With the emergence of comprehensive ICT networks and their increasing interconnection, the number of participants and access points grows, and attack surfaces and vectors multiply. Specifically, advanced persistent threats (APTs), which are targeted and highly customized attacks against organizational assets, pose serious security threats. However, the security systems typically deployed in today’s ICT networks, including malware scanners and intrusion detection systems, rely on black-list approaches: they consider only actions and behavior that match well-known attack patterns and signatures of known malware. We argue that for future critical infrastructures, a more restrictive approach that cannot be circumvented by customized malware will raise the security level tremendously.

Therefore, AECID (“automatic event correlation for incident detection”) applies a smart white-list approach. Our anomaly detection technique keeps track of system events, their dependencies and their occurrences, learns the “normal” system behavior over time, and reports every action that deviates from this dynamically created system model. Such a system is particularly promising in control networks, such as those of the emerging smart grid, which mostly implement well-specified processes and therefore exhibit rather predictable and static behavior.
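
The white-list idea described above, as an added illustration that is not AECID's own code: event types and their follow-on relations are learned from a training window of constructed syslog-style lines, and at detection time every line whose event type or predecessor relation was never observed is reported. The log lines, the process names (`sshd`, `scada-poll`) and the masking rules are constructed for this example.

```python
import re
# Constructed training lines standing in for a control-network syslog (not real AECID data).
TRAINING_LOGS = [
    "sshd[1012]: Accepted publickey for operator from 10.0.0.5 port 51422",
    "scada-poll[200]: read register 40001 from rtu-7 ok",
    "scada-poll[200]: read register 40002 from rtu-7 ok",
    "sshd[1012]: session closed for user operator",
    "scada-poll[201]: read register 40001 from rtu-7 ok",
    "sshd[1014]: Accepted publickey for operator from 10.0.0.5 port 51890",
]
# Constructed test lines: one never-seen event type, one known event in a never-seen order.
TEST_LOGS = [
    "scada-poll[203]: read register 40001 from rtu-7 ok",
    "scada-poll[203]: write register 40001 to rtu-7 ok",
    "scada-poll[203]: read register 40002 from rtu-7 ok",
    "sshd[1015]: Accepted publickey for operator from 10.0.0.9 port 40211",
    "sshd[1015]: session closed for user operator",
]

def template(line):
    """Reduce a raw line to its event type by masking PIDs, IPv4 addresses and numbers."""
    line = re.sub(r"\[\d+\]", "[PID]", line)
    line = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "IP", line)
    return re.sub(r"\b\d+\b", "N", line)

class WhitelistModel:
    def __init__(self):
        self.events = set()       # event types observed during learning
        self.transitions = set()  # (previous event, next event) pairs observed during learning
    def learn(self, lines):
        prev = None
        for line in lines:
            cur = template(line)
            self.events.add(cur)
            if prev is not None:
                self.transitions.add((prev, cur))
            prev = cur
    def detect(self, lines):
        # Report every line that the learned model does not cover.
        anomalies, prev = [], None
        for line in lines:
            cur = template(line)
            if cur not in self.events:
                anomalies.append(("unknown_event", line))
                continue  # keep prev so one unknown event does not poison the next check
            if prev is not None and (prev, cur) not in self.transitions:
                anomalies.append(("unknown_transition", line))
            prev = cur
        return anomalies

def run_demo():
    model = WhitelistModel()
    model.learn(TRAINING_LOGS)
    return model.detect(TEST_LOGS)
```

A signature-based scanner would report neither line, since nothing in them matches a known attack pattern; the white-list reports both purely because they fall outside the learned model.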

Publications