This file was created by the TYPO3 extension bib
--- Timezone: CEST
Creation date: 2024-09-15
Creation time: 15-01-48
--- Number of references
15
article
2023_lamberts_metrics-sok
SoK: Evaluations in Industrial Intrusion Detection Research
Journal of Systems Research
2023
10
31
3
1
Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward.
internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2023/2023-lamberts-metrics-sok.pdf
eScholarship Publishing
2770-5501
10.5070/SR33162445
1
Olav Lamberts
Konrad Wolsing
Eric Wagner
Jan Pennekamp
Jan Bauer
Klaus Wehrle
Martin Henze
inproceedings
2023_wolsing_ensemble
One IDS is not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection
2023
9
25
14345
102-122
Industrial Intrusion Detection Systems (IIDSs) play a critical role in safeguarding Industrial Control Systems (ICSs) against targeted cyberattacks. Unsupervised anomaly detectors, capable of learning the expected behavior of physical processes, have proven effective in detecting even novel cyberattacks. While offering decent attack detection, these systems, however, still suffer from too many False-Positive Alarms (FPAs) that operators need to investigate, eventually leading to alarm fatigue. To address this issue, in this paper, we challenge the notion of relying on a single IIDS and explore the benefits of combining multiple IIDSs. To this end, we examine the concept of ensemble learning, where a collection of classifiers (IIDSs in our case) are combined to optimize attack detection and reduce FPAs. While training ensembles for supervised classifiers is relatively straightforward, retaining the unsupervised nature of IIDSs proves challenging. In that regard, novel time-aware ensemble methods that incorporate temporal correlations between alerts and transfer-learning to best utilize the scarce training data constitute viable solutions. By combining diverse IIDSs, the detection performance can be improved beyond the individual approaches with close to no FPAs, resulting in a promising path for strengthening ICS cybersecurity.
Lecture Notes in Computer Science (LNCS), Volume 14345
Intrusion Detection; Ensemble Learning; ICS
internet-of-production, rfc
https://jpennekamp.de/wp-content/papercite-data/pdf/wkw+23.pdf
Springer
Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS '23), September 25-29, 2023, The Hague, The Netherlands
The Hague, The Netherlands
28th European Symposium on Research in Computer Security (ESORICS '23)
September 25-29, 2023
978-3-031-51475-3
0302-9743
10.1007/978-3-031-51476-0_6
1
Konrad Wolsing
Dominik Kus
Eric Wagner
Jan Pennekamp
Klaus Wehrle
Martin Henze
inproceedings
2022_kus_ensemble
Poster: Ensemble Learning for Industrial Intrusion Detection
2022
12
8
RWTH-2022-10809
Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors.
rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf
RWTH Aachen University
38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA
RWTH Aachen University
Austin, TX, USA
38th Annual Computer Security Applications Conference (ACSAC '22)
December 5-9, 2022
10.18154/RWTH-2022-10809
1
Dominik Kus
Konrad Wolsing
Jan Pennekamp
Eric Wagner
Martin Henze
Klaus Wehrle
proceedings
2022-wolsing-radarsec
Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset
2022
9
rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-radar.pdf
IEEE
Edmonton, Canada
47th IEEE Conference on Local Computer Networks (LCN)
September 26-29, 2022
10.1109/LCN53696.2022.9843801
1
Konrad Wolsing
Antoine Saillard
Jan Bauer
Eric Wagner
Christian van Sloun
Ina Berenice Fink
Mari Schmidt
Klaus Wehrle
Martin Henze
inproceedings
2022_dahlmanns_tlsiiot
Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things
2022
5
31
252-266
The ongoing trend to move industrial appliances from previously isolated networks to the Internet requires fundamental changes in security to uphold secure and safe operation. Consequently, to ensure end-to-end secure communication and authentication, (i) traditional industrial protocols, e.g., Modbus, are retrofitted with TLS support, and (ii) modern protocols, e.g., MQTT, are directly designed to use TLS. To understand whether these changes indeed lead to secure Industrial Internet of Things deployments, i.e., using TLS-based protocols, which are configured according to security best practices, we perform an Internet-wide security assessment of ten industrial protocols covering the complete IPv4 address space.
Our results show that both retrofitted existing protocols and newly developed secure alternatives are barely noticeable in the wild. While we find that new protocols have a higher TLS adoption rate than traditional protocols (7.2 % vs. 0.4 %), the overall adoption of TLS is comparably low (6.5 % of hosts). Thus, most industrial deployments (934,736 hosts) are insecurely connected to the Internet. Furthermore, we identify that 42 % of hosts with TLS support (26,665 hosts) show security deficits, e.g., missing access control. Finally, we show that support in configuring systems securely, e.g., via configuration templates, is promising to strengthen security.
industrial communication; network security; security configuration
internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-dahlmanns-asiaccs.pdf
ACM
Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan
Nagasaki, Japan
ASIACCS '22
May 30-June 3, 2022
978-1-4503-9140-5/22/05
10.1145/3488932.3497762
1
Markus Dahlmanns
Johannes Lohmöller
Jan Pennekamp
Jörn Bodenhausen
Klaus Wehrle
Martin Henze
inproceedings
2022_kus_iids_generalizability
A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection
2022
5
30
73-84
Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 %. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 % and 14.7 % for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.
anomaly detection; machine learning; industrial control system
internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf
ACM
Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan
978-1-4503-9176-4/22/05
10.1145/3494107.3522773
1
Dominik Kus
Eric Wagner
Jan Pennekamp
Konrad Wolsing
Ina Berenice Fink
Markus Dahlmanns
Klaus Wehrle
Martin Henze
inproceedings
2021_dahlmanns_entrust
Transparent End-to-End Security for Publish/Subscribe Communication in Cyber-Physical Systems
2021
4
28
78-87
The ongoing digitization of industrial manufacturing leads to a decisive change in industrial communication paradigms. Moving from traditional one-to-one to many-to-many communication, publish/subscribe systems promise a more dynamic and efficient exchange of data. However, the resulting significantly more complex communication relationships render traditional end-to-end security futile for sufficiently protecting the sensitive and safety-critical data transmitted in industrial systems. Most notably, the central message brokers inherent in publish/subscribe systems introduce a designated weak spot for security as they can access all communication messages. To address this issue, we propose ENTRUST, a novel solution for key server-based end-to-end security in publish/subscribe systems. ENTRUST transparently realizes confidentiality, integrity, and authentication for publish/subscribe systems without any modification of the underlying protocol. We exemplarily implement ENTRUST on top of MQTT, the de-facto standard for machine-to-machine communication, showing that ENTRUST can integrate seamlessly into existing publish/subscribe systems.
cyber-physical system security; publish-subscribe security; end-to-end security
internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2021/2021-dahlmanns-entrust.pdf
ACM
Proceedings of the 1st ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (SaT-CPS '21), co-located with the 11th ACM Conference on Data and Application Security and Privacy (CODASPY '21), April 26-28, 2021, Virtual Event, USA
Virtual Event, USA
ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
April 28, 2021
978-1-4503-8319-6/21/04
10.1145/3445969.3450423
1
Markus Dahlmanns
Jan Pennekamp
Ina Berenice Fink
Bernd Schoolmann
Klaus Wehrle
Martin Henze
inproceedings
2020-dahlmanns-imc-opcua
Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments
2020
10
27
101-110
Due to increasing digitalization, formerly isolated industrial networks, e.g., for factory and process automation, move closer and closer to the Internet, mandating secure communication. However, securely setting up OPC UA, the prime candidate for secure industrial communication, is challenging due to a large variety of insecure options. To study whether Internet-facing OPC UA appliances are configured securely, we actively scan the IPv4 address space for publicly reachable OPC UA systems and assess the security of their configurations. We observe problematic security configurations such as missing access control (on 24% of hosts), disabled security functionality (24%), or use of deprecated cryptographic primitives (25%) on in total 92% of the reachable deployments. Furthermore, we discover several hundred devices in multiple autonomous systems sharing the same security certificate, opening the door for impersonation attacks. Overall, in this paper, we highlight commonly found security misconfigurations and underline the importance of appropriate configuration for security-featuring protocols.
industrial communication; network security; security configuration
internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2020/2020-dahlmanns-imc-opcua.pdf
ACM
Proceedings of the Internet Measurement Conference (IMC '20), October 27-29, 2020, Pittsburgh, PA, USA
Pittsburgh, PA, USA
ACM Internet Measurement Conference 2020
October 27-29, 2020
978-1-4503-8138-3/20/10
10.1145/3419394.3423666
1
Markus Dahlmanns
Johannes Lohmöller
Ina Berenice Fink
Jan Pennekamp
Klaus Wehrle
Martin Henze
inproceedings
2020_roepert_opcua
Assessing the Security of OPC UA Deployments
2020
4
2
To address the increasing security demands of industrial deployments, OPC UA is one of the first industrial protocols explicitly designed with security in mind. However, deploying it securely requires a thorough configuration of a wide range of options. Thus, assessing the security of OPC UA deployments and their configuration is necessary to ensure secure operation, most importantly confidentiality and integrity of industrial processes. In this work, we present extensions to the popular Metasploit Framework to ease network-based security assessments of OPC UA deployments. To this end, we discuss methods to discover OPC UA servers, test their authentication, obtain their configuration, and check for vulnerabilities. Ultimately, our work enables operators to verify the (security) configuration of their systems and identify potential attack vectors.
internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2020/2020-roepert-opcua-security.pdf
en
University of Tübingen
Proceedings of the 1st ITG Workshop on IT Security (ITSec '20), April 2-3, 2020, Tübingen, Germany
Tübingen, Germany
April 2-3, 2020
10.15496/publikation-41813
1
Linus Roepert
Markus Dahlmanns
Ina Berenice Fink
Jan Pennekamp
Martin Henze
inproceedings
2019_wagner_dispute_resolution
Dispute Resolution for Smart Contract-based Two Party Protocols
2019
5
Blockchain systems promise to mediate interactions of mutually distrusting parties without a trusted third party. However, protocols with full smart contract-based security are either limited in functionality or complex, with high costs for secured interactions. This observation leads to the development of protocol-specific schemes to avoid costly dispute resolution in case all participants remain honest. In this paper, we introduce SmartJudge, an extensible generalization of this trend for smart contract-based two-party protocols. SmartJudge relies on a protocol-independent mediator smart contract that moderates two-party interactions and only consults protocol-specific verifier smart contracts in case of a dispute. This way, SmartJudge avoids verification costs in absence of disputes and sustains interaction confidentiality among honest parties. We implement verifier smart contracts for cross-blockchain trades and exchanging digital goods and show that SmartJudge can reduce costs by 46-50% and 22% over current state of the art, respectively.
Ethereum,Bitcoin,smart contracts,two-party protocols,dispute resolution,cross-blockchain trades
mynedata, impact-digital, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-wagner-dispute.pdf
IEEE
IEEE International Conference on Blockchain and Cryptocurrency 2019 (ICBC 2019)
Seoul, South Korea
IEEE International Conference on Blockchain and Cryptocurrency 2019
English
10.1109/BLOC.2019.8751312
1
Eric Wagner
Achim Völker
Frederik Fuhrmann
Roman Matzutt
Klaus Wehrle
inproceedings
2018-bader-ethereum-car-insurance
Smart Contract-based Car Insurance Policies
2018
12
9
mynedata, internet-of-production, rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-bader-ethereum-car-insurance.pdf
https://ieeexplore.ieee.org/document/8644136
IEEE
2018 IEEE Globecom Workshops (GC Wkshps)
Abu Dhabi, United Arab Emirates
1st International Workshop on Blockchain in IoT, co-located with IEEE Globecom 2018
2018-12-09
10.1109/GLOCOMW.2018.8644136
1
Lennart Bader
Jens Christoph Bürger
Roman Matzutt
Klaus Wehrle
article
2016-fgcs-ziegeldorf-bitcoin
Secure and anonymous decentralized Bitcoin mixing
Future Generation Computer Systems
2018
3
80
448-466
Pseudonymity, anonymity, and untraceability
rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-ziegeldorf-fgcs-bitcoin.pdf
Online
Elsevier
en
0167-739X
10.1016/j.future.2016.05.018
1
Jan Henrik Ziegeldorf
Roman Matzutt
Martin Henze
Fred Grossmann
Klaus Wehrle
article
2017-ziegeldorf-bmcmedgenomics-bloom
BLOOM: BLoom filter based Oblivious Outsourced Matchings
BMC Medical Genomics
2017
7
26
10
Suppl 2
29-42
Whole genome sequencing has become fast, accurate, and cheap, paving the way towards the large-scale collection and processing of human genome data. Unfortunately, this dawning genome era does not only promise tremendous advances in biomedical research but also causes unprecedented privacy risks for the many. Handling storage and processing of large genome datasets through cloud services greatly aggravates these concerns. Current research efforts thus investigate the use of strong cryptographic methods and protocols to implement privacy-preserving genomic computations. We propose FHE-Bloom and PHE-Bloom, two efficient approaches for genetic disease testing using homomorphically encrypted Bloom filters. Both approaches allow the data owner to securely outsource storage and computation to an untrusted cloud. FHE-Bloom is fully secure in the semi-honest model while PHE-Bloom slightly relaxes security guarantees in a trade-off for highly improved performance. We implement and evaluate both approaches on a large dataset of up to 50 patient genomes each with up to 1000000 variations (single nucleotide polymorphisms). For both implementations, overheads scale linearly in the number of patients and variations, while PHE-Bloom is faster by at least three orders of magnitude. For example, testing disease susceptibility of 50 patients with 100000 variations requires only a total of 308.31 s (σ=8.73 s) with our first approach and a mere 0.07 s (σ=0.00 s) with the second. We additionally discuss security guarantees of both approaches and their limitations as well as possible extensions towards more complex query types, e.g., fuzzy or range queries. Both approaches handle practical problem sizes efficiently and are easily parallelized to scale with the elastic resources available in the cloud. 
The fully homomorphic scheme, FHE-Bloom, realizes a comprehensive outsourcing to the cloud, while the partially homomorphic scheme, PHE-Bloom, trades a slight relaxation of security guarantees against performance improvements by at least three orders of magnitude.
Proceedings of the 5th iDASH Privacy and Security Workshop 2016
Secure outsourcing; Homomorphic encryption; Bloom filters
sscilops; mynedata; rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-ziegeldorf-bmcmedgenomics-bloom.pdf
Online
BioMed Central
Chicago, IL, USA
November 11, 2016
en
1755-8794
10.1186/s12920-017-0277-y
1
Jan Henrik Ziegeldorf
Jan Pennekamp
David Hellmanns
Felix Schwinger
Ike Kunze
Martin Henze
Jens Hiller
Roman Matzutt
Klaus Wehrle
inproceedings
2014-ziegeldorf-codaspy-coinparty
CoinParty: Secure Multi-Party Mixing of Bitcoins
2015
3
2
rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2015/2015-ziegeldorf-codaspy-coinparty.pdf
Online
ACM
The Fifth ACM Conference on Data and Application Security and Privacy (CODASPY 2015), San Antonio, TX, USA
San Antonio, TX, USA
The Fifth ACM Conference on Data and Application Security and Privacy (CODASPY 2015)
en
978-1-4503-3191-3
10.1145/2699026.2699100
1
Jan Henrik Ziegeldorf
Fred Grossmann
Martin Henze
Nicolas Inden
Klaus Wehrle
poster
2014-wisec-ziegeldorf-ipin
POSTER: Privacy-preserving Indoor Localization
2014
7
23
rfc
https://www.comsys.rwth-aachen.de/fileadmin/papers/2014/2014-ziegeldorf-poster-wisec.pdf
7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '14) (Poster)
en
10.13140/2.1.2847.4886
1
Jan Henrik Ziegeldorf
Nicolai Viol
Martin Henze
Klaus Wehrle