We present a novel anomaly-based detection approach capable of detecting botnet Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. A traffic flow is classified as anomalous if its destination identifier does not origin from: human input, prior traffic from a trusted destination, or a defined set of legitimate applications. This allows for real-time detection of diverse types of Command and Control traffic. The detection approach and its accuracy are evaluated by experiments in a controlled environment.
DOCUMENT
We present a novel architecture for an AI system that allows a priori knowledge to combine with deep learning. In traditional neural networks, all available data is pooled at the input layer. Our alternative neural network is constructed so that partial representations (invariants) are learned in the intermediate layers, which can then be combined with a priori knowledge or with other predictive analyses of the same data. This leads to smaller training datasets due to more efficient learning. In addition, because this architecture allows inclusion of a priori knowledge and interpretable predictive models, the interpretability of the entire system increases while the data can still be used in a black box neural network. Our system makes use of networks of neurons rather than single neurons to enable the representation of approximations (invariants) of the output.
LINK
In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
DOCUMENT
The integration of renewable energy resources, controllable devices and energy storage into electricity distribution grids requires Decentralized Energy Management to ensure a stable distribution process. This demands the full integration of information and communication technology into the control of distribution grids. Supervisory Control and Data Acquisition (SCADA) is used to communicate measurements and commands between individual components and the control server. In the future this control is especially needed at medium voltage and probably also at the low voltage. This leads to an increased connectivity and thereby makes the system more vulnerable to cyber-attacks. According to the research agenda NCSRA III, the energy domain is becoming a prime target for cyber-attacks, e.g., abusing control protocol vulnerabilities. Detection of such attacks in SCADA networks is challenging when only relying on existing network Intrusion Detection Systems (IDSs). Although these systems were designed specifically for SCADA, they do not necessarily detect malicious control commands sent in legitimate format. However, analyzing each command in the context of the physical system has the potential to reveal certain inconsistencies. We propose to use dedicated intrusion detection mechanisms, which are fundamentally different from existing techniques used in the Internet. Up to now distribution grids are monitored and controlled centrally, whereby measurements are taken at field stations and send to the control room, which then issues commands back to actuators. In future smart grids, communication with and remote control of field stations is required. Attackers, who gain access to the corresponding communication links to substations can intercept and even exchange commands, which would not be detected by central security mechanisms. We argue that centralized SCADA systems should be enhanced by a distributed intrusion-detection approach to meet the new security challenges. Recently, as a first step a process-aware monitoring approach has been proposed as an additional layer that can be applied directly at Remote Terminal Units (RTUs). However, this allows purely local consistency checks. Instead, we propose a distributed and integrated approach for process-aware monitoring, which includes knowledge about the grid topology and measurements from neighboring RTUs to detect malicious incoming commands. The proposed approach requires a near real-time model of the relevant physical process, direct and secure communication between adjacent RTUs, and synchronized sensor measurements in trustable real-time, labeled with accurate global time-stamps. We investigate, to which extend the grid topology can be integrated into the IDS, while maintaining near real-time performance. Based on topology information and efficient solving of power flow equation we aim to detect e.g. non-consistent voltage drops or the occurrence of over/under-voltage and -current. By this, centrally requested switching commands and transformer tap change commands can be checked on consistency and safety based on the current state of the physical system. The developed concepts are not only relevant to increase the security of the distribution grids but are also crucial to deal with future developments like e.g. the safe integration of microgrids in the distribution networks or the operation of decentralized heat or biogas networks.
Prompt and timely response to incoming cyber-attacks and incidents is a core requirement for business continuity and safe operations for organizations operating at all levels (commercial, governmental, military). The effectiveness of these measures is significantly limited (and oftentimes defeated altogether) by the inefficiency of the attack identification and response process which is, effectively, a show-stopper for all attack prevention and reaction activities. The cognitive-intensive, human-driven alarm analysis procedures currently employed by Security Operation Centres are made ineffective (as opposed to only inefficient) by the sheer amount of alarm data produced, and the lack of mechanisms to automatically and soundly evaluate the arriving evidence to build operable risk-based metrics for incident response. This project will build foundational technologies to achieve Security Response Centres (SRC) based on three key components: (1) risk-based systems for alarm prioritization, (2) real-time, human-centric procedures for alarm operationalization, and (3) technology integration in response operations. In doing so, SeReNity will develop new techniques, methods, and systems at the intersection of the Design and Defence domains to deliver operable and accurate procedures for efficient incident response. To achieve this, this project will develop semantically and contextually rich alarm data to inform risk-based metrics on the mounting evidence of incoming cyber-attacks (as opposed to firing an alarm for each match of an IDS signature). SeReNity will achieve this by means of advanced techniques from machine learning and information mining and extraction, to identify attack patterns in the network traffic, and automatically identify threat types. Importantly, SeReNity will develop new mechanisms and interfaces to present the gathered evidence to SRC operators dynamically, and based on the specific threat (type) identified by the underlying technology. To achieve this, this project unifies Dutch excellence in intrusion detection, threat intelligence, and human-computer interaction with an industry-leading partner operating in the market of tailored solutions for Security Monitoring.