Attack Detection in Critical Infrastructures on the Base of Analysis of States
Abstract
An approach to revelation of attacks in critical infrastructures by means of graphoriented modeling methods is disclosed in the article. The approach has two main steps. At the preliminary step through the use of machine learning methods, it performs a processing of logs, i.e. primary information characterizing the operation of the infrastructure in order to build the graph of states and transitions of the infrastructure. At the exploitation step, the constructed graph is traversed to detect those states in which the system is under attack of a certain type. During the functioning, wrong transitions between the correct states of the infrastructure are detected, which in turn can be used to deduce a fact of an attack. The conducted experiments on data from datasets describing the exploitation of two industrial critical systems confirmed the soundness of the developed attack revelation mechanism, and demonstrated the large stability degree of the mechanism to possible losses of data fragments containing primary data from the system for the attack detection.
References
F. Wilkens, F. Ortmann, S.Haas, M. Vallentin, and M. Fischer, “Multi-Stage Attack Detection via Kill Chain State Machines,” in Proc. of the 3rd Workshop on Cyber-Security Arms Race, 2021 (CYSARM ’21), pp. 13–24б 2021; doi:10.1145/3474374.3486918
X. Zhang et al., “Multi-Step Attack Detection Based on Pre-Trained Hidden Markov Models,” Sensors,vol. 22, no. 8, p. 2874, 2022; doi:10.3390/s22082874
M. Husak, J. Kom ˊ arkov ˊ a, E. Bou-Harb, and P. ˊ Celeda, “Survey of Attack Projection, Prediction, and ˆForecasting in Cyber Security,” IEEE Communications Surveys & Tutorials, vol. 21, no. 1, pp. 640–660, 2019; doi:10.1109/comst.2018.2871866
M. S. Barik, A. Sengupta, and C. Mazumdar, “Attack Graph Generation and Analysis Techniques,” Defence Science Journal, vol. 66, no. 6, p. 559, 2016; doi:10.14429/dsj.66.10795
I. Ray and N. Poolsapassit, “Using Attack Trees to Identify Malicious Attacks from Authorized Insiders” in Lecture Notes in Computer Science, pp. 231–246, 2005, doi:10.1007/11555827_14
J. Zeng, S. Wu, Y. Chen, R. Zeng, and C. Wu, “Survey of Attack Graph Analysis Methods from the Perspective of Data and Knowledge Processing,” Security and Communication Networks, vol. 2019, pp. 1–16, 2019; doi:10.1155/2019/2031063
P. Holgado, V. A. Villagra, and L. Vazquez, “Real-Time Multistep Attack Prediction Based on Hidden Markov Models,” IEEE Transactions on Dependable and Secure Computing, vol. 17, no. 1, pp. 134–147, 2020; doi:10.1109/tdsc.2017.2751478
I. Zografopoulos, A. P. Kuruvila, K. Basu, and C. Konstantinou, “Time series-based detection and impact analysis of firmware attacks in microgrids,” Energy Reports, vol. 8, pp. 11221–11234, 2022;doi:10.1016/j.egyr.2022.08.270
M. Najafimehr, S. Zarifzadeh, and S. Mostafavi, “DDoS attacks and machine-learning-based detection methods: A survey and taxonomy,” Engineering Reports, no. 12697, pp. 1–29, 2023; doi:10.1002/eng2.12697
V. Desnitsky, A. Chechulin, and I. Kotenko, “Multi-Aspect Based Approach to Attack Detection in IoT Clouds,” Sensors, vol. 22, no. 5, p. 1831, 2022; doi:10.3390/s22051831
R. Paturi, L. Swathi, K. S. Pavithra, R. Mounika, and Ch. Alekhya, “Detection of Phishing Attacks using Visual Similarity Model,” in 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC), pp. 1355-1361, 2022; doi:10.1109/icaaic53929.2022.9793231
Y. Wang et al., “An evolutionary computation-based machine learning for network attack detection in big data traffic,” Applied Soft Computing, vol. 138, p. 110184, 2023; doi:10.1016/j.asoc.2023.110184
A. L. Perales G ˊ omez et al., “On the Generation of Anomaly Detection Datasets in Industrial Control ˊSystems,” IEEE Access, vol. 7, pp. 177460–177473, 2019; doi:10.1109/access.2019.2958284
S. Mokhtari, A. Abbaspour, K. K. Yen, and A. Sargolzaei, “A Machine Learning Approach for Anomaly Detection in Industrial Control Systems Based on Measurement Data,” Electronics, vol. 10, no. 4, p. 407, 2021; doi:10.3390/electronics10040407
O. Herman-Saffar, “An Approach for Choosing Number of Clusters for K-Means,” in Towards Data Science, 2021. [Online]. Available: https://towardsdatascience.com/an-approach-for-choosing-number-ofclusters-for-k-means-c28e614ecb2c
R. K. Chouhan, M. Atulkar, and N. K. Nagwani, “An Unsupervised Attack Detection Approach for Software Defined Networks,” in Proc. of 2022 International Conference on Augmented Intelligence and Sustainable Systems (ICAISS), pp. 1025–1030, 2022; doi:10.1109/icaiss55157.2022.10010577
K. Lamsh¨oft, T. Neubert, C. Kr¨atzer, C. Vielhauer, and J. Dittmann, “Information Hiding in Cyber Physical Systems: Challenges for Embedding, Retrieval and Detection using Sensor Data of the SWAT Dataset,” in Proc. of the 2021 ACM Workshop on Information Hiding and Multimedia Security, pp. 113–124, 2021; doi:10.1145/3437880.3460413
This work is licensed under a Creative Commons Attribution 4.0 International License.