Damiano Bolzoni
University of Twente
Publications
Featured research published by Damiano Bolzoni.
Fourth IEEE International Workshop on Information Assurance (IWIA'06) | 2006
Damiano Bolzoni; Sandro Etalle; Pieter H. Hartel
We present POSEIDON, a new anomaly-based network intrusion detection system. POSEIDON is payload-based and has a two-tier architecture: the first stage consists of a self-organizing map, while the second one is a modified PAYL system. Our benchmarks on the 1999 DARPA data set show a higher detection rate and fewer false positives than PAYL and PHAD.
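To make the second tier concrete, the following is an added illustration (not the POSEIDON or PAYL code) of a PAYL-style payload profile: per destination port and payload-length bucket it learns the mean and standard deviation of the relative frequency of every byte value, scores a new payload with a simplified Mahalanobis distance, and alerts above a threshold calibrated from the training set's own scores. The self-organizing-map stage that POSEIDON puts in front of this is omitted; the HTTP requests, the attack payload, the port number, the bucket size and the smoothing constant are all constructed assumptions.

```python
"""PAYL-style payload anomaly detector (added illustration, not POSEIDON's code)."""
import math
from collections import defaultdict

ALPHA = 0.001   # smoothing term: a byte never seen in training has std 0 (assumption)
BUCKET = 32     # payload lengths are grouped in buckets of 32 bytes (assumption)


def byte_histogram(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class PaylModel:
    def __init__(self):
        self._sum = defaultdict(lambda: [0.0] * 256)     # per profile: sum of frequencies
        self._sqsum = defaultdict(lambda: [0.0] * 256)   # per profile: sum of squares
        self._n = defaultdict(int)                       # per profile: training payloads
        self.threshold = float("inf")

    @staticmethod
    def _key(port: int, payload: bytes):
        return (port, len(payload) // BUCKET)

    def train(self, port: int, payload: bytes) -> None:
        key = self._key(port, payload)
        for i, v in enumerate(byte_histogram(payload)):
            self._sum[key][i] += v
            self._sqsum[key][i] += v * v
        self._n[key] += 1

    def _profile_key(self, port: int, payload: bytes):
        key = self._key(port, payload)
        if key in self._n:
            return key
        # Unseen length bucket: fall back to the nearest trained bucket for that port.
        candidates = [k for k in self._n if k[0] == port]
        if not candidates:
            return None
        return min(candidates, key=lambda k: abs(k[1] - key[1]))

    def score(self, port: int, payload: bytes) -> float:
        """Sum over byte values of |freq - mean| / (std + ALPHA); inf if no profile."""
        key = self._profile_key(port, payload)
        if key is None:
            return float("inf")
        n = self._n[key]
        total = 0.0
        for i, v in enumerate(byte_histogram(payload)):
            mean = self._sum[key][i] / n
            var = max(self._sqsum[key][i] / n - mean * mean, 0.0)
            total += abs(v - mean) / (math.sqrt(var) + ALPHA)
        return total

    def calibrate(self, port: int, payloads, factor: float = 3.0) -> None:
        """Alert threshold = factor times the largest self-score of the training data."""
        self.threshold = factor * max(self.score(port, p) for p in payloads)

    def is_anomalous(self, port: int, payload: bytes) -> bool:
        return self.score(port, payload) > self.threshold


# Constructed training traffic: plain HTTP requests to one host (not DARPA data).
_PATHS = [b"index.html", b"about.html", b"images/logo.png", b"contact.html",
          b"news/2006.html", b"style.css", b"products.html", b"staff/bolzoni.html"]
_TAIL = b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
TRAINING = [b"GET /" + p + _TAIL for p in _PATHS]
# A request not in the training set but made of the same byte mix.
NORMAL = b"GET /news/index.html" + _TAIL
# A constructed request whose path is a NOP sled plus breakpoints: byte values
# 0x90 and 0xCC never occur in the training profile.
ATTACK = b"GET /" + b"\x90" * 18 + b"\xcc" + _TAIL


def build_model(port: int = 80) -> PaylModel:
    model = PaylModel()
    for p in TRAINING:
        model.train(port, p)
    model.calibrate(port, TRAINING)
    return model


if __name__ == "__main__":
    model = build_model()
    for label, p in (("normal", NORMAL), ("attack", ATTACK)):
        print(label, round(model.score(80, p), 1), model.is_anomalous(80, p))
```

The distance grows quickly for byte values that never appear in training, which is exactly what makes binary shellcode inside a text protocol stand out; the fallback to the nearest length bucket avoids scoring every odd-sized payload as infinitely anomalous.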
International Journal of Information Security | 2012
Dina Hadžiosmanović; Damiano Bolzoni; Pieter H. Hartel
SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach to log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
recent advances in intrusion detection | 2009
Damiano Bolzoni; Sandro Etalle; Pieter H. Hartel
Anomaly-based intrusion detection systems are usually criticized because they lack a classification of attacks, thus security teams have to manually inspect any raised alert to classify it. We present a new approach, Panacea, to automatically and systematically classify attacks detected by an anomaly-based network intrusion detection system.
2012 Complexity in Engineering (COMPENG). Proceedings | 2012
Dina Hadziosmanovic; Damiano Bolzoni; Sandro Etalle; Pieter H. Hartel
Industrial Control Systems (ICS) are used for operating and monitoring industrial processes. Recent reports state that current ICS infrastructures are not sufficiently protected against cyber threats. Unfortunately, due to the specific nature of these systems, the application of common security counter-measures is often not effective. This paper summarizes experiences over a series of research efforts for building tools and mechanisms to improve the security and awareness in ICS. In particular, we discuss challenges and opportunities identified during an extensive analysis of ICS data resources. We believe that such insights are valuable for further research in the ICS context.
2007 2nd IEEE/IFIP International Workshop on Business-Driven IT Management | 2007
Emmanuele Zambon; Damiano Bolzoni; Sandro Etalle; Marco Salvato
The assessment and mitigation of risks related to the availability of the IT infrastructure is becoming increasingly important in modern organizations. Unfortunately, current standards for risk assessment and mitigation show limitations when evaluating and mitigating availability risks. This is because they do not fully consider the dependencies between the constituents of an IT infrastructure, which are paramount in large enterprises. These dependencies make the technical problem of assessing availability issues very challenging. In this paper we define a method and a tool for carrying out a risk mitigation activity that allows us to assess the global impact of a set of risks and to choose the best set of countermeasures to cope with them. To this end, a tool is necessary, due to the high complexity of the assessment problem. Our approach can be integrated into present risk management methodologies (e.g. COBIT) to provide a more precise risk mitigation activity. We substantiate the viability of this approach by showing that most of the input required by the tool is available as part of a standard business continuity plan and/or can be obtained by performing a common tool-assisted risk assessment.
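The following is an added illustration of the kind of dependency-aware computation the abstract describes; it is not the paper's method or tool, and the infrastructure, processes, risks, countermeasures and figures are all constructed. Components depend on other components, each business process is pinned to one component with a downtime cost, and a risk is an outage scenario on one component with an annual probability and a duration. Since an outage takes down everything that transitively depends on the failed component, the expected loss of a risk is computed over the whole affected set rather than the component alone; countermeasures scale a risk's probability or duration at a price, and the selection picks, within a budget, the subset with the lowest residual expected loss.

```python
"""Availability-risk impact over an IT dependency graph (added illustration)."""
from itertools import combinations

# Constructed example infrastructure: component -> components it depends on.
DEPENDS_ON = {
    "webshop": ["app_server"],
    "app_server": ["db", "auth"],
    "db": ["san"],
    "auth": ["ldap"],
    "mail": ["ldap"],
    "san": [],
    "ldap": [],
}
# Business process -> (component it runs on, cost per hour of downtime). Constructed.
PROCESSES = {"online_sales": ("webshop", 5000.0), "internal_mail": ("mail", 300.0)}
# Risk -> (component hit, annual probability, outage duration in hours). Constructed.
RISKS = {
    "san_failure": ("san", 0.10, 8.0),
    "ldap_outage": ("ldap", 0.20, 2.0),
    "db_corruption": ("db", 0.05, 24.0),
}
# Countermeasure -> (risk mitigated, probability factor, duration factor, cost). Constructed.
COUNTERMEASURES = {
    "san_mirror": ("san_failure", 0.5, 1.0, 3000.0),
    "ldap_replica": ("ldap_outage", 0.25, 1.0, 1500.0),
    "hourly_db_backup": ("db_corruption", 1.0, 0.25, 4000.0),
}


def affected_set(component, depends_on=DEPENDS_ON):
    """The component plus everything that transitively depends on it."""
    affected = {component}
    changed = True
    while changed:   # fixed-point iteration over the dependency edges
        changed = False
        for comp, deps in depends_on.items():
            if comp not in affected and any(d in affected for d in deps):
                affected.add(comp)
                changed = True
    return affected


def hourly_loss(component):
    """Downtime cost per hour of all processes that stop when `component` is down."""
    affected = affected_set(component)
    return sum(cost for comp, cost in PROCESSES.values() if comp in affected)


def expected_loss(selected=()):
    """Annual expected loss with the selected countermeasures applied."""
    total = 0.0
    for name, (comp, prob, hours) in RISKS.items():
        for cm in selected:
            risk, prob_factor, duration_factor, _cost = COUNTERMEASURES[cm]
            if risk == name:
                prob *= prob_factor
                hours *= duration_factor
        total += prob * hours * hourly_loss(comp)
    return total


def best_countermeasures(budget):
    """Exhaustive search over subsets: lowest residual loss within budget, cheapest on ties."""
    names = sorted(COUNTERMEASURES)
    best = ((), expected_loss(), 0.0)   # (subset, residual loss, cost)
    for r in range(1, len(names) + 1):
        for subset in combinations(names, r):
            cost = sum(COUNTERMEASURES[c][3] for c in subset)
            if cost > budget:
                continue
            loss = expected_loss(subset)
            if (loss, cost) < (best[1], best[2]):
                best = (subset, loss, cost)
    return best


if __name__ == "__main__":
    print("baseline expected annual loss:", expected_loss())
    for budget in (5000.0, 10000.0):
        subset, loss, cost = best_countermeasures(budget)
        print(f"budget {budget:.0f}: pick {subset} cost {cost:.0f} residual loss {loss:.0f}")
```

Exhaustive subset search is fine for a handful of countermeasures; a real infrastructure with hundreds of risks and controls is where the abstract's point about needing a tool applies, and the selection step would become an optimisation problem rather than an enumeration.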
electronic commerce | 2011
Dina Hadziosmanovic; Damiano Bolzoni; Pieter H. Hartel; Sandro Etalle
We address the detection of process-related threats in control systems used in critical infrastructures. Process-related threats take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the industrial process. We use logs to detect anomalous patterns of user actions on the process control application. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
Nuclear Instruments & Methods in Physics Research Section A-accelerators Spectrometers Detectors and Associated Equipment | 2008
Damiano Bolzoni; Sandro Etalle
Anomaly-based network intrusion detection systems (NIDSs) can take into consideration packet headers, the payload, or a combination of both. We argue that payload-based approaches are becoming the most effective methods to detect attacks. Nowadays, attacks aim mainly to exploit vulnerabilities at application level: thus, the payload contains the most important information to differentiate normal traffic from anomalous activity. To support our thesis, we present a comparison between different anomaly-based NIDSs, focusing in particular on the data analyzed by the detection engine to discover possible malicious activities. Furthermore, we present a comparison of two payload and anomaly-based NIDSs: PAYL and POSEIDON.
recent advances in intrusion detection | 2010
Dina Hadžiosmanović; Damiano Bolzoni; Pieter H. Hartel
Standard approaches for detecting malicious behaviors, e.g. monitoring network traffic, cannot address process-related threats in SCADA (Supervisory Control And Data Acquisition) systems. These threats take place when an attacker gains user access rights and performs actions that look legitimate but can disrupt the industrial process. We believe that it is possible to detect such behavior by analysing SCADA system logs. We present MEDUSA, an anomaly-based tool for detecting user actions that may negatively impact the system.
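The three abstracts above (the 2012 journal article, the 2011 paper and MEDUSA) all describe detecting process-related threats from application logs rather than from network traffic. The following is an added illustration of that idea, not the authors' tool: a profile of who does what to which process object, with which values and at which hours, is learned from a log window assumed to be clean, and later events are flagged when the (user, action, object) triple was never seen, when a written value lies outside the range seen for that object, or when the user acts at an hour of the day in which that user was never active. The log format, field names, operators, tag names and values are all constructed.

```python
"""Process-related threat detection over SCADA application logs (added illustration)."""
import re
from collections import defaultdict

# Constructed log format (assumption): ISO timestamp, user, action, object, optional value.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) obj=(?P<obj>\S+)"
    r"(?: value=(?P<value>-?\d+(?:\.\d+)?))?$"
)


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything the regex rejects."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"][11:13])
    ev["value"] = float(ev["value"]) if ev["value"] is not None else None
    return ev


class Profile:
    """Baseline of legitimate user behaviour learned from a clean log window."""

    def __init__(self):
        self.triples = set()            # (user, action, obj) combinations seen
        self.ranges = {}                # obj -> (min value, max value) written
        self.hours = defaultdict(set)   # user -> hours of day with activity

    def learn(self, lines):
        for line in lines:
            ev = parse(line)
            if ev is None:
                continue
            self.triples.add((ev["user"], ev["action"], ev["obj"]))
            self.hours[ev["user"]].add(ev["hour"])
            if ev["value"] is not None:
                lo, hi = self.ranges.get(ev["obj"], (ev["value"], ev["value"]))
                self.ranges[ev["obj"]] = (min(lo, ev["value"]), max(hi, ev["value"]))

    def reasons(self, ev) -> list:
        """All rules the event violates; an empty list means it fits the baseline."""
        out = []
        if (ev["user"], ev["action"], ev["obj"]) not in self.triples:
            out.append("unseen user/action/object combination")
        if ev["value"] is not None and ev["obj"] in self.ranges:
            lo, hi = self.ranges[ev["obj"]]
            if not lo <= ev["value"] <= hi:
                out.append(f"value {ev['value']} outside learned range [{lo}, {hi}]")
        if ev["hour"] not in self.hours.get(ev["user"], set()):
            out.append(f"user {ev['user']} never active at hour {ev['hour']:02d}")
        return out


def detect(profile: Profile, lines) -> list:
    """(line, reasons) for every line that violates the profile or cannot be parsed."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append((line, ["unparseable log line"]))
        elif profile.reasons(ev):
            alerts.append((line, profile.reasons(ev)))
    return alerts


# Constructed clean window: two operators on a day shift of a water treatment HMI.
TRAINING_LOG = [
    "2012-03-05T08:02:11 user=op1 action=SETPOINT obj=CHLORINE_DOSE value=1.8",
    "2012-03-05T08:40:37 user=op1 action=SETPOINT obj=CHLORINE_DOSE value=2.1",
    "2012-03-05T09:15:02 user=op1 action=ACK_ALARM obj=TANK1_LEVEL_HI",
    "2012-03-05T10:05:44 user=op2 action=START obj=PUMP2",
    "2012-03-05T13:22:09 user=op1 action=SETPOINT obj=CHLORINE_DOSE value=2.4",
    "2012-03-05T14:48:30 user=op2 action=STOP obj=PUMP2",
    "2012-03-05T16:10:15 user=op2 action=SETPOINT obj=CHLORINE_DOSE value=2.0",
]
# Constructed later window: two legitimate events, an out-of-range dose written
# with valid credentials, a night-time mode change nobody ever made, and junk.
TEST_LOG = [
    "2012-03-06T09:03:50 user=op1 action=SETPOINT obj=CHLORINE_DOSE value=2.2",
    "2012-03-06T10:12:05 user=op2 action=START obj=PUMP2",
    "2012-03-06T14:51:12 user=op2 action=SETPOINT obj=CHLORINE_DOSE value=9.5",
    "2012-03-07T03:17:40 user=op1 action=SETPOINT obj=PUMP2_MODE value=0",
    "corrupted line from log rotation",
]


def run() -> list:
    profile = Profile()
    profile.learn(TRAINING_LOG)
    return detect(profile, TEST_LOG)


if __name__ == "__main__":
    for line, reasons in run():
        print(line, "->", "; ".join(reasons))
```

Each event carries a valid login, so a network monitor or an authentication log would show nothing wrong; only the comparison with the learned process-level baseline separates the 9.5 dose and the 03:17 mode change from routine operator work. The learned ranges are only as good as the clean window, so in practice the baseline needs to cover every normal operating mode before it is used for alerting.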
recent advances in intrusion detection | 2012
Dina Hadžiosmanović; Lorenzo Simionato; Damiano Bolzoni; Emmanuele Zambon; Sandro Etalle
usenix large installation systems administration conference | 2007
Damiano Bolzoni; Bruno Crispo; Sandro Etalle