Your search keyword '"Paul Tavolato"' showing total 9 results

1. Analytical modelling of cyber-physical systems: applying kinetic gas theory to anomaly detection in networks

Author

Paul Tavolato, Hubert Schölnast, and Christina Tavolato-Wötzl

Subjects

021110 strategic, defence & security studies, Computer science, 0211 other engineering and technologies, Cyber-physical system, Control engineering, Monitoring system, 02 engineering and technology, Kinetic energy, Base (topology), ALARM, Computational Theory and Mathematics, Hardware and Architecture, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Computer Science (miscellaneous), Training phase, Anomaly detection, Actuator, Software

Abstract

In connection with anomaly detection in cyber-physical systems, we suggest in this paper a new way of modelling large systems consisting of a huge number of sensors, actuators and controllers. We base the approach on analytical methods usually used in kinetic gas theory, where one tries to describe the overall behavior of a gas without looking at each molecule separately. We model the system as a multi-agent network and derive predictions on the behavior of the network as a whole. These predictions can then be used to monitor the operation of the system. If the deviation between the predictions and the measured attributes of the operational cyber-physical system is sufficiently large, the monitoring system can raise an alarm. This way of modelling the normal behavior of a cyber-physical system has the advantage over machine learning methods mainly used for this purpose, that it is not based on the effective operation of the system during a training phase, but rather on the specification of the system and its intended use. It will detect anomalies in the system’s operation independent of their source—may it be an attack, a malfunction or a faulty implementation.

Published

2020

2. Anomaly Detection in Communication Networks of Cyber-physical Systems using Cross-over Data Compression

Author

Paul Tavolato, Hubert Schölnast, and Philipp Kreimel

Subjects

Cross over, Computer science, Real-time computing, Cyber-physical system, Anomaly detection, Telecommunications network, Data compression

Published

2020

3. Anomaly detection in substation networks

Author

Paul Tavolato, Philipp Kreimel, Antonella Santone, Francesco Mercaldo, and Oliver Eigner

Subjects

Model checking, Computer Networks and Communications, Computer science, 020209 energy, 02 engineering and technology, Anomaly detection, computer.software_genre, Domain (software engineering), Distribution system, Intrusion, SCADA, 0202 electrical engineering, electronic engineering, information engineering, Formal methods, Neural networks, Substation, Safety, Risk, Reliability and Quality, Artificial neural network, business.industry, Information technology, 020207 software engineering, Data mining, business, computer, Software

Abstract

Fundamental components of the distribution systems of electric energy are primary and secondary substation networks. Considering the incorporation of legacy communication infrastructure in these systems, they often have in- herent cybersecurity vulnerabilities. Moreover, traditional intrusion defence strategies for IT systems are often not applicable. With the aim to improve cybersecurity in substation networks, in this paper we present two methods for monitoring SCADA system: the first one exploiting neural networks, while the second one is based on formal methods. To evaluate the effective- ness of the proposed methods, we conducted experiments on a real test bed representing the substation domain as close to real-world as possible. From this test bed we collect data during normal operation and during situations where the system is under attack. To this end several different types of attack are conducted. The data collected is used to test two versions of the mon- itoring system: one based on machine learning with a neural network and one using a model-checking approach. Moreover, the two proposed models are tested with new data to evaluate their performance. The experiments demonstrate that both methods obtain an accuracy greater than 90%. In particular, the methodology based on formal methods achieves better per- formance if compared to the one based on neural networks.

Published

2020

4. Neural Net-Based Anomaly Detection System in Substation Networks

Author

Paul Tavolato and Philipp Kreimel

Subjects

Artificial neural network, Computer science, Network packet, business.industry, Information technology, computer.software_genre, Domain (software engineering), Distribution system, Electric power system, IEC 61850, Anomaly detection, Data mining, business, computer

Abstract

Important components of the electric energy distribution systems are primary and secondary substations. Due to the incorporation of legacy communication infrastructure in these systems, they often have inherent cyber-security vulnerabilities. Further, traditional intrusion defence strategies for IT systems are often not applicable. In order to improve cyber-security in substation networks, this paper presents a neural net-based monitoring system. Further, to evaluate the applicability of the system, all experiments were conducted on a real test bed, which represents the substation domain as close as possible to reality. The proposed monitoring system covers several tasks. First, relevant network packets are acquired from network traffic and analysed. Based on these packets statistical features are extracted. Then, classes are defined, and a normal behaviour model of the network is trained by the neural net. New network traffic is compared to the model, in order to determine the nature of the traffic and identify potential anomalies. Finally, the monitoring system is evaluated by conducting several supervised and unsupervised network attacks against the test bed.

Published

2019

5. Analytical Modelling of Cyber-physical Systems

Author

Christina Tavolato-Wötzl and Paul Tavolato

Subjects

ALARM, Computer science, Cyber-physical system, Training phase, Monitoring system, Anomaly detection, Control engineering, Base (topology), Actuator, Normal behaviour

Abstract

In connection with anomaly detection in cyber-physical systems, we suggest in this paper a new way of modelling large systems consisting of a huge number of sensors, actuators and controllers. We base the approach on analytical methods usually used in kinetic gas theory, where one tries to describe the overall behaviour of a gas without looking at each molecule separately. We model the system as a multi-agent network and derive predictions on the behaviour of the network as a whole. These predictions can then be used to monitor the operation of the system. If the deviation between the predictions and the measured attributes of the operational cyber-physical system is sufficiently large, the monitoring system can raise an alarm. This way of modelling the normal behaviour of a cyber-physical system has the advantage over machine learning methods mainly used for this purpose, that it is not based on the effective operation of the system during a training phase, but rather on the specification of the system and its intended use. It will detect anomalies in the system’s operation independent of its source – may it be an attack, a malfunction or a faulty implementation.

Published

2019

6. Attacks on Industrial Control Systems - Modeling and Anomaly Detection

Author

Oliver Eigner, Paul Tavolato, and Philipp Kreimel

Subjects

Computer science, Real-time computing, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 020201 artificial intelligence & image processing, Anomaly detection, 02 engineering and technology, Industrial control system

Published

2018

7. Anomaly-Based Detection and Classification of Attacks in Cyber-Physical Systems

Author

Philipp Kreimel, Oliver Eigner, and Paul Tavolato

Subjects

Anomaly-based intrusion detection system, Computer science, business.industry, Anomaly (natural sciences), Cyber-physical system, 02 engineering and technology, Machine learning, computer.software_genre, Attack model, Naive Bayes classifier, 020204 information systems, Outlier, 0202 electrical engineering, electronic engineering, information engineering, One-class classification, 020201 artificial intelligence & image processing, Anomaly detection, Data mining, Artificial intelligence, business, computer

Abstract

Cyber-physical systems are found in industrial and production systems, as well as critical infrastructures. Due to the increasing integration of IP-based technology and standard computing devices, the threat of cyber-attacks on cyber-physical systems has vastly increased. Furthermore, traditional intrusion defense strategies for IT systems are often not applicable in operational environments. In this paper we present an anomaly-based approach for detection and classification of attacks in cyber-physical systems. To test our approach, we set up a test environment with sensors, actuators and controllers widely used in industry, thus, providing system data as close as possible to reality. First, anomaly detection is used to define a model of normal system behavior by calculating outlier scores from normal system operations. This valid behavior model is then compared with new data in order to detect anomalies. Further, we trained an attack model, based on supervised attacks against the test setup, using the naive Bayes classifier. If an anomaly is detected, the classification process tries to classify the anomaly by applying the attack model and calculating prediction confidences for trained classes. To evaluate the statistical performance of our approach, we tested the model by applying an unlabeled dataset, which contains valid and anomalous data. The results show that this approach was able to detect and classify such attacks with satisfactory accuracy.

Published

2017

8. Anomaly Detection for Simulated IEC-60870-5-104 Trafiic

Author

Ersi Hodo, Stepan Grebeniuk, Paul Tavolato, and Henri Ruotsalainen

Subjects

Protocol data unit, Computer science, Anomaly-based intrusion detection system, Real-time computing, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Man-in-the-middle attack, IEC 60870-5, Protocol stack, Asynchronous communication, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Anomaly detection

Abstract

Substation security plays an important role in the delivery system of electrical energy. During the past years, there has been an increase in the number of attacks on automation systems. In spite of that, there has not been enough focus dedicated to the protection of such networks. In this paper, we introduce a novel machine learning based intrusion detection system targeted at automation networks of substations based on the IEC 60780-5-104 protocol. The novelty of our approach opposed to the state-of-the-art is the monitoring of several features on multiple protocol layers, which enables the identification of multiple types of attacks. Firstly, we simulate the communication between the substation slave and the server based on data gained from real substations and we simulate the systems behaviour under attack, too. Secondly, we observe the system's normal behavior and its behavior under the attack, in order to extract features needed for building an anomaly detection system. Lastly, based on these features we suggest an anomaly detection system for the asynchronous IEC 60870-5-104 protocol. We designed the anomaly detection model by using machine learning from the IEC 60870-5-104 protocol data acquired. The classifier with the highest performance was chosen by comparing 7 different classification algorithms: the Rule Learner classifier algorithm turned out to be the best.

Published

2017

9. Detection of Man-in-the-Middle Attacks on Industrial Control Networks

Author

Paul Tavolato, Oliver Eigner, and Philipp Kreimel

Subjects

Engineering, business.industry, Feature extraction, Real-time computing, Process control, Conveyor belt, Control engineering, Anomaly detection, Intrusion detection system, Industrial control system, Bregman divergence, Man-in-the-middle attack, business

Abstract

In this paper we present a method to detect Man-in-the-Middle attacks on industrial control systems. The approach uses anomaly detection by developing a model of normal behaviour of the industrial control system network. To come as close as possible to reality a simple industrial system, a conveyor belt with sensors and actuators, was set up with controllers widely used in industry. A machine learning approach based on the k-Nearest Neighbors algorithm with Bregman divergence was used to define a model of normal (valid) behaviour. Afterwards Man-in-the-Middle attacks were launched against the system and its behaviour during the attack was compared to the valid behaviour model. The results show that the approach taken was able to detect such attacks with satisfactory accuracy.

Published

2016