New method to protect critical infrastructures against cyberattacks

Cyberattacks are on the rise and malicious actors are shifting focus towards targeting larger companies and organizations, a recent movement known as "big game hunting" in the cybersecurity industry.
In recent years, large companies, organizations, and public institutions have been subject to a wave of blackmail and ransomware threats. As an example, SVT (Swedish Television), recently reported that they had discovered a number of intrusion attempts, and that they are now setting up a special cybersecurity team. Similarly, Norsk Hydro, a multinational company in the process-control industry, lost large sums after an attack in 2019.

In a project financed by the Swedish Civil Contingencies Agency, researchers at the Department of Computer Science and Engineering have proposed a new method for detecting stealthy attacks, tailored in particular to the protection of critical infrastructures. In the movie above, Wissam Auodi, PhD student in the Networks and Systems division, describes the proposed system, PASAD, and how it works. 

PASAD – solving an easier problem

At the basis of the algorithm is an innovative new way of measuring if and when the monitored system departs from its normal dynamics and starts to behave differently. The method works by first capturing the normal behaviour of the underlying system during an analysis phase, and then monitoring the real-time behaviour to detect anomalous changes and raise an alert on suspicion of a potential attack.

Traditional methods are based on historical measurements and try to predict the system's future behaviour based on them, and then compare this with real-time observations and warn when the difference becomes too large. But it is difficult to predict the future. The methods only work to detect obvious attacks and miss more advanced intrusions, where attackers hide their tracks in noise from data.

The now proposed method has significantly better accuracy. Removing the step of predicting future behaviour means that the new method is more sensitive and can thus detect more advanced, stealthy attacks that could previously be hidden in the noise.


Wissam Aoudi, PhD student, Networks and systems.
Magnus Almgren, docent, Networks and systems.

Related projects and publications

"Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems"
Proceedings of the ACM Conference on Computer and Communication Security 2018. 

15th European Dependable Computing Conference, 2019.

Page manager Published: Sun 10 May 2020.