The presentation discusses the development of a graph convolutional network-based suspicious communication pair estimation (GCN SCOPE) for industrial control systems to reduce false positives in security monitoring.
- Whitelisting is a common security monitoring method for industrial control systems, but it causes frequent false detections.
- The proposed GCN SCOPE method uses relational graph convolution networks to score communications and judge whether they are normal or anomalous.
- The method was evaluated using network traffic data from three factories owned by Panasonic Corporation and achieved a high receiver operating characteristic area under the curve.
- The GCN SCOPE method outperformed baseline approaches such as DistMult and heuristics.
- The method enables security operators to focus on significant alerts.
The presentation highlights the importance of monitoring and securing industrial control systems to mitigate the threat of cyber attacks. The speaker mentions notorious malware such as Triton and WannaCry, which have caused critical damage to ICS-specific assets. Using AI and machine learning algorithms to learn what normal behaviour looks like and to analyze the collected data is emphasized as an effective approach to monitoring and securing ICS facilities.
Whitelisting is considered an effective security monitoring method for networks used in industrial control systems, where the whitelists consist of observed tuples of the IP address of the server, the TCP/UDP port number, and the IP address of the client (communication triplets). However, this method causes frequent false detections.
To reduce false positives due to a simple whitelist-based judgment, we propose a new framework for scoring communications to judge whether the communications not present in whitelists are normal or anomalous.
To solve this problem, we developed a graph convolutional network-based suspicious communication pair estimation (GCN SCOPE) using relational graph convolution networks, which are learning-based methods that operate in the graph domain, and evaluated its performance.
For this, we collected the network traffic of three factories owned by Panasonic Corporation, Japan. Each factory produces different items, and the installed facilities, communication protocols, and network configurations are completely different depending on the factories.
The proposed method achieved a receiver operating characteristic area under the curve of 0.957, which outperforms baseline approaches such as DistMult, a method that directly optimizes the node embeddings, and heuristics, which score the triplets using first- and second-order proximities of multigraphs. This method enables security operators to concentrate on significant alerts.
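The following is an added example, not code from the presentation or from Panasonic: it builds a whitelist of (server IP, port, client IP) triplets from a constructed learning period and scores triplets that are absent from the whitelist with an assumed proximity heuristic of the kind the baseline uses (first-order proximity: the client already talks to that server on some port; second-order proximity: overlap between the client's services and those of clients already allowed on that service). The exact weighting and the Jaccard measure are assumptions, chosen so that an operator can rank alerts rather than treat every non-whitelisted triplet alike.

```python
from collections import defaultdict

# Constructed sample whitelist: (server_ip, tcp_udp_port, client_ip) triplets observed
# during a learning period. Addresses and ports are made up for illustration.
WHITELIST = {
    ("10.0.0.10", 502, "10.0.1.1"),   # PLC-A Modbus/TCP <- HMI-1
    ("10.0.0.10", 502, "10.0.1.2"),   # PLC-A Modbus/TCP <- HMI-2
    ("10.0.0.11", 502, "10.0.1.1"),   # PLC-B Modbus/TCP <- HMI-1
    ("10.0.0.11", 502, "10.0.1.3"),   # PLC-B Modbus/TCP <- engineering station
    ("10.0.0.20", 443, "10.0.1.1"),   # historian HTTPS <- HMI-1
    ("10.0.0.20", 443, "10.0.1.2"),   # historian HTTPS <- HMI-2
}


def build_graph(whitelist):
    """Index the whitelist as a multigraph: clients per (server, port) service
    and services per client."""
    service_clients = defaultdict(set)
    client_services = defaultdict(set)
    for server, port, client in whitelist:
        service_clients[(server, port)].add(client)
        client_services[client].add((server, port))
    return service_clients, client_services


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score(triplet, whitelist):
    """Score a (server, port, client) triplet in [0, 1]; 1.0 means whitelisted.
    Assumed heuristic (not the presentation's exact formula): the mean of
    first-order proximity (client already talks to this server on some port)
    and second-order proximity (max Jaccard overlap between the client's
    services and those of clients already allowed on this service)."""
    if triplet in whitelist:
        return 1.0
    server, port, client = triplet
    service_clients, client_services = build_graph(whitelist)
    mine = client_services.get(client, set())
    first = 1.0 if any(s == server for s, _ in mine) else 0.0
    peers = service_clients.get((server, port), set())
    second = max((jaccard(mine, client_services[p]) for p in peers), default=0.0)
    return 0.5 * first + 0.5 * second


def rank_alerts(triplets, whitelist):
    """Order non-whitelisted triplets so the least plausible ones come first."""
    alerts = [(score(t, whitelist), t) for t in triplets if t not in whitelist]
    return sorted(alerts, key=lambda st: st[0])
```

A triplet from an unknown client scores 0.0 and surfaces first, while an HMI reaching a second PLC that its peer HMI already uses scores well above it, which is the kind of alert a plain whitelist would raise with the same urgency.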