{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T07:20:03Z","timestamp":1778743203131,"version":"3.51.4"},"reference-count":26,"publisher":"SAGE Publications","issue":"5","license":[{"start":{"date-parts":[[2019,7,8]],"date-time":"2019-07-08T00:00:00Z","timestamp":1562544000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,9,17]]},"abstract":"<jats:p>In recent years, Advanced Persistent Threats (APTs) have become a major issue for critical infrastructures that are increasingly integrating modern IT technologies. This requires the development of advanced cyber-security services that can holistically detect and trace these attacks, beyond traditional solutions. In this sense, Opinion Dynamics has been proven as an effective solution, as they can locate the most affected areas within the industrial network. With this information, it is possible to put in place accurate response techniques to limit the impact of attacks on the infrastructure. In this paper, we analyze the applicability of Opinion Dynamics to trace an APT throughout its entire life cycle, by correlating different anomalies over time and accounting for the persistence of threats and the criticality of resources. 
Moreover, we run various experiments with this novel technique over a testbed that models a real control system, thereby assessing its effectiveness in an actual industrial scenario.<\/jats:p>","DOI":"10.3233\/jcs-191293","type":"journal-article","created":{"date-parts":[[2019,7,9]],"date-time":"2019-07-09T15:05:32Z","timestamp":1562684732000},"page":"521-546","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":14,"title":["Tracking APTs in industrial ecosystems: A\u00a0proof of concept"],"prefix":"10.1177","volume":"27","author":[{"given":"Juan E.","family":"Rubio","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Malaga, Campus de Teatinos s\/n, 29071, Malaga, Spain. E-mails:\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rodrigo","family":"Roman","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Malaga, Campus de Teatinos s\/n, 29071, Malaga, Spain. E-mails:\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Cristina","family":"Alcaraz","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Malaga, Campus de Teatinos s\/n, 29071, Malaga, Spain. E-mails:\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Department of Informatics, University of Oslo, Norway. 
E-mail:\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2019,7,8]]},"reference":[{"key":"ref001","unstructured":"C.Alcaraz, G.Bernieri, F.Pascucci, J.Lopez and R.Setola, Covert channels-based stealth attacks in Industry 4.0, IEEE Systems Journal (in press)."},{"key":"ref002","unstructured":"Beazley, 2018 Breach Briefing Whitepaper (2018), https:\/\/www.beazley.com\/documents\/Whitepapers\/201802-beazley-breach-briefing.pdf, last retrieved in February 2019."},{"key":"ref003","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2015.2487684"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"P.\u00a0Chen, L.\u00a0Desmet and C.\u00a0Huygens, A\u00a0study on advanced persistent threats, in: IFIP International Conference on Communications and Multimedia Security, Springer, 2014, pp.\u00a063\u201372.","DOI":"10.1007\/978-3-662-44885-4_5"},{"key":"ref005","unstructured":"A.Cherepanov, TeleBots are back\u00a0\u2013 supply-chain attacks against Ukraine, 2017, https:\/\/www.welivesecurity.com, last retrieved in April 2018."},{"key":"ref006","unstructured":"A.\u00a0Cherepanov, GreyEnergy White Paper: A\u00a0successor to BlackEnergy, 2018, https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/10\/ESET_GreyEnergy.pdf, last retrieved in February 2019."},{"key":"ref007","unstructured":"N.Falliere, L.O.Murchu and E.Chien, W32.Stuxnet Dossier, version 1.4 (February 2011), 2011, https:\/\/www.symantec.com, last retrieved in April 2018."},{"key":"ref008","doi-asserted-by":"publisher","DOI":"10.1137\/S0895480100375831"},{"key":"ref009","unstructured":"R.Hegselmann, U.Krause et al., Opinion dynamics and bounded confidence models, analysis, and simulation, Journal of Artificial Societies and Social Simulation 5(3) (2002)."},{"key":"ref010","unstructured":"E.M.Hutchins, M.J.Cloppert and R.M.Amin, Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill 
chains, Leading Issues in Information Warfare & Security Research 1(1) (2011)."},{"key":"ref011","unstructured":"International Society of Automation, ISA-95 standard, 2017, https:\/\/www.isa.org\/isa95\/, last retrieved in December 2017."},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.1016\/j.ipl.2006.01.007"},{"key":"ref013","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.08.005"},{"key":"ref014","doi-asserted-by":"crossref","unstructured":"A.\u00a0Lemay, J.M.\u00a0Fernandez and S.\u00a0Knight, A\u00a0modbus command and control channel, in: 2016 Annual IEEE Systems Conference (SysCon), IEEE, 2016, pp.\u00a01\u20136.","DOI":"10.1109\/SYSCON.2016.7490631"},{"key":"ref015","unstructured":"C.\u00a0Leonardo and D.\u00a0Johnson, MODBUS covert channel, in: Proceedings of the International Conference on Security and Management (SAM), The Steering Committee of The World Congress in Computer Science, Computer\u2026, 2014, p.\u00a01."},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1109\/TAC.1974.1100557"},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2018.2826226"},{"key":"ref018","unstructured":"MITRE Corporation, MITRE ATT&CK, 2018, https:\/\/attack.mitre.org, last retrieved in April 2018."},{"key":"ref019","unstructured":"OpenWeatherMap, Malaga weather, 2019, https:\/\/openweathermap.org\/, last retrieved in February 2019."},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.1016\/j.physa.2013.01.023"},{"key":"ref021","doi-asserted-by":"crossref","unstructured":"J.E.\u00a0Rubio, C.\u00a0Alcaraz and J.\u00a0Lopez, Preventing advanced persistent threats in complex control networks, in: European Symposium on Research in Computer Security, Vol.\u00a010493, 2017, pp.\u00a0402\u2013418.","DOI":"10.1007\/978-3-319-66399-9_22"},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"J.E.\u00a0Rubio, C.\u00a0Alcaraz, R.\u00a0Roman and J.\u00a0Lopez, Analysis of intrusion detection systems in industrial ecosystems, in: 
14th International Conference on Security and Cryptography, 2017, pp.\u00a0116\u2013128.","DOI":"10.5220\/0006426301160128"},{"key":"ref023","unstructured":"S2Grupo, Emas SOM\u00a0\u2013 monitoring system for industrial environments, 2018, https:\/\/s2grupo.es\/es\/emas-ics\/, last retrieved in April 2018."},{"key":"ref024","unstructured":"SANS Industrial Control Systems, Analysis of the cyber attack on the Ukrainian power grid, 2016, https:\/\/ics.sans.org, last retrieved in April 2018."},{"key":"ref025","unstructured":"Symantec Security Response Attack Investigation Team, Dragonfly: Western energy sector targeted by sophisticated attack group, 2017, https:\/\/www.symantec.com, last retrieved in April 2018."},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1038\/30918"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191293","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191293","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191293","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:20Z","timestamp":1777495520000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191293"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,8]]},"references-count":26,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2019,9,17]]}},"alternative-id":["10.3233\/JCS-191293"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191293","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,7,8]]}}}