From System Specification to Anomaly Detection (and back)

Fauri, Davide; Santos, Daniel Rodrigues dos; Costante, Elisa; Hartog, Jerry den; Etalle, Sandro; Tonetta, Stefano

doi:10.1145/3140241.3140250

Cited by 26 publications

(16 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Signature-based Intrusion Detection Signature-based intrusion detection compares pre-defined behavior (known as golden behavior or signature) to identify the the abnormal event during runtime [23]. Though these techniques effectively identify the intrusion with a small number of false positives they require a precisely calibrated signature [93]. Therefore, such techniques are not feasible if designers and IP providers are not trusted.…”

Section: Specificationmentioning

confidence: 99%

A Roadmap Toward the Resilient Internet of Things for Cyber-Physical Systems

et al. 2019

View full text Add to dashboard Cite

The Internet of Things (IoT) is a ubiquitous system connecting many different devices -the things -which can be accessed from the distance. The cyber-physical systems (CPS) monitor and control the things from the distance. As a result, the concepts of dependability and security get deeply intertwined. The increasing level of dynamicity, heterogeneity, and complexity adds to the system's vulnerability, and challenges its ability to react to faults. This paper summarizes state-of-the-art of existing work on anomaly detection, fault-tolerance and self-healing, and adds a number of other methods applicable to achieve resilience in an IoT. We particularly focus on non-intrusive methods ensuring data integrity in the network. Furthermore, this paper presents the main challenges in building a resilient IoT for CPS which is crucial in the era of smart CPS with enhanced connectivity (an excellent example of such a system is connected autonomous vehicles). It further summarizes our solutions, work-in-progress and future work to this topic to enable "Trustworthy IoT for CPS". Finally, this framework is illustrated on a selected use case: A smart sensor infrastructure in the transport domain.

show abstract

Section: Specificationmentioning

confidence: 99%

A Roadmap Toward the Resilient Internet of Things for Cyber-Physical Systems

et al. 2019

View full text Add to dashboard Cite

show abstract

“…By checking the invariance specification c < 10, the counterexample will be the desired trace. The assumption used in previous tests may look too artificial, so we present a real-world example taken from [16] and shown in Fig. 5.…”

Section: Experimental Evaluationmentioning

confidence: 99%

Assumption-Based Runtime Verification with Partial Observability and Resets

Cimatti

Tian

Tonetta

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We consider Runtime Verification (RV) based on Propositional Linear Temporal Logic (LTL) with both future and past temporal operators. We generalize the framework to monitor partially observable systems using models of the system under scrutiny (SUS) as assumptions for reasoning on the non-observable or future behaviors of the SUS. The observations are general predicates over the SUS, thus both static and dynamic sets of observables are supported. Furthermore, the monitors are resettable, i.e. able to evaluate any LTL property at arbitrary positions of the input trace (roughly speaking, [[u, i |= ϕ]] can be evaluated for any u and i with the underlying assumptions taken into account). We present a symbolic monitoring algorithm that can be efficiently implemented using BDD. It is proven correct and the monitor can be double-checked by model checking. As a by-product, we give the first automata-based monitoring algorithm for Past-Time LTL. Beside feasibility and effectiveness of our approach, we also demonstrate that, under certain assumptions the monitors of some properties are predictive.

show abstract

“…Fauri et al [4] presented feature selection based anomaly detection system, where each feature is similar to an event. However, features are extracted from the ICS device logs based on the expert knowledge, which may be prone to error as discussed earlier.…”

Section: A Anomaly Detectionmentioning

confidence: 99%

“…However, detecting process-based attacks is challenging. A stealthy attacker may try to disrupt the industrial process by changing the state of a system such that it does not to raise a safety alarm but does disrupt the process [4]. Fig 1 shows an example of process related attack where attacker "turned off the water pump before tank was full" and then tried to damage the water tank system by rapid "on and off" control of the water pump.…”

Section: Introductionmentioning

confidence: 99%

An Improved Industrial Control System Device Logs Processing Method for Process-Based Anomaly Detection

Hussain

Foo

Suriadi

2019

2019 International Conference on Frontiers of Information Technology (FIT)

View full text Add to dashboard Cite

Detecting process-based attacks on industrial control systems (ICS) is challenging. These cyber-attacks are designed to disrupt the industrial process by changing the state of a system, while keeping the system's behaviour close to the expected behaviour. Such anomalous behaviour can be effectively detected by an event-driven approach. Petri Net (PN) model identification has proved to be an effective method for event-driven system analysis and anomaly detection. However, PN identification-based anomaly detection methods require ICS device logs to be converted into event logs (sequence of events). Therefore, in this paper we present a formalised method for pre-processing and transforming ICS device logs into event logs. The proposed approach outperforms the previous methods of device logs processing in terms of anomaly detection. We have demonstrated the results using two published datasets.

show abstract

From System Specification to Anomaly Detection (and back)

Cited by 26 publications

References 42 publications

A Roadmap Toward the Resilient Internet of Things for Cyber-Physical Systems

A Roadmap Toward the Resilient Internet of Things for Cyber-Physical Systems

Assumption-Based Runtime Verification with Partial Observability and Resets

An Improved Industrial Control System Device Logs Processing Method for Process-Based Anomaly Detection

Contact Info

Product

Resources

About