Improved detection thanks to “Big Data” and advanced statistical analysis
Wherever the theatre of war is located, accurate knowledge of the war zone and good tactical analysis can be decisive well before engaging the enemy. This is just as true in cyber-warfare and economic warfare, where intrusion detection tools have undergone a “revolution” with the arrival of Big Data and advanced statistical analysis.
For just over 30 years, IDS (Intrusion Detection Systems) have been used to detect unusual or suspicious activity on a given network or target, whether or not the intrusion succeeded. Current intrusion detection technology combines two types of component. First, low-level data analysis sensors, which use either behavioural methods or attack signature recognition. Secondly, event correlation tools that analyse the data sent up by the low-level sensors (SIEM, or Security Information and Event Management). However, none of these tools is fail-safe. Their limitations include: the large number of alerts they generate; weak correlation features, in particular for “heterogeneous” alerts coming from different kinds of sensors; incomplete and inaccurate diagnostics that require frequent administrator intervention; false positives, i.e. alerts raised on legitimate activity, and false negatives, i.e. undetected attacks, typically those exploiting so-called zero-day vulnerabilities: flaws that are not yet publicly known and for which no signature and no counter-measure yet exist. And new ones appear almost daily!
A requirement for Industrial Control Systems
In order to overcome these limitations, and in particular to improve the reliability of the diagnostics and data returned by current intrusion detection technologies, new approaches have been developed. They are based on the combined use of Big Data technologies and advanced statistical analysis, and they share a common aim: to search the ever-increasing mass of data in circulation for new threats. These techniques can both improve existing detection techniques (through behavioural analysis, i.e. modelling normal activity and flagging deviations from it) and develop new detection capacity for threats that no signature yet describes.
The Cyber CNI Chair is experimenting with the deployment of these kinds of responses in Industrial Control Systems (ICS). These systems are becoming increasingly standardised and interconnected, and therefore exposed to the Internet, which increases their vulnerability to cyberattacks: the Stuxnet, Flame and Duqu malware are only the best-known examples. The research undertaken by the Cyber CNI Chair therefore focuses more specifically on attacks against ICS, for instance data injection attacks (forged sensor or command values) designed to make the system deviate from its normal behaviour.
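As an added illustration, not code from the Cyber CNI Chair or from the original article, the following Python example runs the two detection strategies discussed above on a constructed ICS signal: a normal-behaviour baseline is learned from a clean window of tank-level readings, then a classic per-sample z-score threshold and a CUSUM statistic on the same standardised residuals are both applied to a slow false-data-injection ramp. The setpoint, the deterministic noise pattern, the attack start and slope, and the CUSUM parameters k and h are all constructed assumptions.

```python
"""Statistical anomaly detection on an ICS process variable.

Added illustration (not the Cyber CNI Chair's code).  A tank-level sensor
reports one sample per second.  A false-data-injection attack slowly
biases the reported value so that every individual sample still looks
plausible: a per-sample z-score threshold misses it for a long time,
while a CUSUM statistic on the same residuals, which accumulates small
persistent deviations, raises an alarm much earlier.
All numbers (setpoint, noise pattern, attack slope) are constructed.
"""
import statistics
from typing import List, Optional

SETPOINT = 50.0  # controller setpoint for the tank level, in percent (constructed)

# Constructed, deterministic stand-in for sensor noise so that the run is
# reproducible; on a real system the baseline is learned from recorded data.
NOISE = [0.3, -0.4, 0.1, 0.6, -0.2, -0.5, 0.2, 0.4, -0.1, -0.6, 0.5, -0.3]


def clean_measurements(n: int) -> List[float]:
    """Reported level under normal operation: setpoint plus sensor noise."""
    return [SETPOINT + NOISE[i % len(NOISE)] for i in range(n)]


def inject_ramp(samples: List[float], start: int, slope: float) -> List[float]:
    """False data injection: from index `start`, add a bias that grows by
    `slope` per sample.  Each step is far below the noise level, which is
    what makes the attack stealthy against per-sample checks."""
    return [x + slope * max(0, i - start) for i, x in enumerate(samples)]


class Baseline:
    """Normal-behaviour model (mean and spread) learned from a clean window."""

    def __init__(self, training: List[float]) -> None:
        self.mean = statistics.fmean(training)
        self.std = statistics.stdev(training)

    def zscore(self, x: float) -> float:
        """Standardised residual: how many sigmas x is away from normal."""
        return (x - self.mean) / self.std


def detect_threshold(samples: List[float], base: Baseline,
                     limit: float = 4.0) -> Optional[int]:
    """Classic per-sample check: alarm at the first |z| > limit, else None."""
    for i, x in enumerate(samples):
        if abs(base.zscore(x)) > limit:
            return i
    return None


def detect_cusum(samples: List[float], base: Baseline,
                 k: float = 0.5, h: float = 5.0) -> Optional[int]:
    """Two-sided CUSUM on standardised residuals.

    k is the allowance (half the shift, in sigmas, we want to detect) and
    h the decision interval.  Deviations smaller than k are absorbed;
    persistent ones accumulate until one side exceeds h."""
    s_pos = s_neg = 0.0
    for i, x in enumerate(samples):
        z = base.zscore(x)
        s_pos = max(0.0, s_pos + z - k)   # upward drift
        s_neg = max(0.0, s_neg - z - k)   # downward drift
        if s_pos > h or s_neg > h:
            return i
    return None


TRAIN = 120          # clean samples used to learn the baseline (constructed)
ATTACK_START = 200   # sample index at which the injection begins (constructed)
SLOPE = 0.01         # bias growth per sample, a few percent of the noise sigma


def run_demo() -> dict:
    """Run both detectors on the clean series and on the attacked series.
    Returns the alarm index (or None) for each detector/series pair."""
    clean = clean_measurements(360)
    base = Baseline(clean[:TRAIN])
    attacked = inject_ramp(clean, ATTACK_START, SLOPE)
    return {
        "clean_threshold": detect_threshold(clean, base),
        "clean_cusum": detect_cusum(clean, base),
        "attack_threshold": detect_threshold(attacked, base),
        "attack_cusum": detect_cusum(attacked, base),
    }


if __name__ == "__main__":
    for name, idx in run_demo().items():
        state = "no alarm" if idx is None else f"alarm at sample {idx}"
        print(f"{name}: {state}")
```

On the clean series neither detector fires. On the attacked series the threshold detector only fires once the injected bias alone approaches the 4-sigma limit, well after the CUSUM detector, which has been accumulating the small per-sample excess since the drift crossed the allowance k. The pair (k, h) trades detection delay against false-alarm rate and would in practice be tuned on historical data for each process variable.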