      SAMIIT: Spiral Attack Model in IIoT Mapping Security Alerts to Attack Life Cycle Phases

      5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)
      ICS & SCADA Cyber Security Research
      29 - 30 August 2018
      Industrial Internet of Things, Attack Life Cycle, Security Alerts, Machine Learning Classification

            Abstract

Sophisticated attacks such as NightDragon and Crashoverride have shown a multi-step, multi-domain attack life cycle in the Industrial Internet of Things (IIoT). Security analysts use the cyber kill chain reference model to describe attack phases and the adversary actions at each phase, to link individual attacks into broader campaigns, and to identify courses of action. Although the model is widely studied and applied by IT security practitioners, it is less known and less used in IIoT. In this research, we first review and evaluate several attack life cycle models proposed for IT and IIoT. Next, we propose a spiral attack model that maps IIoT cyber intrusions to attack phases and to the architectural levels of IIoT environments. Finally, we present a machine learning classification approach for mapping security alerts to IIoT attack phases and architectural layers. The results show the accuracy of the mapping mechanism and how it helps analysts in security operations centers prioritize alerts and derive a risk score for each alert.


Author and article information

Conference: August 2018, pages 11-20
Affiliations: [1] Accenture Technology Labs, Arlington, Virginia, USA
DOI: 10.14236/ewic/ICS2018.2
            © Hassanzadeh et al. Published by BCS Learning and Development Ltd. Proceedings of ICS & SCADA 2018

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Venue: 5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018), University of Hamburg, Germany, 29 - 30 August 2018
Series: Electronic Workshops in Computing (eWiC), ICS & SCADA Cyber Security Research

ISSN 1477-9358, BCS Learning & Development

            Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2018.2
            Self URI (journal page): https://ewic.bcs.org/
Categories: Electronic Workshops in Computing; Applied computer science, Computer science, Security & Cryptology, Graphics & Multimedia design, General computer science, Human-computer interaction

