Towards Cyber Sensing: Venturing Beyond Traditional Security Events
Artūrs Lavrenovs, Kimmo Heinäaro and Erwin Orye
NATO CCDCOE, Tallinn, Estonia
Arturs.Lavrenovs@ccdcoe.org
Kimmo.Heinaaro@ccdcoe.org
Erwin.Orye@ccdcoe.org
DOI: 10.34190/EWS.20.062
Abstract: Host and network based events are the backbone of any modern IT monitoring and detection system. The number of lower priority security events is significant and might contain weak indicators of cyber attacks; by combining host and network events with sensor data that is not part of conventional IT security, we are able to elevate otherwise missed events to discover hidden cyber attacks. The sensor data is fed into a situational awareness system which augments traditional alerts. This technique is primarily applicable to critical infrastructure, military, government and large organisations where the adversary is sophisticated enough to bypass existing detection methods. We discuss the operational and strategic implications of using this type of sensor. We have implemented these principles in two scenarios tested in cyber exercises. In the first proof of concept we focused on sensor fusion by integrating existing non-IT sensor systems with IT security and correlated the collected data. This enabled the Blue Team to detect well hidden Red Team attacks against a simulated power grid and counteract them. In the second, we explored a large variety of sensors monitoring individual personnel and their operating environment. Sensors used in this research are categorised into biological, environmental and EM spectrum. Biological sensor data includes heart rate, stress level and brain wave monitoring. Environmental sensors monitor the RF spectrum, CO2 level, VOC level, temperature, humidity, infrared, ultraviolet, visible light, noise level, proximity and vibration.
Keywords: host based events, network based events, IDS, security events, sensors
1. Introduction
Critical infrastructure, government and military networks are under ever increasing threat of cyber attack. The defence solutions market is experiencing growth and vendors are constantly developing new and more advanced solutions that use cutting edge approaches like Artificial Intelligence (AI). But most of these solutions rely on traditional sources of data: host and network based events. As adversaries in this scenario are up to state level actors, they have the resources to investigate, adapt to and overcome new advanced defences. This calls for a widening of our view and exploring additional sources of data.
This does not necessarily equate to acquiring another new and expensive solution containing both hardware and software components, but rather evaluating what sensor data is already available. Sensors can be viewed from system-centric and human-centric perspectives. The former primarily focuses on the states of the systems, inferring human properties indirectly when possible, while the latter addresses biological data that can be measured directly via dedicated sensors. We refer to the combining of traditional and other sensor data for the purpose of detecting cyber attacks as cyber sensing.
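The elevation of weak, low-priority IT events by corroborating non-IT sensor data, as an added illustration that is not code from the paper or from the CCDCOE proof of concept: a low-priority IDS event whose timestamp falls within a short window of matching physical sensor events is promoted, while an identical event with no physical corroboration stays low. The event stream, the source names and the corroboration table are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # hypothetical sources: "ids"/"host" are IT, anything else is a physical sensor
    kind: str
    priority: int  # 1 = lowest ... 5 = critical
    detail: str


IT_SOURCES = {"ids", "host"}

# Hypothetical table: which physical sensor event kinds corroborate which IT event kinds.
CORROBORATES = {
    "modbus_write": {"temp_rise", "badge_denied", "vibration"},
}

# Constructed sample stream (not real exercise data): the 02:14 PLC write is
# flanked by an HVAC anomaly and a denied badge; the 09:00 write stands alone.
SAMPLE = [
    Event(datetime(2020, 3, 1, 2, 14, 0), "ids", "modbus_write", 1, "write to PLC 10.0.0.5"),
    Event(datetime(2020, 3, 1, 2, 14, 30), "hvac", "temp_rise", 1, "server room +4C in 5 min"),
    Event(datetime(2020, 3, 1, 2, 15, 0), "door", "badge_denied", 1, "substation door"),
    Event(datetime(2020, 3, 1, 9, 0, 0), "ids", "modbus_write", 1, "scheduled maintenance write"),
]


def elevate(events, window=timedelta(minutes=5), boost=2):
    """Return a copy of `events` where each IT event's priority is raised by
    `boost` per corroborating physical sensor event within +/- `window`,
    capped at 5. Physical sensor events are passed through unchanged."""
    physical = [e for e in events if e.source not in IT_SOURCES]
    out = []
    for e in events:
        if e.source not in IT_SOURCES:
            out.append(e)
            continue
        wanted = CORROBORATES.get(e.kind, set())
        hits = [s for s in physical if s.kind in wanted and abs(s.ts - e.ts) <= window]
        out.append(replace(e, priority=min(5, e.priority + boost * len(hits))))
    return out


def elevated_it_events(events, threshold=3):
    """IT events that crossed `threshold` only because of sensor corroboration."""
    return [e for e in elevate(events) if e.source in IT_SOURCES and e.priority >= threshold]


if __name__ == "__main__":
    for e in elevate(SAMPLE):
        print(e.ts.time(), e.source, e.kind, "priority", e.priority)
```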
In Section 2 we review existing research addressing human behaviour analysis and training models. In Section 3 we explore data sources acquirable from different sensors. In Section 4 we describe a proof of concept correlating traditional security events with building automation and gathering data from environmental sensors. Section 5 discusses operational and strategic implications of cyber sensing, and Section 6 presents our conclusions.
2. Related work
There are two related streams of work in this field. The first is from a human-centric perspective and the second concerns how computer models can be used to predict human behaviour.
Sensor fusion mimics the human brain combining multiple senses. Lin et al. (2004) propose a neural network architecture to integrate data from several physiological and behavioural sensors to improve reliability and resistance to impersonation (a multimodal verification system).