Repository logo
 
Profile Picture
Person

Menoita Henriques, João Pedro

Metadata only
BB15-BFE2-17AA
0000-0001-7380-9511

Filters

2019 - 201912020 - 20224
Reset filters

Settings

Author: Cruz, Tiago ×

Search Results

Now showing 1 - 5 of 5
  • An automated closed-loop framework to enforce security policies from anomaly detection
    Publication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
    Due to the growing complexity and scale of IT systems, there is an increasing need to automate and streamline routine maintenance and security management procedures, to reduce costs and improve productivity. In the case of security incidents, the implementation and application of response actions require significant efforts from operators and developers in translating policies to code. Even if Machine Learning (ML) models are used to find anomalies, they need to be regularly trained/updated to avoid becoming outdated. In an evolving environment, a ML model with outdated training might put at risk the organization it was supposed to defend. To overcome those issues, in this paper we propose an automated closed-loop process with three stages. The first stage focuses on obtaining the Decision Trees (DT) that classify anomalies. In the second stage, DTs are translated into security Policies as Code based on languages recognized by the Policy Engine (PE). In the last stage, the translated security policies feed the Policy Engines that enforce them by converting them into specific instruction sets. We also demonstrate the feasibility of the proposed framework, by presenting an example that encompasses the three stages of the closed-loop process. The proposed framework may integrate a broad spectrum of domains and use cases, being able for instance to support the decide and the act stages of the ETSI Zero-touch Network & Service Management (ZSM) framework.
    2022-12Journal article Open access Show more
  • Intrusion and anomaly detection for the next-generation of industrial automation and control systems
    Publication . Rosa, Luis; Cruz, Tiago; Freitas, Miguel Borges de; Quitério, Pedro; Henriques, João; Caldeira, Filipe; Monteiro, Edmundo; Simões, Paulo
    The next-generation of Industrial Automation and Control Systems (IACS) and Supervisory Control and Data Acquisition (SCADA) systems pose numerous challenges in terms of cybersecurity monitoring. We have been witnessing the convergence of OT/IT networks, combined with massively distributed metering and control scenarios such as smart grids. Larger and geographically widespread attack surfaces, and inherently more data to analyse, will become the norm. Despite several advances in recent years, domain-specific security tools have been facing the challenges of trying to catch up with all the existing security flaws from the past, while also accounting for the specific needs of the next-generation of IACS. Moreover, the aggregation of multiple techniques and sources of information into a comprehensive approach has not been explored in depth. Such a holistic perspective is paramount since it enables a global and enhanced analysis enabled by the usage, combination and aggregation of the outputs from multiple sources and techniques. This paper starts by providing a review of the more recent anomaly detection techniques for SCADA systems, focused on both theoretical machine learning approaches and complete frameworks. Afterwards, it proposes a complete framework for an Intrusion and Anomaly Detection System (IADS) composed of specific detection probes, an event processing layer and a core anomaly detection component, amongst others. Finally, the paper presents an evaluation of the framework within a large-scale hybrid testbed, and a comparison of different anomaly detection scenarios based on various machine learning techniques.
    2021-01Journal article Restricted access Show more
  • Combining K-Means and XGBoost Models for Anomaly Detection Using Log Datasets
    Publication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
    Abstract: Computing and networking systems traditionally record their activity in log files, which have been used for multiple purposes, such as troubleshooting, accounting, post-incident analysis of security breaches, capacity planning and anomaly detection. In earlier systems those log files were processed manually by system administrators, or with the support of basic applications for filtering, compiling and pre-processing the logs for specific purposes. However, as the volume of these log files continues to grow (more logs per system, more systems per domain), it is becoming increasingly difficult to process those logs using traditional tools, especially for less straightforward purposes such as anomaly detection. On the other hand, as systems continue to become more complex, the potential of using large datasets built of logs from heterogeneous sources for detecting anomalies without prior domain knowledge becomes higher. Anomaly detection tools for such scenarios face two challenges. First, devising appropriate data analysis solutions for effectively detecting anomalies from large data sources, possibly without prior domain knowledge. Second, adopting data processing platforms able to cope with the large datasets and complex data analysis algorithms required for such purposes. In this paper we address those challenges by proposing an integrated scalable framework that aims at efficiently detecting anomalous events on large amounts of unlabeled data logs. Detection is supported by clustering and classification methods that take advantage of parallel computing environments. We validate our approach using the the well known NASA Hypertext Transfer Protocol (HTTP) logs datasets. Fourteen features were extracted in order to train a k-means model for separating anomalous and normal events in highly coherent clusters. A second model, making use of the XGBoost system implementing a gradient tree boosting algorithm, uses the previous binary clustered data for producing a set of simple interpretable rules. These rules represent the rationale for generalizing its application over a massive number of unseen events in a distributed computing environment. The classified anomaly events produced by our framework can be used, for instance, as candidates for further forensic and compliance auditing analysis in security management.
    2020-07-17Journal article Open access Show more
  • On the Use of Ontology Data for Protecting Critical Infrastructures
    Publication . Henriques, João; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
    Modern societies increasingly depend on products and services provided by Critical Infrastructures (CI). The Security Information and Event Management (SIEM) systems in charge of protecting these CIs usually collect and process data from specialised sources. However, they usually integrate only a small fraction of the whole data sources existing in the CI. Valuable generic data sources are missing in this process, such as human resources databases, staff check clocks, and outsourced service providers. To address this gap, the authors propose a framework that takes a Semantic Web approach for automated collection and processing of corporate data from multiple heterogeneous sources.
    2019Journal article Restricted access Show more
  • Evolving the Security Paradigm for Industrial IoT Environments
    Publication . Rosa, Luis; Freitas, Miguel Borges de; Henriques, João; Quitério, Pedro; Caldeira, Filipe; Cruz, Tiago; Simões, Paulo
    In recent years, IACS (Industrial Automation and Control Systems) have become more complex, due to the increasing number of interconnected devices. This IoT (internet of things)-centric IACS paradigm, which is at the core of the Industry 4.0 concept, expands the infrastructure boundaries beyond the aggregated-plant, mono-operator vision, being dispersed over a large geographic area. From a cybersecurity-centric perspective, the distributed nature of modern IACS makes it difficult not only to understand the nature of incidents but also to assess their progression and threat profile. Defending against those threats is becoming increasingly difficult, requiring orchestrated and collaborative distributed detection, evaluation, and reaction capabilities beyond the scope of a single entity. This chapter presents the Intrusion and Anomaly Detection System platform architecture that was designed and developed within the scope of the ATENA H2020 project, to address the specific needs of distributed IACS while providing (near) real-time cybersecurity awareness.
    2020Book part Restricted access Show more