
Data Trustworthiness in Critical Infrastructures Protection

Author: Uccello, Federica
Publisher: Zenodo
DOI: 10.5281/zenodo.17531888
Source: https://zenodo.org/records/17531888/files/PhD_Thesis_Uccello.pdf
Ph.D. Dissertation
Doctorate School in
Information and Communication Technology and Engineering
Department of Engineering
University of Napoli Parthenope
Data Trustworthiness in Critical Infrastructures Protection
Federica Uccello
XXXVI Cycle
Advisor: Prof. Salvatore D’Antonio
Coordinator: Prof. Agostino Iadicicco
2023
Abstract
Critical Infrastructures (CIs) form the backbone of modern societies, ensuring the delivery of vital goods and services, and their disruption can have profound implications for both safety and security. Moreover, the emergence of Smart Infrastructures and the Internet of Things (IoT) has underscored the critical role of data in CIs, bringing new challenges to cybersecurity. This dissertation explores security challenges for CIs, especially against cyber-attacks targeting data, presenting solutions for security monitoring and data protection in CIs. The key contributions of this work include a literature review on Data Provenance in CIs, the development and validation of an Advanced Tamper-Resistant Storage (ATRS) framework, a Cyber-Attack Detection Framework (CADF), and the integration of both. Machine Learning (ML) techniques are employed to enhance CADF’s accuracy in detecting attacks, featuring Association Rule Mining (ARM) and Explainable Artificial Intelligence (xAI), showing promising experimental results. This research seeks to enhance the resilience of critical infrastructures by providing a comprehensive solution and methodology for preventing and detecting data-centric cyber-attacks. By securing data and improving security monitoring, it offers a robust defense against threats that could otherwise have catastrophic consequences.
Acknowledgements
I would like to express my deepest gratitude to all those who have supported me on this remarkable journey of pursuing a Ph.D. It takes quite a bit of determination, some might say, even a touch of madness, especially after spending years studying engineering. But this journey would not have been possible without the assistance of the right people. I am deeply grateful to my colleagues at the Fitness Lab and the professors who stood by my side throughout this academic endeavor.
A special expression of gratitude goes to Salvatore D’Antonio and Luigi Coppolino, who have not only contributed to my professional growth but also instilled in me the belief in my own capabilities. They challenged me with tasks I never thought I could conquer and placed their unwavering trust in my abilities. I extend my heartfelt thanks to Enzo for always being there to rescue me from the stress of countless operational tests and demos, and life overall. I am appreciative of all the friends who provided their endless support and encouragement, both near and far. To my friends and colleagues in Bydgoszcz, your presence and the unique study abroad experience you shared with me enriched my life and allowed me to learn so much in such a short time.
Carl, your unconditional encouragement through every twist and turn in my journey has been invaluable. Words cannot explain how grateful I am for you being there for me, no matter the decisions I made, or where in the world I was. Finally, thanks to my family, and most especially to my mom. You are my idol, the embodiment of who I aspire to become. Your unconditional love and guidance have been the driving force behind my accomplishments, ever since I was a little kid in school. Thank you for seeing in me what I could not see, and pushing me in never giving up.
Federica Uccello
It is better to deserve honors and not have them
than to have them and not to deserve them.
– Mark Twain
Contents
List of Tables
List of Figures
List of Acronyms
Introduction
1 Critical Infrastructures Protection
  1.1 Threat Landscape in Critical Infrastructures
  1.2 Security Information and Event Management System
    1.2.1 Security Probes
    1.2.2 Parsing and Normalization
    1.2.3 Correlation Engine
    1.2.4 Rule Editor
    1.2.5 Log Storage
    1.2.6 Monitoring
  1.3 Role of Data Provenance in CI Security Monitoring
2 Background and Related Work
  2.1 Data Provenance
    2.1.1 Blockchain-Based Data Provenance
    2.1.2 Data Provenance through Smart-Contracts
    2.1.3 Other Technologies
  2.2 Attack Detection
  2.3 Machine Learning in Attack Detection
    2.3.1 Association Rule Mining
    2.3.2 Explainable Artificial Intelligence
3 The Advanced Tamper-Resistant Storage

List of Acronyms
ACL Access Control Language
AI Artificial Intelligence
ANOVA Analysis of Variance
ARM Association Rule Mining
ATRS Advanced Tamper-Resistant Storage
BES Bulk Electric Systems
BIM Building Information Modeling
CADF Cyber-Attack Detection Framework
CERT Computer Emergency Response Team
CIA Confidentiality Integrity and Availability
CI Critical Infrastructure
CP-ABE Ciphertext-Policy Attribute-based Encryption
CTI Cyber threat information
DCS Distributed Control Systems
DoS Denial of Service
DDoS Distributed Denial of Service
EDS Energy Delivery Systems
FDIA False Data Injection Attack
GDPR General Data Protection Regulation
HTTP Hypertext Transfer Protocol
IC Integrated Circuit
ICS Industrial Control Systems
IDMEF Intrusion Detection Message Exchange Format
IDS Intrusion Detection System
IDSA International Data Spaces Association
IPC Interprocess Communication
IPFS InterPlanetary file storage system
IoT Internet of Things
ML Machine Learning
MitM Man in the Middle
NIST National Institute of Standards and Technology
PBFT Practical Byzantine Fault Tolerance
PDC Phasor data concentrator
PMU Phasor Measurement Unit
PoS Proof of Stake
PoW Proof of Work
PUF Physically Unclonable Function
SCADA Supervisory Control and Data Acquisition
SHA Secure Hash Algorithm
SHAP SHapley Additive exPlanations
SMOTE Synthetic Minority Over-sampling Technique
SSI Self-Sovereign Identity
TPM Trusted Platform Module
TLS Transport Layer Security
UIT Universal Identifier of Things
VDR Verifiable Data Registry
xAI Explainable Artificial Intelligence
Introduction
In recent years, Critical Infrastructures (CIs) have become increasingly vulnerable to cyber-attacks. This is due to a number of factors, including the growing reliance of CIs on digital technologies and data, the increasing sophistication of cyber attacks, and the interdependencies between different CIs. In light of the growing threat of cyber-attacks, it is compulsory to develop and implement robust security measures to protect CIs. Data is essential in this context: large amounts of data are stored and collected continuously to monitor systems and networks, to make operational decisions, and to provide services to customers. The protection of data in CIs is therefore a highly critical task, as data constitutes one of the most targeted assets in cybercrime. Attackers may steal data to learn about the vulnerabilities of CI systems, or to manipulate them and disrupt the service provided, and data breaches can have a significant reputational and financial impact as well. However, protecting data in such an interconnected scenario is not trivial, especially in terms of ensuring reliability and traceability. To address these concerns, this Thesis collects a series of research and experimental results aiming at providing an extensive solution for security monitoring and data protection in CIs. The key contributions of the present work can be summarized as follows:
• Literature review on Data Provenance in CIs: to provide a better understanding of the current landscape, a rigorous survey has been conducted, with a focus on tamper-resistant storage techniques.
• Definition and implementation of a novel framework for tamper-resistant storage in CIs: the Advanced Tamper-Resistant Storage (ATRS) is a Blockchain-based tool designed to securely store data in a fully transparent fashion.
• Definition and implementation of an attack detection solution for CIs: the Cyber-Attack Detection Framework (CADF) has been developed to promptly detect known and novel attacks by monitoring systems and applications.
• Integration of the ATRS and the CADF: in order to provide an inclusive solution for CIs, the two solutions have been successfully integrated. When a CADF alert is raised, all security relevant data is permanently stored in the ATRS. Two individual use cases are presented, considering attacks targeting Confidentiality and Integrity.
• Enhancement of the CADF through Machine Learning (ML): Artificial Intelligence (AI) has been employed to improve the accuracy of the CADF detection criteria, achieving near-perfection results. A novel use case is presented, focusing on threat against Availability.
The Thesis is organized as follows: Chapter 1 provides context and motivation behind the present work, emphasizing the need for integrated approaches and providing a reference architectural design for comprehensive real-time security monitoring, as well as highlighting the role of Data Provenance in CIs protection. Chapter 2 overviews the related work. In particular, a survey on Data Provenance application and techniques in CIs has been conducted. In addition, a state-of-the-art analysis of attack detection within CIs is presented. Chapter 3 showcases the conceptual architecture, implementation and testing of the ATRS; Chapter 4 shows the conceptual architecture, implementation and testing of the CADF; the ML-based CADF augmentation is presented in Chapter 5, including the proposed methodology, a brief overview of enabling technologies, and experimental results. Chapter 6 extends the validation presented in Chapters 3 and 4, discussing application domains and use cases of the proposed integrated solution. Finally, a Conclusion chapter ends the Thesis with some final remarks.
Chapter 1
Critical Infrastructures Protection
CIs are essential systems and networks that underpin the functioning of modern societies. The rapid advancement of technology has led to an increased reliance on critical systems across various domains, including aerospace, healthcare, transportation, and energy. These systems play a vital role in ensuring the smooth operation of crucial services and often involve human lives and significant financial implications. However, the complexity of these systems makes them susceptible to faults and security threats, which can have severe consequences. For an infrastructure to be considered critical, a disruption or incapacity to offer services would result in significant impacts on safety, security, health, and/or economics. The European Commission defines a CI as an asset or system that is needed for the maintenance of vital societal functions. Damage to CI, its destruction, or disruption by natural disasters, terrorism, criminal activity, or malicious behavior may have a significant negative impact on the security of the EU and the well-being of its citizens [2].
Industrial Control Systems (ICS) play a crucial role in delivering essential services within CIs. These systems consist of a group of control systems used for industrial protection, including SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems). In the past, ICSs were physically isolated from the outside world. However, with the benefits of interoperability, such as real-time monitoring, redundancy, and overall optimization, these systems are now connected to the corporate Wide Area Network and the Internet. Additionally, with the migration towards Smart Infrastructures through the deployment of the Internet of Things (IoT), data is now recognized as a crucial component of CIs. The needs and benefits of data-driven approaches have been highlighted by the European Commission in their European Data Strategy [3], underlining how this evolution also brings new challenges to cybersecurity. In particular, it is noted how the growing importance of data makes ICSs and CIs more vulnerable to attacks, making the protection of critical systems crucial.
1.1 Threat Landscape in Critical Infrastructures
Real-time dependability and security monitoring are critical aspects of maintaining the proper functioning of CIs. Dependability monitoring involves the continuous assessment of system performance and the detection of potential faults or failures; security monitoring focuses on identifying and mitigating security threats such as intrusions, data breaches, and malicious activities. The growing complexity of CIs in various domains has presented new challenges in ensuring their reliability and security. As these systems become more interconnected and technologically advanced, the potential risks associated with faults and security threats have increased significantly. Therefore, there is a pressing need for advanced monitoring techniques to address these challenges effectively. One of the key motivations behind the present research is the potential consequences of faults in critical systems. A fault can manifest in various ways, such as hardware failures, software glitches, or communication errors. In CIs, even a minor fault can have severe implications. Rapid detection and recovery mechanisms are needed to minimize the impact of faults and restore the system to its normal operation as quickly as possible. In addition to faults, CIs face a wide range of security threats. Attacks can be classified based on the attacker’s objectives, which include compromising the fundamental requirements of data confidentiality, integrity, and availability (CIA triad).
• Data confidentiality - sensitive data can’t be disclosed to unauthorized entities or processes.
• Data integrity - data can’t be modified in an unauthorized way to prevent inappropriate alteration and/or destruction and guarantee authenticity and non-repudiation.
• Data availability - data must be accessible and usable by whoever is legitimated to do so.
Figure 1.1 shows examples of notable cyber-attacks aimed at disrupting the requirements mentioned above. It is important to note that while the figure shows a clear distinction between such attacks, the same attack can be used to violate multiple requirements. Examples of attacks targeting data confidentiality include Eavesdropping, an attack where the adversary captures small packets from the network transmitted by the victim, and reads the data content in search of information of interest. In Man in the Middle (MitM) attacks, the adversary secretly violates the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties. Phishing is among the most common attacks affecting data confidentiality: the adversary sends a fraudulent message designed to steal sensitive information from the victim, or to trick the victim into revealing it. When it comes to data integrity, common attacks include Data Poisoning, where the attacker compromises the training dataset of a ML model with false data to deceive it throughout the training phase. In False Data Injection Attacks (FDIAs), the adversary injects false data to disrupt the target’s operation through compromised sensors. Another threat to integrity is posed by the Byzantine Attack: the adversary gains full control of a genuine device and performs illogical behaviour to interrupt the system. Data availability is also heavily targeted by widely spread attacks, such as Denial of Service (DoS)/Distributed Denial of Service (DDoS), where single/multiple systems flood the target with a high volume of traffic (volumetric attack) or target specific resources and exhaust them (non-volumetric attack). In Black Hole Attacks, a malicious node uses its routing technique to promote itself as having the shortest route to the destination node. A further common attack threatening availability is Ransomware, malicious software designed to encrypt data until a ransom is paid.

Figure 1.1: Effects of Cyber-Attacks targeting data on the CIA triad

These security threats can compromise sensitive data, disrupt system operations, or even facilitate further attacks. Real-time security monitoring plays a key role in identifying and mitigating these threats promptly, minimizing their impact, and preventing potential damage. Real-time monitoring becomes even more crucial in CI environments to detect and respond to security incidents promptly. The importance of ensuring the reliability and security of CIs cannot be overstated. Organizations and stakeholders recognize the potential consequences of system failures and security breaches, both in terms of financial

Chapter 2
Background and Related Work
2.1 Data Provenance
Data Provenance is a research area that holds potential to support the reinforcement of CIs security and resilience. In fact, its application can ensure the integrity and reliability of data by recording and verifying a complete history of data, enabling auditing and digital forensics as well. Even the European Commission has proposed a Regulation on European data governance as part of its data strategy: this highlights the importance of tracking Data Provenance to ensure data reliability, integrity and authenticity, especially when it comes to data sharing and storage [3]. Data Provenance in CIs aims at a double objective: retrieving the original source of data, and tracing all the processes that have led to the current data. In this way, it is possible to ascertain quality, detect any sources of error or tampering, as well as simplify the correct attribution of copyright and compliance with regulations.
With the advent of Industry 4.0, new threats have arisen in CIs: these systems, initially designed and developed without considering cybersecurity as the highest priority, are now targeted by new attacks, once exclusive to cyber systems. As previously discussed, poor data management causes significant vulnerabilities, which can result in serious consequences if exploited, especially in critical systems. In fact, these infrastructures are migrating toward Smart Infrastructures by deploying the IoT and investing in remote management and Big Data to improve the quality of service. The consequences of attacks on data range from the interruption of the service provided to, in the worst cases, disastrous consequences in environmental, economic and safety terms. This clearly shows that ensuring data reliability and trustworthiness is an essential task to prevent these kinds of consequences. Data Provenance, together with proper data management, can provide a viable solution to these kinds of problems and consequences in CIs.
The definition of provenance is complicated by the heterogeneity of the data involved. Several international initiatives, such as the International Data Spaces Association (IDSA)¹, GAIA-X² or FIWARE³, aim to provide generic frameworks to share, manage and process data in the context of Industry 4.0 and Big Data, in order to enable data sharing through data spaces characterized by uniform rules. IDSA intends to guarantee data sovereignty by an open, vendor-independent architecture for a peer-to-peer network which provides control of data usage from all domains in a secure, trusted, equal partnership. The main goal is a global standard for International Data Spaces and interfaces. Gaia-X has the objective to address the challenges of the data environment within the European Union. The architecture of Gaia-X is based on the principle of decentralization, as a result of multiple individual platforms following a common standard. The end goal is a data infrastructure based on openness, transparency, and trust, by building a networked system that links Cloud Services Providers together in many critical scenarios, such as healthcare, energy, finance and so on. In 2021, IDSA and GAIA-X published a position paper to propose an integration of their individual approaches [8]: the merge would result in an architecture combining the data approach of International Data Spaces with the decentralized perspective offered by GAIA-X. The FIWARE Foundation promotes the FIWARE technological ecosystem, which aims at providing a modular, open and public software platform to enable multiple smart applications, including smart cities, smart agriculture, smart energy and more, which are strongly dependent on data. With a specific reference to the GAIA-X project, data provenance is defined as a retrospective recording of data flows and usages to support, for instance, data traceability or auditing [8]. Hence, it is clear that the objectives that data provenance has to tackle in CIs are related to the management of the origin, development, ownership, location, and changes of data. This may also include personnel and processes used to interact with or make modifications to data.
In order to overview the role of Data Provenance in the recent security landscape, a literature review has been conducted, with a major focus on research works discussing tamper-resistant Data Provenance. The research has been performed among title, keyword and abstract of the studies, by exploring the following databases: Web of Science⁴, Scopus⁵, and IEEE⁶. To select relevant Related Works, the following research criteria have been applied: (a) excluding any duplicate studies and extended versions of the same work, (b) excluding any work published before 2013 for an up-to-date analysis, (c) only considering the ones written in English, (d) excluding reviews, surveys, and works that were not research papers, and (e) removing the papers that were out of scope. The following sections discuss the findings, providing background and motivation behind the work described in Chapter 3.

¹ https://internationaldataspaces.org/
² https://www.data-infrastructure.eu/GAIAX/Navigation/EN/Home/home.html
³ https://www.fiware.org/
⁴ https://www.webofscience.com/wos/woscc/basic-search
⁵ https://www.scopus.com/search/form.uri?display=basic
⁶ https://ieeexplore.ieee.org/search/advanced
2.1.1 Blockchain-Based Data Provenance
Among the research work explored, a majority focuses on Blockchain to enable transparent and tamper-proof Data Provenance. A blockchain is a distributed, decentralized, and immutable ledger. Distributed means that each part of the network is located in different physical locations. The processing is spread across multiple users, called nodes. Decentralized means that a decision is made across various nodes. Each node decides its behaviour, which will eventually affect the network’s behaviour. In this way, there’s no single node that can access the system’s information completely.
Blockchain technology can be defined as a subset of Distributed Ledger Technology (DLT), based on consensus algorithms between peer nodes. There’s no central control and verification unit. Immutable means that a transaction cannot be tampered with once it is packed into the blockchain. A transaction is a data packet that memorizes parameters and it’s the result of function calls. Once data is stored in a blockchain, it can’t be deleted or manipulated. It is possible to invalidate it, but the original data won’t be affected. A Data Provenance record technique consists of the storage of data and operations as blockchain transactions.
A blockchain can be imagined as a pile of blocks, each consisting of a block header and a block body. Each block contains three pieces of information: the actual data (depending on the type of blockchain), the cryptographic hash of the current block obtained by the hashing process, and the hash of the previous block. The hashing process is a one-way process that consists in taking the input data and transforming it using a hashing algorithm, such as Secure Hash Algorithm (SHA), a family of cryptographic hash functions published by the USA National Institute of Standards and Technology (NIST). A hashing algorithm returns an output string of fixed length that identifies and represents the block uniquely, acting as a unique fingerprint of that block. The blocks are linked according to the previous hashes, making the blockchain virtually secure and inviolable: in fact, the hash depends on the input and, consequently, changing the data or tampering with it will lead to a new hash code for the block, different from the previous one. Hashing, therefore, is very useful for detecting alteration.
A blockchain is based on consensus between nodes. In order to reach consensus, specific algorithms are required. Several algorithms have been developed in the past few years. However, the most popular consensus algorithms are:
• PoW (Proof of Work): it requires proof that work occurred, such as hardware processing. The members of the network must expend effort solving an arbitrary mathematical puzzle to deter malicious uses of computing power, such as spam or DoS attacks.
• PoS (Proof of Stake): it requires an actual stake of the currency to determine the next block. Instead of utilizing energy to answer PoW puzzles, a PoS miner is limited to mining a percentage of transactions that is reflective of their ownership stake.
The main difference between the two algorithms lies in the power consumption, which is much lower in PoS. Many blockchain platforms are migrating from PoW to PoS or planning to do so in the next few years to make this technology more sustainable in terms of costs and energy [9]. Another notable consensus algorithm is the Practical Byzantine Fault Tolerance (PBFT), where consensus can be reached even in case a small number of nodes demonstrate malicious behaviour, such as falsifying information.
Blockchain can be private, public, or permissioned. In a public blockchain, anyone is allowed to join the peer network, while in a private one only selected and verified participants are allowed. The validation is performed by the network operator(s), or by a pre-defined set protocol. A permissioned blockchain is characterized by properties of both public and private blockchains.
In [10], a framework for protecting Provenance data in IoT environments is proposed. The framework addresses the requirements of tamper prevention, high availability, and access control of Provenance data through a fully distributed, lightweight, and keyless signature infrastructure in conjunction with attribute-based encryption and blockchain. The framework allows for the enforcement of fine-grained access control policies while assuring and enforcing the integrity of the Provenance data. BlockCloud [11] is a blockchain-based Data Provenance architecture that incorporates CloudPoS, a novel PoS-based consensus protocol for securely recording the data operations occurring in a cloud environment. Within BlockCloud, Data Provenance records are collected and published to a Blockchain. The system builds a public time-stamped log of all user operations on cloud data and assigns a Blockchain receipt to each Provenance entry for future validation. In [12] bcBIM, a Building Information Modeling (BIM) model enhanced by Bitcoin blockchain for BIM data audit, Provenance, and accountability, is proposed. The framework ensures traceability by timestamp for recording BIM modification history. The authors design a blockchain-based method for BIM data aggregation including data structure and basic computation for consensus. The analysed system parameters include security strength, block size, packaging period, and hashing time cost. The work [13] explores how blockchain technology can be used as a solution to increase the security of the Bulk Electric Systems (BES) supply chain through a cryptographically signed distributed ledger that provides increased Data Provenance, attribution, and auditability. The Provenance framework proposed in [14] is based on the OpenStack Cloud platform and presents a generic ledger interface meant to interact with various blockchain solutions, giving the Cloud provider the freedom to select the blockchain of choice. The system has been tested on Ethereum, Trillian, and Tendermint. In [15], a trusted Data Provenance application is implemented using Multichain. In this approach, Data Provenance is recorded by treating data as relevant assets in a transactional network. The proposed proof-of-concept application is based on existing research [16] to collect and verify Provenance by embedding it on a private blockchain platform. The same research is the basis of another framework [17], characterized by three Data Provenance phases: data collection from a network, access verification through blockchain technology, and transaction download for auditing tasks. These phases correspond to the approach and data treatment processes. In the same fashion, the framework proposed in [18] enables Provenance creation and storage on Multichain: the Provenance records consist of transactions on the Multichain ledger.
The authors of [19] propose a blockchain-based secure trading framework, including features such as decentralization, immutability, and integrity to solve the trust crisis in a centralized Provenance-based system. To improve the Provenance security, the Access Control Language (ACL) rule is proposed. Evaluation tests demonstrate that the framework minimizes the execution time when the number of transactions increases in terms of storage representation of Data Provenance and security.
The framework proposed in [20] aims at securing Data Provenance in IoT systems by combining blockchain and access control policies. The platform is implemented with hybrid attribute-based encryption, and the results are evaluated based on computational cost, the throughput of encryption and decryption, and the strength of the key, calculated according to the avalanche effect.
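
The hash-linked block structure described earlier in this section, as an added Python example that is not code from the thesis or from the ATRS: each block holds a provenance record, the previous block's hash and its own hash, and verification reports the first block at which the chain breaks. The record fields, function names and sample values are constructed for illustration; the example goes slightly beyond the text by also comparing the head hash with a trusted copy, the check that catches a chain rewritten end to end.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder "previous hash" for the first block

# Constructed sample: the history of one measurement in a CI monitoring pipeline.
SAMPLE_RECORDS = [
    {"data_id": "pmu-17/frequency", "operation": "create", "actor": "sensor-gateway",
     "value": 50.01, "time": "2023-01-10T08:00:00Z"},
    {"data_id": "pmu-17/frequency", "operation": "normalize", "actor": "parser",
     "value": 50.01, "time": "2023-01-10T08:00:01Z"},
    {"data_id": "pmu-17/frequency", "operation": "store", "actor": "log-storage",
     "value": 50.01, "time": "2023-01-10T08:00:02Z"},
    {"data_id": "pmu-17/frequency", "operation": "read", "actor": "correlation-engine",
     "value": 50.01, "time": "2023-01-10T08:05:00Z"},
]


def block_hash(record, prev_hash):
    """SHA-256 over a canonical encoding of the record and the previous block's hash."""
    payload = json.dumps({"record": record, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_record(chain, record):
    """Store one provenance record (an operation on a data item) as a new block."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"record": dict(record), "prev_hash": prev_hash,
             "hash": block_hash(record, prev_hash)}
    chain.append(block)
    return block


def build_sample_chain():
    chain = []
    for record in SAMPLE_RECORDS:
        append_record(chain, record)
    return chain


def verify_chain(chain, trusted_head=None):
    """Return (ok, index, reason); index is the first block that fails a check."""
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev_hash:
            return (False, i, "broken link to previous block")
        if block_hash(block["record"], block["prev_hash"]) != block["hash"]:
            return (False, i, "stored hash does not match block content")
        prev_hash = block["hash"]
    # A chain can be internally consistent and still not be the one the other
    # nodes hold, so the head is compared with a copy obtained elsewhere.
    if trusted_head is not None and prev_hash != trusted_head:
        return (False, len(chain) - 1 if chain else None,
                "head differs from trusted copy")
    return (True, None, "ok")


def tampered_copy(chain, index, changes, rehash="none"):
    """Copy of the chain with one record altered, to exercise the verifier.

    rehash="none":  only the record is edited
    rehash="block": the edited block's own hash is recomputed
    rehash="tail":  every hash from the edited block to the head is recomputed
    """
    forged = copy.deepcopy(chain)
    forged[index]["record"].update(changes)
    if rehash == "none":
        return forged
    last = index if rehash == "block" else len(forged) - 1
    for i in range(index, last + 1):
        if i > index:
            forged[i]["prev_hash"] = forged[i - 1]["hash"]
        forged[i]["hash"] = block_hash(forged[i]["record"], forged[i]["prev_hash"])
    return forged


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]          # the copy of the head held by other nodes
    edit = {"value": 49.20}           # constructed alteration of a stored reading
    print("untouched      ", verify_chain(chain, head))
    print("record edited  ", verify_chain(tampered_copy(chain, 1, edit), head))
    print("block rehashed ", verify_chain(tampered_copy(chain, 1, edit, "block"), head))
    print("tail rewritten ", verify_chain(tampered_copy(chain, 1, edit, "tail")))
    print("tail vs. head  ", verify_chain(tampered_copy(chain, 1, edit, "tail"), head))
```

A single node checking only its own copy accepts the fully rewritten chain; the mismatch appears only against the head held by other nodes, which is the role the distributed copies and consensus play in the description above.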
2.1.2 Data Provenance through Smart-Contracts
Some blockchain networks rely on smart contracts to define signature constraints between nodes and reach consensus: Ethereum, Hyperledger Fabric, and Rahasak are among these. Smart contracts existed way before blockchain technology was introduced: a smart contract is a computerized transaction protocol that implements the terms of the contract. In other words, a smart contract contains all the constraints and the logical sequence of actions that need to be performed in order to effectuate and validate a transaction. Smart contracts are sandboxed and isolated: they can’t access file systems, networks or any process running on the same machine. Once a contract is deployed on a blockchain, it can’t be modified or updated again. For this reason, a deep testing phase is recommended before releasing the final version of the contract. Smart contracts can be written in several code languages according to the blockchain platform of interest. Smart contracts are deployed to all the nodes within the network and executed when certain criteria are met. Three steps are required to deploy a smart contract: build a transaction object, sign the transaction and broadcast the transaction to the network. The usage of smart contracts for building Data Provenance framework architectures is a relatively new concept, and it has been the subject of recent research. An instance is [21], which proposes the architectural design of an application of blockchain technology to medication anti-counterfeiting and traceability systems. The work presents an optimization of the conventional PBFT consensus mechanism in the blockchain to enhance system operation efficiency in the process of medicine traceability.
Many platforms rely on existing blockchain platforms, such as Ethereum, as in [22],
[23], [24], [25], [26], [27], [28], [29], [30], [31], [32]. Among the others, [22] was one of
the first works exploring the potential of a blockchain-assisted information distribution
system for the IoT. The study identifies key security requirements for a framework of this
kind, discussing how to use blockchain and smart contracts to satisfy them. The proposed
architecture is based on Ethereum and it adopts a gateway-oriented approach, where all
blockchain-related operations are offloaded to a gateway, which in return provides an
appropriate Application Programming Interface (API) for the Things to invoke. The
work [23] proposes a framework for managing IoT medical devices and files by creating
a distributed chain of custody and health data privacy scheme. A private blockchain
is used in combination with on-chain smart contracts to allow for a forensics-by-design
management architecture with audit trails for integrity and Provenance guarantees as
well as health data privacy. The private blockchain ecosystem is authenticated by a
proof-of-medical-stake consensus mechanism that is tailored to medical applications. In
[24], Data Provenance for Integrated Circuits (IC) supply chain traceability is enabled
through the combination of blockchain and Physically Unclonable Function (PUF). The
blockchain provides a unique identifier for an IC. Using smart contracts, the proposed
approach automates hardware and software protocols, allowing supply chain participants
to authenticate, track, trace, analyze, and provision chips throughout their entire life
cycle.
The framework proposed in [25] exploits blockchain's inherent advantages while
associated with the development of authentication systems to provide transparency,
consistency, and tamper-proof Provenance records. The user authenticates their Ethereum
wallet address to the smart contract, which provides an access token and the shipper's
Ethereum address. The user then assembles a package including their IP address, Ethereum
public key, token access, and duration, which is signed with their Ethereum private key
and sent to the IoT gadget. Upon delivery, the gadget checks the contents and allows
access if the check is successful; otherwise, access is refused.
In [26], the architecture of a tamper-proof Data Provenance extended, but not limited,
to the healthcare scenario is proposed. The framework aims at protecting sensitive data,
such as medical records. Transport Layer Security (TLS) is featured to secure off-chain
data prior to the creation and storage of the Provenance records. Within the healthcare
domain, [27] proposes a framework for product traceability in the medical supply chain,
ensuring Data Provenance through ad hoc smart contracts and providing a secure,
immutable history of transactions to all stakeholders. The stakeholders interact with the
smart contract through pre-authorized function calls and with the decentralized storage
for accessing data files. They also interact with on-chain resources to obtain information
such as logs, InterPlanetary File System (IPFS) hashes, and transactions. The
work [29], based on [27], presents a blockchain-based solution for managing data related
to COVID-19 vaccines' distribution and delivery. Smart contracts automate the
traceability of COVID-19 vaccines while ensuring Data Provenance, transparency, security,
and accountability. Similarly, [28] proposes a framework that leverages smart contracts
and decentralized off-chain storage to ensure efficient drug traceability and which
monitors the consumption of these drugs by patients according to a doctor's prescription.
The study [30] portrays an end-to-end approach to enhance the security of the food
supply chain by monitoring systems and securing their components. Blockchain and smart
contracts are used in combination with Tiny Machine Learning (TinyML) to ensure the
integrity of collected data, enabling transparent traceability. TinyML is an emerging
technology that can operate in constrained hardware and provide intelligent results by
running ML locally on edge.
In [32], a blockchain with an IoT-enabled permissionless network structure, called
“B-SMEs”, is proposed, providing solutions for cross-chain platforms. The blockchain
permissionless public network is deployed along with two different chain-of-communication
channels, such as off-chain and on-chain, that tackle a number of transactions that occur
in the chain. The architecture also includes NuCypher threshold re-encryption with smart
contracts and consensus policies for transaction protection and automation. Additionally,
the IPFS is used to store logs of individual transactions that occur in the B-SMEs chain.
Within the SIGNED framework [32], the key component for Provenance management
is the Traceability Layer, which includes a Verifiable Data Registry (VDR). The VDR is
a smart contract deployed on the blockchain, in charge of managing and sharing public
credentials of the components, such as public keys and public addresses, to ensure security
and privacy requirements.
Another popular choice is Hyperledger Fabric, used as enabling platform in [33], [34],
[35], [36], and [37].
In [33], a secure Data Provenance framework for a cloud-centric IoT network is
proposed. The proposed architecture is built on top of Hyperledger Fabric with the
traditional Cloud infrastructure. In this approach, the cryptographic hash of the device
metadata is stored in the blockchain whereas actual data is stored in the Cloud, to increase
scalability and adapt it to the IoT environment. Multiple smart contracts are stationed in
the blockchain to guarantee the Provenance receipt of the data stored in the cloud.
An architecture enabling lineage traceability in IoT devices is proposed in [34]. This
approach proposes a privacy-preserving data management platform integrated with
management hub nodes and off-chain storage service, making use of blockchain and
public-key cryptography for identity authentication, authorization, and Provenance
tracking mechanisms. The proposed architecture, implemented in Hyperledger Fabric, is
compatible with a generic blockchain platform, public or private. The framework eChain [35]
can detect counterfeiting in the electronic supply chain by enabling tracking and
traceability. The integrity of the Provenance records in eChain is ensured through the
immutable distributed ledger of electronic devices across the supply chain entities.
BlockHeal [36] is a framework for telehealth that integrates all essential healthcare
services under one platform and ensures a full-fledged trusted environment, featuring
Provenance and validated within several use cases. The work [37] presents a
blockchain-based product identification and certification system called Universal
Identifier of Things (UIT) that enables fast product authenticity verification using
low-cost devices. Products are embedded with unique identifiers, which are digitalized
through the generation of a digital certificate, stored on a blockchain.
The blockchain platform Rahasak has been employed in [38], [39], and [40]. The
platform Siddhi [38], through blockchain, Self-Sovereign Identity (SSI) enabled Cyber
threat information (CTI), can realize traceability, anonymization, and Data Provenance
in a scalable fashion for threat intelligence. Smart contracts are used for implementing
functions such as identity verification and incident reporting. CySCPro [39] is a supply
chain Provenance framework assuring cyber transactions in energy delivery systems,
auditing logs in a tamper-resistant manner, and integrated with off-chain storage. Similarly,
Vind [40] is a platform for enterprise-level Energy Delivery Systems (EDSs) that realizes
Data Provenance in a cyber supply chain ecosystem.
2.1.3 Other Technologies
Blockchain-based approaches constitute the standard technique for the achievement of
tamper-resistant capabilities. However, some alternative noteworthy approaches have
been proposed and employed in literature. Among the others, a framework featuring
tamper-resistance has been proposed in [41]. The proposed framework aims at ensuring
the integrity of Provenance records in Cloud environments through a secure Provenance
chain, introduced in the work [42]. Provenance chains can prevent tampering attacks by
tracking writes and securing the associated Provenance. The frameworks proposed in [43]
and [44] aim at achieving tamper-resistance through the Trusted Platform Module (TPM).
The TPM is a tamper-resistant cryptographic module embedded in the motherboards of
various commodity systems, and it is able to provide a hardware root of trust for storing
cryptographic keys and measurements, representing the current state of the system.
The framework proposed in [43], based on the TPM, enables secure Data Provenance
in Cloud environments. The framework ensures the integrity and confidentiality of
Provenance logs through the features of TPM, while the availability is guaranteed by storing
the Provenance information in dedicated servers. ProvUSB [44] is an architecture for
fine-grained Provenance collection and tracking on smart USB devices, featuring TPM
for tamper-resistance. The framework is able to collect Data Provenance information by
recording reads and writes at the block layer and reliably identifying hosts editing those
blocks through attestation over the USB channel with acceptable overhead.
Some frameworks enable tamper-evidence, therefore supporting the detection of
tampering attacks. The framework WORAL [45] is a ready-to-deploy framework for
generating and validating witness oriented asserted location Provenance records to enhance
supply chain security. The WORAL framework allows user-centric, collusion-resistant,
tamper-evident, privacy-protected, verifiable, and Provenance preserving location proofs
for mobile devices.
In [46], starting from their previous research, the authors propose VisualProgger, a
real-time security visualization application (web and mobile) visualizing Data Provenance
changes in a tamper-evident fashion. The application has been used to evaluate a
full-scale security visualization effectiveness framework developed by the same researchers.
The PDMS framework, proposed in [47], is a Provenance-based monitoring and forensic
analysis framework that builds upon an existing Provenance collection and tracking
framework. Evaluation results show that PDMS is able to keep a low Provenance storage
overhead, and it can be used to detect tampering. Specifically, PDMS has been tested
to detect file tampering and it has been shown how further analysis of the whole
Provenance graph can accurately ascertain the attack source as well. In [48], a secure
Provenance tracking framework for IoT is proposed. The framework uses the partial encryption
techniques of CP-ABE (Ciphertext-Policy Attribute-based Encryption) by offloading an
IoT node. The IoT node only calculates the partial digital signature, while the
heavy-loaded computation is performed by the edge node. Through hash-based searching, the
Provenance tracking time decreases. The research shown in [49] uses a set of pre-existing
tamper-free frameworks for Data Provenance to test a novel algorithm to mitigate
poisoning attacks through Data Provenance. The majority of the works analyzed throughout
The Advanced Tamper-Resistant Storage
The tokenId is used as input for the creation of a new provenance record along with the
data sent from the processes, and the CADF alert. Each time a new provenance record is
created, two new blocks are added to the chain. In particular, the first block contains the
transaction relative to the generation of the new tokenId required to track the data point
received. The second block contains the transaction relative to the actual provenance
record. In this block, the “context” field displays the input data. Additionally, all the
necessary provenance information is displayed, including the tokenId, and the provId, a
unique identifier of the specific provenance record. The creation of a provenance record
is triggered by an alert from the CADF. The CADF system can detect cyber-attacks on
monitored systems and applications through a set of probes. The probes act as sources
for the correlation logic of the CADF, enabling the creation of alerts in case of anomalies.
Each alert is identified by a unique ID as well.
3.2 System Evaluation
This section focuses on an example use-case of interest, providing details regarding the
implementation of the simulation performed, along with performance evaluation. This use
case scenario and the one presented in Section 4.2.2 have been implemented in the Energy
domain. However, it is worth mentioning that both the ATRS and the CADF can be used
for a wide scope of virtually any CI.
3.2.1 Use Case
Within Smart Grids, Data collection and monitoring are obtained through two key
enabling technologies, integrated together for the exchange of information through the rapid
communication medium:
• Phasor measurement units (PMUs): also known as synchrophasors. These
devices can measure the electrical waves on a power grid using GPS signals as a
common time source for synchronization. These units are able to measure real-time
power system quantities, simultaneously and in a distributed area, while allowing
the collection of time-stamped measurements.
• Phasor data concentrators (PDCs): these are nodes where phasor data from
several PMUs are correlated and output as a single stream to other applications.
The interaction between PMUs and PDCs follows a client/server protocol: PMUs operate
in a server mode, allowing clients such as PDC to connect to it. The Data Collector, in
this scenario, is composed of a set of PMUs. The PMUs retrieve voltage and current
information (magnitude and phase angle) within the simulated smart grid, and forward
it to the Processing Unit through the TLS protocol: the Processing Unit is acting as a
PDC, by receiving and processing data collected by the synchrophasors. The command
flow between PMUs and Processing Unit follows the IEEE C37.118 standard², which
is the standard protocol for communication between PMUs and PDCs. The standard
defines four types of messages: data, configuration, and header (transmitted from PMU)
and command (received by the PMU). Specifically, data messages are the measurements
collected by the PMU. Configuration messages, machine-readable, describe the metadata
sent by the PMU. Header messages, human-readable, describe all information sent from
the PMU but described by the user. Finally, commands are machine-readable codes
employed for control or configuration. Each PMU could transmit multiple data streams
that must be uniquely identified. For the sake of brevity, Table 3.1 lists and defines frame
organization of data messages according to the standard, in a concise way.

Table 3.1: Data Message frame organization according to the IEEE C37.118 standard

| Data Message Field | Size (bytes) | Description |
|---|---|---|
| SYNC | 2 | Sync byte. |
| FRAMESIZE | 2 | Size of the frame in bytes. |
| IDCODE | 2 | Unique stream identifier. |
| SOC | 4 | Second of Century timestamp. |
| FRACSEC | 4 | Fraction of Second count. |
| STAT | 2 | Bit-mapped flag. |
| PHASORS | 8/16 | Phasor estimates. |
| FREQ | 2/4 | Frequency. |
| DFREQ | 2/4 | Rate Of Change Of Frequency. |
| ANALOG | 8/16 | Analog data. |
| DIGITAL | 4 | Digital data. |
| CHK | - | Cyclic Redundancy Check (CRC-CCITT). |
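As an added illustration of the frame layout above (not code from the thesis), the following parser validates the common header and the CHK field of a received frame before any measurement is trusted. The 2-byte CHK width, the SYNC bit layout, the FRACSEC time-quality byte and the CRC parameters are taken from the IEEE C37.118 standard rather than from Table 3.1; the sample frame and all function names are constructed for this example.

```python
import struct

# SYNC low byte: bits 6-4 select the frame type, bits 3-0 the version (per the standard).
FRAME_TYPES = {0: "data", 1: "header", 2: "config-1", 3: "config-2", 4: "command"}
HEADER = struct.Struct(">HHHII")  # SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC = 14 bytes


class FrameError(ValueError):
    """Raised when a frame fails a structural or integrity check."""


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT: polynomial 0x1021, initial value 0xFFFF, no bit reflection."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_frame(frame: bytes) -> dict:
    """Check SYNC, FRAMESIZE and CHK, then return the decoded header fields.

    The measurement layout (PHASORS, FREQ, ...) depends on the configuration
    frame, so the body is returned as raw bytes.
    """
    if len(frame) < HEADER.size + 2:
        raise FrameError("truncated frame")
    sync, framesize, idcode, soc, fracsec = HEADER.unpack_from(frame)
    if sync >> 8 != 0xAA:
        raise FrameError("bad SYNC byte")
    if framesize != len(frame):
        raise FrameError("FRAMESIZE does not match received length")
    (chk,) = struct.unpack(">H", frame[-2:])
    if crc_ccitt(frame[:-2]) != chk:
        raise FrameError("CHK mismatch")
    fields = {
        "type": FRAME_TYPES.get((sync >> 4) & 0x7, "unknown"),
        "version": sync & 0xF,
        "idcode": idcode,
        "soc": soc,
        "time_quality": fracsec >> 24,   # top byte of FRACSEC
        "fraction": fracsec & 0xFFFFFF,  # 24-bit fraction-of-second count
        "body": frame[HEADER.size:-2],
    }
    if fields["type"] == "data":
        if len(fields["body"]) < 2:
            raise FrameError("data frame without STAT")
        (fields["stat"],) = struct.unpack_from(">H", fields["body"])
    return fields


def build_data_frame(idcode: int, soc: int, fracsec: int, stat: int,
                     measurements: bytes) -> bytes:
    """Assemble a data frame (version 1) with a valid CHK, for test input."""
    size = HEADER.size + 2 + len(measurements) + 2
    body = (HEADER.pack(0xAA01, size, idcode, soc, fracsec)
            + struct.pack(">H", stat) + measurements)
    return body + struct.pack(">H", crc_ccitt(body))


# Constructed sample: one phasor (magnitude, angle), FREQ and DFREQ as 32-bit floats.
SAMPLE = build_data_frame(7, 1_700_000_000, 500_000, 0x0000,
                          struct.pack(">ffff", 230.1, 0.52, 50.0, 0.0))

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

CHK is an error-detection code, not an authentication tag: it catches corruption but says nothing about who produced the frame, which is why the setup described here carries the frames over TLS.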
As shown in Figure 3.2, once the Processing Unit connects to the PMU server, it must
retrieve the PMU configuration by sending the Configuration request frame.
As a response, the PMU sends the Configuration frame, containing information that
the Processing Unit will use to decode the data. At the reception of the Configuration
frame, the Processing Unit sends the request to start the data transmission, and the PMU
starts transmitting data at a fixed rate. The Processing Unit accepts and decodes the
data from the PMU. When the Processing Unit sends the request to stop the
transmission, the PMU stops transmitting data. The ATRS acts as a passive tool: the Processing
Unit is constantly receiving data from Synchronous processes (in this use case, PMUs)
and storing it in Cache. Whenever an alert is raised, the Processing Unit requests from
the asynchronous processes all the data produced within the monitoring time window of
the CADF (i.e. 10 minutes before the alert). Data cached in the same time window is
also retrieved, along with the alert ID. All this information is stored on-chain, bundled
in a provenance record. This feature allows the ATRS to only store anomalous data that
can constitute symptoms of attacks. In this way, the ATRS enables support in case of
incidents through a reliable forensic analysis, making it suitable for adaptation to a wide
range of possible use cases and applications.

Figure 3.2: PMU and Processing Unit command flow according to the IEEE C37.118 standard

² https://standards.ieee.org/ieee/C37.118.1/4902/
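The sketch below is an added example, not the ATRS implementation: it shows the passive caching behaviour and the two-block provenance record described in this chapter. A local SHA-256 hash chain stands in for the Ethereum contract, and the class names, the way tokenId and provId are derived, and the retention of two windows of history are assumptions; only the 10-minute window and the tokenId, provId, context and alert ID fields come from the text.

```python
import hashlib
import json
from collections import deque

WINDOW_S = 600  # CADF monitoring window from the text: 10 minutes before the alert


class Cache:
    """Processing Unit cache: keeps recent samples and evicts stale ones."""

    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s
        self._samples = deque()  # (timestamp, source, value) in arrival order

    def store(self, ts, source, value):
        self._samples.append((ts, source, value))
        # Assumption: keep two windows of history so a late alert still finds its data.
        while self._samples and self._samples[0][0] < ts - 2 * self.window_s:
            self._samples.popleft()

    def window(self, alert_ts):
        """Samples cached in the window that ends at the alert timestamp."""
        lo = alert_ts - self.window_s
        return [list(s) for s in self._samples if lo <= s[0] <= alert_ts]


class Chain:
    """Append-only hash chain used here as a stand-in for the blockchain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(prev, tx):
        payload = json.dumps([prev, tx], sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, tx):
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"prev": prev, "tx": tx, "hash": self._digest(prev, tx)}
        self.blocks.append(block)
        return block

    def verify(self):
        """Recompute every link; any edited transaction breaks the chain."""
        prev = self.GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != self._digest(prev, block["tx"]):
                return False
            prev = block["hash"]
        return True


def on_alert(cache, chain, alert_id, alert_ts):
    """Create one provenance record: a tokenId block, then the record block."""
    token_block = chain.append({"kind": "tokenId-request", "alertId": alert_id})
    token_id = token_block["hash"][:16]  # hypothetical derivation of the tokenId
    prov_id = hashlib.sha256(f"{token_id}|{alert_id}".encode()).hexdigest()[:16]
    chain.append({
        "kind": "provenance-record",
        "tokenId": token_id,
        "provId": prov_id,
        "alertId": alert_id,
        "context": cache.window(alert_ts),  # only data from the alert window
    })
    return prov_id


if __name__ == "__main__":
    cache, chain = Cache(), Chain()
    for t in range(0, 1500, 60):            # constructed PMU samples, one per minute
        cache.store(t, "PMU-1", 230.0 + t / 1000)
    print(on_alert(cache, chain, "alert-42", 1440), chain.verify())
```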
3.2.2 Performance Evaluation
To evaluate the performance of the ATRS, two parameters have been considered:
processing time, and cost. The results of the time processing evaluation are shown in Figure 3.3.
The input data constitutes the context field of the provenance records. The processing
time has been evaluated by feeding simulated data, ranging from 1 B to 1 KB. The context
field is approximately 104 B for sample PMU inputs, leading to an average processing time
of approximately 1 s for the creation and storage of a provenance record. The proposed
framework aims at storing data in cache by default, and storing on the Blockchain only
measurements that allowed the detection of anomalies. The data rate of PMU and PDC
communication typically ranges from 1 sample per second to 120 samples per second.
The performance is considered acceptable for the proposed application. Similarly, the
cost analysis performed is shown in Figure 3.4.

Figure 3.3: Performance evaluation of the ATRS. The test was conducted by feeding input data
of increasing size to the framework
In the proposed approach, based on the Ethereum blockchain for storage, the
transactions for the TokenID request and the creation of a new provenance record have a cost
in Ether, the Ethereum crypto-currency, corresponding to a cost in traditional currency.
Since any Ethereum transaction requires computational resources to be processed within
the blockchain, a commission fee (gasFee) is required to successfully perform the
transaction. The gasFee is calculated according to Eq. (3.1):

$$\text{gasFee} = \frac{\text{gasPrice}\,[\text{Gwei}] \times \text{gasUsed}}{10^{9}}\ [\text{ETH}] \tag{3.1}$$

In Ethereum, “gas” is a unit that identifies the amount of computational power necessary
to execute a specific transaction, measured in wei, the smallest denomination of Ether.
The gasFee depends on the cost per gas unit that a user is willing to pay for the
transaction, and the units of gas required for said transaction (gasUsed). The cost analysis of
our experimental approach is reported in Table 3.2. The gas units required for the various
operations have been evaluated setting a gasPrice of 20 Giga-wei. Since the ATRS is
meant to act as a passive tool, and only store secure relevant data when triggered by a
CADF alert, the cost analysis is considered satisfying.
Table 3.2: Cost Analysis for the creation of a provenance record.ᵃ

| Transaction | Gas Unit | GasFee | Cost |
|---|---|---|---|
| TokenID request | 149'000 | 0.003 ETH | €4,04 / $3,93 |
| Provenance record | 250'000 | 0.005 ETH | €6,73 / $6,55 |
| TOTAL | 399'000 | 0.008 ETH | €10,78 / $10,51 |

ᵃ Cost is relative to the currency exchange at the time of the writing.

Figure 3.4: Cost evaluation of the ATRS. The test was conducted by feeding input data of
increasing size to the framework
Chapter 4
The Cyber-Attack Detection Framework
This chapter introduces the CADF, the proposed solution for attack detection in CIs.
The next sections outline the architecture and components of CADF focusing on its key
features. A use case scenario in the Energy domain is also presented, demonstrating how
CADF can effectively detect and respond to a combined brute force and device alteration
attack. The CADF's ability to identify and respond to threats targeting confidentiality
and integrity is showcased, along with its integration with the ATRS.
4.1 Proposed Architecture
The CADF is a key component of the proposed security monitoring solution, concerned
with improving the security of Critical Infrastructures alongside the pre-existing security
systems.
Figure 4.1 shows how the CADF places itself within the conceptual architecture described
in Section 1.2, highlighting the subset of functionalities that the CADF is able to provide.
In order to achieve specific functionalities, the CADF is equipped with ad hoc modules,
as detailed in the following subsections and shown in Figure 4.2. The dedicated modules
are in charge of real-time log collection, parsing and consolidating events, efficient event
stream management, correlation logic, intuitive rule creation, long-term data storage, and
visualization. Despite their widespread adoption, common SIEM products can face
limitations that affect their effectiveness in securing CIs. Among these, the sheer volume of
data collected can quickly overwhelm SIEM systems, leading to performance degradation
and false-positive alerts. This is particularly concerning for CIs, where real-time threat
detection is crucial for preventing disruptions or outages. Another limitation lies in the
need for correlating data from diverse sources within complex infrastructures, as most
SIEM tools can struggle to effectively integrate data in such a complex scenario.
Furthermore, SIEM products often rely on simple rules and predefined threat signatures to
detect anomalies. With respect to traditional solutions, the CADF implements a scalable
architecture, fit for a holistic security framework tailored to CIs. It implements real-time
monitoring designed for wide and complex infrastructures, and it addresses the lack of
extensive sets of built-in rules against common CIs threats that traditional SIEM might
face. The CADF has also been tested against a variety of realistic scenarios within
actual CIs, as detailed in Section 4.2. Additionally, the tool has been augmented with ML
techniques (Chapter 5): these advanced methods can analyze large datasets and identify
patterns that deviate from normal behavior, potentially uncovering hidden threats that
may not be detected by traditional SIEM systems.

Figure 4.1: Functionalities of the CADF in accordance to the proposed architecture of Security
Monitoring framework for CIs.
Figure 4.2: High-level architecture and data flow of the CADF

The detailed architecture of the CADF is depicted in Figure 4.2. As shown in the
figure, the architecture consists of various components that work together to provide
attack detection capabilities. The following illustrates each component in more detail to
provide a deeper understanding of their roles and functionalities.
4.1.1 Message Collector
At the heart of the architecture lies the Message Collector, a lightweight shipper
specifically designed for real-time log collection. Its primary function is to gather logs from
end-node applications or probes. By monitoring log files or predefined locations, the
Message Collector swiftly captures logs and forwards them to the Message Adapter for
further processing. This real-time log collection ensures that no critical security events
go unnoticed.
4.1.2 Message Adapter
The Message Adapter acts as a vital intermediary between the Message Collector and
other components in the architecture. Its responsibilities include receiving and
consolidating events from the Message Collector, parsing the collected data, and processing it
for further analysis. Through the use of input plugins, the Message Adapter can apply
personalized data transformations and enhancements to the collected logs. These
transformations and enhancements can be customized using filter plugins, ensuring that the
messages are aligned with the specific information requirements of the monitoring phase.
Within the CADF, all the alerts are converted to Intrusion Detection Message Exchange
Format 2 (IDMEF 2) and forwarded to the modules responsible for the mitigation stage.
The purpose of IDMEF is to define data formats and exchange procedures for sharing
information of interest to intrusion detection and response systems and to the management
systems that may need to interact with them. The details of the IDMEF format are
described in the RFC 4765¹. Additionally, we use IDMEF 2 to include geolocalization
and information related to the source, target, and assets involved. The CADF utilizes a
highly scalable framework architecture that ensures effective and efficient protection. By
converting relevant alerts into IDMEF 2, the Message Adapter enriches the log data with
additional contextual information such as geolocation, source, target, and involved assets.
4.1.3 Stream Processing Support
The Stream Processing Support component plays a crucial role in managing the events
received from the Message Collector. It possesses powerful capabilities to handle the
processing and storage of event streams. The Stream Processing Support can read and
write events efficiently, ensuring high-performance data ingestion and retrieval. It also
acts as a central hub for importing and exporting data to and from other components,
such as the Historical Database, Real-Time Correlator, and Dashboards. To organize
the data, the Stream Processing Support creates separate topics for each data source.
Whenever a message is stored in a topic, it is marked with a time-stamp, allowing for
easy tracking and analysis of events over time.
4.1.4 Real-Time Correlator
The Real-Time Correlator module enhances the architecture's monitoring capabilities by
enabling correlation logic. It works in conjunction with the Rule Designer component
to identify relationships and patterns among the incoming events. Leveraging the data
streams from the Stream Processing Support, the Real-Time Correlator can apply
correlation rules to the events in real-time. These correlation rules are designed using the
Rule Designer, allowing security analysts to create customized logic for detecting complex
security incidents. The Real-Time Correlator provides a flexible and intuitive interface
to view, start, and stop the correlation rules, empowering analysts to effectively manage
the monitoring system's behavior.

¹ https://www.rfc-editor.org/rfc/rfc4765.html
4.1.5 Rule Designer
The Rule Designer component simplifies the process of creating correlation rules by
offering a user-friendly graphical interface. Security analysts can easily define the logic for
identifying security incidents by selecting the appropriate data sources from Stream
Processing Support. The Rule Designer allows analysts to specify conditions, thresholds, and
relationships between events, enabling the creation of accurate and tailored correlation
rules. This intuitive design significantly reduces the time and effort required to develop
and modify correlation rules, empowering analysts to adapt the monitoring system to
evolving security threats effectively.
4.1.6 Historical Database
To support long-term data storage and analysis, the architecture incorporates a Historical
Database component. The Historical Database is specifically designed to handle the
persistence of time-stamped or time-series data generated by the security monitoring
system. It provides a robust and scalable storage solution for storing large volumes of
security-related data over extended periods. Security analysts can leverage the Historical
Database to run complex queries and perform aggregations on the stored data. These
advanced querying capabilities enable analysts to gain valuable insights and enhance
situational awareness. By aggregating and displaying events that have occurred over
time, the Historical Database enables retrospective analysis and aids in the identification
of historical security trends.
4.1.7 Dashboard
The Dashboard component offers a comprehensive and intuitive user interface for
visualizing and exploring the indexed data stored in the Historical Database. It serves as a
centralized platform for security analysts to access and analyze the collected information
in real-time. Through the Dashboard, analysts can perform searches, apply filters, and
generate visual representations of security events and incidents. This enables quick
identification of anomalies, threats, and trends, empowering analysts to respond promptly
to emerging security risks. The Dashboard provides a user-friendly browsing experience,
allowing analysts to navigate through the historical data easily and gain valuable insights
into the security posture of the critical infrastructure.
The Hybrid Cyber-Attack Detection Framework

Figure 5.1: Proposed approach for Hybrid CADF. A ML classifier is used to evaluate the
accuracy of the CADF rules, and to define more advanced discriminatory criteria based on the
analysis of results and hidden relationship between features.
SelectKBest utilizes univariate statistical tests, such as ANOVA F-value, to identify the
most relevant features for the analysis. The set of selected features is shown in Table
5.1. Afterwards, the dataset was employed to simulate real-time network traffic. For
this scope, the last column containing the labels was removed, while the remaining ones
are converted in JSON keys, with the rows representing the values. The JSON entries
were then read by a simulated network probe, that shipped data to the CADF through a
Kafka producer. Static correlation rules were created to discriminate between regular and
anomalous traffic. As a result of the correlation rules, the original samples were labelled
as malicious or benign according to the pre-defined criteria. This procedure formulated
novel datasets, which are identical to the original one, with the exception of the labels
attributed by the CADF correlation rule. The core concept is to compare the
CADF-labelled datasets with the original dataset ground truth to evaluate the effectiveness of
the CADF rules. Afterwards, ARM and xAI were employed to analyze in depth the
datasets' features and extract relevant discrimination criteria for the CADF. Finally, the
CADF-labelled datasets created with the new rules were also compared with the ground
truth.
Table 5.1: Most relevant features selected for the experiment.

| Feature | Description |
|---|---|
| ACK Flag Count | It represents the number of packets with the ACK (Acknowledgment) flag set in the network flow. |
| Flow Duration | It refers to the time duration of a network flow. |
| Idle Mean | It denotes the average time period of inactivity between successive packets in a flow. |
| Min Packet Length | It represents the minimum length of packets observed in the network flow. It can be indicative of the smallest unit of data transmitted in the communication. |
| Bwd Packet Length Mean | It stands for the mean packet length observed in the backward direction (from destination to source) in the flow. It provides direction-specific insights. |
| min seg size forward | This feature represents the minimum TCP segment size observed in the forward direction (from source to destination) during the communication. |
| Destination Port | This feature indicates the port number used by the destination in the network flow. It can help identify specific services or applications involved in the communication. |
| Packet Length Mean | It represents the average length of packets in the flow, offering insights into the typical packet size during the communication. |
| URG Flag Count | It refers to the number of packets with the URG (Urgent) flag set in the flow, indicating data that requires immediate attention. |
| Fwd Packet Length Mean | It represents the average length of packets in the forward direction (from source to destination) in the flow. |
| RST Flag Count | It represents the number of packets with the RST (Reset) flag set in the network flow. The RST flag can be significant in detecting abnormal behaviour. |
| SYN Flag Count | SYN Flag Count denotes the number of packets with the SYN (Synchronize) flag set in the flow, crucial in establishing a TCP connection. |
| Total Backward Packets | This feature represents the total number of packets transmitted in the backward direction (from destination to source) during the flow. |
| Active Mean | This feature represents the average time duration of activity within a flow, providing insights into the active periods of communication. |
5.1 Rule Discovery
The applied method is formalised as follows. Let $X$ represent the set of features in the
original dataset $D$, and let $y = \{\text{DDoS}, \text{BENIGN}\}$ be the corresponding labels. The
aim is to identify $x_{rule}$ and use it as discrimination criteria between DDoS and BENIGN
samples. As shown in Equation 5.1, to minimize the number of mislabelled samples,
the difference between the original set of labels and the CADF-labelled one must be
minimized.

$$x_{rule} \in X : \min_{x_{rule}} \left| y_{CADF} - y \right| \tag{5.1}$$
5.1.1 CADF Rules
Within the present research, two different correlation rules have been generated. The
correlation criteria have been defined through a linear correlation analysis between the
dataset features and the DDoS label. Let $C$ be the correlation index and $x_i$ be the $i$-th
feature in the dataset. The linear correlation analysis selects the feature $x_i$ with the
highest correlation index, as shown in Equation 5.2:

$$j = \arg\max_{i} \big( C(x_i, \text{DDoS}) \big) \tag{5.2}$$

After this analysis, the FlowDuration and BwdPacketLengthMean features have been
selected and used as foundation to build discrimination criteria, as shown in the following.
In Equation 5.4, the feature BwdPacketLengthMean is represented as BPLengthMean
for the sake of brevity.

$$y_{cadf} = \begin{cases} \text{DDoS} & \text{if } FlowDuration \geq T_{FlowDuration} \\ \text{BENIGN} & \text{otherwise} \end{cases} \tag{5.3}$$

$$y_{cadf} = \begin{cases} \text{DDoS} & \text{if } BPLengthMean \geq T_{BPLengthMean} \\ \text{BENIGN} & \text{otherwise} \end{cases} \tag{5.4}$$
5.1.2 ARM Rules
ARM is a powerful data mining technique widely utilized in various domains, including
cybersecurity, for discovering hidden patterns and relationships within large datasets. In
the context of this research, ARM plays a crucial role in enhancing the discriminatory
criteria of traditional rule-based CADF systems. The APRIORI algorithm has been applied
to the considered dataset $D$ to mine the most correlated features with the target variable
(DDoS), and discover hidden relationships between features. For $D$, an interesting rule
has been found between the following features: BwdPacketLengthMean,
FwdPacketLengthMean, and InitWinBytesForward. A set of CADF-labelled datasets,
$D_{arm}$, has been created according to the refined rules defined after the association rule
mining analysis. In the equations, the features BwdPacketLengthMean and
FwdPacketLengthMean are represented as BPLengthMean and FPLengthMean respectively,
for the sake of brevity.

$$y_{arm} = \begin{cases} \text{DDoS} & \text{if } BPLengthMean \geq T_{M} \times FPLengthMean \\ \text{BENIGN} & \text{otherwise} \end{cases} \tag{5.5}$$

$$y_{arm} = \begin{cases} \text{DDoS} & \text{if } InitWinBytesForward = 256 \ \text{or}\ BPLengthMean \geq T_{M} \times FPLengthMean \\ \text{BENIGN} & \text{otherwise} \end{cases} \tag{5.6}$$

It has been observed that, for the original dataset $D$, only DDoS instances had a
specific value of InitWinBytesForward. As suggested by the association rules, this has
been a key feature for a highly accurate detection.
5.1.3 xAI Rules
Within AI, xAI has emerged as a critical area of focus, with the aim to provide a deeper understanding of the logic behind ML models. In the present research, a third set of enhanced rules is mined through SHapley Additive exPlanations (SHAP) and ANCHOR. All the rules from both sets have been tested using an ML classifier. The application of xAI on the ML classifier for the selected dataset has revealed a set of complex nested rules. All the extracted rules are used for binary classification, dividing network traffic into two classes: Class: 0 (benign) and Class: 1, which represents DDoS attacks. A striking commonality across all the trees is that the majority of paths lead to the classification of traffic as benign (Class: 0). This suggests that the primary purpose of these trees is to identify benign or non-malicious traffic effectively. The SHAP values have been extracted and analyzed, leading to the following CADF rule (Equation 5.7). The features with the highest SHAP values have been considered and employed in the definition of a discriminatory criterion.

$$y_{xAI} = \begin{cases} \text{BENIGN} & \text{if } DestPort \in Whitelist \\ \text{DDoS} & \text{if } DestPort \in Blacklist \ \text{or}\ TotBWDP \leq T_{TPL} \ \text{or}\ FlowDuration > T_{FlowDuration} \\ \text{BENIGN} & \text{otherwise} \end{cases} \tag{5.7}$$

Finally, another rule has been derived using explainability features provided by ANCHOR. The rule is formalized in Equation 5.8:

$$y_{xAI} = \begin{cases} \text{BENIGN} & \text{if } a \geq FPLengthMean > b \\ \text{DDoS} & \text{if } BPLengthMean \geq T_1 \ \text{or}\ FPLengthMean < T_2 \ \text{or}\ PLengthMean > T_{PL} \\ \text{BENIGN} & \text{otherwise} \end{cases} \tag{5.8}$$
5.2 Parameter Settings
To conduct the experiments and implement the proposed methodology effectively, several parameters needed to be defined. The present section outlines the key parameter settings used throughout the research.
5.2.1 Feature Selection Parameters
For the dimensionality reduction, the datasets were processed with scikit-learn's SelectKBest, and the individual scores of each feature were analyzed to identify the most relevant features. SelectKBest performs a univariate statistical test using the Analysis of Variance (ANOVA) F-value between the labels and the features. The top 14 features were selected. This value was chosen after observing a significant drop in feature scores beyond this point, indicating that these 14 features were the most relevant. The correlation between features has also been studied to avoid redundant features and only select the most representative ones.
5.2.2 Association Rule Mining Parameters
The APRIORI algorithm has been employed for discovering association rules in the considered datasets. The Minimum Support Threshold controls the minimum frequency of occurrence of an itemset in the dataset for it to be considered in the rule mining process. The authors experimented with different support thresholds, including 0.1, 0.05, and 0.01, to observe the impact of varying support levels. The Minimum Confidence Threshold determines the minimum level of confidence required for an association rule to be considered relevant. Different confidence thresholds have been tested, such as 0.7, 0.8, and 0.9, to assess the impact on rule discovery.
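How the Minimum Support and Minimum Confidence thresholds shape the mined rules, as an added Python example (not code from the thesis): a compact level-wise APRIORI over ten constructed, already-discretised flow records. Item names such as `iwf=256` and all function names are assumptions made for this illustration.

```python
from itertools import combinations

# Constructed, pre-discretised flow records (one item set per flow). They are
# NOT taken from the thesis dataset; item names are assumed for illustration.
def _tx(iwf, bpl, fpl, label):
    return frozenset({f"iwf={iwf}", f"bpl={bpl}", f"fpl={fpl}", f"label={label}"})

TRANSACTIONS = (
    [_tx("256", "high", "low", "DDoS")] * 3
    + [_tx("256", "low", "low", "DDoS")]
    + [_tx("other", "high", "low", "BENIGN")]
    + [_tx("other", "low", "high", "BENIGN")] * 3
    + [_tx("other", "low", "low", "BENIGN")]
    + [_tx("other", "high", "high", "BENIGN")]
)


def count(itemset, transactions):
    """Number of transactions that contain every item of `itemset`."""
    return sum(1 for t in transactions if itemset <= t)


def frequent_itemsets(transactions, min_support):
    """Level-wise APRIORI. Returns {itemset: occurrence count}."""
    n = len(transactions)
    level = {frozenset([i]) for t in transactions for i in t}
    frequent, k = {}, 1
    while level:
        counted = {c: count(c, transactions) for c in level}
        kept = {c: v for c, v in counted.items() if v / n >= min_support}
        frequent.update(kept)
        # Join step: unions of two frequent k-itemsets that have k+1 items.
        joined = {a | b for a in kept for b in kept if len(a | b) == k + 1}
        # Prune step (downward closure): every k-subset must itself be frequent.
        level = {c for c in joined
                 if all(frozenset(s) in kept for s in combinations(c, k))}
        k += 1
    return frequent


def mine_rules(transactions, target, min_support, min_confidence):
    """Rules 'antecedent -> target' as (antecedent, support, confidence)."""
    n = len(transactions)
    freq = frequent_itemsets(transactions, min_support)
    rules = []
    for itemset, hits in freq.items():
        if target in itemset and len(itemset) > 1:
            antecedent = itemset - {target}
            # Counts are used instead of support ratios to keep the
            # confidence exact (3/4 rather than 0.3/0.4).
            confidence = hits / freq[antecedent]
            if confidence >= min_confidence:
                rules.append((antecedent, hits / n, confidence))
    return sorted(rules, key=lambda r: (-r[2], -r[1], sorted(r[0])))


if __name__ == "__main__":
    for supp, conf in [(0.1, 0.9), (0.1, 0.7), (0.3, 0.7)]:
        print(f"min_support={supp} min_confidence={conf}")
        for ant, s, c in mine_rules(TRANSACTIONS, "label=DDoS", supp, conf):
            print(f"  {sorted(ant)} -> DDoS  support={s:.2f} confidence={c:.2f}")
```

On this constructed sample every rule that survives a 0.9 confidence threshold contains `iwf=256`, while lowering the threshold to 0.7 also admits the weaker packet-length rule.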
5.2.3 Rules Parameters
For defining correlation rules, the threshold values were derived from the statistical properties of the selected features and the discovered criteria. In Equation 5.3 and Equation 5.4, the thresholds $T_{FlowDuration}$ and $T_{BwdPacketLengthMean}$ have been set equal to the mean value of the selected feature for all the samples of the original dataset. To define a suitable value for the $T_M$ parameter shown in Equations 5.5 and 5.6, multiple approaches have been considered. Ultimately, the optimal value has been obtained by calculating the average BwdPacketLengthMean to FwdPacketLengthMean ratio for DDoS instances. This value was set to optimize the discrimination between DDoS and benign traffic. In Equation 5.7, the threshold $T_{TPL}$ used for the TotalBackwardPackets feature has been set equal to the mean value of the feature for the entire dataset. The threshold for FlowDuration is the same employed in Equation 5.3. The Whitelist and Blacklist have been derived by checking the exclusive values of DestinationPort for BENIGN and DDoS labels, respectively. The thresholds $T_1$ and $T_2$ have been obtained as shown in Equation 5.9.

$$T = k \cdot \sigma \tag{5.9}$$

Here $\sigma$ is defined as shown in Equation 5.10, considering individual standard deviations of the entire dataset, DDoS, and BENIGN instances. The $k$ parameter represents the coefficient used to adjust the thresholds based on standard deviation. Its value has been determined through an empirical trial-and-error method.

$$\sigma = \frac{(\sigma_{total})^2 + (\sigma_{DDoS})^2 + (\sigma_{BENIGN})^2}{3} \tag{5.10}$$

The same logic has been applied considering BwdPacketLengthMean and FwdPacketLengthMean respectively for $T_1$ and $T_2$. The parameters $a$ and $b$ have been set equal to the minimum and maximum values of the feature for BENIGN samples, respectively.

Table 5.2: Summary of classification reports of the original CADF rules.

| Correlation Rules | Precision (BENIGN) | Precision (DDoS) | Recall (BENIGN) | Recall (DDoS) | F1-score (BENIGN) | F1-score (DDoS) | Accuracy |
|---|---|---|---|---|---|---|---|
| Eq. 5.3 | 0.79 | 0.62 | 0.46 | 0.88 | 0.58 | 0.73 | 0.67 |
| Eq. 5.4 | 0.73 | 0.98 | 0.98 | 0.63 | 0.84 | 0.76 | 0.77 |

Table 5.3: Summary of classification reports of the ARM rules.

| Correlation Rules | Precision (BENIGN) | Precision (DDoS) | Recall (BENIGN) | Recall (DDoS) | F1-score (BENIGN) | F1-score (DDoS) | Accuracy |
|---|---|---|---|---|---|---|---|
| Eq. 5.5 | 0.73 | 0.99 | 1 | 0.63 | 0.84 | 0.77 | 0.81 |
| Eq. 5.6 | 1 | 0.99 | 0.99 | 1 | 0.99 | 0.99 | 0.99 |
5.3 Experimental Result
The results of the experiments are summarized in Table 5.2, Table 5.3, and Table 5.4. The tables show a summary of the classification report based on Precision (5.11), Recall (5.12), F1-Score (5.13), and Accuracy (5.14). In the following equations, for the sake of brevity, True Positive (TP), True Negative (TN), False Positive (FP) and False Negative (FN) are denoted using the acronyms.

$$\text{Precision} = \frac{TP}{TP + FP} \tag{5.11}$$

$$\text{Recall} = \frac{TP}{TP + FN} \tag{5.12}$$

$$\text{F1 Score} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \tag{5.13}$$

$$\text{Accuracy} = \frac{\text{Number of Correct Predictions}}{\text{Total Number of Predictions}} \tag{5.14}$$
As shown in the Tables, the different rules implemented present varying degrees of performance. Equation 5.4 stands out in comparison to Equation 5.3 with higher Precision, Recall, F1-Score, and Accuracy. It can also be noticed that while Equation 5.4 exhibits high Precision, it compromises on Recall. This suggests a potential trade-off between precision and recall in the original CADF rules. The performance metrics of both rules, while providing a baseline for correlation, reveal the need for further refinement. The system's ability to detect DDoS attacks can be enhanced, and this realization prompts the need for more advanced correlation techniques.

Table 5.4: Summary of classification reports of the xAI rules.

| Correlation Rules | Precision (BENIGN) | Precision (DDoS) | Recall (BENIGN) | Recall (DDoS) | F1-score (BENIGN) | F1-score (DDoS) | Accuracy |
|---|---|---|---|---|---|---|---|
| Eq. 5.7 | 1 | 0.93 | 0.92 | 1 | 0.96 | 0.96 | 0.96 |
| Eq. 5.8 | 1 | 0.96 | 0.96 | 1 | 0.98 | 0.98 | 0.98 |

The ARM approach, as depicted in Table 5.3, demonstrates a notable advancement in the system's discriminatory power. ARM has unearthed association rules that significantly contribute to the identification of DDoS traffic. In particular, Equation 5.6 exhibits outstanding Precision, Recall, F1-Score, and Accuracy, indicating a near-perfect performance in distinguishing between benign and malicious instances. The balance between Precision and Recall indicates a robust ability to correctly identify DDoS traffic without compromising on FN or FP. The effectiveness of ARM rules can be attributed to their ability to capture intricate relationships and dependencies within the network traffic data. The discovered patterns empower the intrusion detection system to make more informed decisions, leading to a substantial improvement in its overall performance.

The xAI approach, represented in Table 5.4, offers a unique perspective on correlation rules. The interpretability of the rules derived through xAI techniques enhances the system's transparency and facilitates a deeper understanding of the decision-making process. Both Equation 5.7 and Equation 5.8 showcase near-perfect Precision, Recall, F1-Score, and Accuracy. Additionally, both xAI rules strike a balance between Precision and Recall, showcasing the potential of xAI techniques to offer a comprehensive solution. The xAI rules provide human-understandable insights into the features and patterns contributing to the decision-making process.

The comparison of the three approaches reveals a progressive refinement in the system's performance. The original CADF rules provide a baseline, while the ARM and xAI approaches contribute advanced correlation rules that significantly enhance the system's ability to discern between benign and malicious traffic.
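The threshold rules of Equations 5.3 to 5.6, the threshold derivation described in Section 5.2.3 and the metrics of Equations 5.11 to 5.14, as an added Python example that is not code from the thesis. The eight flow records are constructed for illustration, and the short field names (`fd`, `bpl`, `fpl`, `iwf`) are assumptions standing in for FlowDuration, BwdPacketLengthMean, FwdPacketLengthMean and InitWinBytesForward.

```python
from statistics import mean

# Constructed flow records for illustration only; they are NOT rows of the
# thesis dataset. Short keys are assumed names: fd=FlowDuration,
# bpl=BwdPacketLengthMean, fpl=FwdPacketLengthMean, iwf=InitWinBytesForward.
FLOWS = [
    {"fd": 9000,  "bpl": 1600, "fpl": 8,   "iwf": 256,   "label": "DDoS"},
    {"fd": 8000,  "bpl": 1200, "fpl": 6,   "iwf": 256,   "label": "DDoS"},
    {"fd": 7000,  "bpl": 800,  "fpl": 8,   "iwf": 256,   "label": "DDoS"},
    {"fd": 200,   "bpl": 0,    "fpl": 6,   "iwf": 256,   "label": "DDoS"},
    {"fd": 100,   "bpl": 100,  "fpl": 50,  "iwf": 8192,  "label": "BENIGN"},
    {"fd": 300,   "bpl": 200,  "fpl": 100, "iwf": 29200, "label": "BENIGN"},
    {"fd": 12000, "bpl": 50,   "fpl": 60,  "iwf": 65535, "label": "BENIGN"},
    {"fd": 400,   "bpl": 500,  "fpl": 40,  "iwf": 8192,  "label": "BENIGN"},
]


def derive_thresholds(flows):
    """Thresholds derived as described in Section 5.2.3."""
    # T_M: average BwdPacketLengthMean / FwdPacketLengthMean ratio over DDoS
    # flows. A flow with fpl == 0 has no defined ratio and is skipped.
    ratios = [f["bpl"] / f["fpl"] for f in flows
              if f["label"] == "DDoS" and f["fpl"] > 0]
    if not ratios:
        raise ValueError("no DDoS flow with a defined ratio; T_M cannot be derived")
    return {
        "T_fd": mean(f["fd"] for f in flows),    # mean over all samples (Eq. 5.3)
        "T_bpl": mean(f["bpl"] for f in flows),  # mean over all samples (Eq. 5.4)
        "T_M": mean(ratios),                     # used by Eq. 5.5 and Eq. 5.6
    }


# Each rule returns True when the flow is to be labelled DDoS, else BENIGN.
RULES = {
    "Eq. 5.3": lambda f, t: f["fd"] >= t["T_fd"],
    "Eq. 5.4": lambda f, t: f["bpl"] >= t["T_bpl"],
    "Eq. 5.5": lambda f, t: f["bpl"] >= t["T_M"] * f["fpl"],
    "Eq. 5.6": lambda f, t: f["iwf"] == 256 or f["bpl"] >= t["T_M"] * f["fpl"],
}


def classify(rule, flow, thresholds):
    return "DDoS" if RULES[rule](flow, thresholds) else "BENIGN"


def _ratio(num, den):
    # A class with no predictions (or no instances) scores 0.0, not an error.
    return num / den if den else 0.0


def report(rule, flows, thresholds):
    """Per-class Precision, Recall, F1 (Eq. 5.11-5.13) and Accuracy (Eq. 5.14)."""
    pairs = [(f["label"], classify(rule, f, thresholds)) for f in flows]
    out = {}
    for cls in ("BENIGN", "DDoS"):
        tp = sum(1 for y, p in pairs if y == cls and p == cls)
        fp = sum(1 for y, p in pairs if y != cls and p == cls)
        fn = sum(1 for y, p in pairs if y == cls and p != cls)
        precision, recall = _ratio(tp, tp + fp), _ratio(tp, tp + fn)
        out[cls] = {
            "precision": precision,
            "recall": recall,
            "f1": _ratio(2 * precision * recall, precision + recall),
        }
    out["accuracy"] = sum(1 for y, p in pairs if y == p) / len(pairs)
    return out


if __name__ == "__main__":
    t = derive_thresholds(FLOWS)
    print("thresholds:", t)
    for rule in RULES:
        r = report(rule, FLOWS, t)
        print(f"{rule}: DDoS P={r['DDoS']['precision']:.2f} "
              f"R={r['DDoS']['recall']:.2f} F1={r['DDoS']['f1']:.2f} "
              f"accuracy={r['accuracy']:.2f}")
```

On this constructed sample the ratio rule of Equation 5.5 misses two DDoS flows, and the InitWinBytesForward clause of Equation 5.6 recovers both without adding false positives.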
Chapter 6
Application Domains and Use Cases
As discussed in Chapter 3 and 4, the ATRS and CADF have been integrated to provide an inclusive solution for Security Monitoring in CIs. This chapter seeks to enhance the validation and test previously presented by exploring the areas of applicability of the proposed framework in real-time reliability and security monitoring in critical systems. These areas encompass various and complementary requirements that contribute to the overall system protection and continuous operation. For each area, possible use cases of interest are identified.
6.1 Anomaly Detection
Anomaly detection techniques are needed for identifying abnormal system behaviours that could indicate potential faults or security breaches. In the context of real-time reliability and security monitoring in critical systems, there are various approaches that can be employed. Statistical methods, such as outlier detection and time-series analysis, can help identify deviations from normal patterns. ML algorithms, such as clustering, classification, and anomaly-based models, can learn patterns from historical data and detect anomalies in real time. Rule-based systems can define specific rules and thresholds to identify deviations from expected behaviour. The selection of appropriate anomaly detection algorithms based on the specific characteristics of the critical system is crucial. Different systems may exhibit different patterns and behaviours, requiring tailored algorithms that can accurately identify anomalies within that particular context. This involves understanding the unique features, data characteristics, and expected normal behaviours of the system to choose algorithms that are most suitable for detecting anomalies in that specific environment. Critical systems often generate and process a large volume of data in real time. Ensuring that anomaly detection algorithms can handle this high data throughput is essential for the timely detection of anomalies. Handling complex
Chapter 7
Conclusion
In a world where CIs are increasingly data-dependent and interconnected, the need for advanced security strategies and solutions cannot be overstated. Detecting and responding to attacks, preserving data integrity, and ensuring data traceability are vital components of safeguarding these critical systems. Throughout the present dissertation, the security challenges faced by CIs have been analyzed and discussed, with a major focus on the role of data in safeguarding such systems. Among the various key aspects, effective attack detection and data reliability and traceability methods have been taken into consideration in the course of this study. A literature review was undertaken to gain a comprehensive perspective on the state of Data Provenance in CIs, highlighting the importance of a transparent and tamper-resistant approach. The ATRS, leveraging Blockchain technology, has been developed to address this need: the framework has been designed by taking into account the findings of the review, and it has been tested and evaluated in a realistic scenario. Concurrently, the CADF was designed to address the need for detecting known and emerging cyber threats within CIs. The integration of the ATRS and CADF as an inclusive solution for CIs has been also accomplished: in the integrated framework, the instant detection of threats by CADF triggers the permanent storage of security relevant data in ATRS. This integrated approach has been demonstrated through two illustrative use cases, addressing cyber-attacks targeting data confidentiality and integrity. As the threat landscape continues to evolve, continuous monitoring and improvement of security capabilities are essential to adapt to new threats and attack patterns. Therefore, the CADF has been enhanced with ML to augment the precision of cyber threat detection to face the evolving nature of attacks in today's landscape. In particular, a novel approach for the definition of highly accurate detection rules for the CADF has been implemented and tested, focusing on threats against data availability, with promising experimental results. Finally, a variety of possible application domains and use cases is explored and discussed, to showcase the applicability of the proposed research to real-life scenarios.
Bibliog aphy
[1] Muhammad Shee az, Muhammad A salan Pa acha, Mansoo Ul Haque, Muhammad Hani Du ad,
Syed Muhammad Mohsin, Shahab S Band, and Ami Mosa i, “E ec i e secu i y moni o ing using e i-
cien siem a chi ec u e,” Hum.-Cen ic Compu . In . Sci, ol. 13, pp. 1–18, 2023.
[2] Eu opean Commission, “C i ical in as uc u e,” h ps://ec.eu opa.eu/home-a ai s/pages/page/c i ical-
in as uc u e en.
[3] Eu opean Commission, “A eu opean s a egy o da a,” h ps://digi al-
s a egy.ec.eu opa.eu/en/policies/s a egy-da a.
[4] Oska s Podzins and And ejs Romano s, “Why siem is i eplaceable in a secu e i en i onmen ?,” in 2019
Open Con e ence o Elec ical, Elec onic and In o ma ion Sciences (eS eam), 2019, pp. 1–5.
[5] Gus a o Gonz´alez-G anadillo, Susana Gonz´alez-Za zosa, and Rod igo Diaz, “Secu i y in o ma ion and e en
managemen (siem): analysis, ends, and usage in c i ical in as uc u es,” Senso s, ol. 21, no. 14, pp.
4759, 2021.
[6] Maximilian Rosenbe g, Be ina Schneide , Ch is ophe Sche b, and Pe a Ma ia Asp ion, “An adap able
app oach o success ul siem adop ion in companies,” a Xi p ep in a Xi :2308.01065, 2023.
[7] A nold Johnson, Kelley Dempsey, Ron Ross, Sa ba i Gup a, Dennis Bailey, e al., “Guide o secu i y- ocused
con igu a ion managemen o in o ma ion sys ems,” NIST special publica ion, ol. 800, no. 128, pp. 16–16,
2011.
[8] P o . D . Bo is O o, “Gaia-x and ids,” h ps://doi.o g/10.5281/zenodo.5675897.
[9] Eu opean Commission, “Digi alising he ene gy sys em - eu ac ion plan,” .
[10] Na halie Ba acaldo, Luis Angel D Ba hen, Roqeeb O Ozugha, Robe Engel, Sami Ta a, and Heiko Ludwig,
“Secu ing da a p o enance in in e ne o hings (io ) sys ems,” in Se ice-O ien ed Compu ing–ICSOC 2016
Wo kshops: ASOCA, ISyCC, BSCI, and Sa elli e E en s, Ban , AB, Canada, Oc obe 10–13, 2016, Re ised
Selec ed Pape s 14. Sp inge , 2017, pp. 92–98.
[11] Deepak Tosh, Sachin She y, Pe e Foy ik, Cha les Kamhoua, and Lau en Njilla, “Cloudpos: A p oo -o -
s ake consensus design o blockchain in eg a ed cloud,” in 2018 IEEE 11 h in e na ional con e ence on cloud
compu ing (CLOUD). IEEE, 2018, pp. 302–309.
[12] Rongyue Zheng, Jianlin Jiang, Xiaohan Hao, Wei Ren, Feng Xiong, and Yi Ren, “bcbim: A blockchain-
based big da a model o bim modi ica ion audi and p o enance in mobile cloud,” Ma hema ical P oblems
in Enginee ing, ol. 2019, 2019.
[13] Michael Myl ea and S i Nikhil Gup a Gou ise i, “Blockchain: Nex gene a ion supply chain secu i y o
ene gy in as uc u e and ne c c i ical in as uc u e p o ec ion (cip) compliance,” Resilience Week, ol. 16,
2018.
64 Bibliog aphy
[14] Nachike Tapas, F ancesco Longo, Gio anni Me lino, and An onio Pulia i o, “T anspa en , p o enance-
assu ed, and secu e so wa e-as-a-se ice,” in 2019 IEEE 18 h In e na ional Symposium on Ne wo k Com-
pu ing and Applica ions (NCA). IEEE, 2019, pp. 1–8.
[15] Ja ie Rami ez Zayas, Edua do O’Neill, Ma ia A Seale, Alicia Ru insky, and Owen Eslinge , “An in eg a ed
blockchain app oach o p o enance o o o c a main enance da a,” in 2020 IEEE Ae ospace Con e ence.
IEEE, 2020, pp. 1–8.
[16] Xueping Liang, Sachin S She y, Deepak Tosh, Lau en Njilla, Cha les A Kamhoua, and Ke in Kwia ,
“P o chain: Blockchain-based cloud da a p o enance,” Blockchain o Dis ibu ed Sys ems Secu i y, ol. 69,
2019.
[17] C is ina Alca az, Juan E Rubio, and Ja ie Lopez, “Blockchain-assis ed access o ede a ed sma g id
domains: Coupling and ea u es,” Jou nal o Pa allel and Dis ibu ed Compu ing, ol. 144, pp. 124–135,
2020.
[18] Da y P eu enee s, Wou e Joosen, Jo ge Be nal Be nabe, and An onio Ska me a, “Dis ibu ed secu i y
amewo k o eliable h ea in elligence sha ing,” Secu i y and Communica ion Ne wo ks, ol. 2020, 2020.
[19] Randhi Kuma and Rakesh T ipa hi, “Da a p o enance and access con ol ules o owne ship ans e using
blockchain,” In e na ional Jou nal o In o ma ion Secu i y and P i acy (IJISP), ol. 15, no. 2, pp. 87–112,
2021.
[20] S Po kodi and D Kesa a aja, “Secu e da a p o enance in in e ne o hings using hyb id a ibu e based
c yp echnique,” Wi eless Pe sonal Communica ions, ol. 118, no. 4, pp. 2821–2842, 2021.
[21] Peng Zhu, Jian Hu, Yue Zhang, and Xiao ong Li, “A blockchain based solu ion o medica ion an i-
coun e ei ing and aceabili y,” IEEE Access, ol. 8, pp. 184256–184272, 2020.
[22] Geo ge C Polyzos and Nikos Fo iou, “Blockchain-assis ed in o ma ion dis ibu ion o he in e ne o hings,”
in 2017 IEEE In e na ional Con e ence on In o ma ion Reuse and In eg a ion (IRI). IEEE, 2017, pp. 75–78.
[23] Vaggelis Malamas, Thomas Dasaklis, Panayio is Ko zanikolaou, Mike Bu mes e , and Sok a is Ka sikas, “A
o ensics-by-design managemen amewo k o medical de ices based on blockchain,” in 2019 IEEE wo ld
cong ess on se ices (SERVICES). IEEE, 2019, ol. 2642, pp. 35–40.
[24] Md Nazmul Islam and Sandip Kundu, “Enabling ic aceabili y ia blockchain pegged o embedded pu ,”
ACM T ansac ions on Design Au oma ion o Elec onic Sys ems (TODAES), ol. 24, no. 3, pp. 1–23, 2019.
[25] Shubham Joshi, Shalini S alin, P ashan Kuma Shukla, Piyush Kuma Shukla, Ruby Bha , Rajan Singh
Bhado ia, and Basan Tiwa i, “Uni ied au hen ica ion and access con ol o u u e mobile communica ion-
based ligh weigh io sys ems using blockchain,” Wi eless Communica ions and Mobile Compu ing, ol. 2021,
2021.
[26] Sal a o e D’An onio and Fede ica Uccello, “Da a p o enance o heal hca e: a blockchain-based app oach,”
in 2022 IEEE 46 h Annual Compu e s, So wa e, and Applica ions Con e ence (COMPSAC). IEEE, 2022,
pp. 1655–1660.
[27] Ahmad Musamih, Khaled Salah, Raja Jaya aman, Junaid A shad, Mazin Debe, Youso Al-Hammadi, and
Same Ellahham, “A blockchain-based app oach o d ug aceabili y in heal hca e supply chain,” IEEE
access, ol. 9, pp. 9728–9743, 2021.
[28] Rawya Ma s, Jiddou Youssou , Saoussen Cheikh ouhou, and Ma iem Tu ki, “Towa ds a blockchain-based
app oach o igh d ugs coun e ei .,” in TACC, 2021, pp. 197–208.
[29] Ahmad Musamih, Raja Jaya aman, Khaled Salah, Haya R Hasan, Ib a Yaqoob, and Youso Al-Hammadi,
“Blockchain-based solu ion o dis ibu ion and deli e y o co id-19 accines,” Ieee Access, ol. 9, pp. 71372–
71387, 2021.
Bibliog aphy 65
[30] Vasileios Tsoukas, Ana gy os Gkogkidis, Aika e ini Kampa, Geo gios Spa houlas, and A hanasios Kaka oun-
as, “Enhancing ood supply chain secu i y h ough he use o blockchain and inyml,” In o ma ion, ol. 13,
no. 5, pp. 213, 2022.
[31] Abdullah Ayub Khan, Asi Ali Lagha i, Peng Li, Mazha Ali Doo io, and Shahid Ka im, “The collabo a-
i e ole o blockchain, a i icial in elligence, and indus ial in e ne o hings in digi aliza ion o small and
medium-size en e p ises,” Scien i ic Repo s, ol. 13, no. 1, pp. 1656, 2023.
[32] Zeeshan Pe ez, Zahee Khan, Abdul Gha oo , and Kam an Soom o, “Signed: Sma ci y digi al win
e i iable da a amewo k,” IEEE Access, 2023.
[33] Saqib Ali, Guojun Wang, Md Zaki ul Alam Bhuiyan, and Hai Jiang, “Secu e da a p o enance in cloud-
cen ic in e ne o hings ia blockchain sma con ac s,” in 2018 IEEE Sma Wo ld, Ubiqui ous In elli-
gence & Compu ing, Ad anced & T us ed Compu ing, Scalable Compu ing & Communica ions, Cloud & Big
Da a Compu ing, In e ne o People and Sma Ci y Inno a ion (Sma Wo ld/SCALCOM/UIC/ATC/CB-
DCom/IOP/SCI). IEEE, 2018, pp. 991–998.
[34] Hongyan Cui, Zunming Chen, Yu Xi, Hao Chen, and Jiawang Hao, “Io da a managemen and lineage
aceabili y: A blockchain-based solu ion,” in 2019 IEEE/CIC In e na ional Con e ence on Communica ions
Wo kshops in China (ICCC Wo kshops). IEEE, 2019, pp. 239–244.
[35] Nidish Vashis ha, Muhammad Moni Hossain, Md Rakib Shah ia , Fa imah Fa ahmandi, Fahim Rahman,
and Ma k M Teh anipoo , “echain: A blockchain-enabled ecosys em o elec onic de ice au hen ici y e i-
ica ion,” IEEE T ansac ions on Consume Elec onics, ol. 68, no. 1, pp. 23–37, 2021.
[36] Na meen Zaka ia Bawany, Teh eem Qama , Hi a Ta iq, and Sai ullah Adnan, “In eg a ing heal hca e se ices
using blockchain-based eleheal h amewo k,” IEEE Access, ol. 10, pp. 36505–36517, 2022.
[37] Yilin Sai, Clemen Chu, Ad ian T inchi, An onella Sola, Shi ley Shen, and Shiping Chen, “Ui -a uni e -
sal iden i ie o hings o b idge cybe and physical wo lds,” in 2022 IEEE In e na ional Con e ence on
Blockchain and C yp ocu ency (ICBC). IEEE, 2022, pp. 1–3.
[38] E anga Banda a, Xueping Liang, Pe e Foy ik, and Sachin She y, “Blockchain and sel -so e eign iden i y
empowe ed cybe h ea in o ma ion sha ing pla o m,” in 2021 IEEE In e na ional Con e ence on Sma
Compu ing (SMARTCOMP). IEEE, 2021, pp. 258–263.
[39] E anga Banda a, Deepak Tosh, Sachin She y, and Bheshaj K ishnappa, “Cyscp o-cybe supply chain p o e-
nance amewo k o isk managemen o ene gy deli e y sys ems,” in 2021 IEEE In e na ional Con e ence
on Blockchain (Blockchain). IEEE, 2021, pp. 65–72.
[40] E anga Banda a, Sachin She y, Deepak Tosh, and Xueping Liang, “Vind: A blockchain-enabled supply
chain p o enance amewo k o ene gy deli e y sys ems,” F on ie s in Blockchain, ol. 4, 2021.
[41] Adam Ba es, Ben Mood, Masoud Vala a , and Ke in Bu le , “Towa ds secu e p o enance-based access
con ol in cloud en i onmen s,” in P oceedings o he hi d ACM con e ence on Da a and applica ion secu i y
and p i acy, 2013, pp. 277–284.
[42] Hasan Ragib, Radu Sion, and Ma ianne Winsle , “The case o he ake picasso: P e en ing his o y o ge y
wi h secu e p o enance,” in Fas , ol. 9.
[43] Mohammad M Bany Taha, Si adon Chaisi i, and Ryan KL Ko, “T us ed ampe -e iden da a p o enance,”
in 2015 IEEE T us com/bigda ase/ispa. IEEE, 2015, ol. 1, pp. 646–653.
[44] Da e Tian, Adam Ba es, Ke in RB Bu le , and Raju Rangaswami, “P o usb: Block-le el p o enance-based
da a p o ec ion o usb s o age de ices,” in P oceedings o he 2016 ACM SIGSAC Con e ence on Compu e
and Communica ions Secu i y, 2016, pp. 242–253.

66 Bibliog aphy
[45] Ragib Hasan, Rasib Khan, Shams Zawoad, and Md Muni ul Haque, “Wo al: A wi ness o ien ed secu e
loca ion p o enance amewo k o mobile de ices,” IEEE T ansac ions on Eme ging Topics in Compu ing,
ol. 4, no. 1, pp. 128–141, 2015.
[46] Je e y Ga ae, Ryan KL Ko, and Ma k Appe ley, “A ull-scale secu i y isualiza ion e ec i eness measu e-
men and p esen a ion app oach,” in 2018 17 h IEEE In e na ional Con e ence On T us , Secu i y And
P i acy In Compu ing And Communica ions/12 h IEEE In e na ional Con e ence On Big Da a Science And
Enginee ing (T us Com/BigDa aSE). IEEE, 2018, pp. 639–650.
[47] Yulai Xie, Dan Feng, Xuelong Liao, and Leihua Qin, “E icien moni o ing and o ensic analysis ia accu a e
ne wo k-a ached p o enance collec ion wi h minimal s o age o e head,” Digi al In es iga ion, ol. 26, pp.
19–28, 2018.
[48] Muhammad Shoaib Siddiqui, A iqu Rahman, and Adnan Nadeem, “Secu e da a p o enance in io ne wo k
using bloom il e s,” P ocedia Compu e Science, ol. 163, pp. 190–197, 2019.
[49] Na halie Ba acaldo, B yan Chen, Heiko Ludwig, and Jaehoon Ami Sa a i, “Mi iga ing poisoning a acks
on machine lea ning models: A da a p o enance based app oach,” in P oceedings o he 10 h ACM Wo kshop
on A i icial In elligence and Secu i y, 2017, pp. 103–110.
[50] Jamal Raiyn e al., “A su ey o cybe a ack de ec ion s a egies,” In e na ional Jou nal o Secu i y and
I s Applica ions, ol. 8, no. 1, pp. 247–256, 2014.
[51] Ansam Kh aisa , Iqbal Gondal, Pe e Vamplew, and Joa de Kam uzzaman, “Su ey o in usion de ec ion
sys ems: echniques, da ase s and challenges,” Cybe secu i y, ol. 2, no. 1, pp. 1–22, 2019.
[52] Ma ek Pawlicki, Aleksand a Pawlicka, Ra a l Kozik, and Micha l Cho a´s, “The su ey and me a-analysis
o he a acks, ansg essions, coun e measu es and secu i y aspec s common o he cloud, edge and io ,”
Neu ocompu ing, p. 126533, 2023.
[53] Wenli Duo, MengChu Zhou, and Abdullah Abuso ah, “A su ey o cybe a acks on cybe physical sys ems:
Recen ad ances and challenges,” IEEE/CAA Jou nal o Au oma ica Sinica, ol. 9, no. 5, pp. 784–800, 2022.
[54] Yuchong Li and Qinghui Liu, “A comp ehensi e e iew s udy o cybe -a acks and cybe secu i y; eme ging
ends and ecen de elopmen s,” Ene gy Repo s, ol. 7, pp. 8176–8186, 2021.
[55] Blessing Guembe, Amb ose Aze a, Sanjay Mis a, Vic o Chukwudi Osamo , Luis Fe nandez-Sanz, and Ve a
Pospelo a, “The eme ging h ea o ai-d i en cybe a acks: A e iew,” Applied A i icial In elligence, ol.
36, no. 1, pp. 2037254, 2022.
[56] Tao Ban, Takeshi Takahashi, Samuel Ndichu, and Daisuke Inoue, “B eaking ale a igue: Ai-assis ed siem
amewo k o e ec i e inciden esponse,” Applied Sciences, ol. 13, no. 11, pp. 6610, 2023.
[57] Panagio is Radoglou-G amma ikis, “Secu ecybe : An sdn-enabled siem o enhanced cybe secu i y in he
indus ial in e ne o hings,” IEEE COMSOC MMTC Communica ions - F on ie s, ol. 18, no. 2, pp. Ma
2023, 2023.
[58] Hilala Al u kis ani and Mohammed A El-A endi, “Op imizing cybe secu i y inciden esponse decisions
using deep ein o cemen lea ning,” In e na ional Jou nal o Elec ical and Compu e Enginee ing, ol. 12,
no. 6, pp. 6768, 2022.
[59] Yakub Kayode Saheed, A emu Id is Abiodun, Sanjay Mis a, Monica K is iansen Holone, and Rica do
Colomo-Palacios, “A machine lea ning-based in usion de ec ion o de ec ing in e ne o hings ne wo k
a acks,” Alexand ia Enginee ing Jou nal, ol. 61, no. 12, pp. 9395–9409, 2022.
[60] S Smys, Abul Basa , Haoxiang Wang, e al., “Hyb id in usion de ec ion sys em o in e ne o hings (io ),”
Jou nal o ISMAC, ol. 2, no. 04, pp. 190–199, 2020.
Bibliog aphy 67
[61] Taehoon Kim and Wooguil Pak, “Real- ime ne wo k in usion de ec ion using de e ed decision and hyb id
classi ie ,” Fu u e Gene a ion Compu e Sys ems, ol. 132, pp. 51–66, 2022.
[62] K. Na ayana Rao, K. Venka a Rao, and P asad Reddy P.V.G.D., “A hyb id in usion de ec ion sys em based
on spa se au oencode and deep neu al ne wo k,” Compu e Communica ions, ol. 180, pp. 77–88, 2021.
[63] Samed Al and Mu a Dene , “S l-hdl: A new hyb id ne wo k in usion de ec ion sys em o imbalanced
da ase on big da a en i onmen ,” Compu e s & Secu i y, ol. 110, pp. 102435, 2021.
[64] Taehoon Kim and Wooguil Pak, “Robus ne wo k in usion de ec ion sys em based on machine-lea ning
wi h ea ly classi ica ion,” IEEE Access, ol. 10, pp. 10754–10767, 2022.
[65] Iho Subach and A em Myky iuk, “Me hodology o o ma ion o uzzy associa i e ules wi h weigh ed
a ibu es om siem da abase o de ec ion o cybe inciden s in special in o ma ion and communica ion
sys ems,” In o ma ion Technology and Secu i y, Vol. 11, Iss. 1 (20), 2023.
[66] Ma in Hus´ak, Tom´aˇs Baj oˇs, Ja osla Kaˇspa , Elias Bou-Ha b, and Pa el ˇ
Celeda, “P edic i e cybe si ua-
ional awa eness and pe sonalized blacklis ing: a sequen ial ule mining app oach,” ACM T ansac ions on
Managemen In o ma ion Sys ems (TMIS), ol. 11, no. 4, pp. 1–16, 2020.
[67] S Si anan ham, V Mohan aj, Y Su esh, and J Sen hilkuma , “Associa ion ule mining equen -pa e n-based
in usion de ec ion in ne wo k.,” Compu e Sys ems Science & Enginee ing, ol. 44, no. 2, 2023.
[68] Ping Lou, Guan ong Lu, Xuemei Jiang, Zheng Xiao, Jiwei Hu, and Junwei Yan, “Cybe in usion de ec ion
h ough associa ion ule mining on mul i-sou ce logs,” Applied In elligence, ol. 51, pp. 4043–4057, 2021.
[69] Muhammad Usama Islam, Md Mozaha ul Mo alib, Mehedi Hassan, Zubai Ibne Alam, SM Zobaed, and
Md Fazle Rabby, “The pas , p esen , and p ospec i e u u e o xai: A comp ehensi e e iew,” Explainable
A i icial In elligence o Cybe Secu i y: Nex Gene a ion A i icial In elligence, pp. 1–29, 2022.
[70] Ca los Mendes and Ta iane Noguei a Rios, “Explainable a i icial in elligence and cybe secu i y: A sys em-
a ic li e a u e e iew,” a Xi p ep in a Xi :2303.01259, 2023.
[71] Cosmas I eanyi Nwakanma, Lo e Allen Chijioke Ahakonye, Judi h Nkechinye e Njoku, Jacin a Chioma
Odi ichukwu, S anley Adiele Okolie, Chinebuli Uzondu, Ch is iana Chidimma Ndubuisi Nweke, and Dong-
Seong Kim, “Explainable a i icial in elligence (xai) o in usion de ec ion and mi iga ion in in elligen
connec ed ehicles: A e iew,” Applied Sciences, ol. 13, no. 3, pp. 1252, 2023.
[72] Sh u i Pa il, Vijayakuma Va ada ajan, Siddiqui Mohd Mazha , Abdulwodood Sahibzada, Nihal Ahmed,
Onka Sinha, Sa ish Kuma , Kailash Shaw, and Ke an Ko echa, “Explainable a i icial in elligence o
in usion de ec ion sys em,” Elec onics, ol. 11, no. 19, pp. 3079, 2022.
[73] Basim Mahbooba, Mohan Timilsina, Radhya Sahal, and Ma in Se ano, “Explainable a i icial in elligence
(xai) o enhance us managemen in in usion de ec ion sys ems using decision ee model,” Complexi y,
ol. 2021, pp. 1–11, 2021.
[74] Sa ish Kuma Ka na, P akash Paudel, Ruby Saud, and Mohan Bhanda i, “Explainable p edic ion o ea u es
con ibu ing o in usion de ec ion using ml algo i hms and lime,” .
[75] Cha hu anga Sampa h Kalu ha age, Xiaodong Liu, Ch is os Ch ysoulas, Nikolaos Pi opakis, and Pa los
Papadopoulos, “Explainable ai-based ddos a ack iden i ica ion me hod o io ne wo ks,” Compu e s, ol.
12, no. 2, pp. 32, 2023.
[76] Qian u Zhou, Rongzhen Li, Lei Xu, A umugam Nallana han, Jian Yang, and Anmin Fu, “Towa ds explain-
able me a-lea ning o ddos de ec ion,” a Xi p ep in a Xi :2204.02255, 2022.
[77] Eu opean Pa liamen and Council o he Eu opean Union, “Regula ion (EU) 2016/679 o he Eu opean
Pa liamen and o he Council,” .
68 Bibliog aphy
[78] Ma en Sigwa , Michael Bo kowski, Ma co Peise, S e an Schul e, and S e an Tai, “Blockchain-based da a
p o enance o he in e ne o hings,” in P oceedings o he 9 h In e na ional Con e ence on he In e ne o
Things, 2019, pp. 1–8.
[79] Luigi Coppolino, Sal a o e D’An onio, Fede ica Uccello, Anas asios Ly a zis, Cons an inos Bakalis, Souzana
Touloum zi, and Ioannis Papou sis, “De ec ion o adio equency in e e ence in sa elli e g ound segmen s,”
in 2023 IEEE In e na ional Con e ence on Cybe Secu i y and Resilience (CSR), 2023, pp. 648–653.
[80] Iman Sha a aldin, A ash Habibi Lashka i, and Ali A Gho bani, “Towa d gene a ing a new in usion de ec ion
da ase and in usion a ic cha ac e iza ion.,” ICISSp, ol. 1, pp. 108–116, 2018.
[81] Claudio A dagna, S ephen Co biaux, Koen Van Impe, and And eas S akianaki, “Enisa h ea landscape
2022,” .
[82] Ni esh V Chawla, Ke in W Bowye , Law ence O Hall, and W Philip Kegelmeye , “Smo e: syn he ic mino i y
o e -sampling echnique,” Jou nal o a i icial in elligence esea ch, ol. 16, pp. 321–357, 2002.
Bibliog aphy 69
List of Publications
D’Antonio S, Uccello F. Data Provenance for healthcare: a blockchain-based approach. In 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC) 2022 Jun 27 (pp. 1655-1660). IEEE.
D’Antonio S, Nardone R., Nicola R., Uccello F. A Tamper-Resistant Storage Framework for Smart Grid security. In 2023 IEEE 31st Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP) 2023 March 1 (pp. 100-103). IEEE.
Coppolino L., D’Antonio S, Uccello F., Lyratzis A., Bakalis C., Touloumtzi S., Papoutsis I. Detection of radio frequency interference in Satellite Ground Segments. In 2023 IEEE International Conference on Cyber Security and Resilience (CSR) 2023 July 31 (pp. 648-653). IEEE.
Coppolino L., D’Antonio S, Mazzeo G., Nardone R., Romano L., Uccello F., Enhancing the Critical Infrastructure Security with Data Provenance: a Systematic Literature Review. [submitted to Computers & Security]
Uccello F., Pawlicki M., D’Antonio S., Kozik R., and Choras M. (2023). "Effective Rules for a Rule-Based SIEM System in Detecting DoS Attacks: An Association Rule Mining Approach." In International Conference on Applied Intelligence. Springer-Nature series: Computer and Information Science (CCIS, volume 2015).
Uccello, F., Pawlicki, M., D’Antonio, S., Kozik, R., and Choras, M. "Towards Hybrid NIDS: Combining rule-based SIEM with AI-based intrusion detectors" In International Conference on Advances In Computing Research (ACR)
Uccello, F., Pawlicki, M., D’Antonio, S., Kozik, R., and Choras, M. "An Innovative Approach to Real-Time Concept Drift Detection in Network Security" In International Conference on Emerging Internet, Data & Web Technologies (EIDWT)
Uccello, F., Pawlicki, M., D’Antonio, S., Kozik, R., and Choras, M. "A novel approach to the use of explainability to mine network intrusion detection rules" In Asian Conference on Intelligent Information and Database Systems (ACIIDS)