Ángel L Perales Gómez, Lorenzo Fernández Maimó, Alberto Huertas Celdran, Félix J García Clemente, SUSAN: A Deep Learning based anomaly detection framework for sustainable industry, Sustainable Computing, Vol. 37 (1), 2023. (Journal Article)
Nowadays, sustainability is the core of green technologies, being a critical aspect in many industries concerned with reducing carbon emissions and energy consumption optimization. While this concern increases, the number of cyberattacks causing sustainability issues in industries also grows. These cyberattacks impact industrial systems that control and monitor the right functioning of processes and systems. Furthermore, they are very specialized, requiring knowledge about the target industrial processes, and being undetectable for traditional cybersecurity solutions. To overcome this challenge, we present SUSAN, a Deep Learning-based framework, to build anomaly detectors that expose cyberattacks affecting the sustainability of industrial systems. SUSAN follows a modular and flexible design that allows the ensembling of several detectors to achieve more precise detections. To demonstrate the feasibility of SUSAN, we implemented the framework in a water treatment plant using the SWaT testbed. The experiments performed achieved the best recall rate (0.910) and acceptable precision (0.633), resulting in an F1-score of 0.747. Regarding individual cyberattacks that impact the system’s sustainability, our implementation detected all of them, and, concerning the related work, it achieved the most balanced results, with 0.64 as the worst recall rate. Finally, a false-positive rate of 0.000388 makes our solution feasible in real scenarios. |
|
Katharina Olga Emilia Müller, An Overview and Ontology of Privacy to Preserve Privacy in Ultra-Wideband Networks, In: 8th IEEE International Conference on Privacy Computing, Haikou, China, 2022. (Conference or Workshop Paper)
|
|
Katharina O E Müller, Jan Von der Assen, Chao Feng, Burkhard Stiller, An Overview and Ontology of Privacy to Preserve Privacy in Ultra-Wideband Networks, In: 2022 IEEE Smartworld, Ubiquitous Intelligence & Computing, Scalable Computing & Communications, Digital Twin, Privacy Computing, Metaverse, Autonomous & Trusted Vehicles (SmartWorld/UIC/ScalCom/DigitalTwin/PriComp/Metaverse), IEEE, Haikou, China, 2022-12-15. (Conference or Workshop Paper published in Proceedings)
|
|
Fabian Küffer, CH2TF – Collaborative Heavy Hitter Traffic Filtering, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Master's Thesis)
The emergence of DDoS attacks posed a paramount problem in the advent of the Internet’s growth. Indeed, DDoS attacks occur regularly and lead to major service outages that incur high costs in various dimensions. Thus, this thesis explores the topic of collaboration between parties to enable a distributed defense approach. Hence, CH2TF proposes a collaborative signaling protocol to enable heavy hitter (HH) traffic filtering. However, while HH are large traffic flows in the network, their global visibility is often unclear. Consequently, this collaborative approach clears up the otherwise opaque visibility of global HH. While related work has continuously been addressing DDoS defense techniques, there currently exists a research gap regarding a collaboration effort to identify HH.
A prototype has been designed and implemented to showcase the workings of the signaling protocol. Moreover, the evaluation results of the prototype showed that HH of specific ongoing attack cases (i.e., volumetric attacks) are successfully detected in a collaborative manner with sufficiently high accuracy (0.85), though the prototype does not fare that well in other specific attack detection scenarios (i.e., botnets, 0.42). Additionally, the evaluation results showed that the analyses to detect attacks and HH are performant and are expected to scale well. |
|
Juan M Espin López, Alberto Huertas Celdran, Francisco Esquembre, Gregorio Martínez Pérez, Javier G Marín-Blázquez, A Supervised ML Biometric Continuous Authentication System for Industry 4.0, IEEE Transactions on Industrial Informatics, Vol. 18 (12), 2022. (Journal Article)
Continuous authentication (CA) is a promising approach to authenticate workers and avoid security breaches in the industry, especially in Industry 4.0, where most interaction between workers and devices takes place. However, introducing CA in industries raises the following unsolved questions regarding machine learning (ML) models: its precision and performance; its robustness; and the issue about if or when to retrain the models. To answer these questions, this article explores these issues with a proposed supervised versus nonsupervised ML-based CA system that uses sensors, applications statistics, or speaker data collected by the operator’s devices. Experiments show supervised models with equal error rates of 7.28% using sensors data, 9.29% with statistics, and 0.31% with voice, a significant improvement of 71.97, 62.14, and 97.08%, respectively, over unsupervised models. Voice is the most robust dimension when adding new workers, with less than 2% of false acceptance rate even if workforce size is doubled. |
|
Eder J Scheid, Ratanak Hy, Muriel Figueredo Franco, Christian Killer, Burkhard Stiller, On the Employment of Machine Learning in the Blockchain Selection Process, IEEE Transactions on Network and Service Management, Vol. 19 (4), 2022. (Journal Article)
Given the growing increase in the number of blockchain (BC) platforms, cryptocurrencies, and tokens, non-technical individuals face a complex question when selecting a BC that meets their requirements (e.g., performance or security). In addition, current approaches that aid such a selection process present drawbacks (e.g., require specific BC knowledge or are not automated and scalable), which hinders the decision process even further. Fortunately, techniques such as Machine Learning (ML) allow the creation of selection models without human interaction by identifying the BC features that match the requirements provided by the user in an automated and flexible manner. Thus, this work presents the design and implementation of an ML-based BC selection approach that employs five ML models to select the most suitable BC given user requirements (e.g., BC popularity, fast block inclusion, or Smart Contract - SC support). The approach follows an ML-specific data flow and defines a novel equation to quantify the popularity of a BC. Furthermore, it details the models’ accuracy and functionality in two distinct use cases, which shows their good accuracy (>85%). Finally, discussions on (a) the ML usefulness, (b) advantages over rule-based systems, and (c) the most relevant features for the BC selection are presented. |
|
Muriel Figueredo Franco, Fabricio M Lacerda, Burkhard Stiller, A Framework for the Planning and Management of Cybersecurity Projects in Small and Medium-sized Enterprises, Revista de Gestão e Projetos, Vol. 13 (3), 2022. (Journal Article)
Cybersecurity remains one of the key investments for companies that want to protect their business in a digital era. Therefore, it is essential to understand the different steps required to implement an adequate cybersecurity strategy, which can be viewed as a cybersecurity project to be developed, implemented, and operated. This article proposes SECProject, a practical framework that defines and organizes the technical and economics steps required for the planning and implementation of a cost-effective cybersecurity strategy in Small and Medium-sized Enterprises (SME). As novelty, the SECProject framework allows for a guided and organized cybersecurity planning that considers both technical and economical elements needed for an adequate protection. This helps even companies without technical expertise to optimize their cybersecurity investments while reducing their business risks due to cyberattacks. In order to show the feasibility of the proposed framework, a case study was conducted within a Swiss SME from the pharma sector, highlighting the information and artifacts required for the planning and deployment of cybersecurity strategies. The results show the benefits and effectiveness of risk and cost management as a key element during the planning of cybersecurity projects using the SECProject as a guideline. |
|
Muriel Figueredo Franco, CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment, In: PhD Defense, Zürich, Switzerland, 2022. (Conference or Workshop Paper)
|
|
Muriel Figueredo Franco, RITUAL: A Platform Quantifying the Trustworthiness of Supervised Machine Learning, In: 18th International Conference on Network and Service Management, Thessaloniki, Greece, 2022. (Conference or Workshop Paper)
|
|
Marcin Niemiec, Salvatore Marco Pappalardo, Maya Bozhilova, Nikolai Stoianov, Andrzej Dziech, Burkhard Stiller, Multi-Sector Risk Management Framework for Analysis Cybersecurity Challenges and Opportunities, In: (MCSS 2022), Springer's Communications in Computer and Information Science, Vol. 1689, Krakow, Poland, 2022. (Conference or Workshop Paper published in Proceedings)
|
|
Ángel L Perales Gómez, Lorenzo Fernández Maimó, Félix J García Clemente, Javier A Maroto Morales, Alberto Huertas Celdran, Gérôme Bovet, A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios, IEEE Access, Vol. 10 (1), 2022. (Journal Article)
Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11). |
|
Severin Kunz, Novel Artificial Intelligence Techniques and System Calls to Detect Heterogeneous Malware Affecting IoT Spectrum Sensors, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Master's Thesis)
The spreading of IoT devices yields new attack vectors for hackers. In addition, the connectivity of IoT devices increases the potential damage to IoT systems. Therefore, detecting malware on such systems is crucial to limit the damage. Some years ago, Machine Learning combined with behavioral fingerprinting which takes information from the devices’ state has superseded file-based malware detection. This thesis concentrates on system call based malware detection and entails the following main contributions: Firstly, it extends malware detection by enabling the classification of specific attack phases of malware. Secondly, it evaluates the potential of Deep Learning models in the area of system call based attack phase detection in IoT devices and compares it with a Neural Network serving as a baseline model. Finally, the thesis assesses a TF-IDF based adapted preprocessing technique (TF-DF) for system calls, that seeks an enhanced representation of the most expressive system calls. For these purposes, a dataset consisting of system calls coming from a Raspberry Pi connected to a radio frequency network has been created. From the system calls of this dataset, eleven different attack phases stemming from four malware types (backdoor, botnet, ransomware, and rootkit) and one benign phase have been deducted. The classification results of the Neural Network model have significantly outscored the results of the implemented DL models. In combination with the proposed preprocessing technique TF-DF, an F1-score of 99.2% has been achieved when applying it on system call sequences with differing lengths. In a final step, the models have been evaluated with receiving equal length system call sequences where TF-IDF outperformed TF-DF and yielded an F1-score of 78.42%. |
|
Ning Xie, Quantifying the Trustworthiness Level of Federated Learning Models, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Master's Thesis)
In the last decade, the rise of Deep Learning (DL) in the development of Artificial Intelligence (AI) has greatly improved the performance of AI models which are becoming increasingly relevant as a support to the human decision-making process. With the ever widening spread of AI applications powered on Big Data, centralized machine learning became challenging due to the existing data silos in many industries where data contain sensitive information. The rising concern for data privacy in AI is promoting the development of privacy-preserving Machine and Deep Learning (ML/DL) techniques such as Federated Learning (FL) where model training is performed collaboratively by distributed data contributors in a decentralized manner. FL enables data privacy by design since local data are not exposed.
The increasing interest and adoption of FL systems prompt the need to investigate the ability to trust the decisions made by FL models as compared to centralized machine learning. There is a large body of existing literature on the topic of Trustworthy AI where the requirements are drawn out for an AI system under the five pillars of trust: i) robustness, ii) privacy, iii) fairness, iv) explainability and v) accountability. These pillars were developed in the context of traditional ML/DL systems. As the attention of AI shifts to FL, more efforts are needed to identify trustworthiness pillars and evaluation metrics relevant for FL models. This work analyzed the existing requirements for trustworthiness evaluation in AI and adapted the pillars and metrics for state-of-the-art FL models.
A comprehensive taxonomy for Trustworthy FL is proposed as a result of the analysis. Based on the taxonomy, an evaluation algorithm, FederatedTrust, was designed and implemented as a third-party Python library which can be imported as a plugin to an FL development framework to evaluate the trustworthiness level of FL models. The FederatedTrust library harnesses the meta data and configuration settings of FL models gathered from the development framework and generates inputs and outputs for trustworthiness analysis based on the metrics identified in the taxonomy. At the end of an FL training, a report containing the trust scores of each metric and pillar that make up the aggregated trustworthiness level is generated for the FL model created.
The report helps to identify the areas impacting trust within the model configuration and execution so that improvements can be made to make the model more trustworthy. Validation of the algorithm was conducted in the form of experiments to test the usefulness of the trustworthiness report generated by FederatedTrust under different FL settings. Observations and discussions were made on the experiment results to analyze what can be improved in the future development of this evaluation framework for Trustworthy FL. |
|
Tobias Frauenfelder, GoDDSSy: A DDoS Signaling and Control Network based on GossipSub, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
Distributed Denial-of-Service (DDoS) attacks occur daily and are growing in size due to the Internet of Things (IoT) popularity. Since many of these devices are designed to be insecure, botnets can use them to launch large-scale attacks. DDoS attacks are highly distributed; thus, the best counter plan also includes a distributed defense to reduce attacking traffic at several locations that may be closer to their origins. This thesis tries to develop a DDoS signaling network called GossipSub DDoS Signaling System (GoDDSSy), which operates in a trusted environment and is agile and resilient.
The reader is first provided with a theoretical overview covering the fundamentals of DDoS attacks and publish-and-subscribe systems. Furthermore, a summary of related work is given. Additionally, the design of GoDDSSy is proposed, which is then later implemented, deployed, and evaluated. Results show that GoDDSSy operates in an agile and resilient way. In addition, we show the limits of the implemented system and how it performs compared to related systems. |
|
Onur Kalinagac, Wissem Soussi, Gürkan Gür, Graph Based Liability Analysis for the Microservice Architecture, In: 18th International Conference on Network and Service Management (CNSM 2022), IEEE, Thessaloniki, Greece, 2022-10-31. (Conference or Workshop Paper published in Proceedings)
In this work, we present Graph Based Liability Analysis Framework (GRALAF) for root cause analysis (RCA) of the microservices. In this Proof-of-Concept (PoC) tool, we keep track of the performance metrics of microservices, such as service response time and CPU level values, to detect anomalies. By injecting faults in the services, we construct a Causal Bayesian Network (CBN) which represents the relation between service faults and metrics. The constructed CBN is used to predict the fault probability of services under given metrics which are assigned discrete values according to their anomaly states. |
|
Alberto Huertas, Jan Bauer, Melike Demirci, Joel Leupp, Muriel Figueredo Franco, Pedro Sánchez, Gérôme Bovet, Gregorio Martinez Perez, Burkhard Stiller, RITUAL: A Platform Quantifying the Trustworthiness of Supervised Machine Learning, In: 18th International Conference on Network and Service Management, IEEE / CNSM, Thessaloniki, Greece, 2022-10-31. (Conference or Workshop Paper published in Proceedings)
|
|
Muriel Figueredo Franco, Fabricio M Lacerda, Burkhard Stiller, SECProject: a Framework for the Management of Cybersecurity Projects in Small and Medium-sized Enterprises, In: X International Symposium on Management, Project, Innovation and Sustainability (X SINGEP), SINGEP-CIK, São Paulo, Brazil, 2022-10-26. (Conference or Workshop Paper published in Proceedings)
|
|
Eryk Jerzy Schiller, Timo Surbeck, Mikael Gasparyan, Burkhard Stiller, Torsten Braun, ICN With DHT Support in Mobile Networks, In: 2022 IEEE 47th Conference on Local Computer Networks (LCN), IEEE, Piscataway, NJ, United States, 2022. (Conference or Workshop Paper published in Proceedings)
Information-Centric Network (ICN) architectures, such as Named Data Networking (NDN), can improve content delivery on the Internet by deploying in-network caching techniques. Replacing the entire established Internet with a novel architecture is a non-trivial task, which is why this work develops a layered network architecture consisting of several smaller NDN-based mobile networks (resp., domains), interconnected using a Distributed Hash Table (DHT)-based network running as an overlay on top of existing Internet infrastructures. Using simulations, we model real-world network characteristics to evaluate the proposed architecture’s performance successfully. |
|
Geoffrey Chollon, Dhouha Ayed, Rodrigo Asensio Garriga, Alejandro Molina Zarca, Antonio Skarmeta, Maria Christopoulou Soussi, Gürkan Gür, Uwe Herzog, ETSI ZSM Driven Security Management in Future Networks (FNWF 2022), In: IEEE Future Networks World Forum (FNWF 2022), IEEE, Montreal, Canada (online), 2022-10-11. (Conference or Workshop Paper published in Proceedings)
This paper presents a security management framework driven by Zero-Touch Network and Service Management (ZSM) paradigm and embedded in the High-Level Architecture (HLA) developed in the INSPIRE-5Gplus project. This project work also included design and implementation of different smart 5G security methods and techniques that are essential for achieving security management in future networks. Moreover, we provide a summary of some lessons learned and guidelines gathered during the practical validation activities for bringing closed loop and smart security management into Beyond 5G systems. Finally, we discuss the key challenges and future work needed to enable integration of closed-loop security management in future networks. |
|
Bruno Rodrigues, Eder John Scheid, Julius Willems, Maximilian Tornow, Katharina Olga Emilia Müller, Burkhard Stiller, FusIon Data Tracking System (FITS), IEEE Sensors Journal, Vol. 22 (19), 2022. (Journal Article)
The field of generating movement profiles of individuals is valuable in many real-world applications (e.g., controlling disease spread or evaluating marketing engagement). Existing solutions often rely on global positioning systems (GPS) or similar systems, primarily targeted at outdoor use cases. However, the indoor tracking capabilities of current solutions either lack precision or are available in closed buildings only. The literature proposes sensor fusion approaches, but many of those are based on specific sensors. These approaches do not reveal implementation details or data to allow for their independent evaluation. Therefore, this article presents FusIon Data Tracking System (FITS) as an approach and proof-of-concept to facilitate the correlation of data from different indoor sensors to movement profiles of different individuals. Functionally, FITS does this by generating synthetic sensor measurement data based on real-world movement data and correlating objects tracked from distinct sensors by effectively solving clustering and position prediction tasks. This correlation is evaluated based on different metrics [multiple object tracker accuracy/precision (MOTA/MOTP)] in four different scenarios, for example, sparse data, high density of sensors, low density of sensors, and a base case. Finally, FITS’s performance was evaluated by increasing the load test (dataset up to 100 000 measurements and 1000 visitors) to assess whether near real-time processing is feasible under a high workload. |
|