
Complex attack scenarios
Identifying complex attack scenarios, by Raytheon Technologies

Figure 1: An example of attack scenario

Figure 2: A constraint network example trained to identify a complex attack.

Critical infrastructures encompass cyber/physical systems whose functioning is vital for society. Nowadays, such systems are extensive and multifaceted, and therefore inevitably exposed from a multitude of viewpoints. This has generated novel threats referred to as ‘complex attacks’. These attacks are characterized by a set of malicious events that, when analysed in isolation, may not raise attention to an alert level, but when studied concurrently could reveal novel threats. All this calls for specific techniques. In the following, we describe the approach developed in the InfraStress project.
Identification of complex attack scenarios
The component developed by UTRC is responsible for identifying complex attacks affecting a Critical Infrastructure (CI) at any time throughout its standard operations. The CI can reach a critical state either by an unfortunate sequence of failures or by malicious complex attacks affecting several of its components. The approach considered here aims at identifying the latter.
To be effective in the identification task, the detection tool needs a broad overview of the current state of the CI, collecting as much information as possible from the CI components and the anomaly detectors deployed on it. Therefore, our ‘Identification of complex attack scenarios (IdCA)’ tool is fed with heterogeneous information originating from components spread throughout the CI. An attack scenario can be represented as a logical graph, as shown in Figure 1.
In this example, to proceed with the next stage of the attack (i.e., to keep traversing the graph): (i) solid lines require that all the connected events are active, (ii) dashed lines require at least one active event, and (iii) dotted lines represent alternative routes along which the attack can evolve. Double-lined octagons are the detector nodes, i.e., they represent anomaly events detected by the InfraStress framework. Targets of an attack and system responses are represented with (single-lined) octagons and rounded rectangles, respectively. The end nodes of the graph (ovals) represent the potential loss that the CI will encounter if the attack is successful.
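The traversal rules above can be evaluated mechanically. The following is an added example, not code from the InfraStress project or the IdCA tool: it checks how far a scenario graph has progressed given the active detector events and which events are still missing before a loss node is reached. The graph, all node names, and the choice to evaluate dotted lines as "any one route suffices" are assumptions made for illustration.

```python
from typing import Dict, List, Set, Tuple

SOLID, DASHED, DOTTED = "solid", "dashed", "dotted"
Graph = Dict[str, Tuple[str, List[str]]]

# Constructed scenario: node -> (kind of incoming lines, predecessor nodes).
# All node names are hypothetical. "det:" nodes are detector (leaf) nodes,
# "target:" nodes are attack targets, "loss:" nodes are end nodes.
GRAPH: Graph = {
    "target:scada_network": (DASHED, ["det:phishing_mail", "det:badge_anomaly"]),
    "target:scada_credentials": (SOLID, ["target:scada_network", "det:login_anomaly"]),
    "target:hmi_control": (SOLID, ["target:scada_credentials", "det:command_anomaly"]),
    "target:sensor_tamper": (SOLID, ["target:scada_network", "det:sensor_drift"]),
    "loss:service_outage": (DOTTED, ["target:hmi_control", "target:sensor_tamper"]),
}


def reached(node: str, active: Set[str], graph: Graph = GRAPH) -> bool:
    """True if the scenario can have progressed to `node` (graph assumed acyclic)."""
    if node not in graph:                 # leaf: detector event, active or not
        return node in active
    kind, preds = graph[node]
    results = [reached(p, active, graph) for p in preds]
    # Solid: all connected events must be active. Dashed: at least one.
    # Dotted: alternative routes, treated here as "any one route suffices".
    return all(results) if kind == SOLID else any(results)


def missing_events(node: str, active: Set[str], graph: Graph = GRAPH) -> Set[str]:
    """Smallest set of inactive detector events still needed to reach `node`."""
    if node not in graph:
        return set() if node in active else {node}
    kind, preds = graph[node]
    gaps = [missing_events(p, active, graph) for p in preds]
    if kind == SOLID:
        return set().union(*gaps)         # every branch must be completed
    return min(gaps, key=len)             # the closest alternative is enough


if __name__ == "__main__":
    observed = {"det:badge_anomaly"}      # constructed input: one isolated anomaly
    for name in GRAPH:
        print(name, reached(name, observed), sorted(missing_events(name, observed)))
```

An isolated badge anomaly reaches only the first target, yet the output shows that a single further event completes a route to the loss node, which is the correlation a per-detector view misses.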
Aggregating, analysing and effectively using all the information gathered from the CI is a challenging and relevant problem in the complex attack identification community.
The framework developed within the InfraStress consortium provides the opportunity to work with big heterogeneous data coming from the CI and to perform anomaly detection on, for example, network, building sensor, card reader and IoT (Internet of Things) device data. In general, every type of data collected from the CI under analysis can be provided to the InfraStress framework and exploited, in particular, by our IdCA tool.
An internal map representing the status of the CI is built thanks to a heterogeneous information network in which several aggregation layers connect all the available CI components. The aggregation layers (i.e., correlation, physical proximity and connectivity) are learnt from the CI components during its normal operations. Then the IdCA tool will leverage the anomalies detected by other components of the framework. More specifically, in our IdCA tool, complex attacks are modelled through a constraint network (see Figure 2) and used to identify the current state of the CI based on its internal representation and the detected anomalies.
In this example, we can see the relations built between the events “SAccess” and “Cred”, respectively “Access SCADA network” and “Obtain SCADA credentials”. The network is learnt from the normal behaviour of the CI: rectangles represent the relevant features composing the constraint network, while circles represent the values that each feature can assume. Lines show which values satisfy the constraint network, and hence represent the normal behaviour for the analysed CI.
Besides being effective, our IdCA tool provides two distinctive features with respect to other approaches: interpretability and adaptability. The constraint network yields a human-interpretable set of reasons for the attacks detected by the model, in contrast with black-box deep machine learning models. Secondly, our approach is adaptable: a CI interested in adopting our IdCA tool could define a set of complex attack scenarios affecting it, and the component will specifically learn how to identify them to protect the CI.