% % This file was created by the TYPO3 extension % bib % --- Timezone: CEST % Creation date: 2024-05-20 % Creation time: 13-24-43 % --- Number of references % 15 % @Article { 2023_lamberts_metrics-sok, title = {SoK: Evaluations in Industrial Intrusion Detection Research}, journal = {Journal of Systems Research}, year = {2023}, month = {10}, day = {31}, volume = {3}, number = {1}, abstract = {Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward.}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2023/2023-lamberts-metrics-sok.pdf}, publisher = {eScholarship Publishing}, ISSN = {2770-5501}, DOI = {10.5070/SR33162445}, reviewed = {1}, author = {Lamberts, Olav and Wolsing, Konrad and Wagner, Eric and Pennekamp, Jan and Bauer, Jan and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2023_wolsing_ensemble, title = {One IDS is not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection}, year = {2023}, month = {9}, day = {25}, volume = {14345}, pages = {102-122}, abstract = {Industrial Intrusion Detection Systems (IIDSs) play a critical role in safeguarding Industrial Control Systems (ICSs) against targeted cyberattacks. Unsupervised anomaly detectors, capable of learning the expected behavior of physical processes, have proven effective in detecting even novel cyberattacks. While offering decent attack detection, these systems, however, still suffer from too many False-Positive Alarms (FPAs) that operators need to investigate, eventually leading to alarm fatigue. To address this issue, in this paper, we challenge the notion of relying on a single IIDS and explore the benefits of combining multiple IIDSs. To this end, we examine the concept of ensemble learning, where a collection of classifiers (IIDSs in our case) are combined to optimize attack detection and reduce FPAs. While training ensembles for supervised classifiers is relatively straightforward, retaining the unsupervised nature of IIDSs proves challenging. In that regard, novel time-aware ensemble methods that incorporate temporal correlations between alerts and transfer-learning to best utilize the scarce training data constitute viable solutions. By combining diverse IIDSs, the detection performance can be improved beyond the individual approaches with close to no FPAs, resulting in a promising path for strengthening ICS cybersecurity.}, note = {Lecture Notes in Computer Science (LNCS), Volume 14345}, keywords = {Intrusion Detection; Ensemble Learning; ICS}, tags = {internet-of-production, rfc}, url = {https://jpennekamp.de/wp-content/papercite-data/pdf/wkw+23.pdf}, publisher = {Springer}, booktitle = {Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS '23), September 25-29, 2023, The Hague, The Netherlands}, event_place = {The Hague, The Netherlands}, event_name = {28th European Symposium on Research in Computer Security (ESORICS '23)}, event_date = {September 25-29, 2023}, ISBN = {978-3-031-51475-3}, ISSN = {0302-9743}, DOI = {10.1007/978-3-031-51476-0_6}, reviewed = {1}, author = {Wolsing, Konrad and Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2022_kus_ensemble, title = {Poster: Ensemble Learning for Industrial Intrusion Detection}, year = {2022}, month = {12}, day = {8}, number = {RWTH-2022-10809}, abstract = {Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors.}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf}, publisher = {RWTH Aachen University}, booktitle = {38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA}, institution = {RWTH Aachen University}, event_place = {Austin, TX, USA}, event_name = {38th Annual Computer Security Applications Conference (ACSAC '22)}, event_date = {December 5-9, 2022}, DOI = {10.18154/RWTH-2022-10809}, reviewed = {1}, author = {Kus, Dominik and Wolsing, Konrad and Pennekamp, Jan and Wagner, Eric and Henze, Martin and Wehrle, Klaus} } @Proceedings { 2022-wolsing-radarsec, title = {Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset}, year = {2022}, month = {9}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-radar.pdf}, publisher = {IEEE}, event_place = {Edmonton, Canada}, event_name = {47th IEEE Conference on Local Computer Networks (LCN)}, event_date = {September 26-29, 2022}, DOI = {10.1109/LCN53696.2022.9843801}, reviewed = {1}, author = {Wolsing, Konrad and Saillard, Antoine and Bauer, Jan and Wagner, Eric and van Sloun, Christian and Fink, Ina Berenice and Schmidt, Mari and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2022_dahlmanns_tlsiiot, title = {Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things}, year = {2022}, month = {5}, day = {31}, pages = {252-266}, abstract = {The ongoing trend to move industrial appliances from previously isolated networks to the Internet requires fundamental changes in security to uphold secure and safe operation. Consequently, to ensure end-to-end secure communication and authentication, (i) traditional industrial protocols, e.g., Modbus, are retrofitted with TLS support, and (ii) modern protocols, e.g., MQTT, are directly designed to use TLS. To understand whether these changes indeed lead to secure Industrial Internet of Things deployments, i.e., using TLS-based protocols, which are configured according to security best practices, we perform an Internet-wide security assessment of ten industrial protocols covering the complete IPv4 address space. Our results show that both, retrofitted existing protocols and newly developed secure alternatives, are barely noticeable in the wild. While we find that new protocols have a higher TLS adoption rate than traditional protocols (7.2 \% vs. 0.4 \%), the overall adoption of TLS is comparably low (6.5 \% of hosts). Thus, most industrial deployments (934,736 hosts) are insecurely connected to the Internet. Furthermore, we identify that 42 \% of hosts with TLS support (26,665 hosts) show security deficits, e.g., missing access control. Finally, we show that support in configuring systems securely, e.g., via configuration templates, is promising to strengthen security.}, keywords = {industrial communication; network security; security configuration}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-dahlmanns-asiaccs.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan}, event_place = {Nagasaki, Japan}, event_name = {ASIACCS '22}, event_date = {May 30-June 3, 2022}, ISBN = {978-1-4503-9140-5/22/05}, DOI = {10.1145/3488932.3497762}, reviewed = {1}, author = {Dahlmanns, Markus and Lohm{\"o}ller, Johannes and Pennekamp, Jan and Bodenhausen, J{\"o}rn and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2022_kus_iids_generalizability, title = {A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection}, year = {2022}, month = {5}, day = {30}, pages = {73-84}, abstract = {Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 \%. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 \% and 14.7 \% for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.}, keywords = {anomaly detection; machine learning; industrial control system}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan}, ISBN = {978-1-4503-9176-4/22/05}, DOI = {10.1145/3494107.3522773}, reviewed = {1}, author = {Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wolsing, Konrad and Fink, Ina Berenice and Dahlmanns, Markus and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2021_dahlmanns_entrust, title = {Transparent End-to-End Security for Publish/Subscribe Communication in Cyber-Physical Systems}, year = {2021}, month = {4}, day = {28}, pages = {78–87}, abstract = {The ongoing digitization of industrial manufacturing leads to a decisive change in industrial communication paradigms. Moving from traditional one-to-one to many-to-many communication, publish/subscribe systems promise a more dynamic and efficient exchange of data. However, the resulting significantly more complex communication relationships render traditional end-to-end security futile for sufficiently protecting the sensitive and safety-critical data transmitted in industrial systems. Most notably, the central message brokers inherent in publish/subscribe systems introduce a designated weak spot for security as they can access all communication messages. To address this issue, we propose ENTRUST, a novel solution for key server-based end-to-end security in publish/subscribe systems. ENTRUST transparently realizes confidentiality, integrity, and authentication for publish/subscribe systems without any modification of the underlying protocol. We exemplarily implement ENTRUST on top of MQTT, the de-facto standard for machine-to-machine communication, showing that ENTRUST can integrate seamlessly into existing publish/subscribe systems.}, keywords = {cyber-physical system security; publish-subscribe security; end-to-end security}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2021/2021-dahlmanns-entrust.pdf}, publisher = {ACM}, booktitle = {Proceedings of the 1st ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (SaT-CPS '21), co-located with the 11th ACM Conference on Data and Application Security and Privacy (CODASPY '21), April 26-28, 2021, Virtual Event, USA}, event_place = {Virtual Event, USA}, event_name = {ACM Workshop on Secure and Trustworthy Cyber-Physical Systems}, event_date = {April 28, 2021}, ISBN = {978-1-4503-8319-6/21/04}, DOI = {10.1145/3445969.3450423}, reviewed = {1}, author = {Dahlmanns, Markus and Pennekamp, Jan and Fink, Ina Berenice and Schoolmann, Bernd and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2020-dahlmanns-imc-opcua, title = {Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments}, year = {2020}, month = {10}, day = {27}, pages = {101-110}, abstract = {Due to increasing digitalization, formerly isolated industrial networks, e.g., for factory and process automation, move closer and closer to the Internet, mandating secure communication. However, securely setting up OPC UA, the prime candidate for secure industrial communication, is challenging due to a large variety of insecure options. To study whether Internet-facing OPC UA appliances are configured securely, we actively scan the IPv4 address space for publicly reachable OPC UA systems and assess the security of their configurations. We observe problematic security configurations such as missing access control (on 24\% of hosts), disabled security functionality (24\%), or use of deprecated cryptographic primitives (25\%) on in total 92\% of the reachable deployments. Furthermore, we discover several hundred devices in multiple autonomous systems sharing the same security certificate, opening the door for impersonation attacks. Overall, in this paper, we highlight commonly found security misconfigurations and underline the importance of appropriate configuration for security-featuring protocols.}, keywords = {industrial communication; network security; security configuration}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2020/2020-dahlmanns-imc-opcua.pdf}, publisher = {ACM}, booktitle = {Proceedings of the Internet Measurement Conference (IMC '20), October 27-29, 2020, Pittsburgh, PA, USA}, event_place = {Pittsburgh, PA, USA}, event_name = {ACM Internet Measurement Conference 2020}, event_date = {October 27-29, 2020}, ISBN = {978-1-4503-8138-3/20/10}, DOI = {10.1145/3419394.3423666}, reviewed = {1}, author = {Dahlmanns, Markus and Lohm{\"o}ller, Johannes and Fink, Ina Berenice and Pennekamp, Jan and Wehrle, Klaus and Henze, Martin} } @Inproceedings { 2020_roepert_opcua, title = {Assessing the Security of OPC UA Deployments}, year = {2020}, month = {4}, day = {2}, abstract = {To address the increasing security demands of industrial deployments, OPC UA is one of the first industrial protocols explicitly designed with security in mind. However, deploying it securely requires a thorough configuration of a wide range of options. Thus, assessing the security of OPC UA deployments and their configuration is necessary to ensure secure operation, most importantly confidentiality and integrity of industrial processes. In this work, we present extensions to the popular Metasploit Framework to ease network-based security assessments of OPC UA deployments. To this end, we discuss methods to discover OPC UA servers, test their authentication, obtain their configuration, and check for vulnerabilities. Ultimately, our work enables operators to verify the (security) configuration of their systems and identify potential attack vectors.}, tags = {internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2020/2020-roepert-opcua-security.pdf}, misc2 = {en}, publisher = {University of T{\"u}bingen}, booktitle = {Proceedings of the 1st ITG Workshop on IT Security (ITSec '20), April 2-3, 2020, T{\"u}bingen, Germany}, event_place = {T{\"u}bingen, Germany}, event_date = {April 2-3, 2020}, DOI = {10.15496/publikation-41813}, reviewed = {1}, author = {Roepert, Linus and Dahlmanns, Markus and Fink, Ina Berenice and Pennekamp, Jan and Henze, Martin} } @Inproceedings { 2019_wagner_dispute_resolution, title = {Dispute Resolution for Smart Contract-based Two Party Protocols}, year = {2019}, month = {5}, abstract = {Blockchain systems promise to mediate interactions of mutually distrusting parties without a trusted third party. However, protocols with full smart contract-based security are either limited in functionality or complex, with high costs for secured interactions. This observation leads to the development of protocol-specific schemes to avoid costly dispute resolution in case all participants remain honest. In this paper, we introduce SmartJudge, an extensible generalization of this trend for smart contract-based two-party protocols. SmartJudge relies on a protocol-independent mediator smart contract that moderates two-party interactions and only consults protocol-specific verifier smart contracts in case of a dispute. This way, SmartJudge avoids verification costs in absence of disputes and sustains interaction confidentiality among honest parties. We implement verifier smart contracts for cross-blockchain trades and exchanging digital goods and show that SmartJudge can reduce costs by 46-50\% and 22\% over current state of the art, respectively.}, keywords = {Ethereum,Bitcoin,smart contracts,two-party protocols,dispute resolution,cross-blockchain trades}, tags = {mynedata, impact-digital, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2019/2019-wagner-dispute.pdf}, publisher = {IEEE}, booktitle = {IEEE International Conference on Blockchain and Cryptocurrency 2019 (ICBC 2019)}, event_place = {Seoul, South Korea}, event_name = {IEEE International Conference on Blockchain and Cryptocurrency 2019}, language = {English}, DOI = {10.1109/BLOC.2019.8751312}, reviewed = {1}, author = {Wagner, Eric and V{\"o}lker, Achim and Fuhrmann, Frederik and Matzutt, Roman and Wehrle, Klaus} } @Inproceedings { 2018-bader-ethereum-car-insurance, title = {Smart Contract-based Car Insurance Policies}, year = {2018}, month = {12}, day = {9}, tags = {mynedata, internet-of-production, rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-bader-ethereum-car-insurance.pdf}, web_url = {https://ieeexplore.ieee.org/document/8644136}, publisher = {IEEE}, booktitle = {2018 IEEE Globecom Workshops (GC Wkshps)}, event_place = {Abu Dhabi, United Arab Emirates}, event_name = {1st International Workshop on Blockchain in IoT, co-located with IEEE Globecom 2018}, event_date = {2018-12-09}, DOI = {10.1109/GLOCOMW.2018.8644136}, reviewed = {1}, author = {Bader, Lennart and B{\"u}rger, Jens Christoph and Matzutt, Roman and Wehrle, Klaus} } @Article { 2016-fgcs-ziegeldorf-bitcoin, title = {Secure and anonymous decentralized Bitcoin mixing}, journal = {Future Generation Computer Systems}, year = {2018}, month = {3}, volume = {80}, pages = {448-466}, keywords = {Pseudonymity, anonymity, and untraceability}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2018/2018-ziegeldorf-fgcs-bitcoin.pdf}, misc2 = {Online}, publisher = {Elsevier}, language = {en}, ISSN = {0167-739X}, DOI = {10.1016/j.future.2016.05.018}, reviewed = {1}, author = {Ziegeldorf, Jan Henrik and Matzutt, Roman and Henze, Martin and Grossmann, Fred and Wehrle, Klaus} } @Article { 2017-ziegeldorf-bmcmedgenomics-bloom, title = {BLOOM: BLoom filter based Oblivious Outsourced Matchings}, journal = {BMC Medical Genomics}, year = {2017}, month = {7}, day = {26}, volume = {10}, number = {Suppl 2}, pages = {29-42}, abstract = {Whole genome sequencing has become fast, accurate, and cheap, paving the way towards the large-scale collection and processing of human genome data. Unfortunately, this dawning genome era does not only promise tremendous advances in biomedical research but also causes unprecedented privacy risks for the many. Handling storage and processing of large genome datasets through cloud services greatly aggravates these concerns. Current research efforts thus investigate the use of strong cryptographic methods and protocols to implement privacy-preserving genomic computations. We propose FHE-Bloom and PHE-Bloom, two efficient approaches for genetic disease testing using homomorphically encrypted Bloom filters. Both approaches allow the data owner to securely outsource storage and computation to an untrusted cloud. FHE-Bloom is fully secure in the semi-honest model while PHE-Bloom slightly relaxes security guarantees in a trade-off for highly improved performance. We implement and evaluate both approaches on a large dataset of up to 50 patient genomes each with up to 1000000 variations (single nucleotide polymorphisms). For both implementations, overheads scale linearly in the number of patients and variations, while PHE-Bloom is faster by at least three orders of magnitude. For example, testing disease susceptibility of 50 patients with 100000 variations requires only a total of 308.31 s (\(\sigma\)=8.73 s) with our first approach and a mere 0.07 s (\(\sigma\)=0.00 s) with the second. We additionally discuss security guarantees of both approaches and their limitations as well as possible extensions towards more complex query types, e.g., fuzzy or range queries. Both approaches handle practical problem sizes efficiently and are easily parallelized to scale with the elastic resources available in the cloud. The fully homomorphic scheme, FHE-Bloom, realizes a comprehensive outsourcing to the cloud, while the partially homomorphic scheme, PHE-Bloom, trades a slight relaxation of security guarantees against performance improvements by at least three orders of magnitude.}, note = {Proceedings of the 5th iDASH Privacy and Security Workshop 2016}, keywords = {Secure outsourcing; Homomorphic encryption; Bloom filters}, tags = {sscilops; mynedata; rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-ziegeldorf-bmcmedgenomics-bloom.pdf}, misc2 = {Online}, publisher = {BioMed Central}, event_place = {Chicago, IL, USA}, event_date = {November 11, 2016}, language = {en}, ISSN = {1755-8794}, DOI = {10.1186/s12920-017-0277-y}, reviewed = {1}, author = {Ziegeldorf, Jan Henrik and Pennekamp, Jan and Hellmanns, David and Schwinger, Felix and Kunze, Ike and Henze, Martin and Hiller, Jens and Matzutt, Roman and Wehrle, Klaus} } @Inproceedings { 2014-ziegeldorf-codaspy-coinparty, title = {CoinParty: Secure Multi-Party Mixing of Bitcoins}, year = {2015}, month = {3}, day = {2}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2015/2015-ziegeldorf-codaspy-coinparty.pdf}, misc2 = {Online}, publisher = {ACM}, booktitle = {The Fifth ACM Conference on Data and Application Security and Privacy (CODASPY 2015), San Antonio, TX, USA}, event_place = {San Antonio, TX, USA}, event_name = {The Fifth ACM Conference on Data and Application Security and Privacy (CODASPY 2015)}, language = {en}, ISBN = {978-1-4503-3191-3}, DOI = {10.1145/2699026.2699100}, reviewed = {1}, author = {Ziegeldorf, Jan Henrik and Grossmann, Fred and Henze, Martin and Inden, Nicolas and Wehrle, Klaus} } @Poster { 2014-wisec-ziegeldorf-ipin, title = {POSTER: Privacy-preserving Indoor Localization}, year = {2014}, month = {7}, day = {23}, tags = {rfc}, url = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2014/2014-ziegeldorf-poster-wisec.pdf}, organization = {7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '14) (Poster)}, language = {en}, DOI = {10.13140/2.1.2847.4886}, reviewed = {1}, author = {Ziegeldorf, Jan Henrik and Viol, Nicolai and Henze, Martin and Wehrle, Klaus} }