This file was created by the TYPO3 extension bib --- Timezone: CEST Creation date: 2024-05-07 Creation time: 20-21-28 --- Number of references 19 article 2023_lamberts_metrics-sok Journal of Systems Research 2023 10 31 3 1 Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward. internet-of-production, rfc https://www.comsys.rwth-aachen.de/fileadmin/papers/2023/2023-lamberts-metrics-sok.pdf eScholarship Publishing 2770-5501 10.5070/SR33162445 1 OlavLamberts KonradWolsing EricWagner JanPennekamp JanBauer KlausWehrle MartinHenze inproceedings 2023-wagner-lcn-repel 2023 10 https://www.comsys.rwth-aachen.de/fileadmin/papers/2023/2023-wagner-repel.pdf IEEE 48th IEEE Conference on Local Computer Networks (LCN), Daytona Beach, Florida, US Daytona Beach, Florida, US IEEE Conference on Local Computer Networks (LCN) Oktober 1-5, 2023 accepted en 1 EricWagner NilsRothaug KonradWolsing LennartBader KlausWehrle MartinHenze inproceedings 2023-wolsing-xluuvlab 2023 10 Roughly two-thirds of our planet is covered with water, and so far, the oceans have predominantly been used at their surface for the global transport of our goods and commodities. Today, there is a rising trend toward subsea infrastructures such as pipelines, telecommunication cables, or wind farms which demands potent vehicles for underwater work. To this end, a new generation of vehicles, large and Extra-Large Unmanned Underwater Vehicles (XLUUVs), is currently being engineered that allow for long-range, remotely controlled, and semi-autonomous missions in the deep sea. However, although these vehicles are already heavily developed and demand state-of-the-art communi- cation technologies to realize their autonomy, no dedicated test and development environments exist for research, e.g., to assess the implications on cybersecurity. Therefore, in this paper, we present XLab-UUV, a virtual testbed for XLUUVs that allows researchers to identify novel challenges, possible bottlenecks, or vulnerabilities, as well as to develop effective technologies, protocols, and procedures. Maritime Simulation Environment, XLUUV, Cyber Range, Autonomous Shipping, Operational Technology https://www.comsys.rwth-aachen.de/fileadmin/papers/2023/2023-wolsing-xluuvlab.pdf IEEE 1st IEEE LCN Workshop on Maritime Communication and Security (MarCaS) Daytona Beach, Florida, USA 1st IEEE LCN Workshop on Maritime Communication and Security (MarCaS) Oktober 1-5, 2023 accepted en 10.1109/LCN58197.2023.10223405 1 KonradWolsing AntoineSaillard ElmarPadilla JanBauer inproceedings 2023_wolsing_ensemble 2023 9 25 14345 102-122 Industrial Intrusion Detection Systems (IIDSs) play a critical role in safeguarding Industrial Control Systems (ICSs) against targeted cyberattacks. Unsupervised anomaly detectors, capable of learning the expected behavior of physical processes, have proven effective in detecting even novel cyberattacks. While offering decent attack detection, these systems, however, still suffer from too many False-Positive Alarms (FPAs) that operators need to investigate, eventually leading to alarm fatigue. To address this issue, in this paper, we challenge the notion of relying on a single IIDS and explore the benefits of combining multiple IIDSs. To this end, we examine the concept of ensemble learning, where a collection of classifiers (IIDSs in our case) are combined to optimize attack detection and reduce FPAs. While training ensembles for supervised classifiers is relatively straightforward, retaining the unsupervised nature of IIDSs proves challenging. In that regard, novel time-aware ensemble methods that incorporate temporal correlations between alerts and transfer-learning to best utilize the scarce training data constitute viable solutions. By combining diverse IIDSs, the detection performance can be improved beyond the individual approaches with close to no FPAs, resulting in a promising path for strengthening ICS cybersecurity. Lecture Notes in Computer Science (LNCS), Volume 14345 Intrusion Detection; Ensemble Learning; ICS internet-of-production, rfc https://jpennekamp.de/wp-content/papercite-data/pdf/wkw+23.pdf Springer Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS '23), September 25-29, 2023, The Hague, The Netherlands The Hague, The Netherlands 28th European Symposium on Research in Computer Security (ESORICS '23) September 25-29, 2023 978-3-031-51475-3 0302-9743 10.1007/978-3-031-51476-0_6 1 KonradWolsing DominikKus EricWagner JanPennekamp KlausWehrle MartinHenze inproceedings 2022_kus_ensemble 2022 12 8 RWTH-2022-10809 Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors. rfc https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf RWTH Aachen University 38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA RWTH Aachen University Austin, TX, USA 38th Annual Computer Security Applications Conference (ACSAC '22) December 5-9, 2022 10.18154/RWTH-2022-10809 1 DominikKus KonradWolsing JanPennekamp EricWagner MartinHenze KlausWehrle inproceedings 2022-wolsing-ipal 2022 10 26 The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL’s correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos. /fileadmin/papers/2022/2022-wolsing-ipal.pdf Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022) 10.1145/3545948.3545968 1 KonradWolsing EricWagner AntoineSaillard MartinHenze inproceedings 2022-rechenberg-cim 2022 10 Maritime Cybersecurity, Intrusion Detection System, Integrated Bridge System, IEC 61162-450, NMEA 0183 https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-rechenberg-guiding.pdf https://zenodo.org/record/7148794 Zenodo European Workshop on Maritime Systems Resilience and Security (MARESEC 2022) Bremerhaven, Germany 10.5281/zenodo.7148794 1 Merlinvon Rechenberg NinaRößler MariSchmidt KonradWolsing FlorianMotz MichaelBergmann ElmarPadilla JanBauer proceedings 2022-wolsing-radarsec 2022 9 rfc https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-radar.pdf IEEE Edmonton, Canada 47th IEEE Conference on Local Computer Networks (LCN) September 26-29, 2022 10.1109/LCN53696.2022.9843801 1 KonradWolsing AntoineSaillard JanBauer EricWagner Christianvan Sloun Ina BereniceFink MariSchmidt KlausWehrle MartinHenze inproceedings 2022-wolsing-simple 2022 9 978-3-031-17143-7 574--594 Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex. https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-simple.pdf Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi Springer Nature Switzerland Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS '22), September 26-30, 2022, Copenhagen, Denmark Copenhagen, Denmark 27th European Symposium on Research in Computer Security (ESORICS) September 26-30, 2022 10.1007/978-3-031-17143-7_28 1 KonradWolsing LeaThiemt Christianvan Sloun EricWagner KlausWehrle MartinHenze proceedings 2022-serror-cset 2022 8 8 5 data sets, network traffic, smart grid security, IDS https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-serror-cset-powerduck.pdf ACM

New York, NY, USA

online Virtual Cyber Security Experimentation and Test Workshop (CSET 2022) August 8, 2022 978-1-4503-9684-4/22/08 10.1145/3546096.3546102 1 SvenZemanek ImmanuelHacker KonradWolsing EricWagner MartinHenze MartinSerror inproceedings 2022_kus_iids_generalizability 2022 5 30 73-84 Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 %. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 % and 14.7 % for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks. anomaly detection; machine learning; industrial control system internet-of-production, rfc https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf ACM Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan 978-1-4503-9176-4/22/05 10.1145/3494107.3522773 1 DominikKus EricWagner JanPennekamp KonradWolsing Ina BereniceFink MarkusDahlmanns KlausWehrle MartinHenze article 2022-wolsing-aistracks Journal of Marine Science and Engineering 2022 1 14 10 1 The automatic identification system (AIS) was introduced in the maritime domain to increase the safety of sea traffic. AIS messages are transmitted as broadcasts to nearby ships and contain, among others, information about the identification, position, speed, and course of the sending vessels. AIS can thus serve as a tool to avoid collisions and increase onboard situational awareness. In recent years, AIS has been utilized in more and more applications since it enables worldwide surveillance of virtually any larger vessel and has the potential to greatly support vessel traffic services and collision risk assessment. Anomalies in AIS tracks can indicate events that are relevant in terms of safety and also security. With a plethora of accessible AIS data nowadays, there is a growing need for the automatic detection of anomalous AIS data. In this paper, we survey 44 research articles on anomaly detection of maritime AIS tracks. We identify the tackled AIS anomaly types, assess their potential use cases, and closely examine the landscape of recent AIS anomaly research as well as their limitations. automatic identification system; AIS; anomaly detection; maritime safety; maritime security; maritime surveillance https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-aistracks.pdf https://www.mdpi.com/2077-1312/10/1/112 en 10.3390/jmse10010112 1 KonradWolsing LinusRoepert JanBauer KlausWehrle inproceedings 2021-hemminghaus-sigmar 2021 11 25 Distributed maritime bridge systems are customary standard equipment on today’s commercial shipping and cruising vessels. The exchange of nautical data, e.g., geographical positions, is usually implemented using multicast network communication without security measures, which poses serious risks to the authenticity and integrity of transmitted data. In this paper, we introduce digital SIGnatures for MARitime systems (SIGMAR), a low-cost solution to seamlessly retrofit authentication of nautical data based on asymmetric cryptography. Extending the existing IEC 61162-450 protocol makes it is possible to build a backward-compatible authentication mechanism that prevents common cyber attacks. The development was successfully accompanied by permanent investigations in a bridge simulation environment, including a maritime cyber attack generator. We demonstrate SIGMAR’s feasibility by introducing a proof-of-concept implementation on low-cost and low-resource hardware and present a performance analysis of our approach. Maritime Cyber Security;Authentication;Integrity;IEC 61162-450;NMEA 0183 IEEE In Proceedings of the International Symposium on Networks, Computers and Communications (ISNCC) Dubai, United Arab Emirates International Symposium on Networks, Computers and Communications 31 Oct.-2 Nov. 2021 10.1109/ISNCC52172.2021.9615738 1 ChristianHemminghaus JanBauer KonradWolsing inproceedings 2020-wolsing-facilitating 2020 11 9 Cyber-physical systems are increasingly threatened by sophisticated attackers, also attacking the physical aspect of systems. Supplementing protective measures, industrial intrusion detection systems promise to detect such attacks. However, due to industrial protocol diversity and lack of standard interfaces, great efforts are required to adapt these technologies to a large number of different protocols. To address this issue, we identify existing universally applicable intrusion detection approaches and propose a transcription for industrial protocols to realize protocol-independent semantic intrusion detection on top of different industrial protocols. Intrusion Detection; IDS; Industrial Protocols; CPS; IEC-60870-5-104; Modbus; NMEA 0183 https://www.comsys.rwth-aachen.de/fileadmin/papers/2020/2020-wolsing-facilitating.pdf ACM

New York, NY, USA

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS ’20), November 9–13, 2020, Virtual Event, USA. Virtual Event, USA November 9-13, 2020 10.1145/3372297.3420019 1 KonradWolsing EricWagner MartinHenze inproceedings 2019-rueth-quic-userstudy 2019 12 maki,reflexes https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-rueth-quic-userstudy.pdf https://arxiv.org/abs/1910.07729 ACM In Proceedings of the 15th International Conference on emerging Networking EXperiments and Technologies (CoNEXT '19) Orlando, Florida, USA International Conference on emerging Networking EXperiments and Technologies 9.12.2019-12.12.2019 10.1145/3359989.3365416 1 JanRüth KonradWolsing KlausWehrle OliverHohlfeld inproceedings 2019-wolsing-quicperf 2019 7 22 maki,reflexes https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-wolsing-quicperf.pdf https://arxiv.org/abs/1906.07415 ACM In Proceedings of the Applied Networking Research Workshop (ANRW '19) Montreal, Quebec, Canada Applied Networking Research Workshop at IETF-105 2019-07-22 10.1145/3340301.3341123 1 KonradWolsing JanRüth KlausWehrle OliverHohlfeld techreport 2019-rueth-blitzstart 2019 5 8 arXiv:1905.03144 [cs.NI] 1--8 https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-rueth-blitzstart.pdf https://arxiv.org/abs/1905.03144 Online COMSYS, RWTH Aachen University

Ahornstr. 55, 52074 Aachen, Germany

COMSYS, RWTH Aachen University Technical Report en JanRüth KonradWolsing MartinSerror KlausWehrle OliverHohlfeld inproceedings 2018-rueth-mining 2018 10 31 maki,internet-measurements http://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-rueth-mining.pdf https://arxiv.org/abs/1808.00811 ACM Proceedings of the Internet Measurement Conference (IMC '18) Boston, US Internet Measurement Conference 2018 31.10.18 - 2.11.18 en 10.1145/3278532.3278539 1 JanRüth TorstenZimmermann KonradWolsing OliverHohlfeld inproceedings 2018-tzimmermann-metacdn 2018 3 26 114-128 maki https://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-hohlfeld-metacdn.pdf https://arxiv.org/abs/1803.09990 Springer, Cham In Proceedings of the Passive and Active Measurement Conference (PAM '18) Berlin, Germany Passive and Active Measurement Conference (PAM 2018) 26.3.2018 - 27.3.2018 en 978-3-319-76480-1 10.1007/978-3-319-76481-8_9 1 OliverHohlfeld JanRüth KonradWolsing TorstenZimmermann