This document provides an overview of communications monitoring within the CITADEL framework. It discusses various monitoring methods including signature-based monitoring, white-box anomaly detection, and association rules. Signature-based monitoring specifies known malicious situations as signatures to detect. White-box anomaly detection learns a model of normal communications and flags deviations as anomalous. The document also describes how monitoring interacts with the specification and other CITADEL planes.
The document discusses the Adaptive MILS Evidential Tool Bus (AM-ETB) which is used to create and maintain certification evidence for adaptive MILS systems. The AM-ETB uses assurance case patterns to develop modular assurance cases. It coordinates the execution of verification tools to generate evidence and update assurance cases. The AM-ETB implementation includes a pattern repository, evidence repository, workflow engine, tool agents, and assurance case repository.
This material provides a description of assurance cases, a key element in CITADEL System Assurance and Certification. It also includes a set of assurance case argument patterns that can be used to develop these assurance cases. The assurance case patterns are instantiated using AM-ETB and the system model in the CITADEL modeling language. As regards the evaluation of Adaptive MILS assurance cases, this involves analysis of the soundness of the assurance case, the integrity of the evidence supporting the claims made in the assurance case, and the certification of the Adaptive MILS system.
CITADEL configuration and reconfiguration synthesis (Ramón González Ruiz)
This material provides a thorough presentation of the CITADEL Reconfiguration Plane, hereafter denoted XP, from high-level design to low-level implementation and deployment on the CITADEL platform.
This material provides guidelines in the form of a presentation of the Context Awareness component of the Adaptation Plane.
The Context Awareness is a component which implements a mechanism to identify the current context under which the CITADEL framework as well as an application is used/operated.
To identify the current context, the Context Awareness will use run-time data provided by the Monitoring Plane as input on one hand and a pre-defined context model on the other hand.
This document provides an overview of state monitoring in the context of the CITADEL project. It discusses the monitoring plane and how it is used to monitor components in the operational plane and resources in the foundational plane. It also describes how the Kaspersky Security System can be used for state monitoring by specifying monitoring policies and integrating them with the system modeling framework. The document outlines different sources of monitoring data and policies and how a layered implementation approach separates concerns between the monitoring, operational, and foundational planes.
This document discusses software modeling and verification using formal methods. It provides an introduction to formal methods, their motivation and applications. It then discusses the role of formal methods in the CITADEL project, including modeling dynamic architectures, specification of monitors and properties, verification, monitor synthesis, adaptation and assurance case generation. Key aspects of modeling dynamic architectures in CITADEL are parametrized architecture modeling, dynamic architecture modeling, specification of monitors and properties.
This document describes the modeling, testing, and verification of system models which are used by the MILS Adaptation System. Several example models are provided in this document, with one of them developed in a step-by-step manner. Video demonstrations which accompany this document demonstrate the use of supporting tools.
Key elements
Dynamic Distributed MILS platform
Dynamic MILS platform with deterministic networking
Mechanisms for dynamic reconfiguration and configuration introspection
Declarative dynamic architecture modeling and verification
Language to describe reconfigurable systems architecture, component models, failure models and fault propagation
Theory and framework for dynamic reconfiguration
Theory and framework for adaptation
Language to express critical properties to be verified
Compositional verification framework
Monitoring, Adaptation, Configuration, & Certification Assurance Planes
Assurance-based security evaluation methodology and runtime mechanisms for just-in-time certification of adaptive systems
This document discusses configuring communications monitoring by implementing features and signatures from network traffic and learning a white-box model. It describes extracting feature values from packet fields using Python expressions and gathering them in a feature file. Signatures are defined as Python boolean expressions mapped to alert IDs. A white-box model is learned from a training set and stored in a histograms file, which can be tuned by adjusting likelihood values and bins. The steps are demonstrated on a bottle filling plant use case monitoring Modbus traffic.
This training module overviews the role, interfaces, structure and functionality of the Adaptation Plane, and explains how to start the components which comprise the Adaptation Plane. The module focuses on the information necessary to understand the start-up and operation of the Adaptation Plane, which is needed in order to deploy the Adaptation Plane as part of the CITADEL Platform.
This document discusses the configuration of a state monitoring module. It describes generating monitors for components, sensors for input ports, and converting monitoring properties into policies. The document also outlines the monitoring library generator, generic and CITADEL APIs, supported SLIM types and operators, and examples of initialization and monitoring loops.
Software engineering in industrial automation: state-of-the-art review (Tiago Oliveira)
This document summarizes recent developments in software engineering for industrial automation systems. It discusses how software is becoming increasingly important and complex in industrial automation, representing 40% of system costs in some cases. The document reviews key areas of software engineering as they relate to industrial automation, including requirements, design, construction, testing, maintenance, and standards/norms. It provides an overview of typical automation system architectures and software functions.
Towards predictive maintenance for marine sector in Malaysia (Conference Papers)
This research uses machine learning on sensor data from ships to predict failures of components and their remaining useful life. Interviews with marine experts identified significant maintenance items to prioritize for ship supply chains. The results were analyzed to provide recommendations to a government company on implementing predictive analytics and supply chain strategies for ship maintenance in Malaysia.
Transformation of Simulink models to IEC 61499 function blocks for verificati... (Tiago Oliveira)
This document discusses a new approach to transform Simulink models into IEC 61499 Function Block models. This transformation allows Simulink models to be used for verification of distributed control systems specified using IEC 61499. The transformation is achieved by formally defining the syntax and semantics of both Simulink and IEC 61499 Function Blocks, and establishing a mapping between the two. This enables closed-loop simulation of plant and controller models to validate distributed control systems designs.
Fault tolerance is an important issue in the field of cloud computing; it is concerned with the techniques or mechanisms needed to enable a system to tolerate the faults it may encounter during its operation. Fault tolerance policies can be categorized into three categories: proactive, reactive and adaptive. By providing a systematic solution, the loss can be minimized and the availability and reliability of critical services guaranteed. The purpose and scope of this study is to recommend Support Vector Machine, a supervised machine learning algorithm, to proactively monitor for faults so as to increase availability and reliability by combining the strength of a machine learning algorithm with cloud computing.
A SIMULATION APPROACH TO PREDICATE THE RELIABILITY OF A PERVASIVE SOFTWARE SY... (Osama M. Khaled)
This document discusses simulating a pervasive software system to predict its reliability. It begins by introducing pervasive computing and its importance. It then describes the reference architecture model, which includes a smart environment conceptual model, smart object model, and pervasive system architecture model. The document outlines the simulation approach, including scenarios, specifications of simulation entities, assumptions, and extreme assumptions. The simulation aims to predict reliability and availability under different scenarios and control variable values. Key metrics like MTBF and MTTR will be measured to calculate reliability and availability.
This software guide describes Overbeck Analitica’s PAM (Predictive Asset Management) solution components. PAM models asset performance at the individual asset (equipment) level for short-term operational maintenance planning and long-term strategic economic planning. It consists of a set of distinct software components and is written using IBM Statistics.
Crosscutting Specification Interference Detection at Aspect Oriented UML-Base... (IJERA Editor)
This document describes an algorithm called ACDA (Aspect Conflict Detection Algorithm) that detects conflicts among crosscutting specifications in aspect-oriented design models. ACDA uses a relational database schema to map relationships in an aspect-oriented UML-based model. It then extracts potentially interfering pointcuts by running an algorithm over this database. The algorithm checks if two or more pointcuts match in terms of advice, method signature, and parameters to detect conflicts. Pseudo code and SQL statements demonstrate the logic of ACDA, which detects conflicts at the design stage to simplify resolution compared to detection at the code or runtime levels.
Model Driven Architecture and eXecutable UML (elliando dias)
The document discusses Model Driven Architecture (MDA) and how executable UML models can support MDA. Key points include:
- MDA uses three primary model viewpoints: computation independent, platform independent, and platform specific models.
- Executable UML models can be used to validate platform independent models by executing acceptance tests on them.
- Model transformations allow automated mappings between models and generation of platform specific models.
Proactive cloud service assurance framework for fault remediation in cloud en... (IJECEIAES)
Cloud resiliency is an important issue in the successful implementation of cloud computing systems. Handling cloud faults proactively, with a suitable remediation technique having minimum cost, is an important requirement for a fault management system. The selection of the best applicable remediation technique is a decision-making problem and considers parameters such as i) impact of the remediation technique, ii) overhead of the remediation technique, iii) severity of the fault and iv) priority of the application. This manuscript proposes an analytical model to measure the effectiveness of a remediation technique for various categories of faults; further, it demonstrates the implementation of an efficient fault remediation system using a rule-based expert system. The expert system is designed to compute a utility value for each remediation technique in a novel way and select the best remediation technique from its knowledge base. A prototype is developed for experimentation purposes, and the results show improved availability with less overhead as compared to a reactive fault management system.
Securing the Future: Safeguarding 5G Networks with Advanced Security Solutions... (SecurityGen1)
With the advent of 5G technology, the complexity of network security has increased exponentially. To address this challenge, specialized 5G security services have emerged to provide tailored solutions to protect your network infrastructure. These services encompass a range of offerings, including threat intelligence, risk assessment, firewall management, intrusion detection, and incident response. 5G security services go beyond traditional security measures, taking into account the unique characteristics of 5G networks such as virtualization, network slicing, and edge computing.
Elevate Safety with Security Gen: Unraveling the Power of Signaling Security (SecurityGen1)
The document provides security practices and protocols for protecting 5G networks against threat vectors. It discusses business and organizational challenges, including aligning security with business objectives. It also covers technical considerations like threats specific to 5G architectures and reusing older technologies in 5G. General recommendations include taking a holistic inspection, detection and protection approach to securing networks.
SecurityGen's Pioneering Approach to 5G Security Services (SecurityGen1)
SecurityGen takes a pioneering stance in the realm of 5G security, offering services that redefine the standards of digital protection. Our user-friendly solutions are meticulously crafted to address the unique challenges posed by the 5G landscape. SecurityGen's 5G Security Services encompass real-time threat monitoring, encryption protocols, and adaptive defense mechanisms to keep your network secure in the face of sophisticated cyber threats. By choosing SecurityGen, businesses can embark on their 5G journey with peace of mind, knowing that they have a reliable partner dedicated to staying ahead of the curve in cybersecurity.
Protecting Your Text Messages: SecurityGen's SMS Fraud Detection Solutions (SecurityGen1)
In a world where communication via text messages is integral to our daily lives, SMS fraud has become a growing concern. That's where SecurityGen comes into play. Our state-of-the-art SMS fraud detection technology is designed to safeguard your mobile communications. Using advanced algorithms and real-time analysis, SecurityGen's solution identifies and blocks fraudulent SMS messages, protecting you from phishing scams, malware, and other security threats.
IRJET - Secure Scheme For Cloud-Based Multimedia Content Storage (IRJET Journal)
This document proposes a secure scheme for cloud-based multimedia content storage. It has two novel components: (1) a method to create signatures for 3D videos that captures depth signals efficiently, and (2) a distributed matching engine for multimedia objects that achieves high scalability. The system was implemented and deployed on Amazon and private clouds. Experiments on over 11,000 3D videos and 1 million images showed the system accurately detects over 98% of copies, outperforming YouTube's protection system which fails to detect most 3D video copies. The system provides cost-efficient, scalable multimedia content protection leveraging cloud infrastructure.
Autonomous Platform with AIML Document Intelligence Capabilities to Handle Se... (IRJET Journal)
The document discusses how artificial intelligence and machine learning (AIML) capabilities can be used to develop an automated platform to handle sensitive business information during mergers and acquisitions. It proposes using AIML for tasks like identifying and redacting personally identifiable information from documents, determining the context of keywords in long documents, and separating signature blocks from email bodies. The platform would allow small and medium enterprises to benefit from these AIML capabilities at a lower cost than using cloud APIs directly.
The document discusses network infrastructure vulnerabilities and network security concepts. It notes that security services are an integral part of network design and assessing vulnerabilities is important for network planning. Some common network infrastructure vulnerabilities that will be covered include unauthorized access, denial of service attacks, and data interception. Network security concepts like authentication, authorization, confidentiality and integrity will also be analyzed.
This document discusses how conventional cybersecurity approaches like firewalls and SIEM tools monitor for potential threats but do not understand business logic or operations within internal systems. It introduces the concept of monitoring message buses that facilitate internal communications, and using business logic monitoring to detect anomalies or deviations from expected operations that could indicate issues like attacks, defects, or errors. This monitoring of effects within systems is presented as more efficient than monitoring for specific causes or threats.
Managing enterprise networks with Cisco Prime Infrastructure, 1 of 2 (Abdullaziz Tagawy)
Network Management is defined as monitoring, testing, configuring, and troubleshooting network components to meet a set of requirements defined by an organization.
The requirements include the smooth, efficient operation of the network that provides the predefined quality of service for users.
To accomplish this task, a network management system uses hardware, software, and humans.
Topics covered in this presentation:
What is an embedded system?
What are MISRA C rules?
MISRA C conformance and deviations
Tools for MISRA C conformance
Embedded Security Rules
To accomplish this task, a network management system uses hardware, software, and humans.
Topics covered in this presentation:
What is an Embedded system ?
What are MISRA C rules ?
MISRA C conformance and deviations
Tools for MISRA C conformance
Embedded Security Rules
Properly designing and managing a computer network is a difficult task that requires planning, analysis, capacity planning, and skills to keep up with changing technology. Network design follows a systematic process called the Systems Development Life Cycle (SDLC) which includes planning, analysis, design, implementation, and maintenance phases. Network models and diagrams are created to demonstrate the current and planned network configuration. Capacity planning determines necessary network bandwidth by analyzing current usage and projecting future needs. Baseline studies measure current network performance to determine future capacity requirements.
IRJET- Smart Mobile Attendance System using Bluetooth TechnologyIRJET Journal
This document proposes a smart mobile attendance system using Bluetooth technology. It aims to simplify and streamline the attendance monitoring process. The system uses Bluetooth on mobile phones and an app to mark attendance and track employees within a company premises. It identifies Bluetooth and databases as tools to efficiently store and retrieve employee and student records for evaluation purposes. The proposed framework generates a one-time password for added security and prevents proxy attendance. It discusses using this system for university student attendance, making the process quicker, more secure, and fully digital while eliminating forgery risks compared to traditional manual attendance marking.
This document discusses integrating webhook support into alert policies for an alert notification system. It begins by introducing alert notifications and their importance for cybersecurity. Webhooks allow applications to automatically send notifications when events occur. The proposed system would allow alert policies to be integrated with webhooks, sending warning messages via email or webhook notifications. Benefits of this approach include customizable messages, automated alerting and responses, simple integration, monitoring and reliability. The methodology describes configuring alert policies with webhook profiles containing URLs and payloads. When alerts trigger, notifications can be sent to webhooks or administrators by email. This provides a way for systems to automatically communicate about security issues. Future work could include categorizing webhook profiles and adding validation and filtering of messages.
IRJET- Machine Learning Processing for Intrusion DetectionIRJET Journal
This document evaluates different machine learning algorithms for network intrusion detection using the KDD dataset. It analyzes the accuracy of logistic regression, naive bayes, support vector machine, K-nearest neighbor, and decision tree classifiers based on their confusion matrices and receiver operating characteristic curves. The results show that the decision tree algorithm achieved the highest accuracy rate of 99.83% on the KDD dataset for intrusion detection.
IoT ( M2M) - Big Data - Analytics: Emulation and DemonstrationCHAKER ALLAOUI
The document discusses Internet of Things (IoT) concepts including emulation and demonstration of IoT platforms, architectures, and technologies. It provides examples of using sensors, MQTT brokers, Node-Red, and IBM IoT platforms to collect, transmit, and analyze IoT data from devices. Sections include presentations on IoT history and monitoring, as well as emulations of Philips Hue lighting and sensors to demonstrate IoT data collection and control capabilities.
An Efficient Framework for Detection & Classification of IoT BotNet.pptxSandeep Maurya
The Internet of Things (IoT) has become an integral requirement to equip common life. According to IDC, the number of IoT devices may increase exponentially up to a trillion in near future. Thus, their cyberspace having inherent vulnerabilities leads to various possible serious cyber-attacks. So, the security of IoT systems becomes the prime concern for its consumers and businesses. Therefore, to enhance the reliability of IoT security systems, a better and real-time approach is required. For this purpose, the creation of a real-time dataset is essential for IoT traffic analysis. In this paper, the experimental testbed has been devised for the generation of a real-time dataset using the IoT botnet traffic in which each of the bots consists of several possible attacks. Besides, an extensive comparative study of the proposed dataset and existing datasets are done using popular Machine Learning (ML) techniques to show its relevance in the real-time scenario.
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)Enrique Martin
In this document we propose the ICS Network blueprinting as the method to get the highest availability and security awareness for our critical control assets. (SCADA, PLC, RTU, IED, etc)
ATM fraud detection system using machine learning algorithmsIRJET Journal
This document presents a machine learning-based system for detecting ATM fraud. It examines current types of ATM fraud and proposes using machine learning algorithms to build a detection system. The study evaluates supervised, unsupervised and semi-supervised machine learning approaches for this task. It specifically explores hidden Markov models, support vector machines and decision trees for fraud detection. The document outlines the methodology, including data collection, model training and testing. Charts and figures show sample outputs from the system, including detected fraud over time. The system is found to effectively detect fraud while minimizing false positives. Machine learning is concluded to be well-suited for ATM fraud detection.
This document discusses the concepts and implementation of a Security Operations Center (SOC). It defines the key modules of a SOC as: event generators (E boxes), event collectors (C boxes), message databases (D boxes), analysis engines (A boxes), and reaction management software (R boxes).
The document outlines the challenges with each module, such as performance issues with event collection and ensuring availability of the database. It then proposes a global architecture with these modules, detailing how the knowledge base (K boxes) would store information on systems, vulnerabilities, and security policies to aid analysis. Event filtering strategies are also discussed to balance exhaustiveness of logs with performance.
[White paper] detecting problems in industrial networks though continuous mon...TI Safe
Automation networks offer a range of real-time applications and data, making necessary the continuous monitoring of the quality of services. The parameters of QoS (Quality of Service) seek to address priorities, bandwidth allocation and network latency control. There are several QoS parameters to characterize a computer network, and that can be used for monitoring purposes.
Each SCADA network, in a healthy state, presents a specific QoS which rarely changes given the repetitive process of the IACS operations. The continuous monitoring of QoS parameters of an automation network may anticipate problems such as malware contamination and equipment failures like switches and routers. It is very important to be aware of these changes in behavior in order to receive alerts and promptly handle them, avoiding incidents that could compromise the operation of the network and be financially or environmentally costly.
In addition to the monitoring of network traffic, it is also necessary to monitor resource consumption of critical servers, such as the processing (CPU), memory, storage capacity and hard disk failures, among others.
This work aims to establish a method by which SCADA security professionals can differentiate and qualify any problems that may be occurring through continuous monitoring of the automation network performance parameters giving a more behavioral approach than current signature-based ones.
We presented a series of tests conducted in our laboratories in order to measure the performance of a simulated automation network parameters using a small SCADA network sandbox. First we measured the normal operating parameters of the network and reap its main graphics obtained with the proper tools. In a second step we practiced several attacks against the simulated automation network. During all attacks we collected the operating parameters of the network and its main graphics.
At the conclusion of the work we compared the graphs of the network in healthy state with the graphs of the network with the security incidents described above. We detailed how the network parameters were affected by each kind of incident and built a table showing the way the main parameters of an automation network were affected by the attacks
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...IJECEIAES
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to
precisely delineate tumor boundaries from magnetic resonance imaging (MRI)
scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating
the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The
model is rigorously trained and evaluated, exhibiting remarkable performance
metrics, including an impressive global accuracy of 99.286%, a high-class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted
IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of
our proposed model. These findings underscore the model’s competence in precise brain tumor localization, underscoring its potential to revolutionize medical
image analysis and enhance healthcare outcomes. This research paves the way
for future exploration and optimization of advanced CNN models in medical
imaging, emphasizing addressing false positives and resource efficiency.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELgerogepatton
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Sinan KOZAK
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
2. Prerequisites
Other material and knowledge
Basic knowledge of the CITADEL framework
● Only very briefly recalled here.
Knowledge of CITADEL Modeling, Specifications and Verification Tools for
Related material
This module covers communications monitoring theory; [9] provides instructions on how to configure and use the code. Examples are included with the code.
[1, sec 3] documents the communications monitoring component.
[2] provides more details on association rules.
TU/e Training – Advanced Technical Module Communication Monitoring 2
3. Content
Overview of communications monitoring
Basics of intrusion detection
Communications monitoring in CITADEL
Communication monitoring methods
● `signature’-based monitoring
● white-box anomaly detection
● association rules
Monitoring and Specification interaction
● specifying predicates to be learned
4. Intrusion detection basics
Distinguish `legitimate’ from `malicious’ cases.
Classification is not perfect; one will need to make a trade-off between detection rate and false positive rate.
False positive rate: % of legitimate traffic marked as attack
Detection rate: % of malicious traffic marked as attack
Two categories of approaches:
Black listing
● Specify known malicious cases to be prevented
White listing
● Specify allowed `good’ situations.
But `lists’ do not cover all cases, leading to
● false negatives for black listing (new, unknown attacks)
● false positives for white listing (unseen legitimate behaviour).

Traffic       Flagged as normal   Flagged as attack
legitimate    True negative       False positive
malicious     False negative      True positive (detection)
6. CITADEL Planes interaction
Monitoring Plane gathers & evaluates information from the Operational Plane and, when needed, alerts the Adaptation Plane.
Overview of the CITADEL planes [8]
7. From model to monitoring
Different monitors may be configured for different (types of) interfaces used for different (types of) applications.
Model specifies interfaces (part of the architecture).
Analysis of the model determines which need to be monitored (monitor synthesis).
Model may be useful in the creation of monitors as well (discussed more below).
Configuration plane activates the required monitoring.
Monitoring may trigger alerts leading to adaptation of the system (adaptation plane).
8. Monitoring communication
Monitor extracts and analyses message features.
Processes use network interfaces to talk to other processes.
Traffic on monitored interface(s) is also sent to the monitor.
[Figure: Process A and Process B communicate; the Monitor receives the raw data, and a parser turns it into message features.]
10. Basics of monitoring: Features
Features capture specific aspects of messages.
Connection aspects, e.g.: sender, receiver, the ports they use, timestamp, ...
but also content based, e.g. HTTP response code, function code, setpoint, etc.
● Different protocols will have different content that can be extracted.
or even composite (metadata), e.g. `connection’, which captures both sender and receiver and their ports.
Analysis considers tuples of feature values(*), i.e. all relevant information is captured by features.
(*) Feature value: the value (e.g. 192.168.0.1) a feature (e.g. source-ip) takes.
11. Analysis: What to look for and how
Monitors look for indicators of compromise, risks or problems in the system by finding specific situations (blacklisting) or deviations from the norm (whitelisting). We consider:
`signature’-based(*) monitoring (blacklisting)
white-box anomaly detection (whitelisting)
association rules (constraints; whitelisting)
(*) Here we use the term `signature’ for a quite general form of rule-based blacklisting. Other literature may use a much more specific notion of signature.
13. `Signature’-based monitoring
If we know the `bad situation’ we are looking for (be it an attack, failure, etc.) we can try to capture it in a signature.
Simply specify which combination of feature values indicates the situation.
A signature can be quite specific, capturing exactly the situation we want to detect.
This can combine a high likelihood of detecting the situation with a low chance of false positives.
Below we show a simple signature and how it can be used within the CITADEL framework.
14. `Signature’-based scenario
`Balancer’ B can be configured to use one of two servers (S1, S2). Currently using S1.
If the configured server fails, B will send out an internal server error response: an HTTP 500 message.
If this happens, B should be reconfigured to use S2 instead.
[Figure: balancer B emitting a 500 response.]
15. `Signature’-based scenario
The CITADEL communications monitoring component monitors the outgoing connection of balancer B.
The monitor uses a rule:
If response_code == ‘500’ then ALARM_8080
If the message response code is `500’ then raise an alert called `ALARM_8080’.
[Figure: the CITADEL monitor observing the 500 response sent by B.]
16. `Signature’-based scenario
Alert id `ALARM_8080’ is defined in the system model so the adaptation plane recognizes it.
Adaptation handles the alarm by instructing the configuration plane to switch to a configuration where B uses S2 instead. (See those planes and [7] for more information on these steps.)
[Figure: the CITADEL monitor raising ALARM_8080 on the 500 response sent by B.]
17. `Signatures’ in general
We have seen a signature using a condition to trigger an alert; a signature rule consists of:
a condition, which is a boolean expression on features, e.g.
● response_code == 500
● setpoint1 < 5 OR setpoint1 > 10
an alert identifier, which is a string (its meaning is given by the system model), e.g.
● ALARM_8080
● SetpointOutOfRange
Note how signature rules may use any of the features that we have defined, including those about the content of the communication, making them quite versatile.
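As an added illustration of the rule format above (constructed example code, not the CITADEL monitoring component's own implementation), the following Python sketch parses captured messages into feature values, including the composite `connection’ feature from slide 10, and evaluates signature rules of the form "condition plus alert identifier" over them. The capture-line format, the parser, the `when` helper and the sample traffic are assumptions; the two rules are the ones shown on this slide. A rule whose feature is absent from a message (a different protocol on the same interface) is simply false rather than an error, which is the check a monitor on a mixed interface needs.

```python
"""Added example (not the CITADEL component's code): a minimal `signature'-based
monitor in the style of the balancer scenario. The capture-line format, the
parser and the rule encoding are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Features = Dict[str, object]

# Assumed capture-line format (one message per line):
#   SRC_IP:SRC_PORT -> DST_IP:DST_PORT @UNIX_TS BODY
LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) @(\d+) (.*)$")


def parse_message(raw: str) -> Features:
    """Turn one raw capture line into a tuple of feature values (as a dict)."""
    m = LINE_RE.match(raw)
    if not m:
        raise ValueError(f"unparseable capture line: {raw!r}")
    src, sport, dst, dport, ts, body = m.groups()
    features: Features = {
        # connection aspects
        "source_ip": src, "source_port": int(sport),
        "dest_ip": dst, "dest_port": int(dport), "timestamp": int(ts),
        # composite (metadata) feature: both endpoints and their ports
        "connection": (src, int(sport), dst, int(dport)),
    }
    # content-based features; which ones exist depends on the protocol
    http = re.match(r"HTTP/\d\.\d (\d{3})", body)
    if http:
        features["response_code"] = int(http.group(1))
    setpoint = re.match(r"setpoint1=(-?\d+(?:\.\d+)?)$", body)
    if setpoint:
        features["setpoint1"] = float(setpoint.group(1))
    return features


@dataclass(frozen=True)
class Signature:
    condition: Callable[[Features], bool]  # boolean expression on features
    alert_id: str                          # meaning is given by the system model


def when(feature: str, predicate: Callable[[object], bool]) -> Callable[[Features], bool]:
    """Condition on one feature that is simply false when the feature is absent
    (e.g. a message of another protocol) instead of raising an error."""
    return lambda f: feature in f and predicate(f[feature])


SIGNATURES: List[Signature] = [
    Signature(when("response_code", lambda v: v == 500), "ALARM_8080"),
    Signature(when("setpoint1", lambda v: v < 5 or v > 10), "SetpointOutOfRange"),
]


def evaluate(features: Features, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Alert identifiers of all signatures whose condition holds for this message."""
    return [s.alert_id for s in signatures if s.condition(features)]


def monitor(lines: List[str], signatures: List[Signature] = SIGNATURES) -> List[Tuple[str, tuple]]:
    """Run every captured message through the rules; report (alert, connection)."""
    alerts = []
    for raw in lines:
        features = parse_message(raw)
        for alert_id in evaluate(features, signatures):
            alerts.append((alert_id, features["connection"]))
    return alerts


# Constructed sample traffic: balancer B (10.0.0.1:8080) answering clients,
# plus a separate setpoint channel on the same monitored interface.
SAMPLE_TRAFFIC = [
    "10.0.0.1:8080 -> 10.0.0.5:51234 @1700000000 HTTP/1.1 200 OK",
    "10.0.0.1:8080 -> 10.0.0.5:51235 @1700000001 HTTP/1.1 500 Internal Server Error",
    "10.0.0.7:40001 -> 10.0.0.9:502 @1700000002 setpoint1=7.5",
    "10.0.0.7:40001 -> 10.0.0.9:502 @1700000003 setpoint1=12.5",
]
```

Running `monitor(SAMPLE_TRAFFIC)` yields one ALARM_8080 for the 500 response and one SetpointOutOfRange for the 12.5 setpoint, each with the connection it was seen on, which is what the adaptation plane needs to act on the alert.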
19. Anomaly detection
Signatures work well if you know what you are looking for, but typically not all attacks/failures will be known.
Monitor for anomalous behaviour that can indicate attacks/problems.
Need to distinguish between `normal’ and `anomalous’ traffic.
Learn a model of normal traffic from training data.
Whitelisting; any deviation from the normal model is seen as anomalous.
White-box: informative features & understandable model.
20. Feature binning
Some features with useful information may not be directly suitable for learning.
Consider for example a timestamp. Trying to learn the exact millisecond something happens is not meaningful. However, it may be interesting whether it is during the day or the night.
Binning allows learning the useful part of such features.
● Needed for features that can take many different values (e.g. large numbers, floating point), though it can be used on any feature.
● The domain of values is divided into sets called bins.
● The feature is assigned the bin it falls into, rather than the exact value taken.
Examples:
Ranges for potentially large numbers, such as the size of a message
● bins could be: 0-499 bits, 500-999 bits, etc.
There are many ways to bin a timestamp, e.g.
● ranges like: in which hour does it fall, or which part of the day; morning/afternoon/evening/night,
● which day is it on; mo-tue-...-su, or weekday vs weekend.
● What makes most sense depends on the application.
21. Learning based scenario
In this scenario (inspired by [4]) we consider messages that contain requests sent to a database.
Examples of features:
time of access, source
query content
● command (e.g. select, update, delete)
● which tables & fields
● response content (e.g. #records retrieved)
● combinations of the above.
[Figure: the monitor observing requests sent to the database.]
22. Learning based scenario
Bob from accounting needs access to the database for his job, but we do not know beforehand how that translates exactly into the requests he makes.
Learn his profile by monitoring normal behaviour for some time (training; learning a model).
Histograms capture behaviour per feature.
For many anomaly-based approaches, the models and alerts are not very informative (`black box’).
Here models (and alerts, as we will see below) are easy to interpret; `white box’.
23. Thresholds and model tuning
After learning normal behaviour, one needs to set which values (bins) are considered normal and which are anomalous.
The easiest way is to set a single threshold; anything that is less likely than the threshold is seen as anomalous.
The figure shows the effect of setting (an extremely high) threshold of 26%.
● Insert and delete commands and access to column age are seen as normal.
24. Thresholds and model tuning
In addition to a default threshold one can set a threshold per feature.
The figure shows that a threshold of 10% will still leave delete as `anomalous’.
We can also tweak the model itself:
● If we know this value is ok, we can tweak the model to specifically set it to normal.
● Similarly we can mark values as anomalous even when encountered in the training.
(Further) tweaking may occur upon a detection:
● Upon false positives, mark values as normal, tweak thresholds and/or use a sliding window (discussed below).
● Upon true positives, one may set a custom alert and update the system model (more below).
Being `white box’ makes such tweaking possible.
25. Alerts on deviations
Alerts are raised when observed queries do not fit with learned behaviour; a feature value has a likelihood lower than the threshold.
Alerts indicate why the query is strange: which features cause the alert.
The alert below shows Sally accessing unusual data at a strange time.
26. Context can matter
Bob may need to change the value of days_off
● update is a normal value on feature command
Bob may need to read the content of name
● name is a normal value for feature column_set
However, normally he would not change the name.
● The combination update and name is not normal
The model above cannot detect this; update and name by themselves are normal.
Combined feature command-column_set can detect this
● Consider such composite features if features are correlated
● Association rules below give another way to specify relationships between features.
Having the right features is essential for effective white-box anomaly detection, see also [5],[6]
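The following added example (constructed for this module; it is neither CITADEL code nor the implementation from [4]) brings slides 20 to 26 together in Python: requests are mapped to binned features, per-feature histograms are learned from Bob's training traffic, a default and a per-feature threshold decide which values are normal, values can be marked normal or anomalous by hand, alerts name the features that caused them, and a composite command-column_set feature catches Bob updating name even though update and name are each normal on their own. The request format, the bins, the training traffic, Sally's request and the thresholds used here (5% default, 10% on command) are assumptions.

```python
"""Added example (not CITADEL's code): white-box anomaly detection on database
requests in the style of the Bob/Sally scenario. The request format, the bins,
the training data and the thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple


def part_of_day(hour: int) -> str:
    """One possible binning of a timestamp: hour of day -> part of the day."""
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    if 18 <= hour < 23:
        return "evening"
    return "night"


def rows_bin(rows: int) -> str:
    """Range bins for a potentially large number (records retrieved)."""
    return "0-9" if rows < 10 else "10-99" if rows < 100 else "100+"


def extract_features(request: dict) -> Dict[str, str]:
    """Map one constructed request record (user, hour, command, column_set, rows)
    to binned feature values."""
    cmd = request["command"].lower()
    cols = ",".join(sorted(request["column_set"]))
    return {
        "time_bin": part_of_day(request["hour"]),
        "command": cmd,
        "column_set": cols,
        "rows_bin": rows_bin(request["rows"]),
        # composite feature: a normal command on a normal column set can still
        # be an unusual combination (slide 26)
        "command-column_set": f"{cmd}:{cols}",
    }


class WhiteBoxModel:
    """Per-feature histograms learned from training traffic, plus thresholds and
    manual tweaks; alerts name the features that caused them."""

    def __init__(self, default_threshold: float = 0.05):
        self.hist: Dict[str, Counter] = defaultdict(Counter)
        self.total = 0
        self.default_threshold = default_threshold
        self.feature_threshold: Dict[str, float] = {}
        self.forced: Dict[Tuple[str, str], bool] = {}  # (feature, value) -> normal?

    def train(self, requests: List[dict]) -> None:
        for r in requests:
            for feature, value in extract_features(r).items():
                self.hist[feature][value] += 1
            self.total += 1

    def likelihood(self, feature: str, value: str) -> float:
        return self.hist[feature][value] / self.total if self.total else 0.0

    def set_threshold(self, feature: str, threshold: float) -> None:
        self.feature_threshold[feature] = threshold   # per-feature threshold

    def mark_normal(self, feature: str, value: str) -> None:
        self.forced[(feature, value)] = True          # tweak after a false positive

    def mark_anomalous(self, feature: str, value: str) -> None:
        self.forced[(feature, value)] = False         # even if seen in training

    def is_normal(self, feature: str, value: str) -> bool:
        if (feature, value) in self.forced:           # manual tweak wins
            return self.forced[(feature, value)]
        threshold = self.feature_threshold.get(feature, self.default_threshold)
        return self.likelihood(feature, value) >= threshold

    def check(self, request: dict) -> Optional[dict]:
        """Return an explanatory alert, or None when every feature is normal."""
        reasons = {
            feature: (value, round(self.likelihood(feature, value), 3))
            for feature, value in extract_features(request).items()
            if not self.is_normal(feature, value)
        }
        return {"user": request["user"], "anomalous_features": reasons} if reasons else None


def _req(user, hour, command, column_set, rows):
    return {"user": user, "hour": hour, "command": command,
            "column_set": column_set, "rows": rows}


# Constructed training traffic: Bob's normal behaviour (20 requests).
TRAINING = (
    [_req("bob", 9, "select", ("name",), 3)] * 10
    + [_req("bob", 14, "select", ("days_off",), 5)] * 6
    + [_req("bob", 15, "update", ("days_off",), 1)] * 3
    + [_req("bob", 10, "delete", ("days_off",), 1)]
)


def demo() -> Tuple[Optional[dict], Optional[dict], Optional[dict], Optional[dict]]:
    model = WhiteBoxModel(default_threshold=0.05)
    model.train(TRAINING)
    sally = model.check(_req("sally", 2, "select", ("salary",), 250))        # unusual data, strange time
    bob_update_name = model.check(_req("bob", 14, "update", ("name",), 1))   # only the combination is odd
    delete_default = model.check(_req("bob", 10, "delete", ("days_off",), 1))  # 5% likely: normal at 5%
    model.set_threshold("command", 0.10)                                     # raise threshold on command
    delete_tuned = model.check(_req("bob", 10, "delete", ("days_off",), 1))  # now flagged as anomalous
    return sally, bob_update_name, delete_default, delete_tuned
```

`demo()` returns the four alerts in order: Sally's alert lists time_bin, column_set, rows_bin and the composite feature; Bob's update of name is flagged only on command-column_set; delete is normal at the 5% default threshold and anomalous on command once that feature's threshold is raised to 10%, and `mark_normal("command", "delete")` would silence it again after a false positive.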
27. From system specification to anomaly detection and back
28. Monitoring and Specification
Monitoring can benefit from the system specification:
● Where to monitor, what to monitor for; interpreting data (defining features), potentially useful combinations of features.
Specification can benefit from learning through monitoring:
● Learn details of the specification instead of having to define them by hand.
● Alerts may indicate situations not yet considered in the specification.
Below we detail this interactive approach combining specification and monitoring, illustrated with a simple smart manufacturing use case.
29. Monitoring and Specification [3]
Multiple views on the same system:
● Data: “What is seen”; data classification / visualization
● Model: “What it means”; features linked to predicates, alerts linked to features
● Lightweight specification: “What is correct”; uninterpreted predicates
[Figure: the three views connected by learn (data to model) and detect (model to data) arrows; true positives (TP) feed completing the specification, false positives (FP) feed tuning the model, and the specification provides context.]
30. Bottle Filling Plant (BFP)
A smart manufacturing use case.
Remote-controlled production facility.
Fills bottles with two ingredients, mixes them and inspects the result.
The picture shows the main components and communication links.
31. Components of the BFP
Physical process:
● Belt: moves the bottles from station to station; can be started and stopped.
● Stations: each station has a sensor (1-4) to detect whether a bottle is present.
  ● Filling stations: with valves that can be opened and closed to control the flow of liquid.
  ● Mixer: blends the liquids in the bottle; can be started and stopped.
  ● Quality check station: has a sensor (5) to measure the amount of liquid in the bottle.
Programmable Logic Controller (PLC):
controls the 'actuators' (belt, valves, mixer) and the sensors;
uses the Modbus protocol to communicate.
Remote Terminal Unit (RTU):
provides an interface to connect to the PLC from the outside network.
Master (at the factory headquarters):
provides the remote Human Machine Interface (HMI).
32. 'Lightweight' Specification
In modeling the process we can use 'to-be-learned' predicates:
their interpretation is not given by the model but
filled in by learning.
Example: the liquids in a bottle should form a
valid mixture, but what constitutes a valid
mixture? Learning answers that:
G( bottle_ok → ?Valid(ingr1, ingr2) )
Valid is an uninterpreted property.
Learn from monitoring which combinations of ingr1, ingr2 are valid.
33. BFP – Feature building
Modbus is a very simple protocol; from each message we can extract:
the function code,
the register number and value.
Knowing what the registers are used for (mapping them to
notions in the specification) allows extracting
meaningful features:
setpoint_1, setpoint_2, setpoint_mixer, etc.
at_valve_1, at_valve_2, etc.
Create the mapping from the PLC implementation
documentation (if available), visual inspection (see
next slide) of the traffic and a (partial)
specification of the system.
[Figure: position in the loop of slide 29: Data → classification / visualization → features → lightweight specification; learn.]
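An added example of the feature-building step, not code from the CITADEL deliverables: it parses Modbus/TCP frames into function code, register number and value, and maps registers to feature names such as setpoint_1 and at_valve_1. The frame layout follows Modbus/TCP (a 7-byte MBAP header with transaction id, protocol id 0, length and unit id, followed by the PDU); the register map and the sample traffic are constructed for this illustration. One protocol detail matters for feature extraction: a read response (function code 3) carries values but no addresses, so the extractor remembers each read request's start address by transaction id and resolves the response against it.

```python
import struct

# Constructed register map for the BFP. In practice it comes from the PLC
# implementation documentation, visual inspection of the traffic and the
# (partial) system specification; these addresses are assumptions.
REGISTER_MAP = {
    0: "setpoint_1",
    1: "setpoint_2",
    2: "setpoint_mixer",
    10: "at_valve_1",
    11: "at_valve_2",
}

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


def build_adu(transaction_id, pdu, unit_id=1):
    """Prepend the MBAP header (transaction id, protocol id 0, length, unit id) to a PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


class ModbusFeatureExtractor:
    """Turn Modbus/TCP frames into (feature, value) updates using a register map.

    Write requests (FC 6, FC 16) carry address and value directly. A read
    response (FC 3) carries only values, so the request's start address is
    remembered by transaction id and matched when the response arrives.
    """

    def __init__(self, register_map):
        self.register_map = register_map
        self.pending_reads = {}          # transaction id -> (start address, quantity)

    def extract(self, frame, from_master):
        regs = self._registers(frame, from_master)
        return [(self.register_map.get(addr, f"reg_{addr}"), val) for addr, val in regs]

    def _registers(self, frame, from_master):
        if len(frame) < 8:
            raise ValueError("frame shorter than MBAP header plus function code")
        tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
        if proto != 0 or length != len(frame) - 6:
            raise ValueError("inconsistent MBAP header")
        pdu = frame[7:]
        fc = pdu[0]
        if fc & 0x80:
            return []                    # exception response: no register data
        if from_master and fc == WRITE_SINGLE_REGISTER:
            addr, val = struct.unpack(">HH", pdu[1:5])
            return [(addr, val)]
        if from_master and fc == WRITE_MULTIPLE_REGISTERS:
            addr, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
            if byte_count != 2 * qty or len(pdu) != 6 + byte_count:
                raise ValueError("byte count does not match quantity")
            vals = struct.unpack(f">{qty}H", pdu[6:])
            return list(zip(range(addr, addr + qty), vals))
        if from_master and fc == READ_HOLDING_REGISTERS:
            self.pending_reads[tid] = struct.unpack(">HH", pdu[1:5])
            return []
        if not from_master and fc == READ_HOLDING_REGISTERS and tid in self.pending_reads:
            addr, qty = self.pending_reads.pop(tid)
            byte_count = pdu[1]
            if byte_count != 2 * qty or len(pdu) != 2 + byte_count:
                raise ValueError("byte count does not match requested quantity")
            vals = struct.unpack(f">{qty}H", pdu[2:])
            return list(zip(range(addr, addr + qty), vals))
        return []                        # other function codes are not mapped here


# Constructed traffic: the master writes setpoint_1 = 99, then setpoints 1 and 2 = 50,
# then polls the two valve registers; the PLC answers valve 1 on, valve 2 off.
SAMPLE_TRACE = [
    (build_adu(1, b"\x06\x00\x00\x00\x63"), True),                      # FC 6: reg 0 := 99
    (build_adu(2, b"\x10\x00\x00\x00\x02\x04\x00\x32\x00\x32"), True),  # FC 16: regs 0..1 := 50, 50
    (build_adu(3, b"\x03\x00\x0a\x00\x02"), True),                      # FC 3 request: regs 10..11
    (build_adu(3, b"\x03\x04\x00\x01\x00\x00"), False),                 # FC 3 response: 1, 0
]


def feature_updates(trace, register_map=REGISTER_MAP):
    """Run the extractor over a (frame, from_master) trace and collect all feature updates."""
    extractor = ModbusFeatureExtractor(register_map)
    updates = []
    for frame, from_master in trace:
        updates.extend(extractor.extract(frame, from_master))
    return updates


if __name__ == "__main__":
    for name, value in feature_updates(SAMPLE_TRACE):
        print(f"{name} = {value}")
```

Registers that are not in the map are reported as reg_<address>, so an unexpected register write is still visible as a feature rather than silently dropped; seeing such a feature appear is itself worth an alert.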
34. BFP – Feature building
Register values plotted and interpreted using the system model (see [1]) and basic process knowledge.
35. BFP – Feature building
Counter-like features (bottles_started, bottles_done)
are not useful in the white-box model
(histograms),
but may be used to compute useful ones (e.g.
compare bottles_on_belt with bottles_started
- bottles_done; if they are not equal this indicates a
problem).
Specified constraints:
G(¬(bottle_ok ∧ (ingr1 = 0 ∨ ingr2 = 0))) // null
G(¬(bottle_ok ∧ total > k)) // overflow
The specification constrains 'total', a
reason to consider it as a potential feature.
36. Using detection results
Learn and tune the model as before and deploy.
Raised alerts have context: meaningful features linked to the
system specification.
False positives are used to tune the detection model.
True positives are added to the specification.
[Figure: example detection results. Observed total_liquid_in_bottle values 100.0 and 120.0 (✔): additional 'normal' values. Observed setpoint_1 = 99.0, setpoint_2 = 1.0 (?): an invalid ratio to be prevented, captured as the new specification constraint G(¬(bottle_ok ∧ ingr1 / ingr2 ≠ k)) // composition.]
37. Sliding windows
Sometimes a single violation of a rule or deviation from a
model is not necessarily a problem (e.g. a physical process
that needs to be in a 'bad' state for some time before it
actually becomes a problem) and it may not provide
enough evidence of compromise; in this case you would
want to react only if there are several
instances within a short time period.
Look for multiple deviations within a time window:
a sliding window always considers the last T seconds,
and only raises an alarm if it finds at least N deviations
within this window.
[Figure: timeline with anomalies and a sliding window of duration T, with N = 3 deviations needed for an alert: windows containing 1 or 2 deviations give no alert; a window containing 3 raises an alert.]
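Added example (not from the original slides): a time-based sliding window that raises an alarm only when at least N deviations fall within the last T seconds, run over a constructed timeline of deviation timestamps. The reset_on_alert option is an addition of this example, not something the slide specifies; it addresses a practical issue with the plain definition, namely that once a window holds N deviations every further deviation in the same burst would raise another alert.

```python
from collections import deque


class SlidingWindowAlerter:
    """Alert when at least N deviations fall within the last T seconds.

    Each call to observe() records one deviation (from the white-box model or a
    violated rule). With reset_on_alert the window is emptied after an alert so
    one burst yields one alert instead of one alert per extra deviation.
    """

    def __init__(self, window_seconds, min_deviations, reset_on_alert=True):
        self.T = window_seconds
        self.N = min_deviations
        self.reset_on_alert = reset_on_alert
        self.deviations = deque()        # timestamps (seconds) of recent deviations

    def observe(self, t):
        """Record a deviation at time t (non-decreasing); return True when an alert fires."""
        if self.deviations and t < self.deviations[-1]:
            raise ValueError("timestamps must be non-decreasing")
        self.deviations.append(t)
        while t - self.deviations[0] > self.T:   # drop deviations older than T seconds
            self.deviations.popleft()
        if len(self.deviations) >= self.N:
            if self.reset_on_alert:
                self.deviations.clear()
            return True
        return False


def alert_times(deviation_times, window_seconds, min_deviations, reset_on_alert=True):
    """Times at which the alerter fires for a sequence of deviation timestamps."""
    alerter = SlidingWindowAlerter(window_seconds, min_deviations, reset_on_alert)
    return [t for t in deviation_times if alerter.observe(t)]


# Constructed timeline of deviations (seconds): isolated ones at 0 and 30,
# a burst of three between 100 and 106, another isolated one at 200.
DEVIATIONS = [0, 30, 100, 103, 106, 200]

if __name__ == "__main__":
    print("T = 10 s, N = 3 -> alerts at", alert_times(DEVIATIONS, 10, 3))
```

T and N are tuning knobs: a longer window or a smaller N catches slower attacks but also turns unrelated sporadic deviations into alerts, so they should be set from the false-positive rate observed on the training traffic.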
38. Association rules
Systems often have many interrelated variables.
Changes in the relationships between variables, rather than only in their
values, may be relevant indicators of compromise.
The white-box model provides meaningful alerts in the form of which
feature(s) exhibit unusual values,
but it considers features individually; if a combination of fields
is relevant it needs to be captured in a composed
feature, like 'connection'.
Learning relationships and efficiently capturing them:
association rules.
Association rules are shortly discussed here; see [2] for
more details.
39. Association rules steps
Invariant learning requires a training set of states, which are
extracted from a training set of network traffic:
each time a message feature (e.g. at_valve_1) shows a change in a system
variable we update the state.
We consider two methods of learning process invariants:
Bayesian network learning
association rule mining
We shortly show examples of process invariants that may be learned
and how to use them.
Details on how the learning works are beyond the scope of this learning
material; see [2] for details and a comparison of the two methods.
40. Association rule mining
An association rule represents a process invariant:
a combination of values that should occur together, and
a confidence level stating how often this must be the case.
For the bottle filling plant we learn the invariants:
valve_1_on → ¬belt_moving
valve_2_on → ¬belt_moving
¬valve_2_on → belt_moving
We can interpret these rules as:
● the belt is off when a valve is open (first two)
● the belt starts moving as soon as valve 2 is off.
(Just several of many rules learned; not all rules are
meaningful/useful, see [2].)
41. Bayesian network learning
A Bayesian network captures dependencies between variables;
it looks at the variables rather than at individual values (see [2]).
Still we can extract the same type of process invariants.
Focusing on valve_2_on we see it depends on belt_moving.
Note that AR learning also found a relation between these two
variables.
A high conditional probability gives a rule.
In this case we get two rules:
● ¬valve_2_on → belt_moving
● valve_2_on → ¬belt_moving
We also find that valve_1_on depends on belt_moving,
but only the value true has a high conditional probability:
● valve_1_on → ¬belt_moving
[Figure: Bayesian network around variable valve_2_on]
42. Using Association Rules
Consider our association rule:
¬valve_2_on → belt_moving
Whenever we see a change to an involved variable we check
that the process invariant is preserved.
If valve 2 is off but the belt is not moving, this represents a
violation of the invariant.
A rule has a confidence level (or conditional probability) x;
we thus expect it to be violated at a rate of at most 1 - x.
To test this we use an (event-based) sliding window: if the
number of deviations among the last T events is larger than it
should be, an alert is raised.
● Note that if the confidence is 1.0, like for our example rule, we can raise
an alert as soon as an invariant violation is found.
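Added example covering slides 40 and 42; it is not the learning code of [2]. It mines single-literal association rules (support and confidence) from a constructed BFP state trace and then uses a learned rule as a run-time invariant check with the event-based sliding window described above: a rule with confidence x may fail at a rate of up to 1 - x, so an alert is raised only when the violations among the last T applicable events exceed (1 - x) * T, while a rule with x = 1.0 alerts on the first violation. Because the trace is constructed, the confidences it yields differ from those on slides 40 to 42 (here ¬valve_2_on → belt_moving comes out at 2/3 rather than 1.0, while valve_1_on → ¬belt_moving is certain); the thresholds and the window size are assumptions.

```python
from collections import deque
from itertools import product

# Constructed state trace for the BFP: a state is recorded when a monitored
# variable changes. One filling cycle: belt moving -> valve 1 open (belt stopped)
# -> belt moving -> valve 2 open (belt stopped) -> belt moving ...
CYCLE = [
    {"valve_1_on": False, "valve_2_on": False, "belt_moving": True},
    {"valve_1_on": True,  "valve_2_on": False, "belt_moving": False},
    {"valve_1_on": False, "valve_2_on": False, "belt_moving": True},
    {"valve_1_on": False, "valve_2_on": True,  "belt_moving": False},
]
TRAINING_STATES = CYCLE * 10


def literal(var, value):
    """Render var=value the way the slides do: name, ¬name, or var=value."""
    if isinstance(value, bool):
        return var if value else "¬" + var
    return f"{var}={value}"


def mine_rules(states, min_support=0.1, min_confidence=0.6):
    """Single-literal association rules (var=a -> var'=c) with support and confidence.

    support    = P(antecedent and consequent)      (fraction of all states)
    confidence = P(consequent | antecedent)
    Returns {((var_a, a), (var_c, c)): confidence}. Many of the rules are
    trivially true converses of each other; selecting the useful ones is left
    to the analyst, as the slides note.
    """
    n = len(states)
    literals = sorted({(v, s[v]) for s in states for v in s})
    rules = {}
    for (va, a), (vc, c) in product(literals, repeat=2):
        if va == vc:
            continue
        ante = [s for s in states if s[va] == a]
        both = [s for s in ante if s[vc] == c]
        if ante and len(both) / n >= min_support and len(both) / len(ante) >= min_confidence:
            rules[((va, a), (vc, c))] = len(both) / len(ante)
    return rules


def format_rule(rule):
    (va, a), (vc, c) = rule
    return f"{literal(va, a)} → {literal(vc, c)}"


class InvariantMonitor:
    """Check one learned rule on each state change (the caller feeds a state
    whenever an involved variable changes).

    A rule with confidence x may legitimately fail at a rate of up to 1 - x, so
    violations are counted over the last T applicable events and an alert is
    raised only when that count exceeds (1 - x) * T. A rule with x = 1.0 alerts
    on the first violation. No alert is raised before the window has filled:
    with only a few events the allowance (1 - x) * len(window) is so small that a
    single early, legitimate violation would already exceed it.
    """

    def __init__(self, rule, confidence, window_events=6):
        self.rule, self.x, self.T = rule, confidence, window_events
        self.recent = deque(maxlen=window_events)

    def check(self, state):
        (va, a), (vc, c) = self.rule
        if state[va] != a:
            return False                     # antecedent false: rule not applicable
        violated = state[vc] != c
        if self.x >= 1.0:
            return violated                  # certain rule: alert immediately
        self.recent.append(violated)
        if len(self.recent) < self.T:
            return False
        return sum(self.recent) > (1 - self.x) * self.T


def alerts_for(rule, confidence, states, window_events=6):
    """Indices of the states that raised an alert for the given rule."""
    mon = InvariantMonitor(rule, confidence, window_events)
    return [i for i, s in enumerate(states) if mon.check(s)]


if __name__ == "__main__":
    learned = mine_rules(TRAINING_STATES)
    for rule, conf in sorted(learned.items(), key=lambda kv: -kv[1]):
        print(f"{format_rule(rule):35s} confidence {conf:.2f}")
```

On the constructed trace the rule ¬valve_2_on → belt_moving is legitimately violated once per cycle (while valve 1 is open), so a window of 6 applicable events always contains exactly 2 violations, equal to the allowance of (1 - 2/3) * 6, and no alert is raised; injecting states in which valve 2 is off and the belt stands still pushes the count over the allowance and triggers the alert.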
43. Related reading
[1] CITADEL D4.4 MILS Monitoring System
[2] CITADEL D3.3 CITADEL Design Techniques to Specify, Verify, and Synthesize Policies for Run-Time Monitors
[3] From system specification to anomaly detection (and back) (2017). Davide Fauri, Daniel Ricardo dos Santos, Elisa Costante, Jerry den Hartog, Sandro Etalle, Stefano Tonetta. Workshop on Cyber-Physical Systems Security and Privacy
[4] A white-box anomaly-based framework for database leakage detection (2017). E. Costante, J. den Hartog, M. Petković, S. Etalle, M. Pechenizkiy. Journal of Information Security and Applications 32, 27-46
[5] Towards useful anomaly detection for back office networks (2016). Ö. Yüksel, J. den Hartog, S. Etalle. International Conference on Information Systems Security, 509-520
[6] Reading between the fields: practical, effective intrusion detection for industrial control systems (2016). Ö. Yüksel, J. den Hartog, S. Etalle. Proceedings of the 31st Annual ACM Symposium on Applied Computing, 2063-2070
[7] CITADEL D4.5 Integrated and tested Adaptive MILS Platform
[8] CITADEL D4.3 MILS adaptation system
[9] Module Configuring the MILS Monitoring System for Communications monitoring of CITADEL, D6.6 Training Materials for Electronic Delivery