Data Driven Anomaly Detection and Inference

The detection and subsequent analysis of Industrial Control System (ICS) anomalies, particularly those arising from cyber incidents, has become increasingly challenging as adversaries employ stealthier Programmable Logic Controller (PLC) attack techniques. The current lack of commercial ICS digital forensic tools and solutions prevents cyber practitioners from rapidly assessing an attack and determining how to restore an ICS to a state of normal, safe operation. One of the key challenges when detecting PLC anomalies is assessing and determining the type of anomaly, because different anomalies can present similar observations both physically and virtually: anomalous behaviour resulting from a system fault can produce effects that are indistinguishable from a malicious attack conducted by an advanced cyber adversary.

Research in this theme contributes to a newer and less established field known as anomaly diagnosis, which, while drawing on anomaly detection, focuses on the analysis of anomalous signatures to significantly improve all aspects of incident response. One way we can address this challenge is to devise novel fingerprinting and provenance algorithms that are optimised for the types of data and operations found within ICS environments. Such approaches enable us to perform normal behaviour profiling and to understand the symptomatic behaviours of different anomalies, including how the manipulated data has changed over time.
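To make the idea of normal behaviour profiling concrete, the following is an added illustration (written for this page, not code from the research theme or any of its publications). It builds a simple baseline profile for one PLC process tag from a constructed set of historian samples, flags later samples that leave the baseline band or change faster than the baseline ever did, and then characterises the shape of the anomalous signature over time. The tag name, the sample values, the thresholds and the shape categories are all assumptions chosen for the example; in keeping with the text above, the shape of a signature describes how the data changed, not whether a fault or an adversary caused it.

```python
"""Added example: a minimal normal-behaviour profile for a PLC process tag,
with deviation detection and a description of how the signature evolved.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class TagProfile:
    tag: str
    mean: float
    std: float
    max_step: float  # largest change between consecutive baseline samples


def build_profile(tag, baseline):
    """Learn the normal band and the normal rate of change from a baseline window."""
    steps = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    return TagProfile(tag, mean(baseline), pstdev(baseline), max(steps) if steps else 0.0)


def detect(profile, samples, z=3.0, step_margin=1.5):
    """Return (index, value, reason) for every sample that deviates from the profile.

    'out_of_band'   : more than z standard deviations from the baseline mean
    'rate_of_change': a per-sample jump larger than the baseline ever produced
    """
    findings = []
    prev = None
    for i, v in enumerate(samples):
        reasons = []
        if profile.std > 0 and abs(v - profile.mean) / profile.std > z:
            reasons.append("out_of_band")
        if prev is not None and abs(v - prev) > profile.max_step * step_margin:
            reasons.append("rate_of_change")
        if reasons:
            findings.append((i, v, "+".join(reasons)))
        prev = v
    return findings


def characterise(values):
    """Describe how the anomalous values changed over time (assumed categories)."""
    if len(values) < 2:
        return "single"
    if all(v == values[0] for v in values):
        return "stuck"
    rising = all(b > a for a, b in zip(values, values[1:]))
    falling = all(b < a for a, b in zip(values, values[1:]))
    if rising or falling:
        return "ramp"
    return "irregular"


# Constructed baseline: a tank level hovering around 50.0 during known-good operation.
BASELINE = [50.0, 50.2, 49.9, 50.1, 50.0, 49.8, 50.1, 50.0]
# Constructed later window: the level is driven upward in large steps, then snaps back.
LATER = [50.0, 50.1, 50.3, 55.0, 60.0, 65.0, 50.1]


def analyse_tank_level():
    """Run the profile over the constructed data and summarise the signature."""
    profile = build_profile("TANK1_LEVEL", BASELINE)
    findings = detect(profile, LATER)
    out_of_band = [v for _, v, reason in findings if "out_of_band" in reason]
    return {
        "anomalous_indexes": [i for i, _, _ in findings],
        "first_reason": findings[0][2] if findings else None,
        "last_reason": findings[-1][2] if findings else None,
        "shape": characterise(out_of_band),
    }


if __name__ == "__main__":
    for key, value in analyse_tank_level().items():
        print(f"{key}: {value}")
```

The band check catches values that sit outside normal operation, while the rate-of-change check also catches the return to a plausible value at the end, because a level that legitimately drifted to 65.0 would not fall back to 50.1 in one sample; both kinds of evidence are what an incident responder needs to reconstruct how the data changed, which is the provenance question the text raises.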

Publications