DEtection and Handling of CybEr-Physical Attacks

Duration: 2020 – 2022
Call/Grant: National research project funded by the FFG in course of the ICT of the Future research programme
Role: Contributor

Abstract: While there exist numerous behavior-based anomaly detection approaches for enterprise-IT security, they are not easily applicable to other domains, e.g. embedded systems and IoT. They are usually highly optimized for specific purposes, are tightly bound to domain-specific technologies and rely on a specific syntax of investigated data or events. DECEPT will provide a generally applicable cross-domain anomaly detection approach, that monitors unstructured textual event data (i.e., log data of any form, encoding, size or frequency), and implement unsupervised self-learning, which supports applications in different independent domains. To emphasize general applicability, a parser generator will be developed that applies unsupervised self-learning to establish a model of normal system behavior on top of observed system events, which then can be leveraged to detect anomalies that manifest in deviations from that baseline. Furthermore, a concept for unsupervised anomaly detection will be designed, implemented and validated that applies machine learning techniques, correlation rules, time series analysis and statistical rules that will be automatically generated and afterwards evaluated with a smart rule generator and evaluator. DECEPT’s general and cross-domain applicability will be demonstrated in the domains of (i) Enterprise IT security and (ii) Embedded Systems/IoT security. Concrete proof of concepts to be realized are anomaly detection for Web-server landscape security and IT-supported facility security. In light of the GDPR, technical developments will be supervised by a legal expert to aid the later potential commercial exploitation of DECEPT.