Browsing by Author "Cruz, Tiago"
Now showing 1 - 8 of 8
Results Per Page
Sort Options
- An automated closed-loop framework to enforce security policies from anomaly detectionPublication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, PauloDue to the growing complexity and scale of IT systems, there is an increasing need to automate and streamline routine maintenance and security management procedures, to reduce costs and improve productivity. In the case of security incidents, the implementation and application of response actions require significant efforts from operators and developers in translating policies to code. Even if Machine Learning (ML) models are used to find anomalies, they need to be regularly trained/updated to avoid becoming outdated. In an evolving environment, a ML model with outdated training might put at risk the organization it was supposed to defend. To overcome those issues, in this paper we propose an automated closed-loop process with three stages. The first stage focuses on obtaining the Decision Trees (DT) that classify anomalies. In the second stage, DTs are translated into security Policies as Code based on languages recognized by the Policy Engine (PE). In the last stage, the translated security policies feed the Policy Engines that enforce them by converting them into specific instruction sets. We also demonstrate the feasibility of the proposed framework, by presenting an example that encompasses the three stages of the closed-loop process. The proposed framework may integrate a broad spectrum of domains and use cases, being able for instance to support the decide and the act stages of the ETSI Zero-touch Network & Service Management (ZSM) framework.
- Combining K-Means and XGBoost Models for Anomaly Detection Using Log DatasetsPublication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, PauloAbstract: Computing and networking systems traditionally record their activity in log files, which have been used for multiple purposes, such as troubleshooting, accounting, post-incident analysis of security breaches, capacity planning and anomaly detection. In earlier systems those log files were processed manually by system administrators, or with the support of basic applications for filtering, compiling and pre-processing the logs for specific purposes. However, as the volume of these log files continues to grow (more logs per system, more systems per domain), it is becoming increasingly difficult to process those logs using traditional tools, especially for less straightforward purposes such as anomaly detection. On the other hand, as systems continue to become more complex, the potential of using large datasets built of logs from heterogeneous sources for detecting anomalies without prior domain knowledge becomes higher. Anomaly detection tools for such scenarios face two challenges. First, devising appropriate data analysis solutions for effectively detecting anomalies from large data sources, possibly without prior domain knowledge. Second, adopting data processing platforms able to cope with the large datasets and complex data analysis algorithms required for such purposes. In this paper we address those challenges by proposing an integrated scalable framework that aims at efficiently detecting anomalous events on large amounts of unlabeled data logs. Detection is supported by clustering and classification methods that take advantage of parallel computing environments. We validate our approach using the the well known NASA Hypertext Transfer Protocol (HTTP) logs datasets. Fourteen features were extracted in order to train a k-means model for separating anomalous and normal events in highly coherent clusters. A second model, making use of the XGBoost system implementing a gradient tree boosting algorithm, uses the previous binary clustered data for producing a set of simple interpretable rules. These rules represent the rationale for generalizing its application over a massive number of unseen events in a distributed computing environment. The classified anomaly events produced by our framework can be used, for instance, as candidates for further forensic and compliance auditing analysis in security management.
- Evolving the Security Paradigm for Industrial IoT EnvironmentsPublication . Rosa, Luis; Freitas, Miguel Borges de; Henriques, João; Quitério, Pedro; Caldeira, Filipe; Cruz, Tiago; Simões, PauloIn recent years, IACS (Industrial Automation and Control Systems) have become more complex, due to the increasing number of interconnected devices. This IoT (internet of things)-centric IACS paradigm, which is at the core of the Industry 4.0 concept, expands the infrastructure boundaries beyond the aggregated-plant, mono-operator vision, being dispersed over a large geographic area. From a cybersecurity-centric perspective, the distributed nature of modern IACS makes it difficult not only to understand the nature of incidents but also to assess their progression and threat profile. Defending against those threats is becoming increasingly difficult, requiring orchestrated and collaborative distributed detection, evaluation, and reaction capabilities beyond the scope of a single entity. This chapter presents the Intrusion and Anomaly Detection System platform architecture that was designed and developed within the scope of the ATENA H2020 project, to address the specific needs of distributed IACS while providing (near) real-time cybersecurity awareness.
- A forensics and compliance auditing framework for critical infrastructure protectionPublication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, PauloContemporary societies are increasingly dependent on products and services provided by Critical Infrastructure (CI) such as power plants, energy distribution networks, transportation systems and manufacturing facilities. Due to their nature, size and complexity, such CIs are often supported by Industrial Automation and Control Systems (IACS), which are in charge of managing assets and controlling everyday operations. As these IACS become larger and more complex, encompassing a growing number of processes and interconnected monitoring and actuating devices, the attack surface of the underlying CIs increases. This situation calls for new strategies to improve Critical Infrastructure Protection (CIP) frameworks, based on evolved approaches for data analytics, able to gather insights from the CI. In this paper, we propose an Intrusion and Anomaly Detection System (IADS) framework that adopts forensics and compliance auditing capabilities at its core to improve CIP. Adopted forensics techniques help to address, for instance, post-incident analysis and investigation, while the support of continuous auditing processes simplifies compliance management and service quality assessment. More specifically, after discussing the rationale for such a framework, this paper presents a formal description of the proposed components and functions and discusses how the framework can be implemented using a cloud-native approach, to address both functional and non-functional requirements. An experimental analysis of the framework scalability is also provided.
- Intrusion and anomaly detection for the next-generation of industrial automation and control systemsPublication . Rosa, Luis; Cruz, Tiago; Freitas, Miguel Borges de; Quitério, Pedro; Henriques, João; Caldeira, Filipe; Monteiro, Edmundo; Simões, PauloThe next-generation of Industrial Automation and Control Systems (IACS) and Supervisory Control and Data Acquisition (SCADA) systems pose numerous challenges in terms of cybersecurity monitoring. We have been witnessing the convergence of OT/IT networks, combined with massively distributed metering and control scenarios such as smart grids. Larger and geographically widespread attack surfaces, and inherently more data to analyse, will become the norm. Despite several advances in recent years, domain-specific security tools have been facing the challenges of trying to catch up with all the existing security flaws from the past, while also accounting for the specific needs of the next-generation of IACS. Moreover, the aggregation of multiple techniques and sources of information into a comprehensive approach has not been explored in depth. Such a holistic perspective is paramount since it enables a global and enhanced analysis enabled by the usage, combination and aggregation of the outputs from multiple sources and techniques. This paper starts by providing a review of the more recent anomaly detection techniques for SCADA systems, focused on both theoretical machine learning approaches and complete frameworks. Afterwards, it proposes a complete framework for an Intrusion and Anomaly Detection System (IADS) composed of specific detection probes, an event processing layer and a core anomaly detection component, amongst others. Finally, the paper presents an evaluation of the framework within a large-scale hybrid testbed, and a comparison of different anomaly detection scenarios based on various machine learning techniques.
- On the Use of Ontology Data for Protecting Critical InfrastructuresPublication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, PauloModern societies increasingly depend on products and services provided by Critical Infrastructures (CI). The Security Information and Event Management (SIEM) systems in charge of protecting these CIs usually collect and process data from specialised sources. However, they usually integrate only a small fraction of the whole data sources existing in the CI. Valuable generic data sources are missing in this process, such as human resources databases, staff check clocks, and outsourced service providers. To address this gap, the authors propose a framework that takes a Semantic Web approach for automated collection and processing of corporate data from multiple heterogeneous sources.
- A Survey on Forensics and Compliance Auditing for Critical Infrastructure ProtectionPublication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, PauloThe broadening dependency and reliance that modern societies have on essential services provided by Critical Infrastructures is increasing the relevance of their trustworthiness. However, Critical Infrastructures are attractive targets for cyberattacks, due to the potential for considerable impact, not just at the economic level but also in terms of physical damage and even loss of human life. Complementing traditional security mechanisms, forensics and compliance audit processes play an important role in ensuring Critical Infrastructure trustworthiness. Compliance auditing contributes to checking if security measures are in place and compliant with standards and internal policies. Forensics assist the investigation of past security incidents. Since these two areas significantly overlap, in terms of data sources, tools and techniques, they can be merged into unified Forensics and Compliance Auditing (FCA) frameworks. In this paper, we survey the latest developments, methodologies, challenges, and solutions addressing forensics and compliance auditing in the scope of Critical Infrastructure Protection. This survey focuses on relevant contributions, capable of tackling the requirements imposed by massively distributed and complex Industrial Automation and Control Systems, in terms of handling large volumes of heterogeneous data (that can be noisy, ambiguous, and redundant) for analytic purposes, with adequate performance and reliability. The achieved results produced a taxonomy in the field of FCA whose key categories denote the relevant topics in the literature. Also, the collected knowledge resulted in the establishment of a reference FCA architecture, proposed as a generic template for a converged platform. These results are intended to guide future research on forensics and compliance auditing for Critical Infrastructure Protection.
- Towards Protecting Critical InfrastructuresPublication . Caldeira, Filipe; Cruz, Tiago; Simões, Paulo; Monteiro, EdmundoCritical Infrastructures (CIs) such as power distribution are referred to as “Critical” as, in case of failure, the impact on society and economy can be enormous. CIs are exposed to a growing number of threats. ICT security plays a major role in CI protection and risk prevention for single and interconnected CIs were cascading effects might occur. This chapter addresses CI Protection discussing MICIE Project main results, along with the mechanisms that manage the degree of confidence assigned to risk alerts allowing improving the resilience of CIs when faced with inaccurate/inconsistent alerts. The CockpitCI project is also presented, aiming to improve the resilience and dependability of CIs through automatic detection of cyber-threats and the sharing of real-time information about attacks among CIs. CockpitCI addresses one MICIE's shortcoming by adding SCADA-oriented security detection capabilities, providing input for risk prediction models and assessment of the operational status of the Industrial Control Systems.