New Doctor in the hood


The Doctoral Thesis titled «Behavioral Modeling for Anomaly Detection in Industrial Control System», written by IÑAKI GARITANO GARITANO was defended last friday,  14th of February 2014, at 11:30 a.m., in the Auditorium of the Pole of Innovation Garaia.

Iñaki worked under the supervision of Dr. Roberto Uribeetxeberria and Dr. Urko Zurutuza, both from the Telematics Research Group of Mondragon University.

On 10th December 2013, the Subcommittee of Doctorate from the Faculty of Engineering admitted the deposit of the above mentioned thesis and attending to what is established in the University’s Academic Regulation, four proposed Doctors were requested to make a reasoned report about the quality of the thesis (Prof. Javier López , Prof. Eduardo Jacob, Prof. Julián Flórez and Prof. Christopher Dennett).

The PhD student wanted to obtain “Doctor Europeus” mention. Therefore, two experts who are not members of the jury also wrote this quality report: Prof. Magnus Almgren (Chalmers University of Technology and University of Gothenburg) and Prof. Marcelo Masera (European Joint Research Centre).

The examining committee was composed by:

  • Dr. Javier López Muñoz, University of Malaga (President)
  • Dr. Eduardo Jacob Taquet, University of the Basque Country
  • Dr. Julián Flórez, Vicomtech-IK4 research centre
  • Dr. Christopher Dennett, University of Wolverhampton
  • Dr. Felix Larrinaga Barrenetxea, Mondragon University (Secretary)

Once the exhibition finished, the President gave the  members of the court and doctors in the audience the opportunity to make comments and questions; which Iñaki answered satisfactorily.

After a short deliberation, the jury decided to award Iñaki with the highest grade possible, i.e.;  First Class grade with ‘CUM LAUDE’ distinction.

From left to right: Dr. Urko Zurutuza, Dr. Roberto Uribeetxeberria, Dr. Julián Flórez, Dr. Christopher Dennett, Dr. Iñaki Garitano, Dr. Javier López, Dr. Eduardo Jacob and Dr. Felix Larrinaga.

 

Here is the abstract of the Thesis:

In 1990s, industry demanded the interconnection of corporate and production networks. Thus, Industrial Control Systems (ICSs) evolved from 1970s proprietary and close hardware and software to nowadays
Commercial Off-The-Shelf (COTS) devices. Although this transformation carries several advantages, such as simplicity and cost-efficiency, the use of COTS hardware and software implies multiple Information Technology vulnerabilities. Specially tailored worms like Stuxnet, Duqu, Night Dragon or Flame showed their potential to damage and get information about ICSs. Anomaly Detection Systems (ADSs), are considered suitable security mechanisms for ICSs due to the repetitiveness and static architecture of industrial processes. ADSs base their operation in behavioral models that require attack-free training data or an extensive description of the process for their creation.

This thesis work proposes a new approach to analyze binary industrial protocols payloads and automatically generate behavioral models synthesized in rules. In the same way, through this work we develop a method to generate realistic network traffic in laboratory conditions without the need of a real ICS installation. This contribution establishes the basis of future ADS as well as it could support experimentation through the recreation of realistic traffic in simulated environments. Furthermore, a new approach to correct delay and jitter issues is proposed. This proposal improves the quality of time-based ADSs by reducing the false positive rate.

We experimentally validate the proposed approaches with several statistical methods, ADSs quality measures and comparing the results with traffic taken from a real installation. We show that a payload-based ADS is possible without needing to understand the payload data, that the generation of realistic network traffic in laboratory conditions is feasible and that delay and jitter correction improves the quality of behavioral models.

As a conclusion, the presented approaches provide both, an ADS able to work with private industrial protocols, together with a method to create behavioral models for open ICS protocols which does not require training data.

 

+ No hay comentarios

Añade el tuyo