Adaptive, Model-Based Monitoring for Cyber Attack Detection

Valdes, Alfonso; Skinner, Keith

doi:10.1007/3-540-39945-3_6

Cited by 217 publications

(126 citation statements)

References 2 publications

Supporting

Mentioning

123

Contrasting

Unclassified

Order By: Relevance

“…Finally, we should note that our approach has some similarity with statistical approaches to intrusion detection based on Bayesian networks (e.g. [27]). The difference from these approaches is that we use Dempster Shafer beliefs to provide measures of the genuineness of individual events and the likelihood of potential rule violations due to some inherent uncertainty about the occurrence or not of specific events which arises by communication delays between event sources and the reasoning system that performs the threat analysis.…”

Section: Related Workmentioning

confidence: 94%

See 1 more Smart Citation

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Tsigkritis

Spanoudakis

Kloukinas

et al. 2009

Security and Dependability for Ambient Intelligence

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract The SERENITY monitoring framework offers mechanisms for diagnosing the causes of violations of security and dependability (S&D) properties and detecting potential violations of such properties, called "threats". Diagnostic information and threat detection are often necessary for deciding what an appropriate reaction to a violation is and taking pre-emptive actions against predicted violations, respectively. In this chapter, we describe the mechanisms of the SERENITY monitoring framework which generate diagnostic information for violations of S&D properties and detecting threats. Permanent

show abstract

Section: Related Workmentioning

confidence: 94%

“…Intrusions are, thus, detected as deviations from the expected normal behaviour of the system. Misuse-based approaches [7,11,27], on the other hand, are based on models of known attacks.…”

Section: Related Workmentioning

confidence: 99%

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Tsigkritis

Spanoudakis

Kloukinas

et al. 2009

Security and Dependability for Ambient Intelligence

View full text Add to dashboard Cite

show abstract

“…The basic idea is that when an interesting event (e.g., new Modbus unit ID detected or a change in the status of a Modbus service) is observed for the first time, a report is generated for the state transition. To this end, we have implemented two intrusion detection sensors, namely, EMERALD Bayes sensor [12] and EModbus. The former contains a TCP-level service discovery component, which learns active services on a monitored network, and as these are discovered it maintains a Bayes instance that rapidly detects when the service is down.…”

Section: Intrusion Detectionmentioning

confidence: 99%

“…• Bayesian protocol anomaly detection engine [12] • Snort, with a ruleset configured to complement the other components of the EMERALD sensor suite enhanced with the PCS ruleset from Digital Bond (www.digitalbond.com)…”

Section: Intrusion Detectionmentioning

confidence: 99%

Intrusion Monitoring in Process Control Systems

Valdes

Cheung

2009

2009 42nd Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

To protect process control networks from cyber intrusions, preventive security measures such as perimeter defenses (for example, network firewalls and demilitarized zones) and secure versions of process control network protocols have been increasingly adopted or proposed. Although system hardening and fixing known vulnerabilities of existing systems are crucial to secure process control systems, intrusion monitoring is essential to ensure that the preventive measures are not compromised or bypassed. Our approach involves a multilayer security architecture for monitoring process control systems to achieve accurate and effective situational awareness. Also, we leverage some of the characteristics of process control systems such as the regularity of network traffic patterns to perform intrusion detection, with the potential to detect unknown attacks. To facilitate human analysts to gain a better understanding of anomalous network traffic patterns, we present a visualization tool that supports multiple usercustomizable views and animation for analyzing network packet traces.

show abstract

“…This would not be an effective defense against novel attacks or fast spreading worms. Network anomaly detection systems such as ADAM [2], SPADE [3], and eBayes [11], use machine learning approaches to model normal network traffic in order to identify unusual events as suspicious, but they model low-level (firewall-like) features such as addresses and port numbers, rather than application protocols.…”

Section: Introduction and Related Workmentioning

confidence: 99%