Dispatching advanced and adaptive intrusion responses for IIoT-based system

Abstract

The ever-increasing number of cyber-attacks poses a serious challenge to incident response teams. Recent cyber-attacks, such as the attack against energy distribution companies in Ukraine, highlight the disruption which can be caused and its consequences. More than 53 % of recorded incidents targeted essential entities, which heavily rely in Industrial Internet of Things (IIoT) devices, according to ENISA. Despite the amount of work in Cyber Threat Intelligence (CTI) and Intrusion Detection Systems (IDSs), automated response systems have been avoided in connected industrial environments mainly due to the criticality of the underlying assets, where a misstep has the potential to result in the disruption of critical processes. This paper therefore presents an Early and Adaptive Automated Intrusion Response Service for industrial environments, named EAIRS, which combines several techniques, including expert systems and reinforcement learning, to classify and mitigate anomalies detected by IDSs. The incidents EAIRS is designed to face range from network to host-based attacks. This paper provides the architecture for the described approach and the evaluation of a proof-of-concept implementation on an experimental testbed.