Abstract

Anomaly detection is a family of analytical techniques that identifies and learns typical properties of a system and reports significant deviations from the typical system's normal properties as outliers. The anomaly detection techniques can provide protection from new zero-day attacks whenever these attacks lead to deviations from typical behaviours of the system, and do not require a balanced training set in which both malicious and benign events are equally represented. These techniques are a better fit for real industrial systems where malicious events are much rarer than benign events. They are important tools to detect abnormalities in the critical financial infrastructures and services. The FINSEC project has developed scalable anomaly detection for cyber-physical integrated security using physical (e.g., cameras) and cyber probes (e.g., Skydive, IDS (Intrusion Detection Systems etc.). The FINSEC anomaly detection analyses events and streams them to an analytics module by capturing a complete cyber-physical behavioural model of the financial sector infrastructures. This chapter presents the FINSEC anomaly detection system for the protection of critical infrastructure. It describes the different models of the system, interactions, validations and test results. It also address the scalability of the solution, the adaptive and intelligent data collection, and the reduction of the false positive rate, which is often the major drawback of anomaly detection techniques. Several methods to address the challenge of reducing the false positive rate are presented: (i) Careful selection of analytics that produce clear meaningful alerts like Data Leakage, Reconnaissance attack, etc., (ii) on-line learning that adaptively learns changes in the system's behaviour, and (iii) alert budgeting that adaptively select a proper threshold to control the number of alerts without missing the most critical ones.