The core technological innovation brought by PREEMPTIVE is based on the depicted stack of techniques adopted to analyse cyber threats.
Industrial process analysis: this analysis identifies misbehaviour at process level through analysis of measurements that can reveal the effect of a cyber-attack on the process behaviour (WP6). This “misbehaviour detection” will receive information from host and network detection tools, combining them with the network utility taxonomy
Context-aware event analysis: specialised event-mining techniques for enumerating infrequent events and discovering anomalous behaviour of the system as a whole.
Host-based analysis: this analysis takes into account system events such as OS events, software driver events, etc.
Network-based analysis: this analysis considers low-level industrial protocol network traffic.
PREEMPTIVE Methodology at a glance
The “PREEMPTIVE dual approach” is based on two pillars: “Industrial process misbehaviour detection” and “Comm. & Sw related threats prevention and detection”. The biggest strength of PREEMPTIVE is the simultaneous analysis of the industrial processes, in the physical domain, and of the cyber assets (industrial network protocols, base software) in the cyber domain. Using these two complementary techniques, the capability to mitigate the exploitation of vulnerabilities in utility networks is dramatically improved.
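The following is an added illustration of the dual approach described above (process misbehaviour detection fused with network-level detection); it is example code written for this page, not PREEMPTIVE's own tooling. It assumes a hypothetical tank process whose level should rise while the pump is commanded on, a constructed sample of PLC measurements, and a constructed list of industrial-protocol write events with an allow-list of hosts permitted to issue writes.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int          # time in seconds
    level: float    # measured tank level (constructed value)
    pump_on: bool   # pump state as commanded/reported by the PLC

@dataclass
class NetEvent:
    t: int
    src: str        # host that sent the protocol message
    kind: str       # e.g. "write_coil", "read_registers"

# Assumed physical model: pump on -> level rises 1.0 unit/s, pump off -> falls 0.5 unit/s.
RATE_ON, RATE_OFF, TOL_PER_S = 1.0, -0.5, 0.3

def process_misbehavior(samples):
    """Physical domain: flag timestamps where the measured level change
    contradicts what the commanded pump state should produce."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        expected = (RATE_ON if prev.pump_on else RATE_OFF) * dt
        observed = cur.level - prev.level
        if abs(observed - expected) > TOL_PER_S * dt:
            alerts.append(cur.t)
    return alerts

def network_anomalies(events, allowed_writers):
    """Cyber domain: flag write operations from hosts not allowed to write."""
    return [e.t for e in events if e.kind.startswith("write") and e.src not in allowed_writers]

def correlate(process_alerts, net_alerts, window):
    """Dual approach: a process alert preceded by a network anomaly within
    `window` seconds is 'confirmed'; the rest may be sensor faults or noise."""
    confirmed = sorted({p for p in process_alerts for n in net_alerts if 0 <= p - n <= window})
    unconfirmed = [p for p in process_alerts if p not in confirmed]
    return confirmed, unconfirmed

def run_demo():
    # Constructed data: pump reported on throughout, but level starts falling at t=4.
    samples = [Sample(0, 10.0, True), Sample(1, 11.0, True), Sample(2, 12.0, True),
               Sample(3, 13.0, True), Sample(4, 12.4, True), Sample(5, 11.9, True),
               Sample(6, 11.4, True)]
    events = [NetEvent(1, "10.0.0.5", "read_registers"), NetEvent(3, "10.0.0.99", "write_coil")]
    proc = process_misbehavior(samples)
    net = network_anomalies(events, allowed_writers={"10.0.0.5"})
    return proc, net, correlate(proc, net, window=2)
```

Run `run_demo()` to see the process alerts at t=4, 5 and 6, the unauthorised write at t=3, and the fusion step confirming only the alerts that fall within two seconds of it.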