
IM-DISCO: Invariant Mining for Detecting IntrusionS in Critical Operations

  • Conference paper

Abstract

In today’s interconnected world, robust cybersecurity measures are crucial, especially for Cyber-Physical Systems. While anomaly-based Intrusion Detection Systems can identify abnormal behaviors, interpreting the resulting alarms is challenging. An alternative approach utilizes invariant rules to describe system operations, providing clearer explanations for abnormal behaviors. In this context, invariant rules are conditions that must hold true for a system’s different operational modes. However, defining these rules is time-consuming and costly. This paper presents IM-DISCO, a tool that analyzes operational data to propose inference rules characterizing different modes of system operation. Deviations from these rules indicate anomalies, enabling continuous monitoring with incident detection and response. In our evaluation, focusing on rail transportation, we achieved 99.29% accuracy in detecting and characterizing operational modes using real-world train data. Additionally, we achieved 99.86% accuracy in identifying anomalies during simulated attacks. Notably, our results demonstrate an average detection time of 0.026 ms, enabling swift incident response to prevent catastrophic events.
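The abstract describes the core of the approach: mine rules from operational data that hold in every observed operating mode, then flag any observation that breaks a rule and report the broken rule as the explanation. The block below is an added illustration written for this page; it is not IM-DISCO's code, data or exact mining procedure (the paper's encoding, thresholds and algorithm are not given on this page). It assumes a plain association-rule style miner (minimal antecedent, support and confidence thresholds), and all telemetry values, attribute names and mode labels are constructed for the example.

```python
"""Invariant-rule mining and violation checking over discretised CPS telemetry."""
from dataclasses import dataclass
from itertools import combinations
from math import ceil

# Constructed telemetry (NOT real train data): each record is one sampled snapshot,
# discretised into "attribute=value" items. Modes: dwell (stopped at a platform),
# run (moving under traction or coasting), brake (decelerating to a stop).
TRAINING = [
    {"speed=zero", "doors=open",   "traction=off", "brake=on",  "mode=dwell"},
    {"speed=zero", "doors=open",   "traction=off", "brake=on",  "mode=dwell"},
    {"speed=zero", "doors=closed", "traction=off", "brake=on",  "mode=dwell"},
    {"speed=low",  "doors=closed", "traction=on",  "brake=off", "mode=run"},
    {"speed=high", "doors=closed", "traction=on",  "brake=off", "mode=run"},
    {"speed=high", "doors=closed", "traction=on",  "brake=off", "mode=run"},
    {"speed=high", "doors=closed", "traction=off", "brake=off", "mode=run"},   # coasting
    {"speed=low",  "doors=closed", "traction=off", "brake=on",  "mode=brake"},
    {"speed=zero", "doors=closed", "traction=off", "brake=on",  "mode=dwell"},
    {"speed=zero", "doors=open",   "traction=off", "brake=on",  "mode=dwell"},
    {"speed=low",  "doors=closed", "traction=on",  "brake=off", "mode=run"},
    {"speed=low",  "doors=closed", "traction=off", "brake=on",  "mode=brake"},
    {"speed=low",  "doors=closed", "traction=off", "brake=on",  "mode=brake"},
]


@dataclass(frozen=True)
class Rule:
    antecedent: frozenset
    consequent: str
    support: float      # fraction of records containing antecedent and consequent
    confidence: float   # P(consequent | antecedent); 1.0 means it never failed

    def __str__(self):
        return f"{{{', '.join(sorted(self.antecedent))}}} -> {self.consequent}"


def mine_invariants(records, min_support=0.2, min_confidence=1.0, max_antecedent=2):
    """Return minimal rules X -> y that hold in the records under the thresholds.

    A rule is kept only if no proper subset of X already implies y at the
    required confidence, so each invariant is as general as the data allows
    and the rule set stays small enough to read as an explanation.
    """
    n = len(records)
    min_count = ceil(min_support * n)
    items = sorted(set().union(*records))
    cache = {}

    def count(itemset):
        if itemset not in cache:
            cache[itemset] = sum(1 for r in records if itemset <= r)
        return cache[itemset]

    rules = []
    for k in range(1, max_antecedent + 1):          # smaller antecedents first
        for combo in combinations(items, k):
            x = frozenset(combo)
            x_count = count(x)
            if x_count < min_count:
                continue
            for y in items:
                if y in x:
                    continue
                xy_count = count(x | {y})
                if xy_count < min_count or xy_count / x_count < min_confidence:
                    continue
                if any(r.consequent == y and r.antecedent < x for r in rules):
                    continue                         # a more general rule covers it
                rules.append(Rule(x, y, xy_count / n, xy_count / x_count))
    return rules


def violations(rules, record):
    """Rules whose antecedent holds in the record but whose consequent does not."""
    return [r for r in rules if r.antecedent <= record and r.consequent not in record]


def infer_modes(rules, record, prefix="mode="):
    """Operational modes the mined rules assign to a record that carries no mode item."""
    return {r.consequent for r in rules
            if r.consequent.startswith(prefix) and r.antecedent <= record}


if __name__ == "__main__":
    rules = mine_invariants(TRAINING)
    for r in rules:
        print(f"{r}  (support={r.support:.2f})")
    # Constructed attack: the door sensor is spoofed to "open" while the train runs.
    spoofed = {"speed=high", "doors=open", "traction=on", "brake=off", "mode=run"}
    for r in violations(rules, spoofed):
        print("VIOLATION:", r)
    print(infer_modes(rules, {"speed=low", "doors=closed", "traction=off", "brake=on"}))
```

Each violation names the rule that failed, which is the explainability argument the abstract makes against opaque anomaly scores. Two caveats a practitioner should keep in mind: a rule only holds for the modes that were present in the training data, so a legitimate but unseen mode will raise violations until the data is extended, and `min_confidence` below 1.0 trades that brittleness for rules that occasionally fire on benign data.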



Acknowledgement

Work supported by the European Commission through contract 101021797 (H2020 STARLIGHT, https://www.starlight-h2020.eu/).

Author information

Authors and Affiliations

  1. INOV INESC INOVAÇÃO, Lisbon, Portugal

    Guilherme Saraiva & Filipe Apolinário

  2. INESC-ID Instituto Superior Técnico, Universidade de Lisboa, Lisbon, Portugal

    Miguel L. Pardal

Authors
  1. Guilherme Saraiva
  2. Filipe Apolinário
  3. Miguel L. Pardal

Corresponding author

Correspondence to Filipe Apolinário.

Editor information

Editors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway

    Sokratis Katsikas

  2. Norwegian Computing Center, Oslo, Norway

    Habtamu Abie

  3. University of Trento, Trento, Italy

    Silvio Ranise

  4. University of Genoa, Genoa, Italy

    Luca Verderame

  5. Consiglio Nazionale delle Ricerche (CNR), Genoa, Italy

    Enrico Cambiaso

  6. SINTEF A.S., Oslo, Norway

    Rita Ugarelli

  7. Instituto Superior de Engenharia do Porto, Porto, Portugal

    Isabel Praça

  8. Hong Kong Polytechnic University, Hong Kong, China

    Wenjuan Li

  9. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  10. University of Nottingham, Nottingham, UK

    Steven Furnell

  11. Norwegian University of Science and Technology, Gjøvik, Norway

    Basel Katt

  12. Norwegian Computing Center, Oslo, Norway

    Sandeep Pirbhulal

  13. Institute for Energy Technology (IFE), Halden, Norway

    Ankur Shukla

  14. University of Calabria, Rende, Italy

    Michele Ianni

  15. University of Verona, Verona, Italy

    Mila Dalla Preda

  16. The University of Texas at San Antonio, San Antonio, TX, USA

    Kim-Kwang Raymond Choo

  17. University of Lisbon, Lisbon, Portugal

    Miguel Pupo Correia

  18. University of Twente, Enschede, The Netherlands

    Abhishta Abhishta

  19. University of Amsterdam, Amsterdam, The Netherlands

    Giovanni Sileno

  20. Open University in the Netherlands, Heerlen, The Netherlands

    Mina Alishahi

  21. Robert Gordon University, Aberdeen, UK

    Harsha Kalutarage

  22. Osaka University, Osaka, Japan

    Naoto Yanai

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Saraiva, G., Apolinário, F., Pardal, M.L. (2024). IM-DISCO: Invariant Mining for Detecting IntrusionS in Critical Operations. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14399. Springer, Cham. https://doi.org/10.1007/978-3-031-54129-2_3
