Bayesian, Advanced, Novel, Detailed, and Actionable Intrusion Detection (BANDAID)
Phone: (617) 234-1535
Email: ddewhurst@cra.com
Phone: (617) 491-3474
Email: Contracts@cra.com
Existing cybersecurity solutions do not provide descriptive actionable information upon detection of an
attack or anomaly, nor do they make accurate mitigation recommendations, making it hard to respond
quickly to an adverse event. Two factors compound this issue in operational technology (OT) systems: (1) OT
systems have unique architectures and use a variety of different, potentially proprietary, protocols, making
generalizable solutions difficult to create; and (2) any cybersecurity solution must not interfere with the
normal operations of the system. Considering the criticality of OT systems, their cybersecurity must be
taken more seriously, with a focus on providing information that results in quicker responses to threats to
avoid downtime.

This proposal will result in a cyberattack detection and inference solution for OT systems that provides
actionable feedback to security personnel, allowing for faster attack classification and response times. The
solution will run on its own device, interfacing with OT systems in a way that avoids interfering with normal
activity. The solution will also run an anomaly detection framework that provides the evidence of an
anomaly to an engine that uses systemic functional grammars (SFGs), a concept from computational
linguistics, to represent the attack space. The engine will use the evidence provided by the anomaly
detection component to probabilistically determine what attack is currently ongoing, the most likely
alternatives, and recommended mitigations, then send this information to security personnel who can take
the steps necessary to remediate the attack.

Phase I will consist of developing a proof of concept for the solution's software components. We will
work with our subcontractor to identify a target OT system to interface with. We will utilize their subject
matter expertise and lab to obtain normal operating data, as well as attack data, from a simulated operational
technology system and then leverage this data to put together an end-to-end demonstration of the software
components, which include: (1) data ingestion and transformation; (2) ensemble anomaly detection; (3)
systemic functional grammar engine; (4) attack evidence to attack class mapping; and (5) recommending
mitigations. Phase II will consist of integrating the software component with hardware and integrating the
full device with a physical system for testing.

We believe the proposed approach has significant commercial benefit, not only because of its cutting-edge
anomaly detection component, but because the grammar engine can interface with any anomaly
detection capabilities, not just ours. This means the attack mapping engine can be leveraged by other
anomaly detection solutions and vice versa. The ability to ground attack classification using probabilistic
evidence allows for higher confidence in detected attack vectors, allowing for more concrete mitigation
recommendations. These capabilities will lead to better actionable cyber intelligence solutions across the
operational technology sector.
* Information listed above is at the time of submission. *