-
P3LI5: Practical and Confidential Lawful Interception on the 5G Core
Authors:
Francesco Intoci,
Julian Sturm,
Daniel Fraunholz,
Apostolos Pyrgelis,
Colin Barschel
Abstract:
Lawful Interception (LI) is a legal obligation of Communication Service Providers (CSPs) to provide interception capabilities to Law Enforcement Agencies (LEAs) in order to gain insightful data from network communications for criminal proceedings, e.g., network identifiers for tracking suspects. With the privacy-enhancements of network identifiers in the 5th generation of mobile networks (5G), LEAs need to interact with CSPs for network identifier resolution. This raises new privacy issues, as untrusted CSPs are able to infer sensitive information about ongoing investigations, e.g., the identities of their subscribers under suspicion. In this work, we propose P3LI5, a novel system that enables LEAs to privately query CSPs for network identifier resolution leveraging on an information retrieval protocol, SparseWPIR, that is based on private information retrieval and its weakly private version. As such, P3LI5 can be adapted to various operational scenarios with different confidentiality or latency requirements, by selectively allowing a bounded information leakage for improved performance. We implement P3LI5 on the 5G LI infrastructure using well known open-source projects and demonstrate its scalability to large databases while retaining low latency. To the best of our knowledge, P3LI5 is the first proposal for addressing the privacy issues raised by the mandatory requirement for LI on the 5G core network.
Submitted 27 August, 2023;
originally announced August 2023.
-
Evaluating Deception and Moving Target Defense with Network Attack Simulation
Authors:
Daniel Reti,
Karina Elzer,
Daniel Fraunholz,
Daniel Schneider,
Hans-Dieter Schotten
Abstract:
In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance for the attacker of making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows to quantitatively measure the effectiveness in a simulation environment, allowing to make recommendations on how many honeypots to deploy and on how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with a minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.
Submitted 25 January, 2023;
originally announced January 2023.
-
The Global State of Security in Industrial Control Systems: An Empirical Analysis of Vulnerabilities around the World
Authors:
Simon Daniel Duque Anton,
Daniel Fraunholz,
Daniel Krohmer,
Daniel Reti,
Daniel Schneider,
Hans Dieter Schotten
Abstract:
Operational Technology (OT)-networks and -devices, i.e. all components used in industrial environments, were not designed with security in mind. Efficiency and ease of use were the most important design characteristics. However, due to the digitisation of industry, an increasing number of devices and industrial networks is opened up to public networks. This is beneficial for administration and organisation of the industrial environments. However, it also increases the attack surface, providing possible points of entry for an attacker. Originally, breaking into production networks meant to break an Information Technology (IT)-perimeter first, such as a public website, and then to move laterally to Industrial Control Systems (ICSs) to influence the production environment. However, many OT-devices are connected directly to the Internet, which drastically increases the threat of compromise, especially since OT-devices contain several vulnerabilities. In this work, the presence of OT-devices in the Internet is analysed from an attacker's perspective. Publicly available tools, such as the search engine Shodan and vulnerability databases, are employed to find commonly used OT-devices and map vulnerabilities to them. These findings are grouped according to country of origin, manufacturer, and number as well as severity of vulnerability. More than 13000 devices were found, almost all contained at least one vulnerability. European and Northern American countries are by far the most affected ones.
Submitted 27 November, 2021;
originally announced November 2021.
-
An Adaptive Honeypot Configuration, Deployment and Maintenance Strategy
Authors:
Daniel Fraunholz,
Marc Zimmermann,
Hans D. Schotten
Abstract:
Since honeypots first appeared as an advanced network security concept they suffer from poor deployment and maintenance strategies. State-of-the-Art deployment is a manual process in which the honeypot needs to be configured and maintained by a network administrator. In this paper we present a method for a dynamic honeypot configuration, deployment and maintenance strategy based on machine learning techniques. Our method features an identification mechanism for machines and devices in a network. These entities are analysed and clustered. Based on the clusters, honeypots are intelligently deployed in the network. The proposed method needs no configuration and maintenance and is therefore a major advantage for the honeypot technology in modern network security.
Submitted 6 November, 2021;
originally announced November 2021.
-
Deep Down the Rabbit Hole: On References in Networks of Decoy Elements
Authors:
Daniel Reti,
Daniel Fraunholz,
Janis Zemitis,
Daniel Schneider,
Hans Dieter Schotten
Abstract:
Deception technology has proven to be a sound approach against threats to information systems. Aside from well-established honeypots, decoy elements, also known as honeytokens, are an excellent method to address various types of threats. Decoy elements are causing distraction and uncertainty to an attacker and help detecting malicious activity. Deception is meant to be complementing firewalls and intrusion detection systems. Particularly insider threats may be mitigated with deception methods. While current approaches consider the use of multiple decoy elements as well as context-sensitivity, they do not sufficiently describe a relationship between individual elements. In this work, inter-referencing decoy elements are introduced as a plausible extension to existing deception frameworks, leading attackers along a path of decoy elements. A theoretical foundation is introduced, as well as a stochastic model and a reference implementation. It was found that the proposed system is suitable to enhance current decoy frameworks by adding a further dimension of inter-connectivity and therefore improve intrusion detection and prevention.
Submitted 8 April, 2021;
originally announced April 2021.
-
A Qualitative Empirical Analysis of Human Post-Exploitation Behavior
Authors:
Daniel Schneider,
Daniel Fraunholz,
Daniel Krohmer
Abstract:
Honeypots are a well-studied defensive measure in network security. This work proposes an effective low-cost honeypot that is easy to deploy and maintain. The honeypot introduced in this work is able to handle commands in a non-standard way by blocking them or replying with an insult to the attacker. To determine the most efficient defense strategy, the interaction between attacker and defender is modeled as a Bayesian two-player game. For the empirical analysis, three honeypot instances were deployed, each with a slight variation in its configuration. In total, over 200 distinct sessions were captured, which allows for qualitative evaluation of post-exploitation behavior. The findings show that attackers react to insults and blocked commands in different ways, ranging from ignoring to sending insults themselves. The main contribution of this work lies in the proposed framework, which offers a low-cost alternative to more technically sophisticated and resource-intensive approaches.
Submitted 6 January, 2021;
originally announced January 2021.
-
Investigating the Ecosystem of Offensive Information Security Tools
Authors:
Simon D Duque Anton,
Daniel Fraunholz,
Daniel Schneider
Abstract:
The internet landscape is growing and at the same time becoming more heterogeneous. Services are performed via computers and networks, critical data is stored digitally. This enables freedom for the user, and flexibility for operators. Data is easier to manage and distribute. However, every device connected to a network is potentially susceptible to cyber attacks. Security solutions, such as antivirus software or firewalls, are widely established. However, certain types of attacks cannot be prevented with defensive measures alone. Offensive security describes the practice of security professionals using methods and tools of cyber criminals. This allows them to find vulnerabilities before they become the point of entry in a real attack. Furthermore, following the methods of cyber criminals enables security professionals to adapt to a criminal's point of view and potentially discover attack angles formerly ignored. As cyber criminals often employ freely available security tools, having knowledge about these provides additional insight for professionals. This work categorises and compares tools regarding metrics concerning maintainability, usability and technical details. Generally, several well-established tools are available for the first phases, while phases after the initial breach lack a variety of tools.
Submitted 16 December, 2020;
originally announced December 2020.
-
Creating it from SCRATCh: A Practical Approach for Enhancing the Security of IoT-Systems in a DevOps-enabled Software Development Environment
Authors:
Simon D Duque Anton,
Daniel Fraunholz,
Daniel Krohmer,
Daniel Reti,
Hans D Schotten,
Franklin Selgert,
Marcell Marosvölgyi,
Morten Larsen,
Krishna Sudhakar,
Tobias Koch,
Till Witt,
Cédric Bassem
Abstract:
DevOps describes a method to reorganize the way different disciplines in software engineering work together to speed up software delivery. However, the introduction of DevOps-methods to organisations is a complex task. A successful introduction results in a set of structured process descriptions. Despite the structure, this process leaves margin for error: Especially security issues are addressed in individual stages, without consideration of the interdependence. Furthermore, applying DevOps-methods to distributed entities, such as the Internet of Things (IoT) is difficult as the architecture is tailormade for desktop and cloud resources. In this work, an overview of tooling employed in the stages of DevOps processes is introduced. Gaps in terms of security or applicability to the IoT are derived. Based on these gaps, solutions that are being developed in the course of the research project SCRATCh are presented and discussed in terms of benefit to DevOps-environments.
Submitted 28 October, 2020;
originally announced October 2020.
-
Using Temporal and Topological Features for Intrusion Detection in Operational Networks
Authors:
Simon D. Duque Anton,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home- and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.
Submitted 9 July, 2019;
originally announced July 2019.
-
Highly Scalable and Flexible Model for Effective Aggregation of Context-based Data in Generic IIoT Scenarios
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Janis Zemitis,
Frederic Pohl,
Hans Dieter Schotten
Abstract:
Interconnectivity of production machines is a key feature of the Industrial Internet of Things (IIoT). This feature allows for many advantages in producing. Configuration and maintenance gets easier, as access to the given production unit is not necessarily coupled to physical presence. Customized production of goods is easily possible, reducing production times and increasing throughput. There are, however, also dangers to the increasing talkativeness of industrial production machines. The more open a system is, the more points of entry for an attacker exist. Furthermore, the amount of data a production site also increases rapidly due to the integrated intelligence and interconnectivity. To keep track of this data in order to detect attacks and errors in the production site, it is necessary to smartly aggregate and evaluate the data. In this paper, we present a new approach for collecting, aggregating and analysing data from different sources and on three different levels of abstraction. Our model is event-centric, considering every occurrence of information inside the system as an event. In the lowest level of abstraction, singular packets are collected, correlated with log-entries and analysed. On the highest level of abstraction, networks are pictured as a connectivity graph, enriched with information about host-based activities. Furthermore, we describe our work in progress of evaluating our aggregation model on two different system settings. In the first scenario, we verify the usability of our model in a remote maintenance application. In the second scenario, we evaluate our model in the context of network sniffing and correlation with log-files. First results show that our model is a promising solution to cope with increasing amounts of data and to correlate information from different types of sources.
Submitted 28 May, 2019;
originally announced June 2019.
-
Implementing SCADA Scenarios and Introducing Attacks to Obtain Training Data for Intrusion Detection Methods
Authors:
Simon Duque Antón,
Michael Gundall,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
There are hardly any data sets publicly available that can be used to evaluate intrusion detection algorithms. The biggest threat for industrial applications arises from state-sponsored and criminal groups. Often, formerly unknown exploits are employed by these attackers, so-called 0-day exploits. They cannot be discovered with signature-based intrusion detection. Thus, statistical or machine learning based anomaly detection lends itself readily. These methods especially, however, need a large amount of labelled training data. In this work, an exemplary industrial use case with real-world industrial hardware is presented. Siemens S7 Programmable Logic Controllers are used to control a real world-based control application using the OPC UA protocol: A pump, filling and emptying water tanks. This scenario is used to generate application specific network data. Furthermore, attacks are introduced into this data set. This is done in three ways: First, the normal process is monitored and captured. Common attacks are then synthetically introduced into this data set. Second, malicious behaviour is implemented on the Programmable Logic Controller program and executed live, the traffic is captured as well. Third, malicious behaviour is implemented on the Programmable Logic Controller while still keeping the same output behaviour as in normal operation. An attacker could exploit an application but forge valid sensor output so that no anomaly is detected. Sensors are employed, capturing temperature, sound and flow of water to create data that can be correlated to the network data and used to still detect the attack. All data is labelled, containing the ground truth, meaning all attacks are known and no unknown attacks occur. This makes them perfect for training of anomaly detection algorithms. The data is published to enable security researchers to evaluate intrusion detection solutions.
Submitted 28 May, 2019;
originally announced May 2019.
-
Putting Things in Context: Securing Industrial Authentication with Context Information
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Christoph Lipps,
Khurshid Alam,
Hans Dieter Schotten
Abstract:
The development in the area of wireless communication, mobile and embedded computing leads to significant changes in the application of devices. Over the last years, embedded devices were brought into the consumer area creating the Internet of Things. Furthermore, industrial applications increasingly rely on communication through trust boundaries. Networking is cheap and easily applicable while providing the possibility to make everyday life more easy and comfortable and industry more efficient and less time-consuming. One of the crucial parts of this interconnected world is sound and secure authentication of entities. Only entities with valid authorisation should be enabled to act on a resource according to an access control scheme. An overview of challenges and practices of authentication is provided in this work, with a special focus on context information as part of security solutions. It can be used for authentication and security solutions in industrial applications. Additional information about events in networks can aid intrusion detection, especially in combination with security information and event management systems. Finally, an authentication and access control approach, based on context information and - depending on the scenario - multiple factors is presented. The combination of multiple factors with context information makes it secure and at the same time case adaptive, so that the effort always matches, but never exceeds, the security demand. This is a common issue of standard cyber security, entities having to obey strict, inflexible and unhandy policies. This approach has been implemented exemplary based on RADIUS. Different scenarios were considered, showing that this approach is capable of providing flexible and scalable security for authentication processes.
Submitted 29 May, 2019;
originally announced May 2019.
-
Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set
Authors:
Simon Duque Anton,
Suneetha Kanoor,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial control by making systems easier to manage, set up and configure. Unfortunately, most attack surfaces of home and office environments are introduced into industrial applications as well, which usually have very few security mechanisms in place. Over the last years, several technologies tackling that issue have been researched. In this work, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario. The applied algorithms are Support Vector Machine (SVM), Random Forest, k-nearest neighbour and k-means clustering. Due to the synthetic data set, supervised learning is possible. Support Vector Machine and k-nearest neighbour perform well with different data sets, while k-nearest neighbour and k-means clustering do not perform satisfactorily.
Submitted 28 May, 2019;
originally announced May 2019.
-
The Dos and Don'ts of Industrial Network Simulation: A Field Report
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Dennis Krummacker,
Christoph Fischer,
Michael Karrenbauer,
Hans Dieter Schotten
Abstract:
Advances in industrial control lead to increasing incorporation of intercommunication technologies and embedded devices into the production environment. In addition to that, the rising complexity of automation tasks creates demand for extensive solutions. Standardised protocols and commercial off the shelf devices aid in providing these solutions. Still, setting up industrial communication networks is a tedious and high effort task. This justifies the need for simulation environments in the industrial context, as they provide cost-, resource- and time-efficient evaluation of solution approaches. In this work, industrial use cases are identified and the according requirements are derived. Furthermore, available simulation and emulation tools are analysed. They are mapped onto the requirements of industrial applications, so that an expressive assignment of solutions to application domains is given.
Submitted 28 May, 2019;
originally announced May 2019.
-
A Question of Context: Enhancing Intrusion Detection by Providing Context Information
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Stephan Teuber,
Hans Dieter Schotten
Abstract:
Due to the fourth industrial revolution, and the resulting increase in interconnectivity, industrial networks are more and more opened to publicly available networks. Apart from the huge benefit in manageability and flexibility, the openness also results in a larger attack surface for malicious adversaries. In comparison to office environments, industrial networks have very high volumes of data. In addition to that, every delay will most likely lead to loss of revenue. Hence, intrusion detection systems for industrial applications have different requirements than office-based intrusion detection systems. On the other hand, industrial networks are able to provide a lot of contextual information due to manufacturing execution systems and enterprise resource planning. Additionally, industrial networks tend to be more uniform, making it easier to determine outliers. In this work, an abstract simulation of industrial network behaviour is created. Malicious actions are introduced into a set of sequences of valid behaviour. Finally, a context-based and context-less intrusion detection system is used to find the attacks. The results are compared and commented. It can be seen that context information can help in identifying malicious actions more reliable than intrusion detection with only one source of information, e.g. the network.
Submitted 28 May, 2019;
originally announced May 2019.
-
Two Decades of SCADA Exploitation: A Brief History
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Christoph Lipps,
Frederic Pohl,
Marc Zimmermann,
Hans D. Schotten
Abstract:
Since the early 1960, industrial process control has been applied by electric systems. In the mid 1970's, the term SCADA emerged, describing the automated control and data acquisition. Since most industrial and automation networks were physically isolated, security was not an issue. This changed, when in the early 2000's industrial networks were opened to the public internet. The reasons were manifold. Increased interconnectivity led to more productivity, simplicity and ease of use. It decreased the configuration overhead and downtimes for system adjustments. However, it also led to an abundance of new attack vectors. In recent time, there has been a remarkable amount of attacks on industrial companies and infrastructures. In this paper, known attacks on industrial systems are analysed. This is done by investigating the exploits that are available on public sources. The different types of attacks and their points of entry are reviewed in this paper. Trends in exploitation as well as targeted attack campaigns against industrial enterprises are introduced.
Submitted 21 May, 2019;
originally announced May 2019.
-
Time is of the Essence: Machine Learning-based Intrusion Detection in Industrial Time Series Data
Authors:
Simon Duque Anton,
Lia Ahrens,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
The Industrial Internet of Things drastically increases connectivity of devices in industrial applications. In addition to the benefits in efficiency, scalability and ease of use, this creates novel attack surfaces. Historically, industrial networks and protocols do not contain means of security, such as authentication and encryption, that are made necessary by this development. Thus, industrial IT-security is needed. In this work, emulated industrial network data is transformed into a time series and analysed with three different algorithms. The data contains labeled attacks, so the performance can be evaluated. Matrix Profiles perform well with almost no parameterisation needed. Seasonal Autoregressive Integrated Moving Average performs well in the presence of noise, requiring parameterisation effort. Long Short Term Memory-based neural networks perform mediocre while requiring a high training- and parameterisation effort.
Submitted 20 September, 2018;
originally announced September 2018.
-
Demystifying Deception Technology: A Survey
Authors:
Daniel Fraunholz,
Simon Duque Anton,
Christoph Lipps,
Daniel Reti,
Daniel Krohmer,
Frederic Pohl,
Matthias Tammen,
Hans Dieter Schotten
Abstract:
Deception boosts security for systems and components by denial, deceit, misinformation, camouflage and obfuscation. In this work an extensive overview of the deception technology environment is presented. Taxonomies, theoretical backgrounds, psychological aspects as well as concepts, implementations, legal aspects and ethics are discussed and compared.
Submitted 17 April, 2018;
originally announced April 2018.
-
Angriffserkennung für industrielle Netzwerke innerhalb des Projektes IUNO
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
The increasing interconnectivity of industrial networks is one of the central current hot topics. It is addressed by research institutes, as well as industry. In order to perform the fourth industrial revolution, a full connectivity between production facilities is necessary. Due to this connectivity, however, an abundance of new attack vectors emerges. In the National Reference Project for Industrial IT-Security (IUNO), these risks and threats are addressed and solutions are developed. These solutions are especially applicable for small and medium sized enterprises that have not as much means in staff as well as money as larger companies. These enterprises should be able to implement the solutions without much effort. The security solutions are derived from four use cases and implemented prototypically. A further topic of this work are the research areas of the German Research Center for Artificial Intelligence that address the given challenges, as well as the solutions developed in the context of IUNO. Aside from the project itself, a method for distributed network data collection aggregation is presented, as a prerequisite for anomaly detection for network security.
Submitted 21 November, 2017; v1 submitted 27 September, 2017;
originally announced September 2017.