IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems

Wolsing, Konrad; Wagner, Eric; Saillard, Antoine; Henze, Martin

doi:10.1145/3545948.3545968

Cited by 21 publications

(20 citation statements)

References 73 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While we shed light on these two dimensions, IIDSs can fall in between [80], i.e., making use of knowledge-based and behavior-based detection methodologies. This goes to show that not all IIDSs strictly follow the classification presented here and we refer the reader to other surveys which highlight the differences in greater depth [55,59,80,87].…”

Section: Comparisonmentioning

confidence: 53%

“…Even though ICSs rely on researchers to design appropriate countermeasures and test their efficiency in real-world deployments, operators rarely provide such urgently-needed data samples [3,56,74]. While these challenges constitute an opportunity to tackle IIDS research from varying angles, transfer insights across industrial domains, and investigate their efficiency in real-world deployments, they likewise segregate the overall research landscape, resulting in isolated silos [87]. Consequently, sound scientific evaluations remain as the foundation to facilitate coherence and measure the overall progress of the research field.…”

Section: Challenges Of Evaluating Iidsmentioning

confidence: 99%

“…2.3), we identify a range of works discussing and criticizing the current state of IIDS research. First, various surveys provide an overview of the utilized detection methods across that research field [21,31,55,59,69,75,80,87,88], ranging from learning specific communication patterns to analyzing the physical state of the monitored system. In this context, difficulties reproducing results and generalizing IIDSs to related ICS domains beyond those specifically evaluated were reported [22,87].…”

Section: Related Work On Evaluating Iidssmentioning

confidence: 99%

“…Consequently, worthwhile ideas remain hard to identify, and it is unclear which improvements are suitable to close the gap to much-needed production-ready IIDSs. E.g., specific detection methodologies have been independently proposed and evaluated for different ICS domains in the past resulting in work being made twice [87]. While reproducibility studies are worthwhile, in contrast, accidental duplication of results likely leads to less significant overall research output.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

[SoK] Evaluations in Industrial Intrusion Detection Research

Lamberts,

Wolsing,

Wagner

et al. 2023

Journal of Systems Research

Self Cite

View full text Add to dashboard Cite

Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward.

show abstract

Section: Comparisonmentioning

confidence: 53%

Section: Challenges Of Evaluating Iidsmentioning

confidence: 99%

Section: Related Work On Evaluating Iidssmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

[SoK] Evaluations in Industrial Intrusion Detection Research

Lamberts,

Wolsing,

Wagner

et al. 2023

Journal of Systems Research

Self Cite

View full text Add to dashboard Cite

show abstract

“…While recent research provides sophisticated approaches leveraging semantic and process knowledge, these approaches rarely find their way into practice, mainly due to their tight coupling to distinct industrial communication protocols and individual datasets. By leveraging commonalities found in industrial communication, our research lays a common ground for realizing widely applicable industrial intrusion detection systems (Wolsing et al 2022). Furthermore, state-of-the-art industrial intrusion detection systems typically rely on machine learning to detect anomalous behavior.…”

Section: Network Securitymentioning

confidence: 99%

Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead

Pennekamp,

Belova,

Bergs

et al. 2023

Interdisciplinary Excellence Accelerator Series

Self Cite

View full text Add to dashboard Cite

The Internet of Production (IoP) leverages concepts such as digital shadows, data lakes, and a World Wide Lab (WWL) to advance today’s production. Consequently, it requires a technical infrastructure that can support the agile deployment of these concepts and corresponding high-level applications, which, e.g., demand the processing of massive data in motion and at rest. As such, key research aspects are the support for low-latency control loops, concepts on scalable data stream processing, deployable information security, and semantically rich and efficient long-term storage. In particular, such an infrastructure cannot continue to be limited to machines and sensors, but additionally needs to encompass networked environments: production cells, edge computing, and location-independent cloud infrastructures. Finally, in light of the envisioned WWL, i.e., the interconnection of production sites, the technical infrastructure must be advanced to support secure and privacy-preserving industrial collaboration. To evolve today’s production sites and lay the infrastructural foundation for the IoP, we identify five broad streams of research: (1) adapting data and stream processing to heterogeneous data from distributed sources, (2) ensuring data interoperability between systems and production sites, (3) exchanging and sharing data with different stakeholders, (4) network security approaches addressing the risks of increasing interconnectivity, and (5) security architectures to enable secure and privacy-preserving industrial collaboration. With our research, we evolve the underlying infrastructure from isolated, sparsely networked production sites toward an architecture that supports high-level applications and sophisticated digital shadows while facilitating the transition toward a WWL.

show abstract