% % This file was created by the TYPO3 extension % bib % --- Timezone: CET % Creation date: 2024-03-29 % Creation time: 08-15-22 % --- Number of references % 13 % @Inproceedings { 2022_kus_ensemble, title = {Poster: Ensemble Learning for Industrial Intrusion Detection}, year = {2022}, month = {12}, day = {8}, number = {RWTH-2022-10809}, abstract = {Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors.}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf}, publisher = {RWTH Aachen University}, booktitle = {38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA}, institution = {RWTH Aachen University}, event_place = {Austin, TX, USA}, event_name = {38th Annual Computer Security Applications Conference (ACSAC '22)}, event_date = {December 5-9, 2022}, DOI = {10.18154/RWTH-2022-10809}, reviewed = {1}, author = {Kus, Dominik and Wolsing, Konrad and Pennekamp, Jan and Wagner, Eric and Henze, Martin and Wehrle, Klaus} } @Inproceedings { 2022_pennekamp_cumul, title = {CUMUL \& Co: High-Impact Artifacts for Website Fingerprinting Research}, year = {2022}, month = {12}, day = {8}, number = {RWTH-2022-10811}, abstract = {Anonymous communication on the Internet is about hiding the relationship between communicating parties. At NDSS '16, we presented a new website fingerprinting approach, CUMUL, that utilizes novel features and a simple yet powerful algorithm to attack anonymization networks such as Tor. Based on pattern observation of data flows, this attack aims at identifying the content of encrypted and anonymized connections. Apart from the feature generation and the used classifier, we also provided a large dataset to the research community to study the attack at Internet scale. In this paper, we emphasize the impact of our artifacts by analyzing publications referring to our work with respect to the dataset, feature extraction method, and source code of the implementation. Based on this data, we draw conclusions about the impact of our artifacts on the research field and discuss their influence on related cybersecurity topics. Overall, from 393 unique citations, we discover more than 130 academic references that utilize our artifacts, 61 among them are highly influential (according to SemanticScholar), and at least 35 are from top-ranked security venues. This data underlines the significant relevance and impact of our work as well as of our artifacts in the community and beyond.}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-pennekamp-cumul-artifacts.pdf}, web_url = {https://www.acsac.org/2022/program/artifacts_competition/}, publisher = {ACSA}, booktitle = {Cybersecurity Artifacts Competition and Impact Award at 38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA}, event_place = {Austin, TX, USA}, event_name = {38th Annual Computer Security Applications Conference (ACSAC '22)}, event_date = {December 5-9, 2022}, DOI = {10.18154/RWTH-2022-10811}, reviewed = {1}, author = {Pennekamp, Jan and Henze, Martin and Zinnen, Andreas and Lanze, Fabian and Wehrle, Klaus and Panchenko, Andriy} } @Inproceedings { 2022-serror-ccs-inside, title = {Poster: INSIDE - Enhancing Network Intrusion Detection in Power Grids with Automated Facility Monitoring}, year = {2022}, month = {11}, day = {7}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-serror-ccs-inside.pdf}, publisher = {ACM}, howpublished = {online}, booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security}, event_place = {Los Angeles, CA, USA}, event_date = {November 8, 2022}, DOI = {10.1145/3548606.3563500}, reviewed = {1}, author = {Serror, Martin and Bader, Lennart and Henze, Martin and Schwarze, Arne and N{\"u}rnberger, Kai} } @Inproceedings { 2022-wolsing-ipal, title = {IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems}, year = {2022}, month = {10}, day = {26}, abstract = {The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL’s correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.}, url = {/fileadmin/papers/2022/2022-wolsing-ipal.pdf}, booktitle = {Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022)}, DOI = {10.1145/3545948.3545968}, reviewed = {1}, author = {Wolsing, Konrad and Wagner, Eric and Saillard, Antoine and Henze, Martin} } @Article { 2022-henze-tii-prada, title = {Complying with Data Handling Requirements in Cloud Storage Systems}, journal = {IEEE Transactions on Cloud Computing}, year = {2022}, month = {9}, volume = {10}, number = {3}, pages = {1661-1674}, abstract = {In past years, cloud storage systems saw an enormous rise in usage. However, despite their popularity and importance as underlying infrastructure for more complex cloud services, today’s cloud storage systems do not account for compliance with regulatory, organizational, or contractual data handling requirements by design. Since legislation increasingly responds to rising data protection and privacy concerns, complying with data handling requirements becomes a crucial property for cloud storage systems. We present Prada , a practical approach to account for compliance with data handling requirements in key-value based cloud storage systems. To achieve this goal, Prada introduces a transparent data handling layer, which empowers clients to request specific data handling requirements and enables operators of cloud storage systems to comply with them. We implement Prada on top of the distributed database Cassandra and show in our evaluation that complying with data handling requirements in cloud storage systems is practical in real-world cloud deployments as used for microblogging, data sharing in the Internet of Things, and distributed email storage.}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-henze-tii-prada.pdf}, misc2 = {Online}, language = {en}, ISSN = {2168-7161}, DOI = {10.1109/TCC.2020.3000336}, reviewed = {1}, author = {Henze, Martin and Matzutt, Roman and Hiller, Jens and M{\"u}hmer, Erik and Ziegeldorf, Jan Henrik and van der Giet, Johannes and Wehrle, Klaus} } @Proceedings { 2022-wolsing-radarsec, title = {Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset}, year = {2022}, month = {9}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-radar.pdf}, publisher = {IEEE}, event_place = {Edmonton, Canada}, event_name = {47th IEEE Conference on Local Computer Networks (LCN)}, event_date = {September 26-29, 2022}, DOI = {10.1109/LCN53696.2022.9843801}, reviewed = {1}, author = {Wolsing, Konrad and Saillard, Antoine and Bauer, Jan and Wagner, Eric and van Sloun, Christian and Fink, Ina Berenice and Schmidt, Mari and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2022-wolsing-simple, title = {Can Industrial Intrusion Detection Be SIMPLE?}, year = {2022}, month = {9}, volume = {978-3-031-17143-7}, pages = {574--594}, abstract = {Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-simple.pdf}, editor = {Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi}, publisher = {Springer Nature Switzerland}, booktitle = {Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS '22), September 26-30, 2022, Copenhagen, Denmark}, event_place = {Copenhagen, Denmark}, event_name = {27th European Symposium on Research in Computer Security (ESORICS)}, event_date = {September 26-30, 2022}, DOI = {10.1007/978-3-031-17143-7_28}, reviewed = {1}, author = {Wolsing, Konrad and Thiemt, Lea and van Sloun, Christian and Wagner, Eric and Wehrle, Klaus and Henze, Martin} } @Proceedings { 2022-serror-cset, title = {PowerDuck: A GOOSE Data Set of Cyberattacks in Substations}, year = {2022}, month = {8}, day = {8}, pages = {5}, keywords = {data sets, network traffic, smart grid security, IDS}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-serror-cset-powerduck.pdf}, publisher = {ACM}, address = {New York, NY, USA}, howpublished = {online}, event_place = {Virtual}, event_name = {Cyber Security Experimentation and Test Workshop (CSET 2022)}, event_date = {August 8, 2022}, ISBN = {978-1-4503-9684-4/22/08}, DOI = {10.1145/3546096.3546102}, reviewed = {1}, author = {Zemanek, Sven and Hacker, Immanuel and Wolsing, Konrad and Wagner, Eric and Henze, Martin and Serror, Martin} } @Inproceedings { 2022_dahlmanns_tlsiiot, title = {Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things}, year = {2022}, month = {5}, day = {31}, pages = {252-266}, abstract = {The ongoing trend to move industrial appliances from previously isolated networks to the Internet requires fundamental changes in security to uphold secure and safe operation. Consequently, to ensure end-to-end secure communication and authentication, (i) traditional industrial protocols, e.g., Modbus, are retrofitted with TLS support, and (ii) modern protocols, e.g., MQTT, are directly designed to use TLS. To understand whether these changes indeed lead to secure Industrial Internet of Things deployments, i.e., using TLS-based protocols, which are configured according to security best practices, we perform an Internet-wide security assessment of ten industrial protocols covering the complete IPv4 address space. Our results show that both, retrofitted existing protocols and newly developed secure alternatives, are barely noticeable in the wild. While we find that new protocols have a higher TLS adoption rate than traditional protocols (7.2 \% vs. 0.4 \%), the overall adoption of TLS is comparably low (6.5 \% of hosts). Thus, most industrial deployments (934,736 hosts) are insecurely connected to the Internet. Furthermore, we identify that 42 \% of hosts with TLS support (26,665 hosts) show security deficits, e.g., missing access control. Finally, we show that support in configuring systems securely, e.g., via configuration templates, is promising to strengthen security.}, keywords = {industrial communication; network security; security configuration}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-dahlmanns-asiaccs.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan}, event_place = {Nagasaki, Japan}, event_name = {ASIACCS '22}, event_date = {May 30-June 3, 2022}, ISBN = {978-1-4503-9140-5/22/05}, DOI = {10.1145/3488932.3497762}, reviewed = {1}, author = {Dahlmanns, Markus and Lohm{\"o}ller, Johannes and Pennekamp, Jan and Bodenhausen, J{\"o}rn and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2022_kus_iids_generalizability, title = {A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection}, year = {2022}, month = {5}, day = {30}, pages = {73-84}, abstract = {Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 \%. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 \% and 14.7 \% for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.}, keywords = {anomaly detection; machine learning; industrial control system}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan}, ISBN = {978-1-4503-9176-4/22/05}, DOI = {10.1145/3494107.3522773}, reviewed = {1}, author = {Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wolsing, Konrad and Fink, Ina Berenice and Dahlmanns, Markus and Wehrle, Klaus and Henze, Martin} } @Inproceedings { WagnerSWH2022, title = {BP-MAC: Fast Authentication for Short Messages}, year = {2022}, month = {5}, day = {18}, pages = {201-206}, url = {/fileadmin/papers/2022/2022-wagner-bpmac.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, event_place = {San Antonio, Texas, USA}, event_name = {15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, ISBN = {978-1-4503-9216-7/22/05}, DOI = {10.1145/3507657.3528554}, reviewed = {1}, author = {Wagner, Eric and Serror, Martin and Wehrle, Klaus and Henze, Martin} } @Inproceedings { WagnerBH2022, title = {Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes}, year = {2022}, month = {5}, day = {18}, pages = {207-221}, url = {/fileadmin/papers/2022/2022-wagner-r2d2.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, event_place = {San Antonio, Texas, USA}, event_name = {15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, ISBN = {978-1-4503-9216-7/22/05}, DOI = {10.1145/3507657.3528539}, reviewed = {1}, author = {Wagner, Eric and Bauer, Jan and Henze, Martin} } @Inproceedings { 2022_wagner_ccchain, title = {Scalable and Privacy-Focused Company-Centric Supply Chain Management}, year = {2022}, month = {5}, day = {4}, abstract = {Blockchain technology promises to overcome trust and privacy concerns inherent to centralized information sharing. However, current decentralized supply chain management systems do either not meet privacy and scalability requirements or require a trustworthy consortium, which is challenging for increasingly dynamic supply chains with constantly changing participants. In this paper, we propose CCChain, a scalable and privacy-aware supply chain management system that stores all information locally to give companies complete sovereignty over who accesses their data. Still, tamper protection of all data through a permissionless blockchain enables on-demand tracking and tracing of products as well as reliable information sharing while affording the detection of data inconsistencies. Our evaluation confirms that CCChain offers superior scalability in comparison to alternatives while also enabling near real-time tracking and tracing for many, less complex products.}, keywords = {supply chain management; blockchain; permissionless; deployment; tracing and tracking; privacy}, tags = {internet-of-production}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wagner-ccchain.pdf}, publisher = {IEEE}, booktitle = {Proceedings of the 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC '22), May 2-5, 2022, Shanghai, China}, event_place = {Shanghai, China}, event_date = {May 2-5, 2022}, ISBN = {978-1-6654-9538-7/22}, DOI = {10.1109/ICBC54727.2022.9805503}, reviewed = {1}, author = {Wagner, Eric and Matzutt, Roman and Pennekamp, Jan and Bader, Lennart and Bajelidze, Irakli and Wehrle, Klaus and Henze, Martin} }