Graph Convolutional Network-Based Suspicious Communication Pair Estimation for Industrial Control Systems

Presented at Black Hat Europe 2020 Virtual, Dec. 9, 2020, 11:20 a.m. (30 minutes)

Whitelisting is considered an effective security monitoring method for networks used in industrial control systems, where the whitelists consist of observed tuples of the IP address of the server, the TCP/UDP port number, and IP address of the client (communication triplets). However, this method causes frequent false detections. <br /> <br /> To reduce false positives due to a simple whitelist-based judgment, we propose a new framework for scoring communications to judge whether the communications not present in whitelists are normal or anomalous.<br /> <br /> To solve this problem, we developed a graph convolutional network-based suspicious communication pair estimation (GCN SCOPE) using relational graph convolution networks, which are learning based methods that operate on graph domain, and evaluate the performance of this method, and evaluated its performance. <br /> 　　<br /> For this, we collected the network traffic of three factories owned by Panasonic Corporation, Japan. Each factory produces different items, and the installed facilities, communication protocols, and network configurations are completely different depending on the factories. <br /> <br /> The proposed method achieved a receiver operating characteristic area under the curve of 0.957, which outperforms baseline approaches such as DistMult, a method that directly optimizes the node embeddings, and heuristics, which score the triplets using first- and second-order proximities of multigraphs. This method enables security operators to concentrate on significant alerts.

Presenters:

• Tatsumi Oba - Security Researcher, Panasonic Corporation
  Tatsumi Oba is a security researcher at Panasonic. He has five years of experience of developing and applying machine learning algorithms, which can be applied to real-world problems. His current research interests are concerned with anomaly detection, privacy preserving machine learning, and sequential data modeling. He has worked for Panasonic since 2016 and has been responsible for developing malicious or anomalous activity detection algorithms in ICS.

Links:

• https://www.blackhat.com/eu-20/briefings/schedule/#graph-convolutional-network-based-suspicious-communication-pair-estimation-for-industrial-control-systems-21301

Similar Presentations:

• ShellCon 2021 Virtual / Keynote - Advanced Application of Adversarial AI for Scenario Based Hacking
• Black Hat Asia 2021 Virtual / Threat Hunting in Active Directory Environment
• Still Hacking Anyway (SHA2017) / Parkour communications: How you can communicate, free running style, using nothing but the 'fixtures' of the Internet.