Improving the resilience of complex, interconnected utility systems is still an open research issue. Proposed solutions fail to implement an integrated approach to detection, mitigation and reaction that can face both well-known and new, previously unknown cyber-attacks, in particular distributed ones, which remain one of the most serious and still unresolved threat scenarios affecting networked systems. In this work we present the conceptual architecture of a novel multi-layer distributed Intrusion Detection and Reaction System based on the Autonomic Communication paradigm. The architecture relies on a self-organizing, cooperative overlay network of complementary components that are dynamically and autonomously adapted to face distributed cyber-attacks against Industrial Control Systems. The proposed architecture aims to serve as a guideline for experts and practitioners in addressing the well-known problem of the distributed nature of new types of cyber-attacks, by implementing mechanisms that dynamically orchestrate the available resources for effective detection and remediation. A distributed flow monitoring system provides input data to cooperative intrusion detection agents, which correlate information from heterogeneous feeds to improve the identification of attacks originating from both inside and outside the monitored network and to support customizable remediation mechanisms.
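The detection and reaction pipeline the abstract describes (per-sensor flow feeds, cooperative correlation across agents, origin classification, reaction hooks) can be illustrated with a small simulation. The code below is an added example written for this page, not code from the paper or its authors; the flow records, sensor names, the 10.0.0.0/8 internal range, the thresholds and the reaction policy are all constructed assumptions. It shows the point that motivates cooperative agents: a probe of a PLC's Modbus/TCP service (port 502) spread across sources seen by different sensors stays below each sensor's local threshold, and only the merged view crosses the alerting threshold.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed site parameters (not from the paper).
INTERNAL_NET = ip_network("10.0.0.0/8")   # the monitored ICS address space
ICS_PORTS = {502}                         # Modbus/TCP; extend per site
LOCAL_THRESHOLD = 5                       # distinct sources one sensor must see
GLOBAL_THRESHOLD = 5                      # distinct sources across all sensors
WINDOW_S = 60                             # correlation window in seconds


@dataclass(frozen=True)
class Flow:
    sensor: str   # which monitoring probe exported the record
    ts: float     # timestamp (seconds)
    src: str
    dst: str
    dport: int


# Constructed sample feed: six sources probe PLC 10.1.1.20 on port 502,
# three seen by the DMZ sensor, three by the plant-floor sensor.
SAMPLE_FLOWS = [
    Flow("dmz-sensor", 100.0, "203.0.113.10", "10.1.1.20", 502),
    Flow("dmz-sensor", 105.0, "203.0.113.11", "10.1.1.20", 502),
    Flow("dmz-sensor", 110.0, "198.51.100.7", "10.1.1.20", 502),
    Flow("plant-sensor", 102.0, "10.2.0.15", "10.1.1.20", 502),
    Flow("plant-sensor", 108.0, "10.2.0.16", "10.1.1.20", 502),
    Flow("plant-sensor", 115.0, "10.2.0.17", "10.1.1.20", 502),
    Flow("plant-sensor", 120.0, "10.2.0.18", "10.1.1.20", 22),   # not an ICS port, ignored
]


def sources_per_target(flows: List[Flow], window_end: float, window_s: float = WINDOW_S):
    """Map (dst, dport) -> set of distinct sources that touched an ICS port in the window."""
    out: Dict[tuple, set] = {}
    for f in flows:
        if f.dport not in ICS_PORTS:
            continue
        if not (window_end - window_s <= f.ts <= window_end):
            continue
        out.setdefault((f.dst, f.dport), set()).add(f.src)
    return out


def local_alerts(flows: List[Flow], window_end: float):
    """What a single sensor's agent would raise from its own feed alone."""
    return {k: v for k, v in sources_per_target(flows, window_end).items()
            if len(v) >= LOCAL_THRESHOLD}


def correlate(feeds: Dict[str, List[Flow]], window_end: float):
    """Cooperative step: merge per-sensor evidence, then classify sources by origin."""
    merged: Dict[tuple, set] = {}
    for flows in feeds.values():
        for key, srcs in sources_per_target(flows, window_end).items():
            merged.setdefault(key, set()).update(srcs)
    alerts = []
    for (dst, dport), srcs in merged.items():
        if len(srcs) < GLOBAL_THRESHOLD:
            continue
        inside = sorted(s for s in srcs if ip_address(s) in INTERNAL_NET)
        outside = sorted(s for s in srcs if ip_address(s) not in INTERNAL_NET)
        alerts.append({"target": f"{dst}:{dport}", "sources": len(srcs),
                       "inside": inside, "outside": outside})
    return alerts


def plan_reaction(alert: dict):
    """Assumed reaction policy: perimeter blocks for external sources,
    host quarantine for internal ones (remediation is site-specific)."""
    actions = [("block_at_perimeter", s) for s in alert["outside"]]
    actions += [("quarantine_host", s) for s in alert["inside"]]
    return actions


def demo(window_end: float = 120.0):
    feeds: Dict[str, List[Flow]] = {}
    for f in SAMPLE_FLOWS:
        feeds.setdefault(f.sensor, []).append(f)
    per_sensor = {s: local_alerts(fl, window_end) for s, fl in feeds.items()}
    alerts = correlate(feeds, window_end)
    reactions = [plan_reaction(a) for a in alerts]
    return per_sensor, alerts, reactions


if __name__ == "__main__":
    per_sensor, alerts, reactions = demo()
    print("per-sensor alerts:", per_sensor)   # both empty: 3 < LOCAL_THRESHOLD each
    print("correlated alerts:", alerts)       # one alert, 6 distinct sources
    print("planned reactions:", reactions)
```

Each sensor sees only three distinct sources and raises nothing; the merged view sees six and produces one alert whose inside/outside split drives different reactions. Real deployments would replace the fixed thresholds with adaptive ones and would feed the correlation layer from the overlay rather than from an in-memory list.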