Research

  • Advanced Persistent Threat analysis and detection in ICS using ML

    A vast literature exists on the detection and analysis of Advanced Persistent Threats (APT) in ICS. However, these approaches still lack sufficient detection accuracy, and they still fail in operational environments by raising a high number of false positives. This is mainly due to the heterogeneity of these environments, with their large number of legacy systems and proprietary applications. For instance, many safety processes are deployed in such environments and may trigger alerts from intrusion detection systems, since their behavior is irregular when they issue an emergency command to stop the industrial process. In addition, false positive alerts may be issued because of device failure or malfunction. The objective of this work is to build detection systems for ICS that are more accurate and have a very low false-positive rate, while taking into account advanced threats that usually have low activity profiles. We will leverage Machine Learning (ML) techniques, in particular deep learning algorithms over Graph Neural Networks (GNN), to better contextualize observed alerts and to check whether they are really due to an attack, a failure, or an unobserved legitimate action. We will rely on publicly available datasets from the literature and on our own datasets for building and evaluating these models.

  • In-network attack mitigation

    Attack mitigation in ICS is a challenging task, since these systems have very hard availability constraints imposed by the critical tasks they must perform. Building mitigation actions that avoid attacks requires that these actions be deployed in a timely manner and have a very low impact on system operations. Our objective here is to rely on Software-Defined Networks (SDN) and P4-based programmable networks to deploy attack avoidance rules in the network. We will build techniques to automatically generate and deploy remediation rules that avoid attacks by isolating the compromised communication links, or by rerouting the traffic to a backup node when a primary node is compromised. We will mainly rely on reinforcement learning (RL) techniques for selecting the best mitigation policy to deploy and the network device on which it should be deployed. RL techniques have been widely used for many decision-making tasks; in this work, however, we will enhance and validate them so that they react in a timely manner and have very high confidence in their predicted decisions.
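As an added illustration of the rerouting and isolation rules described above (example code written for this page, not the RESIST team's own tooling), the following Python function computes a path to a backup node that avoids every compromised node and emits one rule per switch. The topology, the `TOPOLOGY`/`SWITCHES` names and the rule dictionaries are constructed assumptions standing in for whatever an SDN or P4 controller would actually install.

```python
from collections import deque

# Constructed topology: the HMI reaches the primary PLC (plc1) via s1->s2 and
# its backup (plc2) via s1->s3. Rules are hypothetical dicts standing in for
# what a controller would push; they are not a real P4 or OpenFlow API.
TOPOLOGY = {"hmi": ["s1"], "s1": ["hmi", "s2", "s3"], "s2": ["s1", "plc1"],
            "s3": ["s1", "plc2"], "plc1": ["s2"], "plc2": ["s3"]}
SWITCHES = {"s1", "s2", "s3"}

def shortest_path(topology, src, dst, blocked=frozenset()):
    """BFS shortest path from src to dst that never enters a blocked node."""
    if src in blocked or dst in blocked:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev and nxt not in blocked:
                prev[nxt] = node
                queue.append(nxt)
    return None

def remediation_rules(topology, switches, src, primary, backup, compromised):
    """Reroute src->primary traffic to backup and isolate compromised nodes.
    Returns (path, rules); (None, []) means no clean path exists and the
    controller must report a failed mitigation rather than a success."""
    path = shortest_path(topology, src, backup, set(compromised))
    if path is None:
        return None, []
    rules = []
    for i in range(1, len(path) - 1):          # interior hops are switches
        sw, nxt = path[i], path[i + 1]
        match = {"src": src, "dst": primary if i == 1 else backup}
        action = {"forward": nxt}
        if i == 1:                             # ingress switch retargets the flow
            action["rewrite_dst"] = backup
        rules.append({"switch": sw, "match": match, "action": action})
    for bad in compromised:                    # drop the compromised node's traffic
        for sw in topology.get(bad, []):
            if sw in switches:
                rules.append({"switch": sw, "match": {"peer": bad},
                              "action": {"drop": True}})
    return path, rules
```

Because a missing path is returned explicitly rather than silently producing an empty rule set, the caller can distinguish "nothing to do" from "mitigation impossible", which matters when availability is the primary constraint.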

  • ICS security experimental setup and data collection

    The aforementioned techniques will be evaluated and validated on publicly available datasets and on the experimental platforms (P4 platform and electrical microgrid testbed) available within the RESIST team. During this first year, we will mainly exploit these existing datasets. However, we will also work on extending our experimental testbed to integrate more features, including simulated failures and more sophisticated attacks (APT), into the microgrid testbed.