DOI QR코드

DOI QR Code

Event Log Validity Analysis for Detecting Threats by Insiders in Control System

  • Kim, Jongmin (Department of Convergence Security, Kyonggi University) ;
  • Kang, Jiwon (Department of Information Security, Sejong University) ;
  • Lee, DongHwi (Department of Information Security, Dongshin University)
  • 투고 : 2019.11.15
  • 심사 : 2020.03.25
  • 발행 : 2020.03.31

초록

Owing to the convergence of the communication network with the control system and public network, security threats, such as information leakage and falsification, have become possible through various routes. If we examine closely at the security type of the current control system, the operation of the security system focuses on the threats made from outside to inside, so the study on the detection system of the security threats conducted by insiders is inadequate. Thus, this study, based on "Spotting the Adversary with Windows Event Log Monitoring," published by the National Security Agency, found that event logs can be utilized for the detection and maneuver of threats conducted by insiders, by analyzing the validity of detecting insider threats to the control system with the list of important event logs.

키워드

참고문헌

  1. D. H. Lee and K.H. Choi, "A study of an anomalous event detection using white-list on control networks," Journal of Convergence Security, vol. 12. no. 4, pp. 77-84, 2012.
  2. S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, and A. Valdes, "Using model-based intrusion detection for scada networks," in Proceedings of the SCADA Security Scientific Symposium, Miami Beach: FL, pp. 1-7, 2007.
  3. A. Valdes and S. Cheung, "Communication pattern anomaly detection in process control systems technologies for homeland security," in Proceedings of IEEE International Conference on Technologies for Homeland Security, Boston: MA, pp. 22-29, 2009. DOI: 10.1109/ THS.2009.5168010.
  4. S. Parthasarathy and D. Kundur, "Bloom filter based intrusion detection for smart grid SCADA," in Proceedings of IEEE Canadian Conference on Electrical and Computer Engineering (CCECE), Montreal: QC, pp. 1-6, 2012. DOI: 10.1109/CCECE.2012.6334816.
  5. M. Naedele, D. Dzung and M. Stanimirov, "Network security for substation automation systems", in Proceedings of the 20th International Conference on Computer Safety, Reliability and Security, Berlin: Heidelberg, pp. 25-34, 2001.
  6. J. Hoyos, M. Dehus and T. X. Brown, "Exploiting the GOOSE protocol: A practical attack on Cyber-infrastructure," in Proceedings of IEEE Globecom Workshops, Anaheim: CA, pp. 1508-1513, 2012. DOI: 10.1109/GLOCOMW.2012.6477809.
  7. M. Kalech, "Cyber-attack detection in SCADA systems using temporal pattern recognition techniques," Journal of Computers & Security, vol. 84, pp. 225-238, 2019. DOI: 10.1016/j.cose.2019.03.007.
  8. T. Onoda, "Machine learning based intrusion detection in control system communication," Design and Analysis of Distributed Energy Management Systems, pp. 167-202, 2020, DOI: 10.1007/978-3-030-33672-1_9.
  9. M. Minasi, D. Gibson, A. Finn and B. Henry, Mastering Windows Server 2008 R2, Indianapolis, IN, Wiley, p. 921, 2010.
  10. National Security Agency, Spotting the Adversary with Windows Event Log Monitoring, [Internet], Available: https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm/.
  11. S.T. Ung, "The development of safety and security assessment techniques and their application to port operations," Ph.D. Thesis, School of Engineering, Liverpool John Moores University, UK, 2007.
  12. S.W. Kim, A. Wall and J. Wang, "Application of AHP to fire safety based decision making of a passenger ship," Opsearch, vol. 45, No. 3, pp. 249-262, 2017. DOI: 10.1007/BF03398817.
  13. T.L. Saaty, "Decision making with the analytic hierarchy process," International Journal of Services Sciences, vol. 1. no. 1, pp. 83-98, 2008. DOI: 10.1007/BF03398817.