Author = Siavash Ahmadi

A Federated framework for unsupervised intrusion detection on the Modbus protocol in cyber-physical systems

Articles in Press, Accepted Manuscript, Available Online from 01 January 2026

https://doi.org/10.22042/isecure.2026.242101

Hamid Reza Dashtabadi, Siavash Ahmadi

Abstract The increasing integration of modern network infrastructure into industrial control systems elevates the need for robust cyber intrusion detection for industrial protocols. Unsupervised anomaly detection is particularly effective for this task, as it identifies novel attacks by modeling normal behaviour rather than relying on limited attack data. While techniques like autoencoders, which use reconstruction error to flag deviations, can be effective, their application is often hindered by practical challenges, such as regulatory constraints and the large volumes of data that prohibit the centralised collection required for training. Federated learning offers a solution by distributing the training process to local clients and aggregating only the resulting model parameters, thus preserving data privacy and locality. This paper proposes an anomaly-based intrusion detection framework built on federated learning. Using the CIC-Modbus2023 dataset, which comprises raw Modbus traffic from a smart grid, we systematically extract and label network flows based on attack logs. We then train and evaluate several autoencoder variants—including standard, variational, and adversarial autoencoders—within this federated setting. Our results demonstrate strong performance in detecting malicious behaviour, highlighting the framework’s potential as a promising approach for mitigating threats against the Modbus protocol without centralised data access. The code is available at https://github.com/hamid-rd/FLBased-ICS-NIDS. 

Impossible Differential Cryptanalysis of Reduced-Round mCrypton-64

Volume 17, Issue 2, July 2025, Pages 125-135

https://doi.org/10.22042/isecure.2025.214371

Masroor Hajari, Mahmoud Salmasizadeh, Javad Mohajeri, Siavash Ahmadi, Shahram Rasoolzadeh

Abstract Impossible-differential cryptanalysis is one of the powerful methods utilized for evaluating the robustness of block ciphers; however, mCrypton is one of the block ciphers whose master key has not been recovered with this method in the single-key scenario. This paper first clarifies the branch number of the linear layer of mCrypton block ciphers with an observation. It has been shown that the branch number of the linear layer in mCrypton block cipher is four. Then, using this result, a 4-round impossible differential in a single-key scenario has been found. On the other hand, by exploiting the result of several observations, some vulnerabilities in the key-schedule algorithm were discovered and introduced. As a result, by exploiting the discovered vulnerabilities and 4-round property, impossible-differential cryptanalysis was successfully applied to seven rounds of mCrypton-64. To our knowledge, this is the first impossible differential cryptanalysis applied on mCrypton-64. In addition, this method requires 2^36.0 bytes of memory, 2^59.0 chosen plaintexts (with the corresponding ciphertexts), and 2^59.6 encryptions to recover the master key.

Division Property-Based Integral Attack on Reduced-Round SAND-128

Volume 17, Issue 2, July 2025, Pages 199-207

https://doi.org/10.22042/isecure.2025.216458

Atiyeh Mirzaie, Siavash Ahmadi, Mohammad Reza Aref

Abstract Given the rapid evolution of emerging technologies, such as the Internet of Things (IoT), there is a growing interest in lightweight block ciphers. This paper focuses on the security assessment of SAND-128, a newly proposed lightweight block cipher based on SIMON, recognized for its reliance on S-box-based security evaluation approaches. By employing Xiang’s MILP-aided method for integral distinguisher search, this study utilizes a MILP optimizer to identify a 16-round integral characteristic for SAND-128 with nine balanced bits. Furthermore, by extending the distinguisher to 17 rounds utilizing a novel idea without an increase in data complexity, we propose a comprehensive 20-round integral attack on SAND-128, including the key recovery step. This attack leverages the partial sums technique, resulting in a time complexity of 2^119, memory complexity of 2^76 bytes, and data complexity of 2^127. This cryptanalysis is, to the best of our knowledge, the best integral attack on reduced-round SAND-128 presented thus far.

Spotting and Mitigating DDoS Attacks Using Deep Learning for Online Traffic Analysis

Volume 17, Issue 2, July 2025, Pages 209-221

https://doi.org/10.22042/isecure.2025.217461

Mojtaba Shirinjani, Mojtaba Amiri, Amirhosein Salehi, Pouria Arefi Jamal, Rasoul Khazaei Laki, Seyed Hatef Sadegh Esfahani, Siavash Ahmadi, Masoumeh Koochak Shooshtari, Mohammad Reza Aref

Abstract Distributed Denial of Service (DDoS) attacks threaten server and network availability with minimal resources. These attacks mimic legitimate traffic, evading Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). The primary challenge in countering DDoS attacks is achieving early detection as close to their origin. In addition, the persistence of malicious traffic hidden within legitimate traffic remains a common challenge for various mitigation techniques. This paper introduces a modular approach for identifying and mitigating DDoS attacks in both online and offline settings, using deep learning and rule-based techniques. We train the IDS with VGG16, GoogLeNet, Support Vector Machines (SVM), and Random Forest (RF) and evaluate them using the CICDDoS2019 dataset. Our experiments show a detection accuracy of 99.87% offline and 99.67% online. Our methodology outperforms state-of-the-art approaches in offline detection, particularly with VGG16 and GoogLeNet. In our online setup, the mitigation module successfully addresses all attacks detected by our anti-DDoS solution.

A Lightweight Online Intrusion Detection and Localization Framework for Industrial Control Systems

Volume 17, Issue 2, July 2025, Pages 233-241

https://doi.org/10.22042/isecure.2025.219359

Amirhosein Salehi, Siavash Ahmadi, Mohammad Reza Aref

Abstract As the Industrial Internet of Things (IIoT) faces increasing cyber threats, the need for effective and practical intrusion detection systems (IDS) becomes paramount. One of the key challenges in designing IDS is ensuring the online detection and identification (localization) of potential attacks in real-time. Our research addresses this challenge by developing a lightweight online intrusion detection framework tailored explicitly for water distribution systems. Our proposed framework aims to balance real-time detection/identification and maintaining accuracy criteria. Immediate alarm triggering for every anomaly detected can lead to a high false positive rate while waiting for attack confirmation can cause harmful delays. To overcome these limitations, we present a novel approach that achieves real-time detection while maintaining a low false positive rate (below 5%), making it highly applicable in real-world scenarios. We train and test our system using BATADAL datasets, demonstrating its superior performance compared to other mechanisms. Additionally, we introduce a PCA-based Concealment Detection Statistical Outlier (PCACD-SO) identification approach that enables the real-time identification of compromised sensors, actuators, or connections during an attack. The results validate the effectiveness of our lightweight online intrusion detection framework, showcasing its ability to detect cyber attacks in real-time while maintaining a low false positive rate. Furthermore, our proposed PCACD-SO identification approach enhances the system’s capability to identify and isolate compromised components swiftly, enabling prompt response and mitigation.

A Semi-Supervised IDS for Cyber-Physical Systems Using a Deep Learning Approach

Volume 15, Issue 3, October 2023, Pages 43-50

https://doi.org/10.22042/isecure.2023.181544

Amirhosein Salehi, Siavash Ahmadi, Mohammad Reza Aref

Abstract Industrial control systems are widely used in industrial sectors and critical infrastructures to monitor and control industrial processes. Recently, the security of industrial control systems has attracted a lot of attention, because these systems are now increasingly interacting with the Internet. Classic systems are suffering from many security problems and with the expansion of Internet connectivity, they are now exposed to new types of threats and cyber-attacks. Addressing this, intrusion detection technology is one of the most important security solutions that is used in industrial control systems to identify potential attacks and malicious activities. In this paper, we propose Stacked Autoencoder-Deep Neural Network (SAE-DNN), as a semi-supervised Intrusion Detection System (IDS) with appropriate performance and applicability on a wide range of Cyber-Physical Systems (CPSs). The proposed approach comprises a stacked autoencoder, a deep learning-based feature extractor, helping us with a low dimension and low noise representation of data. In addition, our system includes a deep neural network (DNN)-based classifier, which is used to detect anomalies with a high detection rate and low false positive rate in a real-time process. The SAE-DNN’s performance is evaluated on the WADI dataset, which is a real testbed for a water distribution system. The results indicate the superior performance of our approach over existing supervised and unsupervised methods while using a few percentages of labeled data.

Private Federated Learning: An Adversarial Sanitizing Perspective

Volume 15, Issue 3, October 2023, Pages 67-76

https://doi.org/10.22042/isecure.2023.182211

Mojtaba Shirinjani, Siavash Ahmadi, Taraneh Eghlidos, Mohammad Reza Aref

Abstract Large-scale data collection is challenging in alternative centralized learning as privacy concerns or prohibitive policies may rise. As a solution, Federated Learning (FL) is proposed wherein data owners, called participants, can train a common model collaboratively while their privacy is preserved. However, recent attacks, namely Membership Inference Attacks (MIA) or Poisoning Attacks (PA), can threaten the privacy and performance in FL systems. This paper develops an innovative Adversarial-Resilient Privacy-preserving Scheme (ARPS) for FL to cope with preceding threats using differential privacy and cryptography. Our experiments display that ARPS can establish a private model with high accuracy outperforming state-of-the-art approaches. To the best of our knowledge, this work is the only scheme providing privacy protection beyond any output models in conjunction with Byzantine resiliency without sacrificing accuracy and efficiency.

Integral Cryptanalysis of Reduced-Round SAND-64 Based on Bit-Based Division Property

Volume 15, Issue 3, October 2023, Pages 139-147

https://doi.org/10.22042/isecure.2023.187449

Atiyeh Mirzaie, Siavash Ahmadi, Mohammad Reza Aref

Abstract Conventional Bit-based Division Property (CBDP), as a generalization of integral property, has been a powerful tool for integral cryptanalysis of many block ciphers. Exploiting a Mixed Integral Linear Programming (MILP) optimizer, an alternative approach to searching integral distinguishers was proposed, which has overcome the bottleneck of the cipher block length. The MILP-aided method starts by modeling CBDP propagation by a system of linear inequalities. Then by choosing an appropriate objective function, the problem of searching distinguisher transforms into an MILP problem. As an application of this technique, we focused on a newly proposed lightweight block cipher SAND. SAND is a family of two AND-RX block ciphers SAND-64 and SAND-128, which was designed to overcome the difficulty regarding security evaluation. For SAND-64, we found a 12-round distinguisher with 23 balanced bits and a data complexity of 2^63, with the superiority of a higher number of balanced bits than the designers’ one. Furthermore, we applied an integral attack on a 15 and 16-round SAND-64, including the key recovery step which resulted in time complexity of 2^105 and 2^109.91 and memory complexity of 2^52 and 2^85 bytes, respectively.

New Fixed Point Attacks on GOST2 Block Cipher

Volume 11, Issue 2, July 2019, Pages 145-158

https://doi.org/10.22042/isecure.2019.140663.424

Siavash Ahmadi, Mohammad Reza Aref

Abstract GOST block cipher was designed in the 1970s and published in 1989 as the Soviet and Russian standard GOST 28147-89. In order to enhance the security of GOST block cipher after proposing various attacks on it, designers published a modified version of GOST, namely GOST2, in 2015 which has a new key schedule and explicit choice for S-boxes. In this paper, by using three exactly identical portions of GOST2 and fixed point idea, more enhanced fixed point attacks for filtration of wrong keys are presented. More precisely, the focus of the new attacks is on reducing memory complexity while keeping other complexities unchanged as well. The results show a significant reduction in the memory complexity of the attacks, while the time complexity slightly increased in comparison to the previous fixed point attacks. To the best of our knowledge, the lowest memory complexity for an attack on full-round GOST2 block cipher is provided here.

Biclique Cryptanalysis of Block Ciphers LBlock and TWINE-80 with Practical Data Complexity

Volume 11, Issue 1, January 2019, Pages 57-74

https://doi.org/10.22042/isecure.2018.138036.420

Siavash Ahmadi, Zahra Ahmadian, Javad Mohajeri, Mohammad Reza Aref

Abstract In the biclique attack, a shorter biclique usually results in less data complexity, but at the expense of more computational complexity. The early abort technique can be used in partial matching part of the biclique attack in order to slightly reduce the computations. In this paper, we make use of this technique, but instead of slight improvement in the computational complexity, we keep the amount of this complexity the same and reduce the data complexity enormously by a shorter biclique. With this approach, we analysed full-round of LBlock, and also LBlock with modified key schedule (which was designed to resist biclique attack) both with data complexity 2^12, while the data complexity of the best biclique attack on the former was 2^52 and for the latter there is no attack on the full-round cipher, so far. Then we proposed a new key schedule that is more resistant against biclique cryptanalysis, though the low diffusion of the cipher makes it vulnerable to this attack regardless of the strength of the key schedule. Also using this method, we analyzed TWINE-80 with 2^12 data complexity. The lowest data complexity for the prior attack on the TWINE-80 was 2^60. In all the attacks presented in this paper, the computational complexities are slightly improved in comparison to the existing attacks.