Skip to main content

Tracking Advanced Persistent Threats in Critical Infrastructures Through Opinion Dynamics

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11098)


Advanced persistent threats pose a serious issue for modern industrial environments, due to their targeted and complex attack vectors that are difficult to detect. This is especially severe in critical infrastructures that are accelerating the integration of IT technologies. It is then essential to further develop effective monitoring and response systems that ensure the continuity of business to face the arising set of cyber-security threats. In this paper, we study the practical applicability of a novel technique based on opinion dynamics, that permits to trace the attack throughout all its stages along the network by correlating different anomalies measured over time, thereby taking the persistence of threats and the criticality of resources into consideration. The resulting information is of essential importance to monitor the overall health of the control system and correspondingly deploy accurate response procedures.


  • Advanced persistent threat
  • Detection
  • Traceability
  • Opinion dynamics

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-99073-6_27
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   79.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-99073-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   99.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.


  1. Cazorla, L., Alcaraz, C., Lopez, J.: Cyber stealth attacks in critical information infrastructures. IEEE Syst. J. 12(2), 1778–1792 (2018)

    CrossRef  Google Scholar 

  2. Singh, S., Sharma, P.K., Moon, S.Y., Moon, D., Park, J.H.: A comprehensive study on apt attacks countermeasures for future networks communications: challenges solutions. J. Supercomput. 1–32 (2016).

  3. Rubio, J.E., Alcaraz, C., Lopez, J.: Preventing advanced persistent threats in complex control networks. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 402–418. Springer, Cham (2017).

    CrossRef  Google Scholar 

  4. Lin, C.-T.: Structural controllability. IEEE Trans. Autom. Control 19(3), 201–208 (1974)

    MathSciNet  CrossRef  Google Scholar 

  5. Haynes, T.W., Hedetniemi, S.M., Hedetniemi, S.T., Henning, M.A.: Domination in graphs applied to electric power networks. SIAM J. Discret. Math. 15(4), 519–529 (2002)

    MathSciNet  CrossRef  Google Scholar 

  6. Kneis, J., Mölle, D., Richter, S., Rossmanith, P.: Parameterized power domination complexity. Inf. Process. Lett. 98(4), 145–149 (2006)

    MathSciNet  CrossRef  Google Scholar 

  7. Pagani, G.A., Aiello, M.: The power grid as a complex network: a survey. Phys. A: Stat. Mech. Appl. 392(11), 2688–2700 (2013)

    MathSciNet  CrossRef  Google Scholar 

  8. Watts, D.J., Strogatz, S.H.: Collective dynamics of ‘small-world’ networks. Nature 393(6684), 440 (1998)

    CrossRef  Google Scholar 

  9. Hegselmann, R., Krause, U., et al.: Opinion dynamics and bounded confidence models, analysis, and simulation. J. Artif. Soc. Soc. Simul. 5(3), 1–33 (2002)

    Google Scholar 

  10. Lemay, A., Calvet, J., Menet, F., Fernandez, J.M.: Survey of publicly available reports on advanced persistent threat actors. Comput. Secur. 72, 26–59 (2018)

    CrossRef  Google Scholar 

  11. Falliere, N., Murchu, L.O., Chien, E.: W32.stuxnet dossier, version 1.4, February 2011. Accessed Apr 2018

  12. Symantec Security Response Attack Investigation Team. Dragonfly: Western energy sector targeted by sophisticated attack group (2017). Accessed Apr 2018

  13. SANS Industrial Control Systems. Analysis of the cyber attack on the Ukrainian power grid (2016). Accessed Apr 2018

  14. Cherepanov, A.: Telebots are back - supply-chain attacks against Ukraine (2017). Accessed Apr 2018

  15. MITRE Corporation. MITRE ATT&CK (2018). Accessed Apr 2018

  16. Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: De Decker, B., Zúquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63–72. Springer, Heidelberg (2014).

    CrossRef  Google Scholar 

  17. Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lead. Issues Inf. Warf. Secur. Res. 1(1), 80 (2011)

    Google Scholar 

  18. Rubio, J.E., Alcaraz, C., Roman, R., Lopez, J.: Analysis of intrusion detection systems in industrial ecosystems. In: 14th International Conference on Security and Cryptography, pp. 116–128 (2017)

    Google Scholar 

  19. S2Grupo. Emas SOM - Monitoring System for Industrial Environments (2018). Accessed Apr 2018

Download references


This work has been partially supported by the research project SADCIP (RTC-2016-4847-8), financed by the Ministerio de Economía y Competitividad, and DISS-IIoT, financed by the University of Malaga (UMA) trough the “I Plan Propio de Investigación y Transferencia” of UMA. Likewise, the work of the first author has been partially financed by the Spanish Ministry of Education under the FPU program (FPU15/03213). The authors also thank J. Rodriguez (NICS Lab.) for his valuable comments, support, ideas, and incredible help. You rock.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Juan E. Rubio .

Editor information

Editors and Affiliations


A Correctness Proof: Consensus-Based Detection and Traceability

This section presents the correctness proof of the consensus-based detection and traceability problem for APTs. This problem is solved when the following conditions are met:

  1. 1.

    The attacker is able to find an IT/OT device in the system and attack it.

  2. 2.

    The detection system is able to trace the threat, thanks in part to the consensus (detection and traceability).

  3. 3.

    The system is able to properly finish in a finite time (termination).

  4. 4.

    The algorithm is capable of terminating and providing advanced detection at any moment (validity).

The first requirement is satisfied because we assume that the attacker is capable (i) declaring the chain of attacks in advance, such as scanning, lateral movement, exfiltration or destruction (see Sect. 3.2), and (ii) identifying kinds of devices (e.g. IT/OT nodes and firewalls) by their functionalities. The modus operandi of the attacker is systematic except when the attacker needs to make a specific lateral movement, either through the selection of a new random neighbor node within the network or the selection of the neighbor with the highest betweeness. To comply with the predefined attack patterns, the attacker first needs to identify the first target node, which generally belongs to IT network − evidently, this characteristic depends on the type of attacker (insider or outsider) and their skills. If the attacker is an outsider, her goal is to find a \(v_{IT_i} \in V_{IT}\) in order to penetrate by itself within the system, and to advance until reaching those nodes serving as firewalls such that \(v_{FW_i} \in V_{FW}\). Once a \(v_{FW_i}\) is finally reached, the attacker tries to gain access in the operative network to compromise the most critical devices, i.e. \(v_{OT_i} \in V_{OT}\). If the attacker is an outsider, the compromises relies, in this case, on the pre-established APT threat chain; i.e. on attackSet.

The second requirement is also found due to the software prevention agents, \(a_i \in A\), integrated as part of \(v_{IT_i}\), \(v_{FW_i}\) and \(v_{OT_i}\) of G(VE). These agents present capacities to detect anomalies and trace the intrusive presence by means of opinion dynamic parameters, the values of the which are attenuated according to time and aggressiveness of the threat (the decay factor). This attenuation, dependent on \(\varPhi _i\), does not means to completely forget an incident in past. But rather, in remembering the most significant aftermaths of the previous attacks in order to show the advance of the threat in real time, and therefore its traceability.

Through induction we demonstrate the third requirement, corresponding to termination of the approach. To do this, we specify the initial and final conditions together with the base case. Namely:

  • Precondition: by assumptions, we assume that the attacker is an advanced expert with skills to reach the IT-OT communication channels belonging to G(VE). However, this capacity depends on the set attackSet defined in Algorithm 1, which defines threat chain such that \(attackSet \ne \oslash \).

  • Postcondition: (i) the attacker reaches the network G(VE) and compromises at least a node in V such that \(attackSet = \oslash \) after the loop in Algorithm 1. And (ii) the system successful detects the threat such that \(\delta > 0\) and marks the traceability according to the real consensus state of G(VE), registered in the array vector x.

  • Case 1: \(attackSet \ne \oslash \), but \(\mid attackSet \mid = 1\). In this case, the attacker needs to launch the unique attack defined in attackSet. As mentioned, if the attack does not imply a lateral movement, the success of the threat is concentrated on just one node in V, since the following iteration of the loop implies that \(attackSet \leftarrow attackSet \setminus attack\), and therefore \(attackSet = \oslash \). To the contrary, if the attack entails a lateral movement, then the attacker has to select a new neighbor node, either from a random or target point of view.

    Any attack in V means an impact on the attacked node with a significant influence in its opinion dynamic (i.e. x(attackednode). If, in addition, the decay factor is activated, the system weakens, but does not delete, the aggressiveness of the threat to stress the current trace of threat over the time. This computation is possible through \(\varPhi _i\) in Algorithm 2. Once x is updated, the system computes the \(\delta \) value taking into account the weighted average of the opinion dynamics of the entire system (see Algorithm 3).

  • Induction: if we assume that we are in step k (\(k \ge 1\)) of the loop where \(attackSet \ne \oslash \), then Case 1 is going to be considered each time. When \(k = \mid attackSet \mid \), the system computes Case 1 and ends the detection algorithm with \(\delta > 0\) since \(attackSet = \oslash \), showing the traceability of the threat through x and complying with the postcondition.

Finally, the latter requirement is also satisfied since the algorithm finalizes and detects the threat through opinion dynamic (either individual or collective) and shows the traceability of the threat over the time.

B The Mapping of the attackStages to \(\varTheta \)

We have presented in Sect. 3.2 a model that maps every element of the set attackStages to the elements of \(\varTheta = \{\theta _1, \theta _2, \theta _3, \theta _4, \theta _5\}\). For this mapping, we have taken into consideration the defense mechanisms analyzed in Sect. 3.1. In particular, the rationale behind this mapping is as follows:

  • We assign \(\theta _1\) only to the destruction stage, because any major disruption in the functionality of a device (e.g. unavailable resources, device turned off) will trigger multiple high priority alerts. Note that, as explained in our defense model, we assume that all field devices are also covered by detection mechanisms, thus any attack (e.g. the Stuxnet final payload) against these sensitive devices can be easily detected.

  • \(\theta _2\) is only assigned to the element at the left side of the compromise stage (\(n_i \rightarrow neighbours(n_i)\)). The reason is simple: the act of compromising and taking control of \(n_i\) will not only trigger various host alerts, but also multiple network alerts due to the various discovery queries targeting all \(neighbours(n_i)\). The correlation of all these events will draw attention to the state of \(n_i\).

  • For \(\theta _4\), we consider the security alerts caused by combination of a single anomalous connection to a node plus the delivery of malware to that node. As such, this \(\theta \) covers all the elements at the right side of the lateralMovement stages. Note, however, that in some particular cases (like the initialIntrusion stage and the \(*LateralMovement_{OT}\) stages), additional anomalies will be detected: a potentially anomalous external connection, and a certain instability in the otherwise stable OT communication environment, respectively. Therefore, the \(\theta \) assigned to the elements of those stages will be \(\theta _3\).

  • Finally, \(\theta _5\) is assigned to those stages where the nodes produce or receive anomalous traffic (e.g. a connection that deviates from what is considered as normal traffic). Again, in situations where a connection with the outside world is made (e.g. exfiltration stage), as the possibility of anomalous traffic will increase, the \(\theta \) will be increase as well.

Rights and permissions

Reprints and Permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Rubio, J.E., Roman, R., Alcaraz, C., Zhang, Y. (2018). Tracking Advanced Persistent Threats in Critical Infrastructures Through Opinion Dynamics. In: Lopez, J., Zhou, J., Soriano, M. (eds) Computer Security. ESORICS 2018. Lecture Notes in Computer Science(), vol 11098. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99072-9

  • Online ISBN: 978-3-319-99073-6

  • eBook Packages: Computer ScienceComputer Science (R0)