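@comment{ NOMS 2024 conference paper as exported from IEEE Xplore, cleaned up:
  the empty volume and number fields are dropped (they only produce empty-field
  warnings), the page range uses the double hyphen, NOMS and IEEE are
  brace-protected in booktitle so no style can recase them, and the last author
  is entered in "Last, First" form with the two-word surname Dreo Rodosek (the
  export had split it as surname Rodosek, given names Gabi Dreo). keywords is
  the semicolon-separated Xplore list; standard styles do not print it. }
@inproceedings{10575161,
  author    = {Buchta, Robin and Fritz, Tobias and Kleiner, Carsten and Heine, Felix and Dreo Rodosek, Gabi},
  title     = {One-Class Learning on Temporal Graphs for Attack Detection in Cyber-Physical Systems},
  booktitle = {{NOMS} 2024-2024 {IEEE} Network Operations and Management Symposium},
  year      = {2024},
  pages     = {1--5},
  doi       = {10.1109/NOMS59830.2024.10575161},
  keywords  = {Industries;Image edge detection;Training data;Intrusion detection;Focusing;Cyber-physical systems;Graph neural networks;Anomaly Detection;Temporal Graph Neural Networks;Network Attack Detection;Cyber-Physical Systems},
  abstract  = {Various domains, including critical infrastructures, industry, and the private sector, deploy cyber-physical systems (CPS). These systems integrate IT and OT components and interact with the environment and therefore differ significantly from pure IT setups. However, CPS often operate as black boxes, hindering effective attack detection. Our research addresses the challenge of detecting attacks in CPS relying on network data and learning on normal behavior. We show the performance of two methods in use for attack detection without attack knowledge. We propose new memory update strategies that can be used in practice. Specifically, we optimize for temporal graphs using graph neural networks (GNN) to capture system behavior. Negative sampling helps to use one-class learning. Our results show that a temporal graph network (TGN), combined with negative sampling, is suitable for one-class learning and can be used for attack detection. Additionally, a simple heuristic suffices for detecting basic attacks. Notably, existing benchmark datasets do not adequately support one-class learning, highlighting the need for tailored evaluation.},
}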
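@comment{ Springer chapter in Foundations and Practice of Security, as exported
  by the publisher, cleaned up: the DOI that the export used as the citation key
  is recorded in its own doi field (bare DOI, no resolver prefix), and APT is
  brace-protected in title so sentence-casing styles keep the acronym. The
  editor list and the accented surname (Sedes, entered as a BibTeX special
  character) are kept as exported. Series and volume are not in the export
  and are deliberately not guessed. }
@inproceedings{10.1007/978-3-031-57540-2_3,
  author    = {Gesell, Jan Eske and Buchta, Robin and Dangendorf, Kilian and Franzke, Pascal and Heine, Felix and Kleiner, Carsten},
  editor    = {Mosbah, Mohamed and S{\`e}des, Florence and Tawbi, Nadia and Ahmed, Toufik and Boulahia-Cuppens, Nora and Garcia-Alfaro, Joaquin},
  title     = {Comparative Analysis of Reduction Methods on Provenance Graphs for {APT} Attack Detection},
  booktitle = {Foundations and Practice of Security},
  year      = {2024},
  publisher = {Springer Nature Switzerland},
  address   = {Cham},
  pages     = {28--39},
  isbn      = {978-3-031-57540-2},
  doi       = {10.1007/978-3-031-57540-2_3},
  abstract  = {Data reduction is a critical aspect of current research in advanced persistent threat attack detection. The challenge is handling the huge amount of data generated by system logging, which exposes dependencies among system entities, often depicted as provenance graphs. Data reduction methods aim to reduce the data size of provenance graphs, but their evaluation on non-public datasets limits the results' transferability and general applicability. This study compares state-of-the-art reduction methods for APT Attack Detection on publicly available provenance graph datasets, exploring their dependencies on graph characteristics and attack detection methods. One outcome of the work is that the effectiveness of many reduction methods depends highly on the underlying data. And secondly, using a reduction method does not necessarily negatively affect detection quality.},
}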