MONITORING REMOTE SERVICE PLATFORMS USING ARTIFICIAL INTELLIGENCE-BASED DISTRIBUTED INTRUSION DETECTION

Due to their flexibility, remote service platforms are ideal for contributing to companies' digital strategy. At the same time, this breadth of use cases makes it difficult to reliably detect attacks on the network infrastructure. This paper presents a proposal for detecting attack patterns on remote service platforms through artificial intelligence. A blockchain-based approach will be used to adapt these attack signatures to the specific use cases of remote service platform users. By employing a blockchain-based attack signature selection mechanism, remote service platform users will be able to adjust the attack signatures flexibly and in a tamper-proof manner.

706 34TH BLED ECONFERENCE DIGITAL SUPPORT FROM CRISIS TO PROGRESSIVE CHANGE


Introduction
Effective plant reliability is of utmost importance for manufacturing and other industrial pursuits. Given the scale and visibility of industrial plants, unplanned downtime events can quickly result in extraordinary costs (Christer & Waller, 1984).
The causes of such breakdowns are numerous, and troubleshooting is typically performed by engineers or experienced technicians (Hiltunen et al., 2008). To keep downtime as low as possible, a company must have suitable service technicians available and on-site as soon as possible. Due to a plant's complexity, deploying an emergency service for troubleshooting can quickly turn into a planning problem (Vossing, 2017); digitization may improve the accuracy of the planning process.
Remote service platforms (RSPs) are digital solutions that help companies better plan service deployment in plants. Companies can implement RSPs to train and educate workers remotely on new machines, plants, or systems. Analog monitoring processes, such as maintenance, quality assurance, and auditing, can be performed remotely as well (Werner & Bechini, 2019). Moreover, RSPs allow remote guidance of workers and transmission of instructions. Service technicians and engineers can use RSPs to give real-time advice to on-site workers and fix problems from a distance without traveling. This results in less downtime and thus a faster restart of production after an incident.
This digitization of analog processes has further economic effects on companies. On the one hand, there are direct savings in travel costs (e.g., cars, flights, trains, cabs, and hotel accommodation). On the other hand, companies can redeploy their service technicians much more quickly: technicians no longer "waste" time traveling and can be deployed more often in the same time frame. Finally, saving on travel reduces a company's carbon dioxide (CO2) footprint, which can be a competitive advantage.
In summary, RSPs offer many benefits to companies. They can ensure that a service technician can quickly get to where they are needed, even if that technician might not be able or allowed to travel.

RSP Architecture
Figure illustrates a generic RSP architecture, which typically consists of three main components (Yin et al., 2006). The first is an exchange and management platform (the platform management server) to which both the service technician and the customer connect via the Hypertext Transfer Protocol Secure (HTTPS). It enables two or more participants to communicate and exchange data with each other; its management functionality covers access control and user management.
The second is a client-side application through which users connect to the central platform management server, typically a desktop, browser, or smartphone/tablet/smart-glasses application. The third is the communication infrastructure between the participants. In a basic configuration, two or more participants communicate directly over a peer-to-peer (P2P) connection (Ripeanu, 2001) using Web Real-Time Communication (WebRTC) (Johnston et al., 2013). If a direct P2P connection is not feasible for technical reasons, the participants fall back to relaying the traffic through a server (Mahy et al., 2010).

RSP Security
An essential prerequisite for the successful implementation of RSPs is, in addition to pure functionality, confidence in the security of the platform's network, i.e., confidence that its security goals of confidentiality, integrity, and availability (CIA) are met (Can & Sahingoz, 2015). Security properties are often critical when selecting software packages (Academy et al., 2007), yet they are frequently assumed to be provided as a matter of course by the software vendor (Sahay & Gupta, 2003).
Basic security measures for RSPs can be achieved by applying state-of-the-art protocols such as HTTPS together with sound authentication mechanisms (Kiraz, 2016). However, this baseline is not always sufficient, and advanced security mechanisms are needed. For example, transport encryption and authentication neither protect against network-based attacks nor allow monitoring of whether a system has been exploited or tampered with (Brown & Heikki, 2005; Jatti & Kishor Sontif, 2019; Liao et al., 2013). Several authors recommend network intrusion detection systems (NIDSs) as the first choice for detecting network-based attacks (Debar et al., 2000; El-Bakry & Mastorakis, 2008).
The idea of intrusion detection systems (IDSs) was described by Denning in 1987 (Denning, 1987). Since then, IDSs have been extensively researched by the scientific community (Khraisat et al., 2019). Today there is a trend toward specialization, for example for wireless sensor networks (Can & Sahingoz, 2015), the Internet of Things (Zarpelão et al., 2017), smart grids (Jow et al., 2017), and cloud computing (Chiba et al., 2016). Specialization has the advantage that a system's unique characteristics can be taken into account: an IDS designed for Internet of Things devices, for instance, faces much tighter constraints on power consumption than one developed for cloud systems.
RSPs likewise require security measures. Unauthorized platform access, attacks on the communication infrastructure, and unauthorized use of premium services are only a few of the threat scenarios that could reduce confidence in RSPs. For these reasons, it is logical and consistent to develop an IDS tailored to RSPs.

Problem Definition
In general, implementing an IDS for RSPs requires attention to three main aspects: the mathematical requirements, the challenges of tailoring an IDS to RSPs, and the possibility for the customer to customize and notarize the selected configuration.

Mathematical Boundaries
A significant problem encountered by IDSs is the so-called base rate fallacy (Axelsson, 2000), a statistical error that arises when conditional probabilities are judged without regard to the prior (base) rate of the event in question. The problem can be explained by applying Bayes' theorem.
Research question: What is the conditional probability that a connection flagged by the IDS as a SYN flood is in fact legitimate? In other words, what is the probability that traffic is benign given that the IDS has raised an alarm? Using the values mentioned above in Bayes' theorem yields the following: if the IDS raises an alarm, the probability that it is a false alarm is around 92%, an extremely high value. A false-alarm rate of this magnitude can lead employees to ignore alarms, so that ongoing attacks are ignored as well.
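As an added worked example (not part of the paper; the paper's input values did not survive extraction, so the operating point below is assumed and chosen to reproduce the roughly 92% result), the following Python carries Bayes' theorem through for an IDS alarm and then inverts it to give the false-alarm budget a detector must meet for its alarms to be trustworthy at a given base rate. The class and function names are ours.

```python
"""Base rate fallacy for IDS alarms, worked through with Bayes' theorem.

Added example, not from the paper. The paper's numeric values did not
survive extraction, so the operating point below (one attack per 10,000
connections, perfect detection, 0.115 % false alarms) is assumed; it is
chosen so that the result matches the roughly 92 % false-alarm figure
the text reports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectorModel:
    """Operating point of a detector together with the prior it faces."""
    base_rate: float         # P(attack): fraction of connections that are attacks
    detection_rate: float    # P(alarm | attack): true-positive rate
    false_alarm_rate: float  # P(alarm | benign): false-positive rate

    def p_alarm(self) -> float:
        """P(alarm) = P(alarm|attack)P(attack) + P(alarm|benign)P(benign)."""
        return (self.detection_rate * self.base_rate
                + self.false_alarm_rate * (1.0 - self.base_rate))

    def p_attack_given_alarm(self) -> float:
        """Bayes: P(attack | alarm) = P(alarm|attack)P(attack) / P(alarm)."""
        return self.detection_rate * self.base_rate / self.p_alarm()

    def p_benign_given_alarm(self) -> float:
        """Probability that a given alarm is a false alarm: P(benign | alarm)."""
        return 1.0 - self.p_attack_given_alarm()


def max_false_alarm_rate(base_rate: float, detection_rate: float,
                         target_precision: float) -> float:
    """Largest P(alarm|benign) at which P(attack|alarm) still reaches target_precision.

    Rearranging TPR*p / (TPR*p + FPR*(1-p)) >= q for FPR gives
    FPR <= TPR*p*(1-q) / (q*(1-p)): the false-alarm budget a detector
    must stay within for its alarms to be worth an analyst's time.
    """
    p, q = base_rate, target_precision
    return detection_rate * p * (1.0 - q) / (q * (1.0 - p))


# Assumed operating point for the SYN-flood scenario (see module docstring).
SYN_FLOOD_EXAMPLE = DetectorModel(base_rate=1e-4,
                                  detection_rate=1.0,
                                  false_alarm_rate=1.15e-3)


def false_alarm_budget_table(model: DetectorModel,
                             precisions=(0.5, 0.9, 0.99)) -> dict:
    """For each desired alarm precision, the false-alarm rate the detector may have."""
    return {q: max_false_alarm_rate(model.base_rate, model.detection_rate, q)
            for q in precisions}


if __name__ == "__main__":
    m = SYN_FLOOD_EXAMPLE
    print(f"P(alarm)               = {m.p_alarm():.6f}")
    print(f"P(attack | alarm)      = {m.p_attack_given_alarm():.3f}")
    print(f"P(false alarm | alarm) = {m.p_benign_given_alarm():.3f}")
    for q, fpr in false_alarm_budget_table(m).items():
        print(f"for {q:.0%} of alarms to be real, FPR must be <= {fpr:.2e}")
```

The second function is the practical lesson of the base rate fallacy: at one attack per 10,000 connections, even a detector that never misses an attack must keep its false-positive rate near 1e-4 for half of its alarms to be real, and near 1e-5 for nine out of ten. Tuning a detection rate upward without driving the false-alarm rate down by orders of magnitude does not make the alarms more credible.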

Tailoring Intrusion Detection to RSPs
According to Liao et al. (2013), IDSs are divided into signature-based, anomaly-based, and specification-based systems. Signature-based and specification-based systems are knowledge-based, whereas anomaly-based systems are behavior-based: they learn a model of typical user behavior and network connections and react when observed behavior deviates from this pattern.
As noted above, there is currently a trend toward specialization in IDS development.
Research gap: a scientific approach that handles the specific requirements of an IDS in the RSP environment is missing. The challenge in defining an IDS for RSPs is the breadth of RSP use cases, such as remote training (Masoni et al., 2017), remote audits (Teeter et al., 2010), and remote assembly (Elvezio et al., 2017). The IDS must therefore be adaptable, as flexibly as possible, to existing and future RSP use cases while at the same time meeting all users' data protection requirements.
More precisely, two artificial intelligence (AI) methods are needed. In the first step, the received network traffic must be classified correctly according to its properties, e.g., as HTTPS, ping, or another kind of traffic; clustering algorithms can do so (Liu et al., 2008; Münz et al., 2007). There are two approaches in principle, supervised and unsupervised learning (Sathya & Abraham, 2013). Although their differences have been analyzed in the past, it is not clear a priori which method classifies network traffic most reliably in the use cases of RSPs.
In the next step, the classified network traffic must be analyzed to predict whether it constitutes a possible attack. This prediction can be made in various ways, for example by analyzing the transmitted packet information with text analysis algorithms (Min et al., 2018; Stone, 2007) or by regression (Altwaijry & Algarny, 2012; Wang, 2005). Again, it is not clear a priori which method is best suited for predicting possible attacks on RSPs; a hybrid solution might prove most promising.

Customization of IDSs
Typically, IDSs are configured by means of policies (Bace & Mell, 2001). In the example shown in Figure , the IDS would raise an alert with the message "IP Package detected" for any IP packet sent from any source IP address and port to any destination IP address and port. IDS policies thus encode attack patterns, and the permitted network activities can be read off from them. This knowledge is valuable to an attacker planning an attack, so securing and configuring IDS policies is crucial for securing the infrastructure. Consequently, RSP customers are interested in defining these policies independently and need a way to monitor the selected policies and attack signatures. Moreover, RSP customers need a guarantee (a notarized confirmation) that the RSP provider has indeed implemented the agreed IDS policy and attack signatures.

Resulting Research Questions
The central question to be answered by this dissertation project is as follows: "Is it possible to develop a privacy-compliant and customizable artificial intelligence (AI)-based attack detection system for remote service platforms with the highest possible detection rate and lowest possible false-positive rate, optimization of data exchange, and an intuitive visualization of and reaction to detected attacks?" Further research questions (RQs) addressed by this project are the following:
1. What are the legal requirements for an RSP's IDS?
2. What relevant intrusion detection approaches already exist?
3. How can client-side applications be used to detect intrusions on RSPs?
4. How long must the learning phase of an AI-based IDS be to achieve the greatest possible likelihood of attack detection?
5. How should a neural network be adjusted to distinguish between different application areas within the RSP?
6. How should the IDS react to a detected attack?

Methodology
This chapter outlines what is being done (implementation) to solve each research question and how (means) it is being done. It also addresses how the data is collected and what data can be accessed to answer the research questions.
RQs 1 and 2 serve as the basis of this dissertation, as they establish its research scope. Both will be addressed by qualitative research, more precisely by a systematic literature review following vom Brocke et al. (2009). RQ 1 clarifies the legal framework within which this dissertation must operate to develop a legally sound and data-protection-compliant IDS for RSPs.
RQ 3 concerns the architecture of the software to be developed within the scope of this dissertation. The central task of the IDS is to detect attacks by examining deviations from normal behavior (Umer et al., 2017); it must therefore receive status information from all monitored entities. To guarantee error-free monitoring, this dissertation must additionally develop an architecture that monitors all entities reliably. RQ 3 will therefore be investigated with both qualitative and quantitative methods. A qualitative literature review must identify which IDS architectures already exist and which should be considered for this research question, while quantitative experiments must collect and evaluate network load data and create attack signatures. An RSP typically has several kinds of connected devices, such as laptops, servers, smartphones, and smart glasses (Kao et al., 2014). By evaluating the network traffic, it can be checked which architectural and communication approaches for the IDS prove most reliable in practice.
Since no reliable values exist for RQs 4 and 5, they must be investigated in an exploratory study (Shields & Rangarjan, 2013). A neural network will be created and trained over several periods in an attack-free test network. Attack vectors defined for this purpose will then be used to investigate whether, and how many, attacks the trained network recognizes. Qualitative methods (interviews with various stakeholders) will be used to determine which training times are realistically achievable for actual companies.
The final research question is highly context-dependent, and it may not be possible to answer it in general terms. Instead, this dissertation aims to develop a set of recommendations based on a comprehensible presentation of various automated attack reactions, showing users the possible reactions to an attack and the consequences of those reactions.

Expected Results
This dissertation's expected results are, on the one hand, a data-protection-compliant intrusion detection system that includes a set of attack signatures continuously improved by means of artificial intelligence and, on the other hand, a procedure that allows the RSP customer to monitor the selected attack signatures and adjust them independently if necessary.

Continuous Attack Signature Generation and Evaluation
To detect an attack successfully, the IDS must distinguish between "regular" and "attack" behavior. One expected outcome is therefore the continuous generation of attack signatures from log files on both the client and the server. Although a substantial amount of actual RSP data will be available through this dissertation, this data is, to current knowledge, "attack-free." A further expected result is therefore the creation of "attack" data and RSP-tailored attack signatures through penetration tests.

IDS Management via Blockchain
A further goal is a procedure that allows the RSP customer to monitor the selected attack signatures and adjust them independently if necessary. A possible solution is to define the attack signature selection via a blockchain, which can establish a notarized record of the selected attack signatures and, at the same time, allow the customer to adjust the selection without intervention by the platform operator.
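The two properties asked for here, a notarized record of the customer's selection and a customer-side check that the provider runs exactly that selection, can be illustrated without a full blockchain. The following Python is an added example, not the dissertation's implementation: it uses a minimal append-only hash chain as a stand-in for the proposed blockchain, and the signature IDs, rule texts and ledger API (`SignatureLedger`, `verify_chain`, `provider_runs_notarised_set`) are our own constructed sample data and names.

```python
"""Customer-verifiable, tamper-evident record of the selected IDS signatures.

Added example, not the paper's implementation. The paper proposes a
blockchain so that the customer's signature selection is notarised and the
customer can check that the provider runs exactly that selection. The
append-only hash chain below is a minimal stand-in showing those two
checks; signature IDs and rule texts are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace


def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def signature_set_digest(signatures: dict) -> str:
    """Commitment to a selected set {sig_id: rule_text}, independent of order."""
    return digest(dict(sorted(signatures.items())))


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    customer: str
    action: str       # "select" or "deselect"
    sig_id: str
    set_digest: str   # digest of the complete selected set after this action

    def block_hash(self) -> str:
        return digest(asdict(self))


class SignatureLedger:
    """Append-only chain the customer extends without the provider's help."""
    GENESIS = "0" * 64

    def __init__(self, customer: str):
        self.customer = customer
        self.selected: dict = {}
        self.chain: list = []

    def _append(self, action: str, sig_id: str) -> Block:
        prev = self.chain[-1].block_hash() if self.chain else self.GENESIS
        block = Block(len(self.chain), prev, self.customer, action, sig_id,
                      signature_set_digest(self.selected))
        self.chain.append(block)
        return block

    def select(self, sig_id: str, rule_text: str) -> Block:
        self.selected[sig_id] = rule_text
        return self._append("select", sig_id)

    def deselect(self, sig_id: str) -> Block:
        del self.selected[sig_id]
        return self._append("deselect", sig_id)


def verify_chain(chain) -> bool:
    """Each block must carry its predecessor's hash; editing any block breaks the link."""
    prev = SignatureLedger.GENESIS
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False
        prev = block.block_hash()
    return bool(chain)


def provider_runs_notarised_set(chain, running_signatures: dict) -> bool:
    """Customer-side audit: does the provider's running rule set match the head block?"""
    return (verify_chain(chain)
            and chain[-1].set_digest == signature_set_digest(running_signatures))


# Constructed sample signatures, not real RSP rules.
RULES = {
    "RSP-001": 'alert tcp any any -> $MGMT_SERVER 443 (msg:"login brute force";)',
    "RSP-002": 'alert udp any any -> $TURN_RELAY 3478 (msg:"relay abuse";)',
    "RSP-003": 'alert ip any any -> any any (msg:"IP packet detected";)',
}


def demo() -> dict:
    ledger = SignatureLedger("customer-A")
    for sig_id in ("RSP-001", "RSP-002", "RSP-003"):
        ledger.select(sig_id, RULES[sig_id])
    ledger.deselect("RSP-003")          # customer drops the noisy catch-all rule
    honest = {k: RULES[k] for k in ("RSP-001", "RSP-002")}
    forged = list(ledger.chain)         # someone rewrites history in block 2 ...
    forged[2] = replace(forged[2], action="deselect")
    return {
        "chain_ok": verify_chain(ledger.chain),
        "honest_provider": provider_runs_notarised_set(ledger.chain, honest),
        "stale_provider": provider_runs_notarised_set(ledger.chain, dict(RULES)),
        "forged_chain_ok": verify_chain(forged),   # ... and block 3 no longer links
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

Two caveats follow from the example. A hash chain is tamper-evident only for a party that holds an independent copy of the head hash; if the provider keeps the only copy, it can rewrite the whole chain consistently, and this is exactly the gap the paper's blockchain is meant to close through distributed consensus. Second, the audit compares the notarized digest with whatever rule set the provider reports as running; proving that the reported set is what the IDS actually enforces is an attestation problem that neither a hash chain nor a blockchain solves by itself.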

Future Development
At the core of this dissertation, new attack patterns are created to detect attacks on RSPs. In particular, data from the mobile devices that are part of the RSP will be used for this purpose. In general, it can be assumed that client devices communicate end-to-end encrypted, both with the management server and with each other.
However, encrypted packets can be examined for attack patterns, and their payloads analyzed for malicious content, only to a limited extent (Sherry et al., 2015). In the first step, a cloud infrastructure must therefore be set up in which attacks on an RSP can be simulated. This infrastructure must terminate the devices' encryption and forward the decrypted packets to the IDS; the traffic to be analyzed is thus no longer end-to-end encrypted between the devices but is decrypted at an intermediary, which is typically realized with a reverse proxy (Radivilova et al., 2018). In the second step, the newly built infrastructure must detect and classify new attack signatures. Targeted penetration tests generate predefined attack patterns, and the packets the IDS observes during such a test can be stored as a new attack signature. For example, suppose a penetration test conducts a brute-force attack to guess management-server login credentials. The corresponding packets can be uniquely recognized by the IDS and stored as a new attack signature. Later, an AI will be trained to improve the generated signatures continuously. Once targeted attack signatures can be generated and improved via AI, the cloud infrastructure will be connected to a blockchain, with whose help the generated attack signatures can be selected and monitored in a tamper-proof manner. The result will be an IDS that is specialized for RSPs, detects attacks, and can be configured and monitored via blockchain independently of the RSP operator.
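To make the brute-force example concrete, the following Python is an added illustration (not the dissertation's code) of the detection step that becomes possible once the reverse proxy has terminated the encryption: it runs a sliding-window failed-login detector over constructed proxy log lines and turns the resulting alert into a threshold-style signature record. The log format, the `/login` endpoint, the threshold and window, and the function names are assumptions.

```python
"""Brute-force login detection over decrypted reverse-proxy logs.

Added example, not code from the paper. The paper proposes terminating the
clients' encryption at a reverse proxy so the IDS sees plaintext, and then
deriving a signature from a penetration test that brute-forces management-
server logins. The log format, endpoint path and thresholds below are
assumptions; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of what a TLS-terminating reverse proxy would log:
# ISO timestamp, client IP, method, path, HTTP status code.
SAMPLE_LOG = """\
2021-05-10T09:00:01Z 198.51.100.23 POST /login 401
2021-05-10T09:00:02Z 198.51.100.23 POST /login 401
2021-05-10T09:00:02Z 192.0.2.10 GET /dashboard 200
2021-05-10T09:00:03Z 198.51.100.23 POST /login 401
2021-05-10T09:00:03Z 198.51.100.23 POST /login 401
2021-05-10T09:00:04Z 198.51.100.23 POST /login 401
2021-05-10T09:00:05Z 198.51.100.23 POST /login 200
2021-05-10T09:00:07Z 192.0.2.10 POST /login 401
2021-05-10T09:01:30Z 192.0.2.10 POST /login 401
2021-05-10T09:03:00Z 192.0.2.10 POST /login 200
"""

LOGIN_PATH = "/login"     # assumed management-server login endpoint
FAILURE_THRESHOLD = 5     # failed logins from one source ...
WINDOW_SECONDS = 60       # ... within this sliding window raise an alert


def parse_line(line: str):
    """Split one proxy log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)


def detect_bruteforce(log_text: str, threshold: int = FAILURE_THRESHOLD,
                      window_seconds: int = WINDOW_SECONDS,
                      login_path: str = LOGIN_PATH) -> list:
    """One alert per source whose failed logins reach the threshold within the window.

    Only POSTs to the login endpoint are considered. A 200 from a source that
    has already been alerted is recorded as a likely successful guess.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    alerts = {}                            # ip -> alert record
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = parse_line(line)
        if method != "POST" or path != login_path:
            continue
        recent = recent_failures[ip]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if status == 401:
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"source": ip, "failures": len(recent),
                              "first": recent[0].isoformat(), "last": ts.isoformat(),
                              "success_after_burst": False}
        elif status == 200 and ip in alerts:
            alerts[ip]["success_after_burst"] = True
    return list(alerts.values())


def to_signature(alert: dict, login_path: str = LOGIN_PATH,
                 threshold: int = FAILURE_THRESHOLD,
                 window_seconds: int = WINDOW_SECONDS) -> dict:
    """Turn an alert observed during a penetration test into a reusable signature."""
    return {
        "name": "management-login-bruteforce",
        "match": {"method": "POST", "path": login_path, "status": 401},
        "threshold": {"track": "by_src", "count": threshold, "seconds": window_seconds},
        "derived_from": {"source": alert["source"], "observed_failures": alert["failures"]},
    }


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
        print(to_signature(alert))
```

In the sample, 198.51.100.23 produces five failures in four seconds followed by a success and is flagged; 192.0.2.10 makes two failed attempts 83 seconds apart and then logs in, which the 60-second window correctly treats as an ordinary user mistyping a password. This per-source thresholding is one concrete way to keep the false-alarm rate low enough for the base rate discussion above to work in the IDS's favor, and it depends on two properties the reverse proxy makes observable only after decryption: the request path and the response status. That visibility is also what makes the data protection question behind RQ 1 concrete, since the proxy and IDS now see credentials and session content in plaintext.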