2022
Panagiotis Radoglou Grammatikis; Panagiotis Sarigiannidis; Panagiotis Diamantoulakis; Thomas Lagkas; Theocharis Saoulidis; Eleftherios Fountoukidis; George Karagiannidis
Strategic Honeypot Deployment in Ultra-Dense Beyond 5G Networks: A Reinforcement Learning Approach Journal Article
In: IEEE Transactions on Emerging Topics in Computing, 2022, ISSN: 2168-6750.
Abstract | BibTeX | Tags: Honeypot, Intrusion detection, ReinforcementLearning, Wireless communication | Links:
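@article{articledb,
  author        = {Radoglou Grammatikis, Panagiotis and Sarigiannidis, Panagiotis and Diamantoulakis, Panagiotis and Lagkas, Thomas and Saoulidis, Theocharis and Fountoukidis, Eleftherios and Karagiannidis, George},
  title         = {Strategic Honeypot Deployment in Ultra-Dense Beyond {5G} Networks: A Reinforcement Learning Approach},
  journal       = {IEEE Transactions on Emerging Topics in Computing},
  year          = {2022},
  date          = {2022-06-01},
  doi           = {10.1109/TETC.2022.3184112},
  issn          = {2168-6750},
  url           = {https://www.researchgate.net/publication/361139812_Strategic_Honeypot_Deployment_in_Ultra-Dense_Beyond_5G_Networks_A_Reinforcement_Learning_Approach},
  urldate       = {2022-01-01},
  abstract      = {The progression of Software Defined Networking (SDN) and the virtualisation technologies lead to the beyond 5G era, providing multiple benefits in the smart economies. However, despite the advantages, security issues still remain. In particular, SDN/NFV and cloud/edge computing are related to various security issues. Moreover, due to the wireless nature of the entities, they are prone to a wide range of cyberthreats. Therefore, the presence of appropriate intrusion detection mechanisms is critical. Although both Machine Learning (ML) and Deep Learning (DL) have optimised the typical rule-based detection systems, the use of ML and DL requires labelled pre-existing datasets. However, this kind of data varies based on the nature of the respective environment. Another smart solution for detecting intrusions is to use honeypots. A honeypot acts as a decoy with the goal to mislead the cyberattacker and protect the real assets. In this paper, we focus on Wireless Honeypots (WHs) in ultradense networks. In particular, we introduce a strategic honeypot deployment method, using two Reinforcement Learning (RL) techniques: (a) e-Greedy and (b) Q-Learning. Both methods aim to identify the optimal number of honeypots that can be deployed for protecting the actual entities. The experimental results demonstrate the efficacy of both methods.},
  keywords      = {Honeypot, Intrusion detection, Reinforcement Learning, Wireless communication},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Review: urldate (2022-01-01) predates the publication date and looks like an export default; confirm the real access date. The surname is entered as "Radoglou Grammatikis" as on this entry; other entries on the page hyphenate it.},
}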
Vasiliki Kelli; Panagiotis Radoglou-Grammatikis; Achilleas Sesis; Thomas Lagkas; Eleftherios Fountoukidis; Emmanouil Kafetzakis; Ioannis Giannoulakis; Panagiotis Sarigiannidis
Attacking and Defending DNP3 ICS/SCADA Systems Conference
2022 18th International Conference on Distributed Computing in Sensor Systems (DCOSS), 2022, ISBN: 978-1-6654-9512-7.
Abstract | BibTeX | Tags: cyberattack, DNP3, ICS, Intrusion detection, SCADA | Links:
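@inproceedings{9881726,
  author    = {Kelli, Vasiliki and Radoglou-Grammatikis, Panagiotis and Sesis, Achilleas and Lagkas, Thomas and Fountoukidis, Eleftherios and Kafetzakis, Emmanouil and Giannoulakis, Ioannis and Sarigiannidis, Panagiotis},
  title     = {Attacking and Defending {DNP3} {ICS/SCADA} Systems},
  booktitle = {2022 18th International Conference on Distributed Computing in Sensor Systems (DCOSS)},
  pages     = {183--190},
  year      = {2022},
  date      = {2022-05-30},
  doi       = {10.1109/DCOSS54816.2022.00041},
  isbn      = {978-1-6654-9512-7},
  abstract  = {The highly beneficial contribution of intelligent systems in the industrial domain is undeniable. Automation, supervision, remote control, and fault reduction are some of the various advantages new technologies offer. A protocol demonstrating high utility in industrial settings, and specifically, in smart grids, is Distributed Network Protocol 3 (DNP3), a multi-tier, application layer protocol. Notably, multiple industrial protocols are not as securely designed as expected, considering the highly critical operations occurring in their application domain. In this paper, we explore the internal vulnerabilities-by-design of DNP3, and proceed with the implementation of the attacks discovered, demonstrated through 8 DNP3 attack scenarios. Finally, we design and demonstrate a Deep Neural Network (DNN)-based, multi-model Intrusion Detection Systems (IDS), trained with our experimental network flow cyberattack dataset, and compare our solution with multiple machine learning algorithms used for classification. Our solution demonstrates a high efficiency in the classification of DNP3 cyberattacks, showing an accuracy of 99.0\%.},
  keywords  = {cyberattack, DNP3, ICS, Intrusion detection, SCADA},
  pubstate  = {published},
  tppubtype = {conference},
}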
2021
P. Radoglou-Grammatikis; P. Sarigiannidis; E. Iturbe; E. Rios; S. Martinez; A. Sarigiannidis; G. Efstathopoulos; I. Spyridis; A. Sesis; N. Vakakis; D. Tzovaras; E. Kafetzakis; I. Giannoulakis; M. Tzifas; A. Giannakoulias; M. Angelopoulos; F. Ramos
SPEAR SIEM: A Security Information and Event Management system for the Smart Grid Journal Article
In: Computer Networks, pp. 108008, 2021.
Abstract | BibTeX | Tags: Anomaly Detection, Cybersecurity, Deep Learning, Intrusion detection, machine learning, SCADA, Security Information and Event Management, Smart Grid | Links:
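@article{RadoglouGrammatikis2021,
  author        = {Radoglou-Grammatikis, P. and Sarigiannidis, P. and Iturbe, E. and Rios, E. and Martinez, S. and Sarigiannidis, A. and Efstathopoulos, G. and Spyridis, I. and Sesis, A. and Vakakis, N. and Tzovaras, D. and Kafetzakis, E. and Giannoulakis, I. and Tzifas, M. and Giannakoulias, A. and Angelopoulos, M. and Ramos, F.},
  title         = {{SPEAR} {SIEM}: A Security Information and Event Management system for the {Smart Grid}},
  journal       = {Computer Networks},
  pages         = {108008},
  publisher     = {Elsevier BV},
  year          = {2021},
  date          = {2021-04-01},
  doi           = {10.1016/j.comnet.2021.108008},
  url           = {https://www.researchgate.net/publication/350287201_SPEAR_SIEM_A_Security_Information_and_Event_Management_system_for_the_Smart_Grid},
  abstract      = {The technological leap of smart technologies has brought the conventional electrical grid in a new digital era called Smart Grid (SG), providing multiple benefits, such as two-way communication, pervasive control and self-healing. However, this new reality generates significant cybersecurity risks due to the heterogeneous and insecure nature of SG. In particular, SG relies on legacy communication protocols that have not been implemented having cybersecurity in mind. Moreover, the advent of the Internet of Things (IoT) creates severe cybersecurity challenges. The Security Information and Event Management (SIEM) systems constitute an emerging technology in the cybersecurity area, having the capability to detect, normalise and correlate a vast amount of security events. They can orchestrate the entire security of a smart ecosystem, such as SG. Nevertheless, the current SIEM systems do not take into account the unique SG peculiarities and characteristics like the legacy communication protocols. In this paper, we present the Secure and PrivatE smArt gRid (SPEAR) SIEM, which focuses on SG. The main contribution of our work is the design and implementation of a SIEM system capable of detecting, normalising and correlating cyberattacks and anomalies against a plethora of SG application-layer protocols. It is noteworthy that the detection performance of the SPEAR SIEM is demonstrated with real data originating from four real SG use case (a) hydropower plant, (b) substation, (c) power plant and (d) smart home.},
  keywords      = {Anomaly Detection, Cybersecurity, Deep Learning, Intrusion detection, machine learning, SCADA, Security Information and Event Management, Smart Grid},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Review: pages holds the article number (no page range given). The surname "Efstathopoulos" was spelled "Eftathopoulos" in the export; the DIDEROT entry on the same page spells it "Efstathopoulos" -- confirm against the DOI record.},
}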
2020
P. Radoglou-Grammatikis; P. Sarigiannidis; E. Iturbe; E. Rios; A. Sarigiannidis; O. Nikolis; D. Ioannidis; V. Machamint; M. Tzifas; A. Giannakoulias; M. Angelopoulos; A. Papadopoulos; F. Ramos
Secure and private smart grid: The SPEAR architecture Conference
2020 6th IEEE Conference on Network Softwarization (NetSoft), IEEE, 2020.
Abstract | BibTeX | Tags: Anomaly Detection, Anonymity, Cybersecurity, Forensics, Honeypots, Intrusion detection, Privacy, Smart Grid | Links:
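@inproceedings{Grammatikis2020450,
  author        = {Radoglou-Grammatikis, P. and Sarigiannidis, P. and Iturbe, E. and Rios, E. and Sarigiannidis, A. and Nikolis, O. and Ioannidis, D. and Machamint, V. and Tzifas, M. and Giannakoulias, A. and Angelopoulos, M. and Papadopoulos, A. and Ramos, F.},
  title         = {Secure and private smart grid: The {SPEAR} architecture},
  booktitle     = {2020 6th IEEE Conference on Network Softwarization (NetSoft)},
  pages         = {450--456},
  publisher     = {IEEE},
  year          = {2020},
  date          = {2020-06-01},
  doi           = {10.1109/NetSoft48620.2020.9165420},
  url           = {https://www.researchgate.net/publication/343621502_Secure_and_Private_Smart_Grid_The_SPEAR_Architecture},
  abstract      = {Information and Communication Technology (ICT) is an integral part of Critical Infrastructures (CIs), bringing both significant pros and cons. Focusing our attention on the energy sector, ICT converts the conventional electrical grid into a new paradigm called Smart Grid (SG), providing crucial benefits such as pervasive control, better utilisation of the existing resources, self-healing, etc. However, in parallel, ICT increases the attack surface of this domain, generating new potential cyberthreats. In this paper, we present the Secure and PrivatE smArt gRid (SPEAR) architecture which constitutes an overall solution aiming at protecting SG, by enhancing situational awareness, detecting timely cyberattacks, collecting appropriate forensic evidence and providing an anonymous cybersecurity information-sharing mechanism. Operational characteristics and technical specifications details are analysed for each component, while also the communication interfaces among them are described in detail. © 2020 IEEE.},
  keywords      = {Anomaly Detection, Anonymity, Cybersecurity, Forensics, Honeypots, Intrusion detection, Privacy, Smart Grid},
  pubstate      = {published},
  tppubtype     = {conference},
  internal-note = {Review: the export also carried the proceedings title in a journal field, which does not belong on a conference paper: "Proceedings of the 2020 IEEE Conference on Network Softwarization: Bridging the Gap Between AI and Network Softwarization, NetSoft 2020". The "_sg" query parameter was removed from the url; it is not part of the publication address.},
}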
P. Radoglou-Grammatikis; P. Sarigiannidis; G. Efstathopoulos; P.-A. Karypidis; A. Sarigiannidis
DIDEROT: An intrusion detection and prevention system for DNP3-based SCADA systems Conference
2020.
Abstract | BibTeX | Tags: Anomaly Detection, Autoencoder, Intrusion detection, machine learning, SCADA, SDN, Smart Grid | Links:
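@inproceedings{Radoglou-Grammatikis2020b,
  author        = {Radoglou-Grammatikis, P. and Sarigiannidis, P. and Efstathopoulos, G. and Karypidis, P.-A. and Sarigiannidis, A.},
  title         = {{DIDEROT}: An intrusion detection and prevention system for {DNP3}-based {SCADA} systems},
  series        = {ACM International Conference Proceeding Series},
  year          = {2020},
  date          = {2020-01-01},
  doi           = {10.1145/3407023.3409314},
  url           = {https://www.researchgate.net/publication/343853580_DIDEROT_an_intrusion_detection_and_prevention_system_for_DNP3-based_SCADA_systems},
  abstract      = {In this paper, an Intrusion Detection and Prevention System (IDPS) for the Distributed Network Protocol 3 (DNP3) Supervisory Control and Data Acquisition (SCADA) systems is presented. The proposed IDPS is called DIDEROT (Dnp3 Intrusion DetEction pReventiOn sysTem) and relies on both supervised Machine Learning (ML) and unsupervised/outlier ML detection models capable of discriminating whether a DNP3 network flow is related to a particular DNP3 cyberattack or anomaly. First, the supervised ML detection model is applied, trying to identify whether a DNP3 network flow is related to a specific DNP3 cyberattack. If the corresponding network flow is detected as normal, then the unsupervised/outlier ML anomaly detection model is activated, seeking to recognise the presence of a possible anomaly. Based on the DIDEROT detection results, the Software Defined Networking (SDN) technology is adopted in order to mitigate timely the corresponding DNP3 cyberattacks and anomalies. The performance of DIDEROT is demonstrated using real data originating from a substation environment. © 2020 ACM.},
  keywords      = {Anomaly Detection, Autoencoder, Intrusion detection, machine learning, SCADA, SDN, Smart Grid},
  pubstate      = {published},
  tppubtype     = {conference},
  internal-note = {Review: booktitle is missing and is required for a conference paper; take the proceedings title from the DOI record. The series name was exported in a journal field. The date 2020-01-01 looks like an export default -- confirm.},
}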
2019
G. Loukas; E. Karapistoli; E. Panaousis; P. Sarigiannidis; A. Bezemskij; T. Vuong
A taxonomy and survey of cyber-physical intrusion detection approaches for vehicles Journal Article
In: Ad Hoc Networks, vol. 84, pp. 124-147, 2019.
Abstract | BibTeX | Tags: Aircraft, Automobiles, Cyber security, Cyber-physical systems, Driverless pods, Intrusion detection, Robotic land vehicles, unmanned aerial vehicles, VANET, Vehicles, Vehicular networks | Links:
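@article{Loukas2019124,
  author        = {Loukas, G. and Karapistoli, E. and Panaousis, E. and Sarigiannidis, P. and Bezemskij, A. and Vuong, T.},
  title         = {A taxonomy and survey of cyber-physical intrusion detection approaches for vehicles},
  journal       = {Ad Hoc Networks},
  volume        = {84},
  pages         = {124--147},
  year          = {2019},
  date          = {2019-01-01},
  doi           = {10.1016/j.adhoc.2018.10.002},
  url           = {https://www.researchgate.net/publication/328025147_A_taxonomy_and_survey_of_cyber-physical_intrusion_detection_approaches_for_vehicles},
  abstract      = {With the growing threat of cyber and cyber-physical attacks against automobiles, drones, ships, driverless pods and other vehicles, there is also a growing need for intrusion detection approaches that can facilitate defence against such threats. Vehicles tend to have limited processing resources and are energy-constrained. So, any security provision needs to abide by these limitations. At the same time, attacks against vehicles are very rare, often making knowledge-based intrusion detection systems less practical than behaviour-based ones, which is the reverse of what is seen in conventional computing systems. Furthermore, vehicle design and implementation can differ wildly between different types or different manufacturers, which can lead to intrusion detection designs that are vehicle-specific. Equally importantly, vehicles are practically defined by their ability to move, autonomously or not. Movement, as well as other physical manifestations of their operation may allow cyber security breaches to lead to physical damage, but can also be an opportunity for detection. For example, physical sensing can contribute to more accurate or more rapid intrusion detection through observation and analysis of physical manifestations of a security breach. This paper presents a classification and survey of intrusion detection systems designed and evaluated specifically on vehicles and networks of vehicles. Its aim is to help identify existing techniques that can be adopted in the industry, along with their advantages and disadvantages, as well as to identify gaps in the literature, which are attractive and highly meaningful areas of future research. © 2018 Elsevier B.V.},
  keywords      = {Aircraft, Automobiles, Cyber security, Cyber-physical systems, Driverless pods, Intrusion detection, Robotic land vehicles, unmanned aerial vehicles, VANET, Vehicles, Vehicular networks},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Review: the date 2019-01-01 looks like an export default; confirm the issue date before relying on the month and day.},
}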