We’re excited to announce a new research grant on Semantic Security Monitoring for Industrial Control Systems that the National Science Foundation has awarded to a team of researchers at the International Computer Science Institute (ICSI), the National Center for Supercomputing Applications (NCSA), and the University of Illinois. We plan to eventually integrate the technology developed for this effort into Bro’s open-source distribution.

Industrial control systems differ significantly from standard,
general-purpose computing environments, and they face quite different
security challenges. With physical “air gaps” now the exception, our
critical infrastructure has become vulnerable to a broad range of
potential attackers. In this project we will develop novel network
monitoring approaches that can detect sophisticated semantic attacks:
malicious actions that drive a process into an unsafe state without
exhibiting any obvious protocol-level red flags. In one
thrust, we will conduct a measurement-centric study of ICS network
activity, aimed at developing a deep understanding of operational
semantics in terms of actors, workloads, dependencies, and state
changes over time. In a second thrust, we will develop domain-specific
behavior models that abstract from low-level protocol activity to
their semantic meaning according to the current state of the processes
under control. Our goal is to integrate these models into
operationally viable, real-time network monitoring that reports
unexpected deviations as indicators of attacks or malfunction. A
separate “Transition to Practice” phase will advance our research results
into deployment-ready technology by integrating it into Bro.
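The behavior models described above flag a message not because it is malformed but because of what it does to the process in its current state. The following Python sketch is an added illustration of that idea, not code from the project or from Bro; the register map, the tank-filling process, the safety rule and the sample trace are all constructed for this example, and a real deployment would derive the state model from the measurement study the text describes rather than hard-code it.

```python
"""Added illustration of state-aware (semantic) monitoring for an ICS process.

All registers, addresses, thresholds and events below are constructed for this
example; they are not Bro/Zeek code and not part of the project on the page.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed register map for a hypothetical tank-filling process.
REG_LEVEL = 100    # sensor register: tank level in percent (reads only)
REG_INLET = 200    # coil: inlet pump running (1) / stopped (0)
REG_OUTLET = 201   # coil: outlet valve open (1) / closed (0)
LEVEL_HIGH = 90    # constructed engineering limit for continued filling


@dataclass
class Event:
    """One protocol-level operation as a monitor would decode it from traffic.
    For reads, `value` is the value carried in the response."""
    ts: float
    src: str
    func: str      # "read" or "write"; every event here is well-formed
    addr: int
    value: int


@dataclass
class ProcessState:
    level: int = 0
    inlet_on: bool = False
    outlet_open: bool = True


@dataclass
class Alert:
    ts: float
    src: str
    reason: str


class SemanticMonitor:
    """Tracks an estimate of the physical process from observed traffic and
    flags writes whose effect is unsafe given that estimate, even though the
    messages themselves pass every protocol-level check."""

    def __init__(self) -> None:
        self.state = ProcessState()
        self.alerts: List[Alert] = []

    @staticmethod
    def _unsafe(s: ProcessState) -> Optional[str]:
        # Constructed safety invariant: never keep filling a nearly full tank
        # whose only outlet is closed.
        if s.inlet_on and not s.outlet_open and s.level >= LEVEL_HIGH:
            return "inlet pump on with outlet closed at high level (overflow risk)"
        return None

    def observe(self, ev: Event) -> Optional[Alert]:
        if ev.func == "read" and ev.addr == REG_LEVEL:
            self.state.level = ev.value      # sensor reading updates the model
            return None
        if ev.func != "write":
            return None
        # Evaluate the state the write would produce before committing it.
        nxt = ProcessState(self.state.level, self.state.inlet_on, self.state.outlet_open)
        if ev.addr == REG_INLET:
            nxt.inlet_on = bool(ev.value)
        elif ev.addr == REG_OUTLET:
            nxt.outlet_open = bool(ev.value)
        else:
            return None
        reason = self._unsafe(nxt)
        self.state = nxt
        if reason is None:
            return None
        alert = Alert(ev.ts, ev.src, f"write {ev.addr}={ev.value}: {reason}")
        self.alerts.append(alert)
        return alert


# Constructed trace: every message is a valid request from the legitimate HMI.
SAMPLE_TRACE = [
    Event(1.0, "10.0.0.5", "read", REG_LEVEL, 40),
    Event(2.0, "10.0.0.5", "write", REG_INLET, 1),    # start filling at 40%: fine
    Event(3.0, "10.0.0.5", "read", REG_LEVEL, 92),
    Event(4.0, "10.0.0.5", "write", REG_OUTLET, 0),   # closes outlet at 92%, pump on
    Event(5.0, "10.0.0.5", "write", REG_INLET, 0),    # pump stopped: safe again
]


def run(trace: List[Event]) -> List[Alert]:
    mon = SemanticMonitor()
    for ev in trace:
        mon.observe(ev)
    return mon.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_TRACE):
        print(f"{a.ts:5.1f} {a.src} {a.reason}")
```

The write to `REG_OUTLET` at `ts=4.0` is byte-for-byte the same request that would be perfectly acceptable at a 40% level; only the tracked process state makes it reportable. That is the gap a purely protocol-level monitor leaves and the one the project's models are meant to close.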
