Maya Cohen
Maimon

Roundtable – Cyber Anomaly – Anomaly Detection for Industrial Control Systems

NEC Israel Research Center

Maimon, Maya

Maya Cohen
Maimon

Roundtable – Cyber Anomaly – Anomaly Detection for Industrial Control Systems

NEC Israel Research Center

Maimon, Maya

Bio

Maya Cohen Maimon, Cyber Architect Innovation Coach at NEC Israel Research Center. I am leading research projects in cyber, deep learning and artificial intelligence. I am doing security products & algorithms R&D over 14 years.

I hold MSc. & BSc. in Computer Science from Haifa University specialized in Computational Neuroscience.
Before NEC I worked for Microsoft, Samsung, Checkpoint and Intel.

Bio

Maya Cohen Maimon, Cyber Architect Innovation Coach at NEC Israel Research Center. I am leading research projects in cyber, deep learning and artificial intelligence. I am doing security products & algorithms R&D over 14 years.

I hold MSc. & BSc. in Computer Science from Haifa University specialized in Computational Neuroscience.
Before NEC I worked for Microsoft, Samsung, Checkpoint and Intel.

Abstract

System data anomaly is not an easy problem. System logs are not a real language and are not easily suitable for NLP models or word embeddings. Models are not necessarily explainable, which is critical for security investigation. Moreover, even if something is found to be different it is not necessarily interesting! We cannot alert users on every change. The latter, is easier for industrial control systems (ICS), such as gas, water or food factories. Since ICS runs well-defined repetitive scenarios, anomalies can locate security issues or unreported operations.

 

Our work on ICS anomaly detection includes a data generation system, relevant data sets along with anomaly models, methods and results explanators. Our dataset generation system is adequate for cyber or normal simulations and multiple sensors were used to collect log data. Different learning models and AI methods were used to allow all various aspects of ICS security health: processes, CPU, memory activity, registry, network, process protocols, file events, dynamic libraries, systems events and malicious activities. Methods and models were developed internally or taken from different fields. For example, machine translation, autoencoders time-sequence or common AI methods. Explanators were developed to explain anomalies and testing was done on real-life malwares. Our models showed excellent results on a wide variety of malware including ‘zero-day’ attacks.

Abstract

System data anomaly is not an easy problem. System logs are not a real language and are not easily suitable for NLP models or word embeddings. Models are not necessarily explainable, which is critical for security investigation. Moreover, even if something is found to be different it is not necessarily interesting! We cannot alert users on every change. The latter, is easier for industrial control systems (ICS), such as gas, water or food factories. Since ICS runs well-defined repetitive scenarios, anomalies can locate security issues or unreported operations.

 

Our work on ICS anomaly detection includes a data generation system, relevant data sets along with anomaly models, methods and results explanators. Our dataset generation system is adequate for cyber or normal simulations and multiple sensors were used to collect log data. Different learning models and AI methods were used to allow all various aspects of ICS security health: processes, CPU, memory activity, registry, network, process protocols, file events, dynamic libraries, systems events and malicious activities. Methods and models were developed internally or taken from different fields. For example, machine translation, autoencoders time-sequence or common AI methods. Explanators were developed to explain anomalies and testing was done on real-life malwares. Our models showed excellent results on a wide variety of malware including ‘zero-day’ attacks.

Discussion Points

  • The round table will focus on practical issues with practical examples.
  • How do we adapt existing language learning models to log data that is not a real language?
  • How do we explain our anomaly results? Security officers need initial leads for further investigations.
  • How to we handle data with low variant? E.g. USB access. How do we handle data that do not change?
  • What about data that changes frequently like memory access or CPU?

Discussion Points

  • The round table will focus on practical issues with practical examples.
  • How do we adapt existing language learning models to log data that is not a real language?
  • How do we explain our anomaly results? Security officers need initial leads for further investigations.
  • How to we handle data with low variant? E.g. USB access. How do we handle data that do not change?
  • What about data that changes frequently like memory access or CPU?

Planned Agenda

Planned Agenda