% % This file was created by the TYPO3 extension % bib % --- Timezone: CET % Creation date: 2024-03-28 % Creation time: 15-11-41 % --- Number of references % 9 % @Inproceedings { 2022_kus_ensemble, title = {Poster: Ensemble Learning for Industrial Intrusion Detection}, year = {2022}, month = {12}, day = {8}, number = {RWTH-2022-10809}, abstract = {Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors.}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf}, publisher = {RWTH Aachen University}, booktitle = {38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA}, institution = {RWTH Aachen University}, event_place = {Austin, TX, USA}, event_name = {38th Annual Computer Security Applications Conference (ACSAC '22)}, event_date = {December 5-9, 2022}, DOI = {10.18154/RWTH-2022-10809}, reviewed = {1}, author = {Kus, Dominik and Wolsing, Konrad and Pennekamp, Jan and Wagner, Eric and Henze, Martin and Wehrle, Klaus} } @Inproceedings { 2022-wolsing-ipal, title = {IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems}, year = {2022}, month = {10}, day = {26}, abstract = {The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL’s correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.}, url = {/fileadmin/papers/2022/2022-wolsing-ipal.pdf}, booktitle = {Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022)}, DOI = {10.1145/3545948.3545968}, reviewed = {1}, author = {Wolsing, Konrad and Wagner, Eric and Saillard, Antoine and Henze, Martin} } @Proceedings { 2022-wolsing-radarsec, title = {Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset}, year = {2022}, month = {9}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-radar.pdf}, publisher = {IEEE}, event_place = {Edmonton, Canada}, event_name = {47th IEEE Conference on Local Computer Networks (LCN)}, event_date = {September 26-29, 2022}, DOI = {10.1109/LCN53696.2022.9843801}, reviewed = {1}, author = {Wolsing, Konrad and Saillard, Antoine and Bauer, Jan and Wagner, Eric and van Sloun, Christian and Fink, Ina Berenice and Schmidt, Mari and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2022-wolsing-simple, title = {Can Industrial Intrusion Detection Be SIMPLE?}, year = {2022}, month = {9}, volume = {978-3-031-17143-7}, pages = {574--594}, abstract = {Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-simple.pdf}, editor = {Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi}, publisher = {Springer Nature Switzerland}, booktitle = {Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS '22), September 26-30, 2022, Copenhagen, Denmark}, event_place = {Copenhagen, Denmark}, event_name = {27th European Symposium on Research in Computer Security (ESORICS)}, event_date = {September 26-30, 2022}, DOI = {10.1007/978-3-031-17143-7_28}, reviewed = {1}, author = {Wolsing, Konrad and Thiemt, Lea and van Sloun, Christian and Wagner, Eric and Wehrle, Klaus and Henze, Martin} } @Proceedings { 2022-serror-cset, title = {PowerDuck: A GOOSE Data Set of Cyberattacks in Substations}, year = {2022}, month = {8}, day = {8}, pages = {5}, keywords = {data sets, network traffic, smart grid security, IDS}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-serror-cset-powerduck.pdf}, publisher = {ACM}, address = {New York, NY, USA}, howpublished = {online}, event_place = {Virtual}, event_name = {Cyber Security Experimentation and Test Workshop (CSET 2022)}, event_date = {August 8, 2022}, ISBN = {978-1-4503-9684-4/22/08}, DOI = {10.1145/3546096.3546102}, reviewed = {1}, author = {Zemanek, Sven and Hacker, Immanuel and Wolsing, Konrad and Wagner, Eric and Henze, Martin and Serror, Martin} } @Inproceedings { 2022_kus_iids_generalizability, title = {A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection}, year = {2022}, month = {5}, day = {30}, pages = {73-84}, abstract = {Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 \%. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 \% and 14.7 \% for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.}, keywords = {anomaly detection; machine learning; industrial control system}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan}, ISBN = {978-1-4503-9176-4/22/05}, DOI = {10.1145/3494107.3522773}, reviewed = {1}, author = {Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wolsing, Konrad and Fink, Ina Berenice and Dahlmanns, Markus and Wehrle, Klaus and Henze, Martin} } @Inproceedings { WagnerSWH2022, title = {BP-MAC: Fast Authentication for Short Messages}, year = {2022}, month = {5}, day = {18}, pages = {201-206}, url = {/fileadmin/papers/2022/2022-wagner-bpmac.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, event_place = {San Antonio, Texas, USA}, event_name = {15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, ISBN = {978-1-4503-9216-7/22/05}, DOI = {10.1145/3507657.3528554}, reviewed = {1}, author = {Wagner, Eric and Serror, Martin and Wehrle, Klaus and Henze, Martin} } @Inproceedings { WagnerBH2022, title = {Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes}, year = {2022}, month = {5}, day = {18}, pages = {207-221}, url = {/fileadmin/papers/2022/2022-wagner-r2d2.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, event_place = {San Antonio, Texas, USA}, event_name = {15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '22)}, ISBN = {978-1-4503-9216-7/22/05}, DOI = {10.1145/3507657.3528539}, reviewed = {1}, author = {Wagner, Eric and Bauer, Jan and Henze, Martin} } @Inproceedings { 2022_wagner_ccchain, title = {Scalable and Privacy-Focused Company-Centric Supply Chain Management}, year = {2022}, month = {5}, day = {4}, abstract = {Blockchain technology promises to overcome trust and privacy concerns inherent to centralized information sharing. However, current decentralized supply chain management systems do either not meet privacy and scalability requirements or require a trustworthy consortium, which is challenging for increasingly dynamic supply chains with constantly changing participants. In this paper, we propose CCChain, a scalable and privacy-aware supply chain management system that stores all information locally to give companies complete sovereignty over who accesses their data. Still, tamper protection of all data through a permissionless blockchain enables on-demand tracking and tracing of products as well as reliable information sharing while affording the detection of data inconsistencies. Our evaluation confirms that CCChain offers superior scalability in comparison to alternatives while also enabling near real-time tracking and tracing for many, less complex products.}, keywords = {supply chain management; blockchain; permissionless; deployment; tracing and tracking; privacy}, tags = {internet-of-production}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wagner-ccchain.pdf}, publisher = {IEEE}, booktitle = {Proceedings of the 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC '22), May 2-5, 2022, Shanghai, China}, event_place = {Shanghai, China}, event_date = {May 2-5, 2022}, ISBN = {978-1-6654-9538-7/22}, DOI = {10.1109/ICBC54727.2022.9805503}, reviewed = {1}, author = {Wagner, Eric and Matzutt, Roman and Pennekamp, Jan and Bader, Lennart and Bajelidze, Irakli and Wehrle, Klaus and Henze, Martin} }