Work Package 3

Behavioural Anomaly Detection (BAD) classification models and process

WP leader: Bjørn Axel Gran, IFE


Incident response and recovery has at least two dimensions: the tactical response based on automatic response (IDS/fingerprints/patterns), and the strategic plan to mitigate and prevent cyber effects or to return to normal operation/recover from an attack. Often the response to a cyber-attack will itself influence the performance of the system. WP3 explores situations where the immediate effects of the detected events are not fully mapped out (situations with uncertainty). An exhaustive approach is not practically viable since: (i) not all configurations and behaviours of the system are known, (ii) there is insufficient data to explain all needed aspects of the system and system effects, and (iii) there is a lack of reference data on system behaviours under cyber conditions. To reduce this uncertainty, the decision making will therefore need to take into account both (i) threat knowledge and (ii) operational knowledge (also called plant/process knowledge). A Bayesian approach will be used as it allows for incomplete data, variability of data (types), expert knowledge/human experience, incorporating different modelling approaches, and a hierarchy of CPSs with time-tagged observations of both continuous (typically physical world) and discrete (typically ICS) nature. The result of the classification is then used as the basis for decision making according to the actual risk criticality schemes.

Tasks:

  • A3.1 Combine context-based model of CPS from WP1 with cyber-attack fingerprints from WP2 to extract patterns with uncertainty.
  • A3.2 Combine the output from A3.1 with threat knowledge and operational knowledge to reduce the area of uncertainty.
  • A3.3 Based on the output from A3.2, generate BAD patterns and decision support in accordance with the process criticality set based on operational know-how / stakeholder input.
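The Bayesian classification described above, and the A3.2/A3.3 fusion of threat and operational knowledge into criticality-based decision support, as an added example that is not part of the WP3 text: a three-state classifier whose prior comes from threat knowledge, whose likelihoods combine a discrete ICS fingerprint observation with a continuous process-variable deviation, and which tolerates missing observations. The state names, probabilities and criticality thresholds are constructed illustrative values, not project data.

```python
import math
from typing import Optional

# Hypotheses the classifier distinguishes. Constructed for this example.
STATES = ("normal", "process_fault", "cyber_attack")
# Threat knowledge enters as the prior P(state). Constructed values.
PRIOR = {"normal": 0.90, "process_fault": 0.07, "cyber_attack": 0.03}
# Discrete ICS observation (WP2-style fingerprint match): P(match | state).
P_FINGERPRINT = {"normal": 0.02, "process_fault": 0.05, "cyber_attack": 0.70}
# Continuous physical observation: deviation of a process variable from its
# setpoint, modelled per state as Gaussian (mean, std) from plant knowledge.
DEVIATION_MODEL = {"normal": (0.0, 1.0), "process_fault": (4.0, 2.0),
                   "cyber_attack": (3.0, 3.0)}


def gaussian_pdf(x: float, mean: float, std: float) -> float:
    """Likelihood of a continuous observation under one state's model."""
    z = (x - mean) / std
    return math.exp(-0.5 * z * z) / (std * math.sqrt(2.0 * math.pi))


def posterior(fingerprint_match: Optional[bool],
              deviation: Optional[float]) -> dict:
    """P(state | observations). A None observation is missing and is skipped,
    so the update degrades gracefully with incomplete data."""
    unnorm = {}
    for state in STATES:
        p = PRIOR[state]
        if fingerprint_match is not None:
            pm = P_FINGERPRINT[state]
            p *= pm if fingerprint_match else 1.0 - pm
        if deviation is not None:
            p *= gaussian_pdf(deviation, *DEVIATION_MODEL[state])
        unnorm[state] = p
    total = sum(unnorm.values())
    return {s: v / total for s, v in unnorm.items()}


def decide(post: dict, criticality: str) -> str:
    """Map the posterior to an action using a per-process criticality threshold:
    a more critical process acts on weaker evidence. Thresholds are placeholders."""
    threshold = {"high": 0.2, "medium": 0.5, "low": 0.8}[criticality]
    if post["cyber_attack"] >= threshold:
        return "escalate_incident_response"
    if post["process_fault"] >= threshold:
        return "operational_follow_up"
    return "monitor"
```

With only a fingerprint match and no process data, the same posterior (about 0.49 for cyber_attack) escalates for a high-criticality process but only keeps monitoring for a medium one, which is the criticality-dependent decision support A3.3 describes.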