using traditional tools, especially for less straightforward purposes such as anomaly detection. On the other hand, as systems continue to become more complex, the potential of using large datasets built of logs from heterogeneous sources for detecting anomalies without prior domain knowledge becomes higher. Anomaly detection tools for such scenarios face two challenges. First, devising appropriate data analysis solutions for effectively detecting anomalies from large data sources, possibly without prior domain knowledge. Second, adopting data processing platforms able to cope with the large datasets and complex data analysis algorithms required for such purposes. In this paper we address those challenges by proposing an integrated scalable framework that aims at efficiently detecting anomalous events on large amounts of unlabeled data logs. Detection is supported by clustering and classification methods that take advantage of parallel computing environments. We validate our approach using the well-known NASA Hypertext Transfer Protocol (HTTP) log datasets. Fourteen features were extracted in order to train a k-means model for separating anomalous and normal events in highly coherent clusters. A second model, making use of the XGBoost system implementing a gradient tree boosting algorithm, uses the previous binary clustered data for producing a set of simple interpretable rules. These rules represent the rationale for generalizing its application over a massive number of unseen events in a distributed computing environment. The classified anomaly events produced by our framework can be used, for instance, as candidates for further forensic and compliance auditing analysis in security management.
- A forensics and compliance auditing framework for critical infrastructure protection
  Publication. Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
  Contemporary societies are increasingly dependent on products and services provided by Critical Infrastructure (CI) such as power plants, energy distribution networks, transportation systems and manufacturing facilities. Due to their nature, size and complexity, such CIs are often supported by Industrial Automation and Control Systems (IACS), which are in charge of managing assets and controlling everyday operations. As these IACS become larger and more complex, encompassing a growing number of processes and interconnected monitoring and actuating devices, the attack surface of the underlying CIs increases. This situation calls for new strategies to improve Critical Infrastructure Protection (CIP) frameworks, based on evolved approaches for data analytics, able to gather insights from the CI. In this paper, we propose an Intrusion and Anomaly Detection System (IADS) framework that adopts forensics and compliance auditing capabilities at its core to improve CIP. Adopted forensics techniques help to address, for instance, post-incident analysis and investigation, while the support of continuous auditing processes simplifies compliance management and service quality assessment. More specifically, after discussing the rationale for such a framework, this paper presents a formal description of the proposed components and functions and discusses how the framework can be implemented using a cloud-native approach, to address both functional and non-functional requirements. An experimental analysis of the framework scalability is also provided.
- Improving bluetooth beacon-based indoor location and fingerprinting
  Publication. Martins, Pedro; Abbasi, Maryam; Sá, Filipe; Cecílio, José; Morgado, Francisco; Caldeira, Filipe
  The complex way radio waves propagate indoors leads to the derivation of location using fingerprinting techniques. In these cases, location is computed relying on WiFi signal strength mapping. Recent Bluetooth Low Energy (BLE) provides new opportunities to explore positioning. In this work, we study how BLE beacon radio signals can be used for indoor location scenarios, as well as their precision. Additionally, this paper also introduces a method for beacon-based positioning, based on signal strength measurements at key distances for each beacon. This method allows the use of different beacon types, brands, and location conditions/constraints. Depending on each situation (i.e., hardware and location) it is possible to adapt the distance measuring curve to minimize errors and support higher distances, while at the same time keeping good precision. Moreover, this paper also presents a comparison with the traditional positioning method, using formulas for distance estimation and position triangulation. The proposed study is performed inside the campus of Viseu Polytechnic Institute, and tested using a group of students, each with their own smartphone, as a proof of concept. Experimental results show that BLE achieves an error below 1.5 m approximately 90% of the time, and the experimental results using the proposed location detection method show that the proposed positioning technique has 13.2% better precision than triangulation, for distances up to 10 m.
- Intrusion and anomaly detection for the next-generation of industrial automation and control systems
  Publication. Rosa, Luis; Cruz, Tiago; Freitas, Miguel Borges de; Quitério, Pedro; Henriques, João; Caldeira, Filipe; Monteiro, Edmundo; Simões, Paulo
  The next generation of Industrial Automation and Control Systems (IACS) and Supervisory Control and Data Acquisition (SCADA) systems poses numerous challenges in terms of cybersecurity monitoring. We have been witnessing the convergence of OT/IT networks, combined with massively distributed metering and control scenarios such as smart grids. Larger and geographically widespread attack surfaces, and inherently more data to analyse, will become the norm. Despite several advances in recent years, domain-specific security tools have been facing the challenge of trying to catch up with all the existing security flaws from the past, while also accounting for the specific needs of the next generation of IACS. Moreover, the aggregation of multiple techniques and sources of information into a comprehensive approach has not been explored in depth. Such a holistic perspective is paramount since it enables a global and enhanced analysis based on the usage, combination and aggregation of the outputs from multiple sources and techniques. This paper starts by providing a review of the more recent anomaly detection techniques for SCADA systems, focused on both theoretical machine learning approaches and complete frameworks. Afterwards, it proposes a complete framework for an Intrusion and Anomaly Detection System (IADS) composed of specific detection probes, an event processing layer and a core anomaly detection component, amongst others. Finally, the paper presents an evaluation of the framework within a large-scale hybrid testbed, and a comparison of different anomaly detection scenarios based on various machine learning techniques.
- A Model for Planning TELCO Work-Field Activities Enabled by Genetic and Ant Colony Algorithms
  Publication. Henriques, J.; Caldeira, Filipe
  Telecommunication Companies (TELCOs) continuously direct their efforts toward the effectiveness of their daily work. Planning the activities for their workers is a crucial, sensitive, and time-consuming task usually undertaken by experts. This plan aims to find an optimized solution maximizing the number of activities assigned to workers and minimizing the inherent costs (e.g., labor from workers, fuel, and other transportation costs). This paper proposes a model that allows computing a maximized plan for the activities assigned to their workers, alleviating the burden on the existing experts, even if supported by software implementing rule-based heuristic models. The proposed model is inspired by nature and relies on two stages supported by Genetic and Ant Colony evolutionary algorithms. At the first stage, a Genetic Algorithm (GA) identifies the optimal set of activities to be assigned to workers as the way to maximize the revenues. At a second step, an Ant Colony algorithm searches for an efficient path among the activities to minimize the costs. The conducted experimental work validates the effectiveness of the proposed model in the optimization of TELCO work-field activity planning in comparison to a rule-based heuristic model.
- A Survey on Forensics and Compliance Auditing for Critical Infrastructure Protection
  Publication. Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
  The broadening dependency and reliance that modern societies have on essential services provided by Critical Infrastructures is increasing the relevance of their trustworthiness. However, Critical Infrastructures are attractive targets for cyberattacks, due to the potential for considerable impact, not just at the economic level but also in terms of physical damage and even loss of human life. Complementing traditional security mechanisms, forensics and compliance audit processes play an important role in ensuring Critical Infrastructure trustworthiness. Compliance auditing contributes to checking if security measures are in place and compliant with standards and internal policies. Forensics assist the investigation of past security incidents. Since these two areas significantly overlap, in terms of data sources, tools and techniques, they can be merged into unified Forensics and Compliance Auditing (FCA) frameworks. In this paper, we survey the latest developments, methodologies, challenges, and solutions addressing forensics and compliance auditing in the scope of Critical Infrastructure Protection. This survey focuses on relevant contributions, capable of tackling the requirements imposed by massively distributed and complex Industrial Automation and Control Systems, in terms of handling large volumes of heterogeneous data (that can be noisy, ambiguous, and redundant) for analytic purposes, with adequate performance and reliability. The achieved results produced a taxonomy in the field of FCA whose key categories denote the relevant topics in the literature. Also, the collected knowledge resulted in the establishment of a reference FCA architecture, proposed as a generic template for a converged platform. These results are intended to guide future research on forensics and compliance auditing for Critical Infrastructure Protection.
- Torrent Poisoning Protection with a Reverse Proxy Server
  Publication. Godinho, António Augusto Nunes; Rosado, José; Sá, Filipe; Caldeira, Filipe; Cardoso, Filipe Gonçalves
  A Distributed Denial-of-Service attack uses multiple sources operating in concert to attack a network or site. A typical DDoS flood attack on a website targets a web server with multiple valid requests, exhausting the server's resources. The participants in this attack are usually compromised/infected computers controlled by the attackers. There are several variations of this kind of attack, and torrent index poisoning is one. A Distributed Denial-of-Service (DDoS) attack using torrent poisoning, more specifically using index poisoning, is one of the most effective and disruptive types of attacks. These web flooding attacks originate from BitTorrent-based file-sharing communities, where the participants using the BitTorrent applications cannot detect their involvement. Antivirus and other tools cannot detect the altered torrent file, making the BitTorrent client target the web server. The use of reverse proxy servers can block this type of request from reaching the web server, limiting the severity and impact of the DDoS on the service. In this paper, we analyze a torrent index poisoning DDoS attack on a higher education institution, the impact on the network systems and servers, and the mitigation measures implemented.
- Trust and reputation management for critical infrastructure protection
  Publication. Caldeira, Filipe; Monteiro, Edmundo; Simões, Paulo
  Today's critical infrastructures (CIs) depend on information and communication technologies (ICTs) to deliver their services with the required level of quality and availability. ICT security plays a major role in CI protection and risk prevention for single and also for interconnected CIs, where cascading effects might occur because of the interdependencies that exist among different CIs. This work addresses the problem of ICT security in interconnected CIs. Trust and reputation management using the policy-based management paradigm is the proposed solution to be applied at the CI interconnection points for information exchange. The proposed solution is being applied to the Security Mediation Gateway being developed in the scope of the European FP7 MICIE project, to allow information exchange among interconnected CIs.