Understanding Indicators of Compromise against Cyber-attacks in Industrial Control Systems: A Security Perspective

Asiri, Mohammed; Saxena, Neetesh; Gjomemo, Rigel; Burnap, Pete

doi:10.1145/3587255

Cited by 21 publications

(14 citation statements)

References 108 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Designing rule-based anomaly detection requires process knowledge and engineering effort [46], so automated approaches have emerged to address this difficulty [6], [22], [43]. Engineered rules can also serve as features for MLbased ICS anomaly-detection [39], [43], [53]: when rules are sufficiently complex, their values can be used as explanations or indicators of compromise [6], [13]. Rule-based and MLbased anomaly-detection have been compared for ICS [22], [36], [68]; this work focuses on exploring ML-based anomalydetection attributions for ICS that rely on such techniques.…”

Section: Rule-based Anomaly Detectionmentioning

confidence: 99%

See 1 more Smart Citation

Attributions for ML-based ICS Anomaly Detection: From Theory to Practice

Fung,

Zeng,

Bauer

2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Industrial Control Systems (ICS) govern critical infrastructure like power plants and water treatment plants. ICS can be attacked through manipulations of its sensor or actuator values, causing physical harm. A promising technique for detecting such attacks is machine-learning-based anomaly detection, but it does not identify which sensor or actuator was manipulated and makes it difficult for ICS operators to diagnose the anomaly's root cause. Prior work has proposed using attribution methods to identify what features caused an ICS anomaly-detection model to raise an alarm, but it is unclear how well these attribution methods work in practice. In this paper, we compare state-of-the-art attribution methods for the ICS domain with real attacks from multiple datasets. We find that attribution methods for ICS anomaly detection do not perform as well as suggested in prior work and identify two main reasons. First, anomaly detectors often detect attacks either immediately or significantly after the attack start; we find that attributions computed at these detection points are inaccurate. Second, attribution accuracy varies greatly across attack properties, and attribution methods struggle with attacks on categorical-valued actuators. Despite these challenges, we find that ensembles of attributions can compensate for weaknesses in individual attribution methods. Towards practical use of attributions for ICS anomaly detection, we provide recommendations for researchers and practitioners, such as the need to evaluate attributions with diverse datasets and the potential for attributions in non-real-time workflows.

show abstract

Section: Rule-based Anomaly Detectionmentioning

confidence: 99%

“…A key part of ICS operators' response to an attack is identifying its cause [13]. However, most proposals for using ML-based anomaly detection in ICS only identify whether an ICS as a whole is in a normal or anomalous state [72].…”

Section: Introductionmentioning

confidence: 99%

Attributions for ML-based ICS Anomaly Detection: From Theory to Practice

Fung,

Zeng,

Bauer

2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…For CTI to be effective, organisations need to cooperate by sharing threat information which may affect them all, however, this is not always possible due to confidentiality or reputation (Mohaisen et al, 2017). Moreover, the quality of the shared information or indicators is crucial for effective CTI (Asiri et al, 2023).…”

Section: Related Workmentioning

confidence: 99%

Untitled

2023

JISIS

View full text Add to dashboard Cite

The growing frequency of cyberattacks invokes the need to develop and implement more efficient security strategies. Traditional preventive security measures are not able to counter incident threats effectively. These traditional approaches are usually based on heuristic, default or periodic signature rules that cannot efficiently prevent and repel more dynamic modern attacks. Threat hunting (TH) is gaining popularity because it helps to uncover the presence of attacker tactics, techniques and procedures (TTPs) within an environment that has not already been discovered by existing technologies. Threat hunting and threat intelligence are two distinct security disciplines, but they have the capacity to be complimentary. Hence, using cyber threat intelligence (CTI) to reinforce the traditional cybersecurity strategies by generating indicators of compromise (IoCs) feeds of the recent emerging cyberattacks can help the organisation mitigate the attacks more effectively and efficiently.The primary aim of this paper is to design an approach that, based on cyber threat intelligence, will improve the cybersecurity defence strategies adopted by organisations. This goal will be achieved through the presentation of an architecture that collects threat information and feeds to security tools. This proposed architecture contains four main components: data aggregation, normalisation and enrichment, integration with the security operation centre (SOC) tools and real-time monitoring of security information and event management (SIEM).After developing and implementing this architecture, we have conducted tests using Malware Information Sharing Platform (MISP) as a CTI platform to collect the threat information regarding the indicators and the Tactics, Techniques and Procedures (TTPs) of the known attack (Muddy Water threat actor). Subsequent tests were also conducted on emerging cyberattacks (SVBMv3 vulnerability and Covid19 themed cyberattacks campaign). The results obtained provide a defence of the in-depth approach of cybersecurity, which mitigates cyberattacks by efficiently using threat intelligence capabilities for emerging cyberattacks and when threat actors are targeting organisations, using the IoCs collected and the tactics, techniques and procedures.

show abstract

“…The landscape of cybersecurity is continually evolving, with malware presenting a significant and persistent threat to systems and networks globally. The process of reverse engineering malware, which involves deconstructing and analyzing malicious code to understand its functionality and develop countermeasures, is critical in mitigating such threats [1,2]. However, the inherent complexity and obfuscation techniques employed by modern malware make the reverse engineering process highly challenging, often resulting in outputs that are difficult f or even e xperienced a nalysts to interpret [3][4][5].…”

Section: Introductionmentioning

confidence: 99%

Malware Reverse Engineering with Large Language Model for Superior Code Comprehensibility and IoC Recommendations

Williamson,

Beauparlant

2024

Preprint

View full text Add to dashboard Cite

Malware reverse engineering, the process of dissecting malicious software to understand its functionality and behavior, faces significant challenges due to the complexity and obfuscation techniques employed by modern malware. The application of Gemini Pro for interpreting reverse-engineered malware code introduces a novel and significant approach to enhancing the understanding of complex malware behaviors. By leveraging advanced natural language processing capabilities, the model provides detailed and accurate explanations of malware's functional components, offering substantial improvements over traditional analysis methods. The study demonstrates the model's proficiency in identifying key operational mechanisms and recommending relevant indicators of compromise, which are crucial for effective threat detection and mitigation. A comprehensive comparative analysis reveals that Gemini Pro outperforms conventional static and dynamic analysis tools in terms of clarity, coherence, and time efficiency. Detailed case studies of various malware samples, including Ramnit, Kelihos, and Lollipop, illustrate the model's ability to generate clear and actionable insights, thereby facilitating better decision-making in cybersecurity contexts. The findings underscore the potential of integrating advanced natural language processing models into cybersecurity workflows to significantly enhance the efficiency and effectiveness of malware analysis and mitigation efforts.

show abstract

Understanding Indicators of Compromise against Cyber-attacks in Industrial Control Systems: A Security Perspective

Cited by 21 publications

References 108 publications

Attributions for ML-based ICS Anomaly Detection: From Theory to Practice

Attributions for ML-based ICS Anomaly Detection: From Theory to Practice

Untitled

Malware Reverse Engineering with Large Language Model for Superior Code Comprehensibility and IoC Recommendations

Contact Info

Product

Resources

About