While advanced industrial control system (ICS) attacks use multiple phases to launch their final attacks, existing security devices can only monitor local data, without considering the consequences of an attack for other components. Identifying the causal relationships between events in device logs can provide comprehensive, system-wide visibility in industrial networks.
Changes in one device log may trigger changes in other logs. The analysis of causal relationships can therefore be used to predict causal interactions in networks. For example, it can help to predict the next goal of a multi-step attack scenario. This extracted causal knowledge provides a plan of action that non-professionals can use to improve their ICS security.
A causal connection indicates that events are conditionally dependent on each other. Various algorithms have been devised to find causal relationships among events; these relationships can be used to identify the causes behind system failures and to implement remedial actions. The process of finding causal relationships will be reviewed in this project.
In this research project you will:
- identify the state-of-the-art techniques in causality analysis
- implement a causal extraction technique for ICS networks to demonstrate the efficiency of this technique in log analysis.
This project aims to review state-of-the-art techniques for extracting causal relationships among alerts. In addition, a causal extraction technique will be implemented to analyse the process logs of ICS networks.
The outcomes of this project will demonstrate how causality analysis can be used to improve the cybersecurity of ICS networks. An example of a causal extraction technique and its MATLAB code are available in this Nature Communications article: Causal decomposition in the mutual causation system.
Skills and experience
Assumed knowledge includes an understanding of computer networks.
You must also have:
- good writing skills
- experience with network devices and software.
Contact the supervisor for more information.