This file was created by the TYPO3 extension
bib
--- Timezone: CEST
Creation date: 2023-06-05
Creation time: 05-50-37
--- Number of references
15
inproceedings
2022_kus_ensemble
Poster: Ensemble Learning for Industrial Intrusion Detection
2022
12
8
RWTH-2022-10809
Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors.
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf
RWTH Aachen University
38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA
RWTH Aachen University
Austin, TX, USA
38th Annual Computer Security Applications Conference (ACSAC '22)
December 5-9, 2022
10.18154/RWTH-2022-10809
1
Dominik Kus
Konrad Wolsing
Jan Pennekamp
Eric Wagner
Martin Henze
Klaus Wehrle
inproceedings
2022-wolsing-ipal
IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems
2022
10
26
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL’s correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.
/fileadmin/papers/2022/2022-wolsing-ipal.pdf
Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022)
10.1145/3545948.3545968
1
Konrad Wolsing
Eric Wagner
Antoine Saillard
Martin Henze
inproceedings
2022-rechenberg-cim
Guiding Ship Navigators through the Heavy Seas of Cyberattacks
2022
10
Maritime Cybersecurity, Intrusion Detection System, Integrated Bridge System, IEC 61162-450, NMEA 0183
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-rechenberg-guiding.pdf
https://zenodo.org/record/7148794
Zenodo
European Workshop on Maritime Systems Resilience and Security (MARESEC 2022)
Bremerhaven, Germany
10.5281/zenodo.7148794
1
Merlin von Rechenberg
Nina Rößler
Mari Schmidt
Konrad Wolsing
Florian Motz
Michael Bergmann
Elmar Padilla
Jan Bauer
proceedings
2022-wolsing-radarsec
Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset
2022
9
IEEE
Edmonton, Canada
47th IEEE Conference on Local Computer Networks (LCN)
September 26-29, 2022
10.1109/LCN53696.2022.9843801
1
Konrad Wolsing
Antoine Saillard
Jan Bauer
Eric Wagner
Christian van Sloun
Ina Berenice Fink
Mari Schmidt
Klaus Wehrle
Martin Henze
proceedings
2022-wolsing-simple
Can Industrial Intrusion Detection Be SIMPLE?
2022
9
978-3-031-17143-7
574--594
Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.
https://www.martinhenze.de/wp-content/papercite-data/pdf/wts+22.pdf
Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi
Springer Nature Switzerland
Copenhagen, Denmark
27th European Symposium on Research in Computer Security (ESORICS)
September 26-30, 2022
10.1007/978-3-031-17143-7_28
1
Konrad Wolsing
Lea Thiemt
Christian van Sloun
Eric Wagner
Klaus Wehrle
Martin Henze
proceedings
2022-serror-cset
PowerDuck: A GOOSE Data Set of Cyberattacks in Substations
2022
8
8
5
data sets, network traffic, smart grid security, IDS
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-serror-cset-powerduck.pdf
ACM
New York, NY, USA
online
Virtual
Cyber Security Experimentation and Test Workshop (CSET 2022)
August 8, 2022
978-1-4503-9684-4/22/08
10.1145/3546096.3546102
1
Sven Zemanek
Immanuel Hacker
Konrad Wolsing
Eric Wagner
Martin Henze
Martin Serror
inproceedings
2022_kus_iids_generalizability
A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection
2022
5
30
73-84
Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 %. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 % and 14.7 % for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.
anomaly detection; machine learning; industrial control system
internet-of-production
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf
ACM
Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan
978-1-4503-9176-4/22/05
10.1145/3494107.3522773
1
Dominik Kus
Eric Wagner
Jan Pennekamp
Konrad Wolsing
Ina Berenice Fink
Markus Dahlmanns
Klaus Wehrle
Martin Henze
article
2022-wolsing-aistracks
Anomaly Detection in Maritime AIS Tracks: A Review of Recent Approaches
Journal of Marine Science and Engineering
2022
1
14
10
1
The automatic identification system (AIS) was introduced in the maritime domain to increase the safety of sea traffic. AIS messages are transmitted as broadcasts to nearby ships and contain, among others, information about the identification, position, speed, and course of the sending vessels. AIS can thus serve as a tool to avoid collisions and increase onboard situational awareness. In recent years, AIS has been utilized in more and more applications since it enables worldwide surveillance of virtually any larger vessel and has the potential to greatly support vessel traffic services and collision risk assessment. Anomalies in AIS tracks can indicate events that are relevant in terms of safety and also security. With a plethora of accessible AIS data nowadays, there is a growing need for the automatic detection of anomalous AIS data. In this paper, we survey 44 research articles on anomaly detection of maritime AIS tracks. We identify the tackled AIS anomaly types, assess their potential use cases, and closely examine the landscape of recent AIS anomaly research as well as their limitations.
automatic identification system; AIS; anomaly detection; maritime safety; maritime security; maritime surveillance
https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-aistracks.pdf
https://www.mdpi.com/2077-1312/10/1/112
en
10.3390/jmse10010112
1
Konrad Wolsing
Linus Roepert
Jan Bauer
Klaus Wehrle
inproceedings
2021-hemminghaus-sigmar
SIGMAR: Ensuring Integrity and Authenticity of Maritime Systems using Digital Signatures
2021
11
25
Distributed maritime bridge systems are customary standard equipment on today’s commercial shipping and cruising vessels. The exchange of nautical data, e.g., geographical positions, is usually implemented using multicast network communication without security measures, which poses serious risks to the authenticity and integrity of transmitted data. In this paper, we introduce digital SIGnatures for MARitime systems (SIGMAR), a low-cost solution to seamlessly retrofit authentication of nautical data based on asymmetric cryptography. Extending the existing IEC 61162-450 protocol makes it possible to build a backward-compatible authentication mechanism that prevents common cyber attacks. The development was successfully accompanied by permanent investigations in a bridge simulation environment, including a maritime cyber attack generator. We demonstrate SIGMAR’s feasibility by introducing a proof-of-concept implementation on low-cost and low-resource hardware and present a performance analysis of our approach.
Maritime Cyber Security;Authentication;Integrity;IEC 61162-450;NMEA 0183
IEEE
In Proceedings of the International Symposium on Networks, Computers and Communications (ISNCC)
Dubai, United Arab Emirates
International Symposium on Networks, Computers and Communications
31 Oct.-2 Nov. 2021
10.1109/ISNCC52172.2021.9615738
1
Christian Hemminghaus
Jan Bauer
Konrad Wolsing
inproceedings
2020-wolsing-facilitating
Poster: Facilitating Protocol-independent Industrial Intrusion Detection Systems
2020
11
9
Cyber-physical systems are increasingly threatened by sophisticated attackers, also attacking the physical aspect of systems. Supplementing protective measures, industrial intrusion detection systems promise to detect such attacks. However, due to industrial protocol diversity and lack of standard interfaces, great efforts are required to adapt these technologies to a large number of different protocols. To address this issue, we identify existing universally applicable intrusion detection approaches and propose a transcription for industrial protocols to realize protocol-independent semantic intrusion detection on top of different industrial protocols.
Intrusion Detection; IDS; Industrial Protocols; CPS; IEC-60870-5-104; Modbus; NMEA 0183
https://www.comsys.rwth-aachen.de/fileadmin/papers/2020/2020-wolsing-facilitating.pdf
ACM
New York, NY, USA
Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS ’20), November 9–13, 2020, Virtual Event, USA.
Virtual Event, USA
November 9-13, 2020
10.1145/3372297.3420019
1
Konrad Wolsing
Eric Wagner
Martin Henze
inproceedings
2019-rueth-quic-userstudy
Perceiving QUIC: Do Users Notice or Even Care?
2019
12
maki,reflexes
https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-rueth-quic-userstudy.pdf
https://arxiv.org/abs/1910.07729
ACM
In Proceedings of the 15th International Conference on emerging Networking EXperiments and Technologies (CoNEXT '19)
Orlando, Florida, USA
International Conference on emerging Networking EXperiments and Technologies
9.12.2019-12.12.2019
10.1145/3359989.3365416
1
Jan Rüth
Konrad Wolsing
Klaus Wehrle
Oliver Hohlfeld
inproceedings
2019-wolsing-quicperf
A Performance Perspective on Web Optimized Protocol Stacks: TCP+TLS+HTTP/2 vs. QUIC
2019
7
22
maki,reflexes
https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-wolsing-quicperf.pdf
https://arxiv.org/abs/1906.07415
ACM
In Proceedings of the Applied Networking Research Workshop (ANRW '19)
Montreal, Quebec, Canada
Applied Networking Research Workshop at IETF-105
2019-07-22
10.1145/3340301.3341123
1
Konrad Wolsing
Jan Rüth
Klaus Wehrle
Oliver Hohlfeld
techreport
2019-rueth-blitzstart
Blitz-starting QUIC Connections
2019
5
8
arXiv:1905.03144 [cs.NI]
1--8
https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-rueth-blitzstart.pdf
https://arxiv.org/abs/1905.03144
Online
COMSYS, RWTH Aachen University
Ahornstr. 55, 52074 Aachen, Germany
COMSYS, RWTH Aachen University
Technical Report
en
Jan Rüth
Konrad Wolsing
Martin Serror
Klaus Wehrle
Oliver Hohlfeld
inproceedings
2018-rueth-mining
Digging into Browser-based Crypto Mining
2018
10
31
maki,internet-measurements
http://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-rueth-mining.pdf
https://arxiv.org/abs/1808.00811
ACM
Proceedings of the Internet Measurement Conference (IMC '18)
Boston, US
Internet Measurement Conference 2018
31.10.18 - 2.11.18
en
10.1145/3278532.3278539
1
Jan Rüth
Torsten Zimmermann
Konrad Wolsing
Oliver Hohlfeld
inproceedings
2018-tzimmermann-metacdn
Characterizing a Meta-CDN
2018
3
26
114-128
maki
https://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-hohlfeld-metacdn.pdf
https://arxiv.org/abs/1803.09990
Springer, Cham
In Proceedings of the Passive and Active Measurement Conference (PAM '18)
Berlin, Germany
Passive and Active Measurement Conference (PAM 2018)
26.3.2018 - 27.3.2018
en
978-3-319-76480-1
10.1007/978-3-319-76481-8_9
1
Oliver Hohlfeld
Jan Rüth
Konrad Wolsing
Torsten Zimmermann