Symbolic image: AIT is Austria's largest non-university research institution

DECEPT

DEtection and Handling of CybEr-Physical Attacks

Most of today's existing security solutions are tailored to protect against a narrow set of security threats and can be applied only to a specific application domain. However, even between essentially different domains there are substantial commonalities, indicating that a generally applicable solution for advanced protection is possible. In fact, enterprise IT, embedded systems, smart manufacturing, energy grids, industrial IoT, fintech and other domains all operate interconnected systems that follow predefined processes and are employed according to specific usage policies. The events generated by the systems governed by these processes are usually recorded for maintenance, accountability or auditing purposes. Such records contain valuable information that can be leveraged to detect inconsistencies or deviations in the process and thereby indicate anomalies potentially caused by attacks, misconfigurations or component failures. However, the syntax, semantics, frequency, information entropy and level of detail of these data records vary dramatically, and there is as yet no uniform solution that understands all the different dialects and can perform reliable anomaly detection on top of these records.

Today's advanced process security and protection mechanisms for enterprise IT systems apply whitelisting approaches based on anomaly detection: they observe events within a system and automatically establish a baseline of normal user and system behavior, and every deviation from this baseline triggers an alert. While numerous behavior-based anomaly detection approaches exist for enterprise IT security, they are not easily applicable to other domains such as embedded systems or IoT. The reason is that these approaches are usually highly optimized for very specific application areas (different approaches exist for CPS, cloud security, etc.) and are not adaptive enough to be generally applicable elsewhere. Most of them require detailed expertise in the application area and are costly to set up and maintain. Furthermore, most of them analyze network traffic only, which relies on the inspection of domain-specific protocols and becomes ineffective with the wide adoption of end-to-end encryption; this makes it impossible to track the real system behavior by inspecting network traffic alone. Thus, generally applicable anomaly detection solutions that utilize unstructured textual event logs created directly by the entities in an environment (e.g., host, camera, control panel) are a promising means of improving security.


DECEPT provided a generally applicable cross-domain anomaly detection approach that monitors unstructured textual event logs and implements unsupervised self-learning of system behavior processes. A smart parser generator was designed to build a model of normal system behavior. Furthermore, concepts for an anomaly detection module that applies correlation rules, time series analysis and statistical rules to detect deviations from the normal system behavior were developed, implemented and validated. In the course of a proof of concept, DECEPT demonstrated the general applicability of the anomaly detection approach in two independent application areas: (i) enterprise IT security, in particular the protection of web servers, and (ii) embedded systems security, in particular the protection of modern facility management systems. Since modern attacks often exploit vulnerabilities in different application areas, security processes have to be aligned to allow a timely reaction to potential attacks. Examples of such attacks are the remote manipulation of IP-based access control systems to aid physical intrusion, or physical access to and manipulation of switches to make them vulnerable to cyber-attacks. Thus, besides the generally applicable anomaly detection system, DECEPT also designed, implemented and validated an exemplary concept for a combined enterprise IT security and IT-supported facility security control center, which serves as a blueprint for applying the DECEPT approach in further domains. Finally, DECEPT provided legal and privacy guidelines for data usage and storage relevant to anomaly detection, with a focus on the GDPR.
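The two building blocks described above, a parser generator that learns a model of normal behavior from unstructured event logs and a detection module that applies statistical rules to that model, can be illustrated with a small whitelisting detector. The following is an added toy example, not DECEPT's own parser generator or detection module: the greedy token-clustering rule, the 0.5 similarity threshold, the "mean plus three standard deviations (at least two)" frequency rule, and all syslog-style log lines are constructed assumptions for the illustration.

```python
"""Toy cross-domain log anomaly detector: template learning ("parser
generator" stand-in), a per-template frequency baseline ("statistical
rules" stand-in) and whitelisting detection on top. Added illustration
only, not DECEPT's code; thresholds and log lines are constructed."""
import statistics
from collections import Counter

WILDCARD = "<*>"
SIM_THRESHOLD = 0.5  # assumed: share of identical tokens needed to join a template


def similarity(template, tokens):
    """Fraction of positions where template and line carry the same token.
    Wildcard positions never count, which keeps the score conservative."""
    if not tokens or len(template) != len(tokens):
        return 0.0
    return sum(1 for t, x in zip(template, tokens) if t == x) / len(tokens)


def find_template(templates, tokens):
    """Index of the best-matching learned template, or None when no template
    reaches SIM_THRESHOLD (an event type never seen during training)."""
    best, best_sim = None, 0.0
    for i, tpl in enumerate(templates):
        sim = similarity(tpl, tokens)
        if sim >= SIM_THRESHOLD and sim > best_sim:
            best, best_sim = i, sim
    return best


def learn_templates(lines):
    """Greedily cluster lines into templates; every token position that
    varies inside a cluster becomes a wildcard (parameter position)."""
    templates = []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        idx = find_template(templates, tokens)
        if idx is None:
            templates.append(list(tokens))
        else:
            templates[idx] = [t if t == x else WILDCARD for t, x in zip(templates[idx], tokens)]
    return [tuple(t) for t in templates]


def count_events(templates, window):
    """Map each line of one time window to a template: (counts, unmatched lines)."""
    counts, unmatched = Counter(), []
    for line in window:
        tokens = line.split()
        if not tokens:
            continue
        idx = find_template(templates, tokens)
        if idx is None:
            unmatched.append(line)
        else:
            counts[idx] += 1
    return counts, unmatched


def learn_baseline(templates, windows, k=3.0, min_margin=2):
    """Assumed statistical rule: per template, events per window may not exceed
    mean + max(k * std, min_margin) as observed over the training windows."""
    per_window = [count_events(templates, w)[0] for w in windows]
    limits = {}
    for idx in range(len(templates)):
        series = [c[idx] for c in per_window]
        limits[idx] = statistics.fmean(series) + max(k * statistics.pstdev(series), min_margin)
    return limits


def detect(templates, limits, window):
    """Whitelisting: report lines matching no learned template (new event type)
    and templates whose count in this window exceeds the learned limit."""
    counts, unknown = count_events(templates, window)
    too_frequent = {" ".join(templates[i]): n for i, n in counts.items() if n > limits[i]}
    return unknown, too_frequent


# Constructed sample logs (syslog-style; not taken from any real system).
def accepted(pid, user, ip, port):
    return f"sshd[{pid}]: Accepted password for {user} from {ip} port {port}"


def failed(pid, user, ip, port):
    return f"sshd[{pid}]: Failed password for {user} from {ip} port {port}"


def cron(pid):
    return f"cron[{pid}]: (root) CMD (/usr/local/bin/backup.sh)"


TRAINING_WINDOWS = [
    [accepted(1001, "alice", "10.0.0.5", 50123), accepted(1002, "bob", "10.0.0.7", 50124),
     failed(1003, "carol", "10.0.0.8", 50125), cron(2001)],
    [failed(1101, "alice", "10.0.0.5", 50223), accepted(1102, "carol", "10.0.0.8", 50224),
     accepted(1103, "bob", "10.0.0.7", 50225), cron(2101)],
    [accepted(1201, "carol", "10.0.0.8", 50323), failed(1202, "bob", "10.0.0.7", 50324),
     accepted(1203, "alice", "10.0.0.5", 50325), cron(2201)],
]
TEST_WINDOW = (
    [accepted(1301, "alice", "10.0.0.5", 50423), accepted(1302, "bob", "10.0.0.7", 50424)]
    + [failed(1303 + i, "alice", "198.51.100.23", 51000 + i) for i in range(6)]
    + [cron(2301), "sshd[1309]: Accepted publickey for carol from 10.0.0.9 port 50130"]
)


def analyse(training_windows, test_window):
    """Learn templates and baseline from training windows, then check one window."""
    templates = learn_templates([line for w in training_windows for line in w])
    limits = learn_baseline(templates, training_windows)
    unknown, too_frequent = detect(templates, limits, test_window)
    return templates, unknown, too_frequent


if __name__ == "__main__":
    tpls, unk, freq = analyse(TRAINING_WINDOWS, TEST_WINDOW)
    for t in tpls:
        print("template:", " ".join(t))
    print("unknown event types:", unk)
    print("frequency anomalies:", freq)
```

On the constructed data the learner produces three templates (accepted login, failed login, cron job), and the test window raises two different kinds of alert: the `publickey` line is reported as an unseen event type because it matches no template, and the failed-login template is reported because six occurrences exceed the learned limit of three per window. The deliberately conservative similarity score (wildcards never count as matches) is what keeps a failed-login line from being absorbed into the accepted-login template once the parameter positions have been wildcarded.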

A project funded under the 7th call of the ICT of the Future program.