Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning

Alfan Presekal; Alexandru Stefanov; Vetrivel Subramaniam Rajkumar; Peter Palensky

doi:10.1109/SmartGridComm57358.2023.10333922

Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning

Alfan Presekal^*, Alexandru Stefanov, Vetrivel Subramaniam Rajkumar, Peter Palensky

^*Corresponding author for this work

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

Abstract

The cyber attacks in Ukraine in 2015 and 2016 demonstrated the vulnerability of electrical power grids to cyber threats. They highlighted the significance of Operational Technology (OT) communication-based anomaly detection. Many anomaly detection methods are based on real-time traffic monitoring, i.e., Intrusion Detection Systems (IDS) that may produce false positives and degrade the OT communication performance. Security Operations Center (SOC) needs intelligent tools to conduct forensic analysis on generated IDS alarms and identify the attack locations. Therefore, in this paper, we propose a novel, graph-based forensic analysis method for anomaly detection in power systems using OT communication network traffic throughput. It employs a hybrid deep learning model involving Graph Convolutional Long Short-Term Memory and a Convolutional Neural Network. The proposed method aids SOC with continuous OT security monitoring and post-mortem investigations. Results indicate that the proposed method is able to pinpoint the locations of cyber attacks on power grid OT networks with an AUC score above 75%.

Original language	English
Title of host publication	Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)
Place of Publication	Piscataway
Publisher	IEEE
Number of pages	7
ISBN (Electronic)	978-1-6654-5556-5
ISBN (Print)	978-1-6654-5557-2
DOIs	https://doi.org/10.1109/SmartGridComm57358.2023.10333922
Publication status	Published - 2023
Event	IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids - Glasgow, United Kingdom Duration: 31 Oct 2023 → 3 Nov 2023

Publication series

Name	2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings

Conference

Conference	IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids
Abbreviated title	SmartGridComm
Country/Territory	United Kingdom
City	Glasgow
Period	31/10/23 → 3/11/23

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

Anomaly Detection
Attack Graph
CNN
Cyber Security
Digital Forensics
Graph
GNN
LSTM
Operational Technology

Access to Document

10.1109/SmartGridComm57358.2023.10333922

Cite this

Presekal, A., Stefanov, A., Rajkumar, V. S., & Palensky, P. (2023). Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning. In Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm) (2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings). IEEE. https://doi.org/10.1109/SmartGridComm57358.2023.10333922

Presekal, Alfan ; Stefanov, Alexandru ; Rajkumar, Vetrivel Subramaniam et al. / Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning. Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). Piscataway : IEEE, 2023. (2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings).

@inproceedings{513b5e4f880f42dabcc3b48e0383331d,

title = "Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning",

abstract = "The cyber attacks in Ukraine in 2015 and 2016 demonstrated the vulnerability of electrical power grids to cyber threats. They highlighted the significance of Operational Technology (OT) communication-based anomaly detection. Many anomaly detection methods are based on real-time traffic monitoring, i.e., Intrusion Detection Systems (IDS) that may produce false positives and degrade the OT communication performance. Security Operations Center (SOC) needs intelligent tools to conduct forensic analysis on generated IDS alarms and identify the attack locations. Therefore, in this paper, we propose a novel, graph-based forensic analysis method for anomaly detection in power systems using OT communication network traffic throughput. It employs a hybrid deep learning model involving Graph Convolutional Long Short-Term Memory and a Convolutional Neural Network. The proposed method aids SOC with continuous OT security monitoring and post-mortem investigations. Results indicate that the proposed method is able to pinpoint the locations of cyber attacks on power grid OT networks with an AUC score above 75%.",

keywords = "Anomaly Detection, Attack Graph, CNN, Cyber Security, Digital Forensics, Graph, GNN, LSTM, Operational Technology",

author = "Alfan Presekal and Alexandru Stefanov and Rajkumar, {Vetrivel Subramaniam} and Peter Palensky",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm ; Conference date: 31-10-2023 Through 03-11-2023",

year = "2023",

doi = "10.1109/SmartGridComm57358.2023.10333922",

language = "English",

isbn = "978-1-6654-5557-2",

series = "2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings",

publisher = "IEEE",

booktitle = "Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)",

address = "United States",

}

Presekal, A , Stefanov, A , Rajkumar, VS & Palensky, P 2023, Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning. in Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). 2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings, IEEE, Piscataway, IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, Glasgow, United Kingdom, 31/10/23. https://doi.org/10.1109/SmartGridComm57358.2023.10333922

Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning. / Presekal, Alfan ; Stefanov, Alexandru ; Rajkumar, Vetrivel Subramaniam et al.
Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). Piscataway: IEEE, 2023. (2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning

AU - Presekal, Alfan

AU - Stefanov, Alexandru

AU - Rajkumar, Vetrivel Subramaniam

AU - Palensky, Peter

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2023

Y1 - 2023

N2 - The cyber attacks in Ukraine in 2015 and 2016 demonstrated the vulnerability of electrical power grids to cyber threats. They highlighted the significance of Operational Technology (OT) communication-based anomaly detection. Many anomaly detection methods are based on real-time traffic monitoring, i.e., Intrusion Detection Systems (IDS) that may produce false positives and degrade the OT communication performance. Security Operations Center (SOC) needs intelligent tools to conduct forensic analysis on generated IDS alarms and identify the attack locations. Therefore, in this paper, we propose a novel, graph-based forensic analysis method for anomaly detection in power systems using OT communication network traffic throughput. It employs a hybrid deep learning model involving Graph Convolutional Long Short-Term Memory and a Convolutional Neural Network. The proposed method aids SOC with continuous OT security monitoring and post-mortem investigations. Results indicate that the proposed method is able to pinpoint the locations of cyber attacks on power grid OT networks with an AUC score above 75%.

AB - The cyber attacks in Ukraine in 2015 and 2016 demonstrated the vulnerability of electrical power grids to cyber threats. They highlighted the significance of Operational Technology (OT) communication-based anomaly detection. Many anomaly detection methods are based on real-time traffic monitoring, i.e., Intrusion Detection Systems (IDS) that may produce false positives and degrade the OT communication performance. Security Operations Center (SOC) needs intelligent tools to conduct forensic analysis on generated IDS alarms and identify the attack locations. Therefore, in this paper, we propose a novel, graph-based forensic analysis method for anomaly detection in power systems using OT communication network traffic throughput. It employs a hybrid deep learning model involving Graph Convolutional Long Short-Term Memory and a Convolutional Neural Network. The proposed method aids SOC with continuous OT security monitoring and post-mortem investigations. Results indicate that the proposed method is able to pinpoint the locations of cyber attacks on power grid OT networks with an AUC score above 75%.

KW - Anomaly Detection

KW - Attack Graph

KW - CNN

KW - Cyber Security

KW - Digital Forensics

KW - Graph

KW - GNN

KW - LSTM

KW - Operational Technology

UR - http://www.scopus.com/inward/record.url?scp=85180795302&partnerID=8YFLogxK

U2 - 10.1109/SmartGridComm57358.2023.10333922

DO - 10.1109/SmartGridComm57358.2023.10333922

M3 - Conference contribution

SN - 978-1-6654-5557-2

T3 - 2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings

BT - Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)

PB - IEEE

CY - Piscataway

T2 - IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids

Y2 - 31 October 2023 through 3 November 2023

ER -

Presekal A , Stefanov A , Rajkumar VS , Palensky P. Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning. In Proceedings of the IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). Piscataway: IEEE. 2023. (2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2023 - Proceedings). doi: 10.1109/SmartGridComm57358.2023.10333922

Cyber Forensic Analysis for Operational Technology Using Graph-Based Deep Learning

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Embargoed Document

Fingerprint

Cite this