RESUMEN
As cyber-attacks increase in unencrypted communication environments such as the traditional Internet, protected communication channels based on cryptographic protocols, such as transport layer security (TLS), have been introduced to the Internet. Accordingly, attackers have been carrying out cyber-attacks by hiding themselves in protected communication channels. However, the nature of channels protected by cryptographic protocols makes it difficult to distinguish between normal and malicious network traffic behaviors. This means that traditional anomaly detection models with features from packets extracted a deep packet inspection (DPI) have been neutralized. Recently, studies on anomaly detection using artificial intelligence (AI) and statistical characteristics of traffic have been proposed as an alternative. In this review, we provide a systematic review for AI-based anomaly detection techniques over encrypted traffic. We set several research questions on the review topic and collected research according to eligibility criteria. Through the screening process and quality assessment, 30 research articles were selected with high suitability to be included in the review from the collected literature. We reviewed the selected research in terms of dataset, feature extraction, feature selection, preprocessing, anomaly detection algorithm, and performance indicators. As a result of the literature review, it was confirmed that various techniques used for AI-based anomaly detection over encrypted traffic were used. Some techniques are similar to those used for AI-based anomaly detection over unencrypted traffic, but some technologies are different from those used for unencrypted traffic.
RESUMEN
Cyber threats to industrial control systems (ICSs) have increased as information and communications technology (ICT) has been incorporated. In response to these cyber threats, we are implementing a range of security equipment and specialized training programs. Anomaly data stemming from cyber-attacks are crucial for effectively testing security equipment and conducting cyber training exercises. However, securing anomaly data in an ICS environment requires a lot of effort. For this reason, we propose a method for generating anomaly data that reflects cyber-attack characteristics. This method uses systematic sampling and linear regression models in an ICS environment to generate anomaly data reflecting cyber-attack characteristics based on benign data. The method uses statistical analysis to identify features indicative of cyber-attack characteristics and alters their values from benign data through systematic sampling. The transformed data are then used to train a linear regression model. The linear regression model can predict features because it has learned the linear relationships between data features. This experiment used ICS_PCAPS data generated based on Modbus, frequently used in ICS. In this experiment, more than 50,000 new anomaly data pieces were generated. As a result of using some of the new anomaly data generated as training data for the existing model, no significant performance degradation occurred. Additionally, comparing some of the new anomaly data with the original benign and attack data using kernel density estimation confirmed that the new anomaly data pattern was changing from benign data to attack data. In this way, anomaly data that partially reflect the pattern of the attack data were created. The proposed method generates anomaly data like cyber-attack data quickly and logically, free from the constraints of cost, time, and original cyber-attack data required in existing research.