This paper presents a novel approach to representing information about network services for later use in machine learning applications aimed at communications network security. Most of the research proposals for building network anomaly detection or intrusion detection systems that we analysed encode the destination port and/or the source port of flows or packets using different strategies, treating them as categorical or numerical variables or applying one-hot encoding. This paper proposes generating embeddings from the port descriptions published by IANA, enriched with port descriptions obtained through generative AI. This methodology captures the underlying semantic meaning of the services associated with each port, providing richer and more contextualised representations for machine learning models.
@inproceedings{Genua2025Port2Vec,author={Genua, Eñaut and Iturbe, Mikel and Garitano, Iñaki and Etxezarreta, Xabier and Aguirre, Aitor and Zurutuza, Urko},title={Port2Vec: Generación de embeddings a partir de descripciones de servicios de red para su uso en Inteligencia Artificial aplicada a la Ciberseguridad},booktitle={Proceedings of X Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2025)},pages={352--359},address={Zaragoza, Spain},month=jun,year={2025},}
Industrial Control Systems have become increasingly connected under Industry 4.0, raising the risk of sophisticated cyber threats to critical infrastructure. Traditional Intrusion Detection Systems (IDS) that rely on manually crafted static rules struggle to adapt quickly to new attacks, while machine-learning-based detectors face challenges in interpretability and require extensive domain-specific data. This paper proposes a novel framework that leverages Large Language Models (LLMs) to automatically generate IDS rules for Suricata, addressing the gap between static rule-based security and the need for dynamic, adaptive defenses. We integrate advanced LLMs into an automated workflow for rule generation, refinement, and validation. Through experiments, the framework demonstrates that LLM-generated rules can achieve high detection accuracy and low false positive rates, while optimized prompt strategies and moderate packet-level details boost rule accuracy and effectiveness. The results highlight the potential of LLMs to enhance cybersecurity in industrial environments by rapidly producing transparent and effective IDS rules.
@inproceedings{Moreno2025Leveraging,author={Moreno, Manez and Saez-de-Cámara, Xabier and Urbieta, Aitor and Iturbe, Mikel},title={Leveraging LLMs for Automated IDS Rule Generation: A Novel Methodology for Securing Industrial Environments},booktitle={Proceedings of X Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2025)},pages={113--120},address={Zaragoza, Spain},month=jun,year={2025},}
The widespread use of the Internet of Things (IoT) has led to a surge in interconnected, resource-constrained embedded systems, which are inherently vulnerable due to limited security mechanisms. This paper presents CARNYX, a framework leveraging power consumption analysis, rooted in Side-Channel Analysis (SCA), to detect vulnerabilities in embedded systems with high accuracy. Designed for pre-deployment vulnerability detection, it offers three key advantages over existing SCA solutions: (1) detailed categorisation of specific vulnerability types beyond binary detection, (2) a methodology validated on the STM32F4 architecture and ARM Cortex-A8 with potential applicability to similar low- and medium-end systems, and (3) reliable detection in resource-constrained devices where power monitoring is practical. We evaluate CARNYX on three platforms: two low-end STM32F4-based platforms (Riscure Piñata and STM NUCLEO-144) and the medium-end ARM Cortex-A8-based BeagleBone Black, analysing 16 arithmetic and memory-related software flaws. Results demonstrate recall rates of 99.69% (Piñata), 86.88% (NUCLEO-144 with serial interface), 51.25% (NUCLEO-144 with Ethernet), and 53.67% (BeagleBone Black), all with high precision, while measuring the effect of communication peripherals on side-channel leakage, an aspect underexplored in prior vulnerability detection studies. These results highlight CARNYX's potential to enhance security in constrained IoT devices, even in noisy environments where binary detection methods offer limited value. While validated on STM32F4 and ARM Cortex-A8, its principles may extend to other low- and medium-end systems, subject to further validation.
@article{Barredo2025Carnyx,title={CARNYX: A framework for vulnerability detection via power consumption analysis in embedded systems},author={Barredo, Jorge and Eceiza, Maialen and Flores, Jose Luis and Iturbe, Mikel},journal={International Journal of Information Security},volume={24},number={4},pages={172},year={2025},publisher={Springer},doi={10.1007/s10207-025-01092-2},}
GAFLERNA Ahoy! Integrating EM Side-Channel Analysis into Traditional Fuzzing Workflows
Jorge Barredo, Justyna Petke, David Clark, Daniel Blackwell, Maialen Eceiza, Jose Luis Flores, and Mikel Iturbe
In Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering, Clarion Hotel Trondheim, Trondheim, Norway, Jun 2025
Fuzzing, a powerful tool for vulnerability discovery, is limited by the coarse-grained, binary nature of its crash detection oracle. The use of sanitizers strengthens this oracle but requires recompilation or binary rewriting, and is limited to known patterns of vulnerabilities. We investigate an alternative way to strengthen the implicit oracle that is suitable for small (IoT-sized) devices: electromagnetic (EM) side-channel analysis. By integrating this into a fuzzing campaign we are able to detect anomalous program states through physical execution patterns. GAFLERNA, our EM-enhanced AFL++ framework, achieves an 87% correlation with sanitizer findings in the best case, without modifying the executable, while discovering 104 new paths to known crashes across four real-world programs. This reveals the potential for hardware-level feedback to extend fuzzing and analyse IoT programs where only the binary code is available.
@inproceedings{Barredo2025Gaflerna,author={Barredo, Jorge and Petke, Justyna and Clark, David and Blackwell, Daniel and Eceiza, Maialen and Flores, Jose Luis and Iturbe, Mikel},title={GAFLERNA Ahoy! Integrating EM Side-Channel Analysis into Traditional Fuzzing Workflows},year={2025},isbn={9798400712760},publisher={Association for Computing Machinery},address={New York, NY, USA},url={https://doi.org/10.1145/3696630.3728497},doi={10.1145/3696630.3728497},booktitle={Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering},pages={550–554},numpages={5},location={Clarion Hotel Trondheim, Trondheim, Norway},}
Software-Defined Networking (SDN) offers a global view over the network and the ability to centrally and dynamically manage network flows, making it ideal for creating security threat detection and mitigation solutions. Industrial networks possess specific characteristics that make them well-suited for such solutions, leading to extensive research efforts in this area. However, due to the high economic cost and potential risks associated with interacting with real equipment, most studies rely on testbeds for demonstration purposes. Therefore, it becomes crucial to understand the limitations and safe operating ranges of testbed environments to ensure the development of scientifically rigorous experiments and accurate result measurements. This study focuses on analyzing MiniCPS-based testbeds in terms of network performance, experiment replicability, and the effects of different attacker implementation modes. The findings demonstrate that utilizing MiniCPS on actual hardware enables the development of highly replicable and high-performance testbeds, as long as they operate within the predefined safe operating ranges. Additionally, this work provides an in-depth analysis of various attacker implementation techniques and their impact on the network.
@article{Etxezarreta2024Use,author={Etxezarreta, Xabier and Garitano, I\~naki and Iturbe, Mikel and Zurutuza, Urko},title={On the use of MiniCPS for conducting rigorous security experiments in Software-Defined Industrial Control Systems},journal={Wireless Networks},year={2024},doi={10.1007/s11276-023-03647-4},}
In recent years, education has undergone a profound transformation process, having gone from relying only on the traditional lecture to making full use of digital formats. This gradual process, accelerated by the COVID-19 pandemic in the last years, has triggered innovative changes in the educational process. Within this context, many lecturers have adopted the flipped classroom instructional model, aiming to improve the motivation and involvement of the students. In this model, students must acquire certain theoretical knowledge at home, and the classes, with the help of the lecturer, are used for the more practical part. This article presents the results obtained when the flipped classroom model was implemented in the computer science degree. Specifically, during the 2020–2021 and 2021–2022 academic years, this instructional model was assessed in 15 subjects. Results show that the flipped classroom instructional model has improved the students' perception of the learning experience, the students' dedication and engagement, and the students' perception of their understanding of the subject. The faculty considers that the teaching experience has improved and is in favor of continuing with the experience in future courses.
@article{Aldalur2023Experience,author={Aldalur, I\~nigo and Markiegi, Urtzi and Iturbe, Mikel and Roman, Ibai and Illarramendi, Miren},title={An experience in the implementation of the flipped classroom instructional model in the computer science degree},journal={Engineering Reports},volume={n/a},year={2023},number={n/a},pages={e12754},keywords={computer science degree, flipped classroom},doi={https://doi.org/10.1002/eng2.12754},}
IJCIP
Software-Defined Networking approaches for intrusion response in Industrial Control Systems: A survey
Xabier Etxezarreta, Iñaki Garitano, Mikel Iturbe, and Urko Zurutuza
International Journal of Critical Infrastructure Protection, Jun 2023
Industrial Control Systems (ICSs) are a key technology for life-sustainability, social development and economic progress used in a wide range of industrial solutions, including Critical Infrastructures (CIs), becoming the primary target for multiple security attacks. With the increase of personalized and sophisticated attacks, the need for new tailored ICS cybersecurity mechanisms has increased exponentially, complying with specific ICS requirements that Information Technology (IT) security systems fail to meet. In this survey, a comprehensive study of ICS intrusion response is conducted, focusing on the use of Software-Defined Networking (SDN) for the development of intrusion response strategies in ICS. With its centralized control plane, increased programmability and global view of the entire network, SDN enables the development of intrusion response solutions that provide a coordinated response to mitigate attacks. Through the survey, an analysis of ICS security requirements and the applicability of SDN is conducted, identifying the advantages and disadvantages compared to traditional networking and protocols. Furthermore, a taxonomy on intrusion response strategies is presented, where different proposals are discussed and categorized according to intrusion response strategy and deployment environment characteristics. Finally, future research directions and challenges are identified.
@article{Etxezarreta2023Software,title={Software-Defined Networking approaches for intrusion response in Industrial Control Systems: A survey},journal={International Journal of Critical Infrastructure Protection},volume={42},pages={100615},year={2023},issn={1874-5482},doi={https://doi.org/10.1016/j.ijcip.2023.100615},author={Etxezarreta, Xabier and Garitano, Iñaki and Iturbe, Mikel and Zurutuza, Urko}}
Industrial Control Systems are used in a wide variety of industrial facilities, including critical infrastructures, becoming the main target of multiple security attacks. A malicious and successful attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. Static network configurations and topologies, which characterize Industrial Control Systems, represent an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices and services is often the first step of many attacks. This paper presents a proactive network reconnaissance defense mechanism based on the temporal randomization of network IP addresses, MAC addresses and port numbers. The resulting information distortion minimizes the knowledge acquired by the attackers, hindering any attack that relies on network addressing. The temporal randomization of network attributes is performed in an adaptive way, minimizing the overhead introduced in the network and avoiding any error and latency in communications. The implementation as well as the tests have been carried out in a laboratory with real industrial equipment, demonstrating the effectiveness of the presented solution.
@article{Etxezarreta2023Low,author={Etxezarreta, Xabier and Garitano, I\~naki and Iturbe, Mikel and Zurutuza, Urko},title={Low delay network attributes randomization to proactively mitigate reconnaissance attacks in industrial control systems},journal={Wireless Networks},year={2023},doi={10.1007/s11276-022-03212-5},}
Fuzzing is nowadays one of the most widely used bug hunting techniques. By automatically generating malformed inputs, fuzzing aims to trigger unwanted behavior on its target. While fuzzing research has matured considerably in the last years, the evaluation and comparison of different fuzzing proposals remain challenging, as no standard set of metrics, data, or experimental conditions exists to allow such observation. This paper aims to fill that gap by proposing a standard set of features to allow such comparison. To that end, it first reviews the existing evaluation methods in the literature and discusses all existing metrics by evaluating seven fuzzers under identical experimental conditions. After examining the obtained results, it recommends a set of practices, particularly on the metrics to be used, to allow proper comparison between different fuzzing proposals.
@article{Eceiza2023Improving,author={Eceiza, Maialen and Flores, Jos\'e Lu\'is and Iturbe, Mikel},title={Improving fuzzing assessment methods through the analysis of metrics and experimental conditions},journal={Computers \& Security},year={2023},pages={102946},volume={124},issn={0167-4048},doi={10.1016/j.cose.2022.102946}}
Education has undergone a major transformation in recent decades. Today's students are digital natives and find traditional teaching boring. For this reason, lecturers try to increase student motivation by turning to new technologies. This digitalisation process has accelerated in recent years because of the Covid19 pandemic. Among the different paradigms proposed in response to this situation, the flipped classroom is gaining ground as one of the most studied and relevant transformative alternatives. This paper presents the results of a case study on the implementation of the flipped classroom in the computer science degree. In this experience, 11 subjects from different years were involved (6 subjects in the first semester and 5 in the second) during the 2020/21 academic year. Our aim is to show the steps used to implement the flipped classroom in different university degrees. We also report the results of the questionnaires answered by both students and lecturers about the experience.
@inproceedings{Aldalur2022Implantacion,author={Aldalur, I\~nigo and Illarramendi, Miren and Iturbe, Mikel and Markiegi, Urtzi and Roman, Ibai},title={Implantaci\'on colectiva de la clase invertida en el grado de inform\'atica},booktitle={Actas de las XXVIII Jornadas sobre la Ense\~nanza Universitaria de la Inform\'atica},pages={231--238},address={A Coru\~na, Spain},month=jul,year={2022}}
Industrial control systems are used in a wide variety of physical processes, including critical infrastructures, making them the main target of multiple security attacks. A successful malicious attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. The static networks that characterise industrial control systems are an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices is often the first step of many attacks. This paper presents a defence system against network reconnaissance based on the temporal randomisation of network addresses. The resulting information distortion invalidates the knowledge acquired by attackers, hindering any attack that relies on network addressing. The temporal randomisation of network addresses is performed adaptively, minimising the overhead introduced in the network and avoiding errors and latency in communications. The implementation and the tests were carried out in a laboratory with real industrial equipment, demonstrating the effectiveness of the presented solution.
@inproceedings{Etxezarreta2022Aleatorizacion,author={Etxezarreta, Xabier and Garitano, I\~naki and Iturbe, Mikel and Zurutuza, Urko},title={Aleatorizaci\'on de direcciones IP para mitigar ataques de reconocimiento de forma proactiva en sistemas de control industrial},booktitle={Proceedings of Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2022)},pages={45--54},address={Bilbao, Spain},month=jun,year={2022},}
In the last years, higher education has been immersed in the transformation of the teaching experience with the aim of involving students more, as well as motivating them. Nowadays, students are very familiar with new technologies and media, while lecturers have been forced to transform their traditional notes into digital ones. This transformation has accelerated in the last year due to the COVID19 pandemic. One of the main examples of this transformation is the adoption of the inverted classroom, an extensively studied teaching methodology where students work on some key concepts before a lecture takes place and face-to-face lecture time is reserved for added-value activities. This work presents the results of a case study involving the implementation of the inverted classroom in a computer engineering bachelor's degree. This experiment involves six different subjects in three courses during the 2020/21 academic year. The paper presents the principal motivation for the study, as well as the preparation process and methodology of the out-of-classroom multimedia materials and the training of the faculty. It also covers the methodology used for multimedia content creation. Finally, the evaluation results are presented, gathered from questionnaires directed to students and lecturers.
JENUI 2021
Experiencia colectiva de aplicación de la clase invertida en el grado de informática
Iñigo Aldalur, Miren Illarramendi, Mikel Iturbe, Urtzi Markiegi, and Ibai Roman
In Actas de las XXVII Jornadas sobre la Enseñanza Universitaria de la Informática, Jul 2021
With changing information consumption habits, higher education faces the challenge of transforming the teaching experience to maximise student involvement and motivation. This transformation, based on multimedia content and on continuous monitoring of knowledge acquisition by students, has been accelerated by the forced digitalisation caused by the Covid19 pandemic. Among the different paradigms, the flipped classroom is gaining ground as one of the most studied and relevant transformative alternatives. This paper presents the preliminary results of a case study on an at-scale implementation of the flipped classroom, in twelve subjects from different years, in a computer engineering degree during the 2020/21 academic year. It describes the main motivation behind the transformation, the provision of resources and the training of the teaching staff, the teaching methodology applied (centred on multimedia content and on checking the concepts acquired) and the evaluation of the results obtained. For the evaluation, surveys specifically designed for the lecturers and students involved were carried out.
With a growing number of embedded devices that create, transform and send data autonomously at its core, the Internet-of-Things (IoT) is a reality in different sectors such as manufacturing, healthcare or transportation. With this expansion, the IoT is becoming more present in critical environments, where security is paramount. Infamous attacks such as Mirai have shown the insecurity of the devices that power the IoT, as well as the potential of such large-scale attacks. Therefore, it is important to secure these embedded systems that form the backbone of the IoT. However, the particular nature of these devices and their resource constraints mean that the most cost-effective manner of securing these devices is to secure them before they are deployed, by minimizing the number of vulnerabilities they ship with. To this end, fuzzing has proved itself a valuable technique for automated vulnerability finding, where specially crafted inputs are fed to programs in order to trigger vulnerabilities and crash the system. In this survey, we link the world of embedded IoT devices and fuzzing. To this end, we list the particularities of the embedded world as far as security is concerned, we perform a literature review on fuzzing techniques and proposals, studying their applicability to embedded IoT devices and, finally, we present future research directions by pointing out the gaps identified in the review.
@article{Eceiza2021Fuzzing,author={Eceiza, Maialen and Flores, Jos\'e Lu\'is and Iturbe, Mikel},title={Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems},journal={IEEE Internet of Things Journal},year={2021},month=jul,issn={2327-4662},pages={10390--10411},volume={8},issue={13},doi={10.1109/JIOT.2021.3056179},}
2020
IGPL
Deep packet inspection for intelligent intrusion detection in software-defined industrial networks: A proof of concept
Markel Sainz, Iñaki Garitano, Mikel Iturbe, and Urko Zurutuza
Specifically tailored industrial control system (ICS) attacks are becoming increasingly sophisticated, accentuating the need for ICS cyber security. The nature of these systems makes traditional IT security measures unsuitable, requiring expressly developed security countermeasures. Within the past decades, research has focused on network-based intrusion detection systems. With the appearance of software-defined networks (SDNs), new opportunities and challenges have shown up in the research community. This paper describes the potential benefits of using SDNs in industrial networks for security purposes and presents the setup and results of a pilot experiment carried out in a scaled physical implementation. The experimental setup consists of the detection of ICMP flooding and packet payload alteration based on signature comparison. Results point to the potential viability of the technology for intrusion detection and the need for research on architectural scalability.
2019
Book Ch.
Who’s There? Evaluating Data Source Integrity and Veracity in IIoT Using Multivariate Statistical Process Control
Iñaki Garitano, Mikel Iturbe, Enaitz Ezpeleta, and Urko Zurutuza
The security landscape in industrial settings has completely changed in the last decades. From the initial primitive setups, industrial networks have evolved into massively interconnected environments, thus developing the Industrial Internet of Things (IIoT) paradigm. In IIoT, multiple, heterogeneous devices collaborate by collecting, sending and processing data. These data-driven environments have made it possible to develop added-value services based on data that improve industrial process operation. However, it is necessary to audit incoming data to determine that decisions are made based on correct data. In this chapter, we present an IIoT Anomaly Detection System (ADS) that audits the integrity and veracity of the data received from incoming connections. To this end, the ADS includes field data (physical quantities based on data) and connection metadata (interval between incoming connections and packet size) in the same anomaly detection model. The approach is based on Multivariate Statistical Process Control and has been validated using data from a real water distribution plant.
DYNA
Análisis de arquitecturas tecnológicas para el nuevo paradigma de la Industria 4.0
Felix Larrinaga, Iñigo Aldalur, Miren Illarramendi, Mikel Iturbe, Txema Perez, Gorka Unamuno, and Inaxio Lazkanoiturburu
This paper defines an interoperable and scalable architecture that will enable the servitisation of the machine tool sector. ICT and the Internet of Things concept make it possible to interconnect different devices and controllers, offering added-value services. One of the problems to be solved is interoperability between the different IoT devices. Platforms exist that enable interoperability between devices; our work has focused on using one of them: Arrowhead. In addition, to offer solutions in an agile and flexible way, containers (Docker technology) were chosen. The interoperability platform is thus managed inside these containers, making configuration and operation more agile and flexible. In the specific use case, we show how a Danobat machine tool can offer added-value maintenance and efficiency services. To do so, data are acquired from the machine itself, but data from third-party devices (a ULMA device) are also consumed. The interconnection of all these data is transparent to the user and is done through the Arrowhead interoperability platform. All this work has been carried out within the framework of the Productive 4.0 project.
Recent incidents have shown that Industrial Control Systems (ICS) are becoming increasingly susceptible to sophisticated and targeted attacks initiated by adversaries with high motivation, domain knowledge, and resources. Although traditional security mechanisms can be implemented at the IT-infrastructure level of such cyber-physical systems, the community has acknowledged that it is imperative to also monitor the process-level activity, as attacks on ICS may very well influence the physical process. In this paper, we present PASAD, a novel stealthy-attack detection mechanism that monitors time series of sensor measurements in real time for structural changes in the process behavior. We demonstrate the effectiveness of our approach through simulations and experiments on data from real systems. Experimental results show that PASAD is capable of detecting not only significant deviations in the process behavior, but also subtle attack-indicating changes, significantly raising the bar for strategic adversaries who may attempt to maintain their malicious manipulation within the noise level.
HAIS 2018
A Mood Analysis on Youtube Comments and a Method for Improved Social Spam Detection
Enaitz Ezpeleta, Mikel Iturbe, Iñaki Garitano, Iñaki Velez de Mendizabal, and Urko Zurutuza
In Hybrid Artificial Intelligent Systems, May 2018
In the same manner that Online Social Network (OSN) usage increases, non-legitimate campaigns over these types of web services are growing. This is the reason why a significant number of users are affected by social spam every day and, therefore, their privacy is threatened. To deal with this issue, in this study we focus on mood analysis, among all content-based analysis techniques. We demonstrate that using this technique improves social spam filtering results. First, the best spam filtering classifiers are identified using a labeled dataset consisting of Youtube comments, including spam. Then, a new dataset is created by adding the mood feature to each comment, and the best classifiers are applied to it. A comparison between the results obtained with and without mood information shows that this feature can help to improve social spam filtering results: the best accuracy is improved in two different datasets, and the number of false positives is reduced by 13.76% and 11.41% on average. Moreover, the results are validated by carrying out the same experiment using a different dataset.
JNIC 2018
First prize for best student paper: Detección de anomalías en redes industriales guiada por datos
Mikel Iturbe
In Proceedings of IV Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2018), May 2018
This article summarises the work carried out in a doctoral thesis in the field of industrial cybersecurity. More specifically, the work focused on data-driven anomaly detection in industrial networks. Industrial networks, environments interconnected by systems dedicated to automating, monitoring and controlling physical processes, have evolved enormously, while the applicable security mechanisms have not evolved at the same pace, either because they do not scale properly or because they have not taken into account the particularities of this type of network. This doctoral thesis focuses on developing anomaly detection systems (ADSs) that use the data intrinsically created in this type of network (field measurements, network traffic, logs...) to detect security events.
GIoTS 2018
Null is Not Always Empty: Monitoring the Null Space for Field-Level Anomaly Detection in Industrial IoT Environments
Ekhi Zugasti, Mikel Iturbe, Iñaki Garitano, and Urko Zurutuza
In 2018 IEEE Global Internet of Things Summit (GIoTS) Proceedings, May 2018
Industrial environments have vastly changed since the conception of the initial primitive and isolated networks. The current full interconnection paradigm, where connectivity between different devices and the Internet has become a business necessity, has driven device interconnectivity towards building the Industrial Internet of Things (IIoT), enabling added-value services such as supply chain optimization or improved process control. However, whereas interconnectivity has increased, IIoT security practices have not evolved at the same pace, due partly to security practices inherited from when industrial networks were not connected and to the existence of basic hardware with no security functionality. In this work, we present an Anomaly Detection System for industrial environments that monitors physical quantities to detect intrusions. It is based on null space detection, which in turn is based on Stochastic Subspace Identification (SSI). The approach is validated using the Tennessee-Eastman chemical process.
Industrial Networks (INs) are widespread environments where heterogeneous devices collaborate to control and monitor physical processes. Some of the controlled processes belong to Critical Infrastructures (CIs), and as such, IN protection is an active research field. Among different types of security solutions, IN Anomaly Detection Systems (ADSs) have received wide attention from the scientific community. While INs have grown in size and in complexity, requiring the development of novel Big Data solutions for data processing, IN ADSs have not evolved at the same pace. In parallel, the development of Big Data frameworks such as Hadoop or Spark has led the way for applying Big Data analytics to the field of cyber-security, mainly focusing on the Information Technology (IT) domain. However, due to the particularities of INs, it is not feasible to directly apply IT security mechanisms in INs, as IN ADSs face unique characteristics. In this work we introduce three main contributions. First, we survey the area of Big Data ADSs that could be applicable to INs and compare the surveyed works. Second, we develop a novel taxonomy to classify existing IN-based ADSs. And finally, we present a discussion of open problems in the field of Big Data ADSs for INs that can lead to further development.
CISIS 2017
Software Defined Networking Opportunities for Intelligent Security Enhancement of Industrial Control Systems
Markel Sainz, Mikel Iturbe, Iñaki Garitano, and Urko Zurutuza
In Proceedings of the International Joint Conference SOCO’17-CISIS’17-ICEUTE’17, León, Spain, September 6-8, 2017, May 2017
In recent years, cyber security of Industrial Control Systems (ICSs) has become an important issue due to the discovery of sophisticated malware that, by attacking Critical Infrastructures, could cause catastrophic safety consequences. Researchers have been developing countermeasures to enhance cyber security for pre-Internet era systems, which are extremely vulnerable to threats. This paper presents the potential opportunities that Software Defined Networking (SDN) provides for the security enhancement of Industrial Control Networks. SDN permits a high level of network configuration through the separation of the control and data planes. In this work, we describe the affinities between SDN and ICSs and we discuss implementation strategies.
JNIC 2017
Hacia un conjunto estándar de ataques contra sistemas de control para la evaluación de contramedidas
Mikel Iturbe, Iñaki Garitano, Ignacio Arenaza-Nuño, and Urko Zurutuza
In Proceedings of III Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2017), Jun 2017
On the Feasibility of Distinguishing Between Process Disturbances and Intrusions in Process Control Systems Using Multivariate Statistical Process Control
Mikel Iturbe, José Camacho, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria
In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W), Jun 2016
Process Control Systems (PCSs) are the operating core of Critical Infrastructures (CIs). As such, anomaly detection has been an active research field to ensure CI normal operation. Previous approaches have leveraged network-level data for anomaly detection, or have disregarded the existence of process disturbances, thus opening the possibility of mislabelling disturbances as attacks and vice versa. In this paper we present an anomaly detection and diagnostic system based on Multivariate Statistical Process Control (MSPC) that aims to distinguish between attacks and disturbances. To this end, we expand traditional MSPC to monitor process-level and controller-level data. We evaluate our approach using the Tennessee-Eastman process. Results show that our approach can be used to distinguish disturbances from intrusions to a certain extent, and we conclude that the proposed approach can be extended with other sources of data to improve results.
JNIC 2016
Diseño de un banco de pruebas híbrido para la investigación de seguridad y resiliencia en redes industriales
Mikel Iturbe, Unai Izagirre, Iñaki Garitano, Ignacio Arenaza-Nuño, Urko Zurutuza, and Roberto Uribeetxeberria
In Proceedings of II Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2016), Jun 2016