{"668074":{"#nid":"668074","#data":{"type":"event","title":"PhD Defense by Moses Ike","body":[{"value":"\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003ETitle:\u003C\/strong\u003E Detection and Forensic Analysis of Modern ICS Attacks via Correlating SCADA Host Operations with Physical Behavior\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003EDate:\u003C\/strong\u003E Monday, June 26, 2023\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003ETime:\u003C\/strong\u003E 12pm \u2013 2pm Eastern Standard Time\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003ELocation:\u003C\/strong\u003E Zoom (online) Meeting: \u003Ca href=\u0022https:\/\/gatech.zoom.us\/j\/8741589206\u0022\u003Ehttps:\/\/gatech.zoom.us\/j\/8741589206\u003C\/a\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003EMeeting ID: 874 158 9206\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003EMoses Ike\u003C\/strong\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003EPh.D. 
Candidate in Computer Science\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003ESchool of Cybersecurity and Privacy\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003EGeorgia Institute of Technology\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003ECommittee:\u003C\/strong\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cspan\u003EDr. Wenke Lee (Advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cspan\u003EDr. Saman Zonouz,\u003C\/span\u003E\u0026nbsp;\u003Cspan\u003E\u003Cspan\u003ESchool of Cybersecurity and Privacy\u003C\/span\u003E\u003C\/span\u003E\u003Cspan\u003E, Georgia Institute of Technology\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cspan\u003EDr. Mustaque Ahamad,\u0026nbsp;\u003C\/span\u003E\u003Cspan\u003E\u003Cspan\u003ESchool of Cybersecurity and Privacy\u003C\/span\u003E\u003C\/span\u003E\u003Cspan\u003E, Georgia Institute of Technology\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cspan\u003EDr. Uzoma Onunkwo, Cybersecurity Research and Development, Sandia National Laboratories\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cspan\u003EDr. 
Sukarno Mertoguno, \u003C\/span\u003E\u003Cspan\u003E\u003Cspan\u003ESchool of Cybersecurity and Privacy\u003C\/span\u003E\u003C\/span\u003E\u003Cspan\u003E, Georgia Institute of Technology\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cspan\u003EDr. Vijay Madisetti, \u003C\/span\u003E\u003Cspan\u003E\u003Cspan\u003ESchool of Cybersecurity and Privacy\u003C\/span\u003E\u003C\/span\u003E\u003Cspan\u003E, Georgia Institute of Technology\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u003Cstrong\u003EAbstract:\u003C\/strong\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003EThe increased cyber connectivity in modern Industrial Control Systems (ICS) has improved the overall operations of life-essential industrial processes such as electricity supply. Unfortunately, it also widened the attack surface of ICS, allowing cyber adversaries to penetrate previously air-gapped ICS plants, causing physical disruptions and damages to critical infrastructure. Modern ICS attackers penetrate plants by infecting cyber-facing Supervisory Control and Data Acquisition (SCADA) workstations, which directly manage industrial processes and physical devices. To evade deployed defenses, attackers use knowledge of ICS to blend with normal SCADA activities by injecting just enough malicious commands at each step, which over time leads to damage. 
This stealthy attack tactic evades current host and sensor-based solutions due to their inability to correlate SCADA operations with their physical effects.\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003ETo address this issue, this dissertation proposes a hybrid approach that leverages ICS domain knowledge to correlate control host operations in SCADA with the physical behavior of ICS processes. To demonstrate the efficacy of this approach, I first present an ICS attack detection technique called SCAPHY. SCAPHY leverages the unique execution phases of SCADA to identify the limited set of SCADA API calls used to legitimately control physical processes in different phases, which differentiates them from attackers\u2019 activities in these phases. SCAPHY detected real past attacks with high accuracy, such as the Ukrainian electricity disruption that was launched from the plant\u2019s SCADA systems. Next, to proactively detect attack payloads that have been staged for execution, I present FORECAST, a forward symbolic exploration of SCADA execution states following suspicious ICS process symptoms. FORECAST detects \u201cnot-yet-executed\u201d or staged attack behaviors in collected states, and ranks them by their likelihood of future execution, enabling ICS operators to prioritize their attack response workflows. Finally, I present OTGUARD, which extends the ideas from FORECAST into a technique capable of identifying the infection source of ICS attacks across multiple SCADA execution states. 
OTGUARD uses the physical location of the triggered ICS process symptom to correlate suspicious SCADA execution states leading up to the attack.\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003E\u003Cspan\u003E\u003Cspan\u003EDetection and Forensic Analysis of Modern ICS Attacks via Correlating SCADA Host Operations with Physical Behavior\u003C\/span\u003E\u003C\/span\u003E\u003C\/p\u003E\r\n","format":"limited_html"}],"field_summary_sentence":[{"value":"Detection and Forensic Analysis of Modern ICS Attacks via Correlating SCADA Host Operations with Physical Behavior"}],"uid":"27707","created_gmt":"2023-06-12 16:08:23","changed_gmt":"2023-06-13 19:05:54","author":"Tatianna Richardson","boilerplate_text":"","field_publication":"","field_article_url":"","field_event_time":{"event_time_start":"2023-06-26T12:00:00-04:00","event_time_end":"2023-06-26T15:00:00-04:00","event_time_end_last":"2023-06-26T15:00:00-04:00","gmt_time_start":"2023-06-26 16:00:00","gmt_time_end":"2023-06-26 19:00:00","gmt_time_end_last":"2023-06-26 19:00:00","rrule":null,"timezone":"America\/New_York"},"location":"Zoom (online) Meeting: ","extras":[],"groups":[{"id":"221981","name":"Graduate Studies"}],"categories":[],"keywords":[{"id":"100811","name":"Phd Defense"}],"core_research_areas":[],"news_room_topics":[],"event_categories":[{"id":"1788","name":"Other\/Miscellaneous"}],"invited_audience":[{"id":"78761","name":"Faculty\/Staff"},{"id":"78771","name":"Public"},{"id":"174045","name":"Graduate students"}],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[],"email":[],"slides":[],"orientation":[],"userdata":""}}}