With the emergence of comprehensive ICT networks and their increasing interconnection, growing number of participants and access points, attack surfaces and attack vectors multiply. In particular, advanced persistent threats (APTs), which are targeted and highly customized attacks against organizational assets, pose serious security threats. However, the security systems typically deployed in today’s ICT networks, including malware scanners and intrusion detection systems, apply common black-list approaches, which consider only actions and behavior that match well-known attack patterns and signatures of malware traces. We argue that for future critical infrastructures, a more restrictive approach that cannot be circumvented by customized malware will raise the security level tremendously.
Therefore, AECID (“automatic event correlation for incident detection”) applies a smart white-list approach. Our anomaly detection technique keeps track of system events, their dependencies and occurrences, to learn the “normal” system behavior over time and reports all actions that differ from a dynamically created system model. The application of such a system is specifically promising in control networks, as applied in the emerging smart grid, which mostly implement well-specified processes, resulting in rather predictable and static behavior.
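The following is an added, self-contained illustration of the white-list idea described above; it is not AECID's own code and makes no claim about its internals. It assumes syslog-style lines, masks variable fields (numbers, IP addresses) to reduce each line to an event type, and learns two things from an attack-free training log: the set of event types seen and the set of observed transitions between consecutive events. During detection, any event type that was never learned, and any transition the model never observed, is reported. Both log excerpts are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed training log of a hypothetical control-network host (not real data).
# A white-list model is only as good as its baseline: this log must be attack-free.
TRAINING_LOG = """\
Jan 10 08:00:01 rtu01 scada[412]: poll started for feeder 3
Jan 10 08:00:02 rtu01 scada[412]: read 16 registers from 10.0.5.3
Jan 10 08:00:02 rtu01 scada[412]: poll finished for feeder 3
Jan 10 08:05:01 rtu01 scada[412]: poll started for feeder 4
Jan 10 08:05:02 rtu01 scada[412]: read 12 registers from 10.0.5.4
Jan 10 08:05:02 rtu01 scada[412]: poll finished for feeder 4
"""

# Constructed log to analyse: line 4 is an event type never seen in training,
# and line 6 skips the "read" step that normally precedes "poll finished".
TEST_LOG = """\
Jan 11 08:00:01 rtu01 scada[412]: poll started for feeder 3
Jan 11 08:00:02 rtu01 scada[412]: read 16 registers from 10.0.5.3
Jan 11 08:00:02 rtu01 scada[412]: poll finished for feeder 3
Jan 11 08:00:03 rtu01 sshd[901]: Accepted password for admin from 10.0.9.77
Jan 11 08:05:01 rtu01 scada[412]: poll started for feeder 4
Jan 11 08:05:02 rtu01 scada[412]: poll finished for feeder 4
"""

# Syslog-style line: "<Mon> <day> <hh:mm:ss> <host> <prog>[pid]: <message>"
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\d+")
START = "<start>"  # pseudo-event preceding the first line of a log


def fingerprint(line: str):
    """Reduce a log line to its event type by masking the variable fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = IP_RE.sub("<ip>", m.group("msg"))
    msg = NUM_RE.sub("<n>", msg)
    return f"{m.group('prog')}: {msg}"


@dataclass
class WhitelistModel:
    """Learned 'normal' behaviour: known event types and observed transitions."""
    events: set = field(default_factory=set)
    transitions: set = field(default_factory=set)

    def learn(self, log: str) -> None:
        prev = START
        for line in log.splitlines():
            ev = fingerprint(line)
            if ev is None:
                continue
            self.events.add(ev)
            self.transitions.add((prev, ev))
            prev = ev

    def detect(self, log: str) -> list:
        """Return (line number, reason, event) for every deviation from the model."""
        prev = START
        anomalies = []
        for lineno, line in enumerate(log.splitlines(), start=1):
            ev = fingerprint(line)
            if ev is None:
                anomalies.append((lineno, "unparseable line", line))
                continue
            if ev not in self.events:
                anomalies.append((lineno, "unknown event type", ev))
                # Do not advance prev: an injected event must not mask the
                # transition check on the next legitimate-looking line.
                continue
            if (prev, ev) not in self.transitions:
                anomalies.append((lineno, f"unexpected transition from '{prev}'", ev))
            prev = ev
        return anomalies


def run_demo() -> list:
    """Train on the constructed baseline and analyse the constructed test log."""
    model = WhitelistModel()
    model.learn(TRAINING_LOG)
    return model.detect(TEST_LOG)


if __name__ == "__main__":
    for lineno, reason, ev in run_demo():
        print(f"line {lineno}: {reason}: {ev}")
```

Running the script reports two deviations: the unknown `sshd` event on line 4 and the unexpected `poll started` to `poll finished` transition on line 6. Note the contrast with a black-list scanner: neither line matches any signature, yet both are flagged because they fall outside the learned model. The same property is why the approach fits well-specified control processes and why the training window has to be verified clean before the model is trusted.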
- Skopik F., Friedberg I., Fiedler R. (2014): Dealing with Advanced Persistent Threats in Smart Grid ICT Networks. 5th IEEE Innovative Smart Grid Technologies Conference, February 19-22, 2014, Washington DC, USA. IEEE.
- Skopik F., Fiedler R. (2013): Intrusion Detection in Distributed Systems using Fingerprinting and Massive Event Correlation. 43. Jahrestagung der Gesellschaft für Informatik e.V. (GI) (INFORMATIK 2013), September 16-20, 2013, Koblenz, Germany. GI.