Grammatikis, Panagiotis Radoglou; Sarigiannidis, Panagiotis; Iturbe, Eider; Rios, Erkuden; Martinez, Saturnino; Sarigiannidis, Antonios; Efstathopoulos, Georgios; Spyridis, Yannis; Sesis, Achilleas; Vakakis, Nikolaos; Tzovaras, Dimitrios; Kafetzakis, Emmanouil; Giannoulakis, Ioannis; Tzifas, Michalis; Giannakoulias, Alkiviadis; Angelopoulos, Michail; Ramos, Francisco
In: Computer Networks, 2021.
The technological leap of smart technologies has brought the conventional electrical grid in a new digital era called Smart Grid (SG), providing multiple benefits, such as two-way communication, pervasive control and self-healing. However, this new reality generates significant cybersecurity risks due to the heterogeneous and insecure nature of SG. In particular, SG relies on legacy communication protocols that have not been implemented having cybersecurity in mind. Moreover, the advent of the Internet of Things (IoT) creates severe cybersecurity challenges. The Security Information and Event Management (SIEM) systems constitute an emerging technology in the cybersecurity area, having the capability to detect, normalise and correlate a vast amount of security events. They can orchestrate the entire security of a smart ecosystem, such as SG. Nevertheless, the current SIEM systems do not take into account the unique SG peculiarities and characteristics like the legacy communication protocols. In this paper, we present the Secure and PrivatE smArt gRid (SPEAR) SIEM, which focuses on SG. The main contribution of our work is the design and implementation of a SIEM system capable of detecting, normalising and correlating cyberattacks and anomalies against a plethora of SG application-layer protocols. It is noteworthy that the detection performance of the SPEAR SIEM is demonstrated with real data originating from four real SG use case (a) hydropower plant, (b) substation, (c) power plant and (d) smart home.
Grammatikis, Panagiotis Radoglou; Sarigiannidis, Panagiotis; Efstathopoulos, George; Lagkas, Thomas; Fragulis, George; Sarigiannidis, Antonios
In: IEEE International Conference on Communications, 2021.
The rapid evolution of the Internet of Medical Things (IoMT) introduces the healthcare ecosystem into a new reality consisting of smart medical devices and applications that provide multiple benefits, such as remote medical assistance, timely administration of medication, real-time monitoring, preventive care and health education. However, despite the valuable advantages, this new reality increases the cybersecurity and privacy concerns since vulnerable IoMT devices can access and handle autonomously patients’ data. Furthermore, the continuous evolution of cyberattacks, malware and zero-day vulnerabilities require the development of the appropriate countermeasures. In the light of the aforementioned remarks, in this paper, we present an Intrusion Detection and Prevention System (IDPS), which can protect the healthcare communications that rely on the Hypertext Transfer Protocol (HTTP) and the Modbus/Transmission Control Protocol (TCP). HTTP is commonly adopted by conventional ICT healthcare-related services, such as web-based Electronic Health Record (EHR) applications, while Modbus/TCP is an industrial protocol adopted by IoMT. Although the Machine Learning (ML) and Deep Learning (DL) methods have already demonstrated their efficacy in detecting intrusions, the rarely available intrusion detection datasets (especially in the healthcare sector) complicate their global application. The main contribution of this work lies in the fact that an active learning approach is modelled and adopted in order to re-train dynamically the supervised classifiers behind the proposed IDPS. The evaluation analysis demonstrates the efficiency of this work against HTTP and Modbus/TCP cyberattacks, showing also how the entire accuracy is increased in the various re-training phases.
Kelli, Vasiliki; Argyriou, Vasileios; Lagkas, Thomas; Fragulis, George; Grigoriou, Elisavet; Sarigiannidis, Panagiotis
In: Sensors, vol. 21, no. 20, pp. 6743, 2021.
Internet of Things (IoT) is a concept adopted in nearly every aspect of human life, leading to an explosive utilization of intelligent devices. Notably, such solutions are especially integrated in the industrial sector, to allow the remote monitoring and control of critical infrastructure. Such global integration of IoT solutions has led to an expanded attack surface against IoT-enabled infrastructures. Artificial intelligence and machine learning have demonstrated their ability to resolve issues that would have been impossible or difficult to address otherwise; thus, such solutions are closely associated with securing IoT. Classical collaborative and distributed machine learning approaches are known to compromise sensitive information. In our paper, we demonstrate the creation of a network flow-based Intrusion Detection System (IDS) aiming to protecting critical infrastructures, stemming from the pairing of two machine learning techniques, namely, federated learning and active learning. The former is utilized for privately training models in federation, while the latter is a semi-supervised approach applied for global model adaptation to each of the participant’s traffic. Experimental results indicate that global models perform significantly better for each participant, when locally personalized with just a few active learning queries. Specifically, we demonstrate how the accuracy increase can reach 7.07% in only 10 queries. View Full-Text
Radoglou-Grammatikis, Panagiotis; Rompolos, Konstantinos; Sarigiannidis, Panagiotis; Argyriou, Vasileios; Lagkas, Thomas; Sarigiannidis, Antonios; Goudos, Sotirios; Wan, Shaohua
In: IEEE Transactions on Industrial Informatics, vol. 18, no. 3, pp. 2041–2052, 2021.
The rise of the Internet of Medical Things introduces the healthcare ecosystem in a new digital era with multiple benefits, such as remote medical assistance, real-time monitoring, and pervasive control. However, despite the valuable healthcare services, this progression raises significant cybersecurity and privacy concerns. In this article, we focus our attention on the IEC 60 870-5-104 protocol, which is widely adopted in industrial healthcare systems. First, we investigate and assess the severity of the IEC 60 870-5-104 cyberattacks by providing a quantitative threat model, which relies on Attack Defence Trees and Common Vulnerability Scoring System v3.1. Next, we introduce an intrusion detection and prevention system (IDPS), which is capable of discriminating and mitigating automatically the IEC 60 870-5-104 cyberattacks. The proposed IDPS takes full advantage of the machine learning (ML) and software defined networking (SDN) technologies. ML is used to detect the IEC 60 870-5-104 cyberattacks, utilizing 1) Transmission Control Protocol/Internet Protocol network flow statistics and 2) IEC 60 870-5-104 payload flow statistics. On the other side, the automated mitigation is transformed into a multiarmed bandit problem, which is solved through a reinforcement learning method called Thomson sampling and SDN. The evaluation analysis demonstrates the efficiency of the proposed IDPS in terms of intrusion detection accuracy and automated mitigation performance. The detection accuracy and the F1 score of the proposed IDPS reach 0.831 and 0.8258, respectively, while the mitigation accuracy is calculated at 0.923.
Radoglou-Grammatikis, Panagiotis; Sarigiannidis, Panagiotis; Efstathopoulos, George; Karypidis, Paris-Alexandros; Sarigiannidis, Antonios
In: Proceedings of the 15th International Conference on Availability, Reliability and Security, Association for Computing Machinery, Virtual Event, Ireland, 2020, ISBN: 9781450388337.
In this paper, an Intrusion Detection and Prevention System (IDPS) for the Distributed Network Protocol 3 (DNP3) Supervisory Control and Data Acquisition (SCADA) systems is presented. The proposed IDPS is called DIDEROT (Dnp3 Intrusion DetEction pReventiOn sysTem) and relies on both supervised Machine Learning (ML) and unsupervised/outlier ML detection models capable of discriminating whether a DNP3 network flow is related to a particular DNP3 cyberattack or anomaly. First, the supervised ML detection model is applied, trying to identify whether a DNP3 network flow is related to a specific DNP3 cyberattack. If the corresponding network flow is detected as normal, then the unsupervised/outlier ML anomaly detection model is activated, seeking to recognise the presence of a possible anomaly. Based on the DIDEROT detection results, the Software Defined Networking (SDN) technology is adopted in order to mitigate timely the corresponding DNP3 cyberattacks and anomalies. The performance of DIDEROT is demonstrated using real data originating from a substation environment.
Lytos, Anastasios; Lagkas, Thomas; Sarigiannidis, Panagiotis; Zervakis, Michalis; Livanos, George
In: Computer Networks, vol. 172, pp. 107147, 2020, ISSN: 1389-1286.
Agriculture is by its nature a complicated scientific field, related to a wide range of expertise, skills, methods and processes which can be effectively supported by computerized systems. There have been many efforts towards the establishment of an automated agriculture framework, capable to control both the incoming data and the corresponding processes. The recent advances in the Information and Communication Technologies (ICT) domain have the capability to collect, process and analyze data from different sources while materializing the concept of agriculture intelligence. The thriving environment for the implementation of different agriculture systems is justified by a series of technologies that offer the prospect of improving agricultural productivity through the intensive use of data. The concept of big data in agriculture is not exclusively related to big volume, but also on the variety and velocity of the collected data. Big data is a key concept for the future development of agriculture as it offers unprecedented capabilities and it enables various tools and services capable to change its current status. This survey paper covers the state-of-the-art agriculture systems and big data architectures both in research and commercial status in an effort to bridge the knowledge gap between agriculture systems and exploitation of big data. The first part of the paper is devoted to the exploration of the existing agriculture systems, providing the necessary background information for their evolution until they have reached the current status, able to support different platforms and handle multiple sources of information. The second part of the survey is focused on the exploitation of multiple sources of information, providing information for both the nature of the data and the combination of different sources of data in order to explore the full potential of ICT systems in agriculture.
Efstathopoulos, Georgios; Grammatikis, Panagiotis Radoglou; Sarigiannidis, Panagiotis; Argyriou, Vasilis; Sarigiannidis, Antonios; Stamatakis, Konstantinos; Angelopoulos, Michail K; Athanasopoulos, Solon K
Operational Data Based Intrusion Detection System for Smart Grid (Inproceedings)
In: 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), pp. 1-6, 2019.
With the rapid progression of Information and Communication Technology (ICT) and especially of Internet of Things (IoT), the conventional electrical grid is transformed into a new intelligent paradigm, known as Smart Grid (SG). SG provides significant benefits both for utility companies and energy consumers such as the two-way communication (both electricity and information), distributed generation, remote monitoring, self-healing and pervasive control. However, at the same time, this dependence introduces new security challenges, since SG inherits the vulnerabilities of multiple heterogeneous, co-existing legacy and smart technologies, such as IoT and Industrial Control Systems (ICS). An effective countermeasure against the various cyberthreats in SG is the Intrusion Detection System (IDS), informing the operator timely about the possible cyberattacks and anomalies. In this paper, we provide an anomaly-based IDS especially designed for SG utilising operational data from a real power plant. In particular, many machine learning and deep learning models were deployed, introducing novel parameters and feature representations in a comparative study. The evaluation analysis demonstrated the efficacy of the proposed IDS and the improvement due to the suggested complex data representation.