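% Portal export of the ICISSP 2017 paper. The Scopus export metadata (conference
% code, citation count, export date, cited-reference list) is kept in `annote`,
% which standard styles do not print; `note` holds only the event line.
@inproceedings{4c6f1a3ce7d74848b1be13994b3a7bda,
  author    = "Eibl, G. and Ferner, C. and Hildebrandt, T. and Stertz, F. and Burkhart, S. and Rinderle-Ma, S. and Engel, D.",
  title     = "Exploration of the Potential of Process Mining for Intrusion Detection in Smart Metering",
  booktitle = "Proceedings of the 3rd International Conference on Information Systems Security and Privacy",
  volume    = "1",
  pages     = "38--46",
  publisher = "SCITEPRESS",
  address   = "Portugal",
  year      = "2017",
  doi       = "10.5220/0006103900380046",
  isbn      = "978-989-758-209-7",
  url       = "https://icissp.scitevents.org/?y=2017",
  language  = "English",
  keywords  = "Intrusion Detection, Process Mining, Smart Grids, Smart Metering, Data mining, Electric measuring instruments, Forestry, Information systems, Information use, Attack tree, Business Process, Conformance checking, Smart grid, Testing environment, Threat analysis",
  abstract  = "Process mining is a set of data mining techniques that learn and analyze processes based on event logs. While process mining has recently been proposed for intrusion detection in business processes, it has never been applied to smart metering processes. The goal of this paper is to explore the potential of process mining for the detection of intrusions into smart metering systems. As a case study the remote shutdown process has been modeled and a threat analysis was conducted leading to an extensive attack tree. It is shown that currently proposed process mining techniques based on conformance checking do not suffice to find all attacks of the attack tree; an inclusion of additional perspectives is necessary. Consequences for the design of a realistic testing environment based on simulations are discussed. Copyright {\textcopyright} 2017 by SCITEPRESS -- Science and Technology Publications, Lda. All rights reserved.",
  note      = "3rd International Conference on Information Systems Security and Privacy, ICISSP 2017, ICISSP 2017 ; Conference date: 19-02-2017 Through 21-02-2017",
  annote    = "Conference code: 134790 Cited By :3 Export Date: 14 December 2023 References: Accorsi, R., Stocker, T., On the exploitation of process mining for security audits: The conformance checking case (2012) Proceedings of The 27th Annual ACM Symposium on Applied Computing, pp. 1709-1716. , ACM; Berthier, R., Sanders, W.H., Khurana, H., Intrusion detection for advanced metering infrastructures: Requirements and architectural directions (2010) 2010 First IEEE International Conference on Smart Grid Communications, pp. 350-355. , IEEE; Bezerra, F., Wainer, J., Algorithms for anomaly detection of traces in logs of process aware information systems (2013) Information Systems, 38 (1), pp. 33-44; Bezerra, F., Wainer, J., Van Der Aalst, W.M.P., Anomaly detection using process mining (2009) 10th International Workshop, Enterprise, Business-Process and Information Systems Modeling, 29, pp. 149-161; Jalali, H., Baraani, A., Process aware host-based intrusion detection model (2012) International Journal of Communication Networks and Information Security, 4 (2), pp. 117-124; Kordy, B., Kordy, P., Mauw, S., Schweitzer, P., ADTool: Security analysis with attack-defense trees (2013) International Conference on Quantitative Evaluation of Systems; Kordy, B., Mauw, S., Radomirovi{\'c}, S., Schweitzer, P., Attack-defense trees (2012) Journal of Logic and Computation, p. exs029; Kordy, B., Pi{\`e}tre-Cambac{\'e}d{\`e}s, L., Schweitzer, P., DAG-based attack and defense modeling: Don{\textquoteright}t miss the forest for the attack trees (2014) Computer Science Review, 13, pp. 1-38; (2015) {\"O}sterreich Use-Cases F{\"u}r Das Smart Metering Advanced Meter Communication System (AMCS), , Oesterreichs-Energie; Roy, A., Kim, D.S., Trivedi, K.S., ACT: Towards unifying the constructs of attack and defense trees (2012) Security and Communication Networks, 5 (8), pp. 929-943; Salter, C., Saydjari, O.S., Schneier, B., Wallner, J., Toward a secure system engineering methodology (1998) Proceedings of The 1998 Workshop on New Security Paradigms (NSPW{\textquoteright}98), pp. 2-10; Stocker, T., Accorsi, R., SecSy: Security-aware synthesis of process event logs (2013) Proceedings of The 5th International Workshop on Enterprise Modelling and Information Systems Architectures, , St. Gallen, Switzerland; Van der Aalst, W.M., (2011) Process Mining: Discovery, Conformance and Enhancement of Business Processes, , Springer; Van der Aalst, W.M., De Medeiros, A.K.A., Process mining and security: Detecting anomalous process executions and checking process conformance (2005) Electronic Notes in Theoretical Computer Science, 121, pp. 3-21",
}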