How do people do their research

http://blog.sciencenet.cn/home.php?mod=space&uid=44406&do=blog&id=490483

sometimes you can get an idea from the class

paper writing

Trade-off study between security and efficiency in networked control system

In this paper, we will discuss how to define security and how to measure the efficiency by our metrics of a specific networked control system. Besides, we propose a relation between these two notions using convex optimization. At last, we get a trade-off between security and efficiency in networked control system using parametric programming and differential geometry.

How is this networked control system?

Metrics for security:

Related work first:

There are many ways to quantitatively differentiate or measure the system security, accurately. [Stuart Schechter] from Harvard uses the cost to break into a system as an effective metric from the start of testing until product retirement, to find out how hard it is for real people to break into a system. It is an economic way to estimate an upper bound and a lower bound for every unique security vulnerability. [R. Ortalo and Y. Deswarte] also presents a method based on the privilege graph model for quantitatively evaluation of the security of information system. It includes two levels. In its design level, it uses security policy to denote the security objectives and in its second level, it uses a pragmatic evaluation technique to achieve a good compromise between security and efficiency in the information system. They also have another paper to presents the results of an experiment in security evaluation and validates the measures[1]. [Lingyu Wang] proposes a method using attack graphs to measure the global security of a network. It tries to integrate the measurement for individual vulnerabilities, resources, and configurations into a global measure based on a particular context. With such method, it can also provide the missing information among network components so as to consider potential attacks and their consequence in the context. These approaches have proposed their ways to evaluate modern IT systems. But, they fail to quantitatively define both the efficiency and security metrics for networked control systems.

Metrics for efficiency:

Related work first:

Analyzing efficiency in networked control system has been started three decades ago. [2,T.C.Yang] in his survey, proposed that most of networked control systems improve their efficiency, flexibility and reliability through common-bus network, reduced wiring and distributed intelligence so as to reduce the installation, reconfiguration and maintenance time and costs. [Derek, Emeka, Jia] in their SimTool paper, they only focus on run-time efficiency of the networked UAV system. Under kinds of network situations, like nominal case, with lots of background traffic and multi-hop network, this paper uses the run-time to denotes its efficiency and compare them. [3] Mei proposes that with the increase of the sampling period, the data packet dropout has to be decreased, therefore, the efficiency of NCS is increased. In a qualitative way, increasing sampling rate will increase the load of network and thus deteriorate its performance. They all illustrate a way to increase efficiency of networked control system. However, same as notion of security, they don’t have a quantitative way to evaluate the “efficiency”.

Their relation:

Get a Trade-off:

Conclusion:

Reference:

[1] Rodolphe. Ortalo, Yves. Deswarte, Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security.

[2] T.C.Yang, Networked control system: a brief survey

[3] Mei Yu, Long Wang, Stabilization of Networked Control Systems with Data Packet Dropout and Transmission Delays: Continuous-Time Case

To do: a trade-off study between efficiency (performance) and security level in intrusion detection network system

General idea: In intrusion detection network system (IDNS), each IDS could be viewed as a sensor which operate independently on their network. We will do an analytical study on a trade-off between security level and efficiency in IDNS. We will define our metrics for each notion, for example, efficiency may relate to the total resource consumption with respect to the allowed resource capacity. The performance of the whole system heavily relies on a trade-off between security enforcement and the usability of a system due to the size of signature database (since most of the existing IDS is signature-based not anomaly based system) and the number of the IDS configured on the network level (not the physical level). The performance of the system will degrade when more security is applied at all times, while the system is prone to attacks when the enforcement of security is overlooked. Hence, interesting questions arise : 1)whether there exists a solution that is both efficient and secure, which means it could be solved subject to a certain constraint. 2)whether there exists a trade-off relation between these two indexes, which remains a challenge in this field. I want to find a complete and generally applicable way to analyze this problem, and get their inside relation. It may lead to some fundamental limits in multi-tier secure networked control system design. In addition, if possible we can get the upper bound and lower bound for them.

Weekly Summary 08/01~08/11

During these two weeks, I have been looking into four papers related to game-theoretical model to balance the security enforcement and the performance of an information system. He also has a paper talking about tradeoff between security enforcement and control system accessibility. The authors usually solves the problem of limited resource allocation. It focuses on the configuration problem of the network level, where multiple IDS are deployed in an enterprise network.

The problems they are trying to solve are:

--limited resource against intrusion

We face malicious attackers from outside. We need to make some intrusion response against them, however, the resources allocated towards responding to attacks, such as IT security personnel, firewalls, and patch management systems, are growing slowly. There is a widening gap between them. In [4], the author only cares about the system administrator's time which in other words is the only resource considered. There is a big assumption that whenever the system's administrator is available, he can fix the intrusion by some actions or strategies.

--untrust IDS and no incentives

In collaborative intrusion detection networks, many proposed IDS system always assume that all IDS cooperate honestly. They are lack of trust management. Even in proposed trust-based IDN, they didn't have incentives in it. That means they haven't consider the situation when some ID only ask for assistance but never contribute. In [2], the author propose an incentive compatible resource allocation scheme to solve this problem.

--trade-off between efficiency and fairness

In intrusion detection and response field, people haven't found a way to better balance the system efficiency and fairness. Since the solution (Nash equilibrium) for noncooperative games may not result in an efficient solution. And, a common linear programming framework may result in an unfair solution in that some users may be assigned with full capacity but the others with none. In [3], the author has an analytical trade-off study between them, especially how he define the metrics to measure efficiency and fairness.

--trade-off between the security and accessibility for cps

There will be influence of cyber security policies on various control system performances. To solve such problem, the author[5] develops an optimal policy for a networked control system.

Four papers are:

[1].RRE A game theoretic intrusion response and recovery engine

[2].A game-theoretical approach to incentive design in collaborative intrusion detection networks

[3].A trade-off study between efficiency and fairness in communication networks

[4].Intrusion response as a resource allocation problem

[5].Towards a unifying security framework for Cyber-Physical Systems

My goal next week is to find a better game-theoretical

rethinking about paper: network security configurations---a nonzero-sum stochastic game approach

In this paper, the author presented an N+M-person stochastic game model for network security configurations to balance between the security and usability of complex cooperative networked control system. The paper focuses on the configuration problems of intrusion detection systems but we can see that the game-theoretic framework is general enough to be extended to address concerns regarding other network security problems, like intrusion response system, using to choose a best response method.

Besides, this paper has proposed a new notion of security capacity to denote the security performance, and characterize a feasibility problem of a nonlinear program. This notion could be further used to do as security metrics in problems like jamming and secure routing.

IDEA: we could extend this work to the case in which defenders and attackers have imperfect monitoring or partial observations of the states and consider games with asymmetric information between defenders and attackers.

DONE: a simple prisoner dilemma has been simulated in matlab. It's a two-player game with four types of payoffs. just a test, need to consider more about this.

TO DO tomorrow: paper reading on <A Game-Theoretical Approach to Incentive Design in Collaborative IDS Networks>, try to find out how to do such experiment.

To do: Game theory and implementation using Matlab

I found using game theory to model the network security configuration, trying to balance the security enforcement and the usability of a networked control system, interesting.

Tomorrow, I will try to implement prisoner's dilemma in matlab.

Game Theory meets Network Security and CPS

This guy from UIUC in Information Trust Group under the supervision of T. Basar, uses lots of game theory into intrusion detection, intrusion response system and CPS. It is a really new area, especially that the application of game theory to wireless networks is a relatively new area.

Quanyan Zhu from uiuc

He has a paper about understanding the tradeoff between security and control system accessibility. In CPS, they always differ in their security objectives, security architecture and quality-of-service requirements. To get a better tradeoff using our specific environment, maybe we could write a paper about it to solve similar problem.

reference:

cpsweek 2011

Towards a Unifying Security Framework for Cyber-physical system

To do tomorrow

another paper: network security configurations: a nonzero-sum stochastic game approach

Find drawbacks of recent research on intrusion response

In modeling system response to security threats, researchers have made extensive use of state-space models. Like the one we mentioned before, RRE: A game theoretic intrusion response and recovery engine, this paper uses the partially observable stochastic game model and extended attack tree called attack-response tree. I think the main drawback for this kind of discrete-time state space model is that they may suffer from state-space explosion.

IDEA1: we may extend some other combinatorial methods for modeling and analyzing cyber attacks and countermeasures to solve this state explosion problem.

Second, by using game theory to find the best defense from a pool of defense mechanisms, it is not a so good way actually. Complicated and consume lots of time and resource.

IDEA2: We could extend some other suitable algorithms which is less expensive compared to this kind of state-space based approach.

Another team has done a great work on this area. Dr. Kishor Trivedi

Summary: Case study (experiments) related to intrusion response, security analysis

Here is my problem on doing such research:

As most of existing work did before, they developed a tool/package/system aiming at specific environment or they have data set with intrusions injected inside already. At least, they are doing security measurement, analysis or security modeling at some kind of specific physical system or research object. If they do how to response, they will have their intrusion alerts from some kind of intrusion detection system (e.g.bro, snort) as their input, or simply use some trace. It cannot come from nowhere. It has to base on some kind of actual real system or results from other tools. Maybe I myself still stuck with engineering thought, not academic thought. Correct me here, please. Thanks.

Below is a list of most representive examples:

William H Sanders from UIUC

RRE: A Game Theoretic Intrusion Response and Recovery Engine

cited by 12, Dependable System and Networks (DSN 2009)

This paper develop a Response and Recovery Engine (RRE) uses alert notifications from Snort, and then choose an optimal response actions by solving a partially observable competitive Markov decision process. They made process control network for a power grid and SCADA as their case study. In order to investigate how such RRE works in reality, they implemented RRE on top of Snort, running on Ubuntu system.

ADEPTS: adapative intrusion response using attack graphs in an e-commerce environment

Saurabh Bagchi from Purdue

cited by 29, DSN 2005

This paper develop ADEPTS to monitor and track intrusions in real-time and deploy responses to contain and restrict the spread of attacks in the system. It also has a testbed for experiments on ADEPTS. The author setup a payload system to mimic an e-commerce webstore, with web servers running applications. Different from RRE, it uses multiple detectors which communicate with ADEPTS, such as Snort and Libsafe. Three experiments were set to demonstrate this ADEPTS 1) for survivabilitity 2) ability to deploy response as the speed of attack varies, 3) adaptation in ADEPTS in choosing responses. Attack graph is used in this paper to show attack goals, since it could provide a possible path of spread of the intrusion.

Intrusion Response as a resource allocation problem

Michael Bloem, Tansu Alpcan, Tamer Basar from uiuc, information trust institute

This paper develop an algorithm for optimal allocation of the systm administrator's time available for responding to attacks, by modeling the interaction between malicious attackers and the intrusion detection system as a noncooperactive non-zero sum game. For the experiment part, this paper implement an IDS prototype in MATLAB and demonstrate its operation under various scenarios with and without such algorithm. One common thing is that it studies intrusion response in an access control systems (PR-BAC), developed by the Boeing company.

other works like Feedback control applied to survivability: A host-based autonomic defense system, which describes the design of a prototype host-based ADS intended to protect a Linux-based web server from automated Internet worm attacks; Using alert verification to identify successful intrusion attempts, presents tool that performs real-time verification of attacks detected by an intrusion detection system. It is not a response, but to verify the alert produced by IDS.

security analysis using Fault Trees (FT)

There are many previous work on using fault trees in reliability and availability modeling. Very few is on safety modeling and security modeling of cyber physical system. Fault trees are more powerful than reliability block diagrams (RBD) with shared nodes.

One potential idea is that I could transform the system model into fault trees and then compared them. Fault trees could be used to validate the system model. Fault trees are well suited for this purpose because they are specifically intended to capture the relationship between component failure and system faults, with an assumption that all basic events be statistically independent.

But there is a key problem here: What's your research object? At least there should be a real system or existing model you can investigate into, some people have there physical system like UAV, while some other people may have their SCADA simulation system. What do you have? Simulation model of NCS? Maybe.

Combinatorial models

--Reliability Block Diagrams: (RBD) map the operational dependency of a system on its components and not the physical structure of the system, including blocks, edges, and dummy nodes. Some software packages have been developed to support construction and solution of RBD models and now it is frequently used in reliability and availability modeling. We have yet to see an application of RBDs in security modeling, but needs to create a compositional theory of security first.

Here is a brief introduction of RBDs: http://www.reliabilityeducation.com/rbd.pdf

It defines logical interaction of failures within a system that are required to sustain system operation. Once the blocks are configured properly and block data is provided, the failure rate, MTBF(mean time between failures), reliability, and availability of the system can be calculated. When it comes to security field, we need to care confidentiality and integrity, using the same method. It is also a good idea if we could use RBD to do security modeling and then quantitatively measure the security of system in order to help IT manager to manage the trade-off between functionality and security.

Weekly Summary

This week I have been doing two things basically.

One is to quantitatively measure the performability and security of the system, that is to quantify the amount of security provided by a system-level method. It needs first to specify the security policy, describe the vulnerabilities of the target system, and then quantitatively evaluation based on some model, like privilege graph model. One crucial factor is to define "cost" for them, such as intrusion damage cost, response cost. I was considering relate this cost to their performance.

Second is that I'm trying to build a intrusion response system based on our cps. First I have to get some intrusion alerts as the input to this IRS from some kind of intrusion detection system. Right now I'm doing with Bro developed by a researcher in UCB. It may need at least one week to get familiar with such system.

some existing intrusion response system

Bro: http://www.bro-ids.org/

Developed by Vern Paxon, a research at UC Berkely, it is a network-based, misuse intrusion detection system. Packets are passively captured from the network and processed into an event stream. The event stream is then compared against a policy script interpreter to detect intrusions. Reports are generated in the form of connection summaries and real-time alerts. Approximately 40 Mb of connection summaries and 20 real-time notifications occur each day. While automatic intrusion response beyond reporting and alerts is discussed as future research, it is currently not implemented.

Besides, I have saw a good paper <Cyber-Critical Infrastructure Protection Using Real-time Payload-based Anomaly Detection> written by Patrick. It uses the transport layer packets captured by Bro and then extract features from those TCP payload.

I am thinking if you want to do intrusion response, you may have to get some output/alerts from some kind of intrusion detection system. Right now I am getting myself familiar with this great tool.

Snort: http://www.snort.org/

It is also a famous network misuse intrusion detection system consists of three components: a packet decoder, a rule-based detection system, and an alert system. Intrusion response is limited to reports and alarms. Little of the work is based on such detection system.

The ultimate goal:

Expand all these network tools to cyber-physical system and come up with my own detection and response system. Theoretical part would be how to define abnormal behavior, build a model to quantitatively denote or rate the security level.

quantitatively measure the performance, dependability, perfomability and security

A unified approach for specifying measures of performance, dependability and performability

--W.H.Sanders

Using some mathematical structure, it is also possible to measure cps security in terms of the amount of "reward(or some other term)" during a specified interval of time, or the rate of accumulation of reward at a specified instant of time or in steady state. It is an evaluation of performance, perfomability based on stochastic activity network model, which could be expanded to security region.

--However, it is hard to understand this reward model, need more thoughts here!

Quantitative Evaluation of Information System Security

--R. Ortalo

This paper first specify the security policy, describe the vulnerability of target system (or organization), and then a quantitative evaluation approach based on the privilege graph model (could be some other model). This method then applied to a security-critical real organization: a medium size bank agency. Also, it is important to illustrate the security measures.

Overall, the goal is to maintain a satisfactory level of security, without impeding the operation of the system. System is still running (well) under malicious attack.

Usual security evaluation methods: evaluation criteria (ITSEC, Information Technology Security Evaluation Criteria, 1991) or risk analysis (Anderson, Comparing Risk Analysis Methodologies, 1991)

Cons: Previous work only focus on the information system design, rather than on the actual system operation (case study).

The method proposed in this paper is also model-based evaluation approach.

1)definition of security policy: security objectives and security rules (specification language)

2)modeling vulnerabilities of the organization, adopted from Dacier and Deswarte, 1994, called a privilege graph. The arcs, the nodes, and the transformation

Using model to quantitatively measure the security of cps for sure would be an promising field. to my best knowledge, I have seen two model, one is use Petri-net with stochastic model, and the other one is use privilege graph. Soon, I will get details for such method and finally come up with my own method.

prospective research

I found that no system-level methodology currently exists that can quantify the amount of security provided by a particular system-level research. Most of security methods have been qualitative. We may find a way that can quantitatively rate the security for cps, and give them a score just like what the security software does to our windows system. It is therefore useful to categorize measures of system behavior. There are some previous works related with "reward models" using the amount of reward accumulated during a specified interval of time, or a "reward rate" at a specified instant of time in steady state.

an idea on intrusion response

Intrusion response, as it said, it is kind of a reaction to some attacks happening (ongoing) in the system already. It effects after the adversary successfully attacked the system. The goal for such research is to bring an insecure network (CPS) under ongoing attacks to its normal operational mode with the minimum possible cost.

For example, if our CPS is under light DoS attack, controller and plant could still talk with each other, but there is large delay on the network caused by DoS attack. The UAV plant may not track the signal well. This is the cost, if we could define it formally, it would be much better. Then how could we response/react to this insecure network to make the possible cost minimum, which strategy should we choose to response/react based on which kind of selection algorithm.

But if we do so, that will make this problem as mitigating the attack.

Intrusion response and recovery

RRE: A Game Theoretic Intrusion Response and Recovery Engine (good paper)

--Saman Zonouz, Himanshu Khurana

This paper has implemented RRE on top of Snort, which is an open-source signature based IDS. RRE employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. An important term used here is Attack-Response Trees (ARTs) to analyze undesired security events. By solving a partially observable competitive Markov decision process that is derived from attack-response trees, RRE will choose an optimal response actions. Basically, it depends the detection of Snort (alerts from here), using its alert to figure out respective response.

RRE is based on automated cost-sensitive model. What's great in this paper is that it modeled the security maintenance of computer networks as a two-player game in which the attacker and response engine try to maximize their own benefits by taking optimal adversary and response actions, respectively. Using ART, RRE explicitly takes inherent uncertainties into account along with alerts from Snort.

It is good method for small network (LAN) IDs.

Automated Response Using System-Call Delays

--Anil somayaji

This paper developed a system called pH (for process homeostasis), which can detect and stop intrusions before the target system is compromised. It monitors every executing process on a computer at the system-call level, and responds to anomalies by either delaying (slowing down) or aborting system calls. Normal behavior is determined by the currently running binary program.

pH is implemented as a patch for the Linux 2.2 kernel. They modified the system call dispatcher so that it calls a pH function prior to dispatching the system call. Basically, the author insert a independent process into Linux to monitor the entire process and detect the abnormal process.

It is good for single-host IDs.

Cooperating Security Managers: A Peer-Based Intrusion Detection System

--Maj. Gregory B. White, Eric A. Fisch

This paper designed and implemented CSM, which could perform a larger network IDS. Individual CSM works on each individual hosts. There is a security manager working to cooperatively and autonomously communicate with them and determine the current state of a system.

The prototype of CSM was developed using a Sun SPARC-station LX running SunOS v5.3. Basically, CSM is a package patched in OS to detect intrusive activities. Applied to a network, CSM is designed to perform intrusion detection and reporting functions in a distributed environment without requiring a designated central site or server to perform the analysis of network audit data.

Toward Cost-Sensitive Modeling for Intrusion Detection and Response (good paper)

--Wenke Lee@gatech

This paper builds a cost-sensitive intrusion detection model, including development cost, operational cost, damage cost and the cost of manual and automated response to intrusions. this kind of cost-sensitive machine learning techniques can produce detection models that are optimized for user-defined cost metrics.

The experiment uses the data from a military network with a wide variety of intrusions injected into the network over a period of 7 weeks. The data was divided into two parts: training set and test set.

The main objective in applying such a model is to compare intrusion damage and response cost to

Here is what I thought:

As we have seen above, almost all the previous work has developed a tool/package/system aiming at specific environment or they have data set with intrusions injected already. Since we don't have such kind of data set/trace, we could try to take advantage of the unique environment --- our cps simulation environment to develop a similar detection and response engine, as a goal. One problem is that this may not be easily ported to other internetworked environment. But one good thing is that it could be used to test different kinds of response strategy used to pick out a best response against the adversaries.

Control techniques in NCS

Paper Reading: Control methodologies in networked control systems

After reading paper “Simulation of Network Attacks on SCADA system”, I was thinking maybe I could do a series of simulation to analyze the effects of network attacks on NCS. Different from previous work, I was thinking to make two situations, one with full-fledged DoS attack on routers so that the network will be essentially broken at that point and result in a loss of regulatory function of the controller, complete loss of the communication between controller and plant; the other with only attacking some factors inside plant, not the whole plant, so that the controller is not blind to any of the required sensors, but its regulation function could be still hampered by it not being able to control all the factors in the plant. This requires a deep understanding on the NCS we are using in NCSWT. This is the idea coming from control perspective. Maybe I could make some change to the NCS to output some more factors or let it have some more input values besides x, y, id we already had. This is why I read thoroughly over control technique.

Some valued points got from this paper:

In the NCS research field, regardless of the type of network used, the overall NCS performance is always affected by network delays. This network delay (time-varying, constant, periodic) still significantly affects the close-loop system. And it requires an advanced control methodology. (Before that, I was thinking with the development of network today, network speed, network bandwidth is making this delay almost ignorable. It may not be necessary to make network delay as research object since it may not have a significant effect on NCS performance. I was wrong.)

This network delay is composed of sensor-to-controller delay and controller-to-actuator delay for all the NCS, including hierarchical structure (multiple control system with one or multiple main controller).

To be noted that, for the effects of delays in the close-loop control system, it only has two main effects. One is widely known to degrade system performances of a control system, such as higher overshoot and the longer settling time when the delays are longer than expected. The other one is to destabilize the system by reducing the system stability margin. There have been several studies to derive stability criteria for an NCS in order to guarantee that the NCS can remain stable in a certain condition. However, there is no generic stability analysis that can be applied on every NCS. I guess this could still use the frequency domain analysis for checking stability when the delays are added into the system.

For the control techniques used to solve this network delay problem, you have to maintain the stability of the system first and then try to maintain the performance of the system. Two methods were caught into the eyes:

Sampling time scheduling methodology, to appropriately select a sampling period for an NCS such that network delays do not significantly affect the control system performance;

Event based methodology, instead of using time, this method uses a system motion as the reference of the system.

To be continued…

Research fields in CPS

During my survey last week, I attempt to have a comprehensive study of current research on CPS area. Reading papers from ICCPS'10, I found that CPS covers a wide area, such as foundation of CPS, the CPS's application, CPS testbed, CPS security, and CPS design, CPS resource allocation. I will focus on the CPS security survey.

A brief history about CPS could make us have a good understanding on it. NSF awarded a five-year $5 million grant to a research project titled “ Science of Integration for Cyber-Physical Systems,”. This project is a joint effort of many research centers (Vandy, ND, General Motors Research and Development Center, UCB, Memphis). Vanderbilt will lead the project. It aims to develop the theory, methods and tools to build cps, by combining seamlessly the necessary heterogeneous computational and physical components. The Notre Dame team will be using the theoretical concepts such as passivity and symmetry to address system uncertainties and the interdependence of design concerns.

Also, by looking into the paper, I found that nowadays all the CPS research has a great real-world testbed, not just simulation. Even model designed CPS research has tried to build their testbed so as to evaluate its performance.

Two papers were taken a lot of thought when I'm reading.

A Testbed for Secure and Robust SCADA Systems

Simulation of Network Attacks on SCADA Systems

both of them were written by guys from ISIS. They claim that it is good to use C2WT as testbed for evaluation of effect by network attack over SCADA. By doing this, you have to know more about control system used in C2WT, how plant and controller are related. Considering NCS we are using is from Emeka's model, I'm asking for further reading from Emeka about this NCS.

Paper Reading on: Modeling Load Redistribution Attacks in Power Systems

This paper introduces a special type of false data injection attack, called load redistribution attacks, defined by the authors themselves. It is very similar to what I did as Deception Attack in CPS. However, it is also very specific to Smart Power Grid System, to affect the outcome of the state estimation and then further mislead the operation and control functions of Energy Management System. With some assumptions, this paper come up with a unique attack type, LR, increasing load at some buses and reducing loads at other buses while maintaining the total load unchanged. In this kind of attack, only load bus injection measurements and line power flow measurements are attackable. It can mislead the state estimation process without being detected by any of the existing techniques for bad data detection. (Not quite understand about this. It cannot be detected? Really?)

And then, the author quantitatively analyzed its damage to system operation using 6 different LR attack case. By increasing the magnitude of attack, the system operation cost is increased. From the damaging effect analysis, the author differentiate two attacking goals: immediate attacking goal and delayed attacking goal. This is a good selling point for this paper. Do a damage effect analysis using a bi-level model and a KKT-based method is used to identify the most damaging attack from an attacker's perspective. It is aiming to maximize the operation cost immediately after the attacks. The upper level represents the attacker, and the lower level represents the reactor, subject to some constraints that make it as LR attack.

ToDo threat model in NCSWT

In order to do anomaly detection over NCS, first we must get some normal data without any attack and abnormal data within different kinds of attack.

Thanks for these days work with newer version NCSWT. I'm now much familiar with C2WT.

We know the security goal that NCS should achieve lies in the order of importance, availability, integrity and confidentiality. How to select the appropriate security mechanisms requires a threat model first.

Threat taxonomy:
We could categorize the attacks into three main types:
1. outsider attacks. (This is where we focus)
--Deception attack (spoofing attack)
Using new version NCSWT, we could now easily change the values transmited between controller and plant by spoofed packets, causing it to perform undesired effects. I was thinking maybe could do several kinds of spoofing here. Try to find some more information. The analysis could be done offline by data from control system.
--Denial of Service attack (jamming attack)
Jamming is the interference with the Radio Frequency(RF) used by the nodes in a network. It makes use of the broadcast nature of the communication medium. We don't want to compromise the availability of network, just need to give the control network some more delay. Because if there is no network availability we can easily notice the attack and take some correct actions. There is no need to detect. I think it is meaningful that if we could detect out that there is a lot of traffic in the network and then launch an alarm. This could be done in the ns2, online. In simulation system, this kind of work has not been done before.
--Replay attack
In a replay attack, a transmitted packet is maliciously or fraudulently repeated or delayed by the adversary. I have an idea that this could also be done in NCSWT, by revising some code in ns2.

2. Key-compromise attacks.
Since low-entropy of certain measurement reports, confidentiality could be easily compromised by simple traffic analysis. So, most systems use encryption to ensure confidentiality. However, this secret key may be stole or compromised by adversary. We may not do this, since we don't do encryption in the first place.

3. Insider attacks.
adversary act as legitimate nodes in the network.

whole background with security problem over CPS

I was always confused about CPS and NCS. Some paper says they are the same meaning just in the different field, while some paper says not. So I have read some of these papers trying to make it more clear, to provide a better understanding of CPSs background knowledge, its application and its challenges, especially what we are concerned--security problem of CPSs.

What's CPS?

Cyber Physical system integrates computation and dynamics of physical process with those of the software and communication. The goal of CPSs research is to deeply integrate physical and cyber design. Networked control system (NCS) are computer based control systems that monitor and control physical processes in which components are connected by network. Many real-life cyber-physical systems, such as group of UAV we used, are monitored and controlled by NCS. which means that NCS is part of CPSs, only one small field of CPSs. American government has treated CPS field as a new development strategy since 2007 (CPSweek). These research mainly concentrate in following respects:

energy control, transmission and management, model-based software design, system-resource allocation, control technique(which Xenofon does in his passivity based control structure), secure control (which I am trying to do)

In the security field of control systems, two questions must be answered: 1. why should we be interested in the security of control system(compared to IT system) 2. what are the new requirements and problems for this field? And also two problems emerged: 1. how to detect attacks 2. how to make it survive under the attacks.

For the second problem, up to now, most of the effort for protecting control system has focused on reliability(ability against random faults). If we use passivity based control system, it can achieve this goal against any network uncertainty. We are going to develop kinds of techniques to detect attacks, online and offline. Our goal is to detect attacks from a malicious party attacking our NCS. We only consider two kinds of attack model:

DoS attack:the adversary prevents the controller from receiving plant measurements or the plant from receiving control commands. To launch a DoS the adversary can jam the communication channels, compromise devices and prevent them from sending data, attack the routing protocols, flood the network with data, etc. Here emerges two questions: if the background traffic(interference signal) is really large, could we just denote it as DoS attack? if we jam the network so badly that plant and controller cannot talk to each other, I think there would be no need to detect this kind of attack? So I only make this background traffic large enough to introduce a large delay in the network. Is that really OK? Still need to think more about it.

Deception attacks: It is a compromise of integrity. the adversary sends false information
from plant or controller. the false information could include: an incorrect measurement, the incorrect time when the measurement was observed, or the incorrect sender id. The adversary can launch these attack by compromising some sensors or controllers. I will try to realize it in ns2. Capture the package and then revise the data inside.

Very good thought in how to use data from control system. Note: We argue that detecting attacks to control system can be formulated as anomaly-based intrusion detection system. The difference in control system is that instead of creating models of network traffic as most of exsiting work did before, we could directly use the model of control system instead(state-space equation). Our argument is that if we know how the output of the physical system(plant output) Y1,Y2...,Yn should react to our control command(control output) U1,U2...Un. Then any attack to sensor measurements or control system will exhibit an abnormal view of the physical process(impact control performance). Given a sequence of observations Y1,Y2...Yn (training data set), the anomaly detector should also be able to estimate the expected control signals(reference signal) to detect if a controller has been compromised. Most natural way to detect these attack is to use sequential detection theory(what Xiaowei has suggested before). I will look into it.

For future future work: If these two common attack is detected, we can investigate the effectiveness of our approach for detecting a wide range of attacks, and also to analyze the tradeoffs between the accuracy of attacks, the number of false alarms, and the damage to the control system of attacks that can go undetected in our system.

In this post, I am trying to answer what's CPS, its relationship with NCS, research challenge in this field especially secure control problem, two attack model we are going to detect, a very good thought on how to detect and also future future work...

Still long way to go.

For next reading: Looking into sequential detection theory, trying to find a great detection model or even create our own model.

Any suggestion, please do not hesitate to make a comment. I will be very appreciated it. Thanks.

anomaly detection on NCS 02-11memo

For our today's discussion:
  Take why anomaly detection should be used for networked control
system this kind of introduction aside, right now things need to be done
first are as follows:
1. Attack model
After all, this is for us to get the test data and ensure the accuracy
of our approach. Two model used here, one is DoS attack model which
could be easily implemented in network side. The other one is Deception
attack model, which will be implemented in controller side replacing the
reference signal with a small offset from our reference signal before.
At the same time, I will try to learn how to change content of package
in ns2, to do deception attack in this way.

2. Find Training set which is the normal data
Still have some questions here. At first, I have thought that this is an
off-line approach. I didn't deploy this model in Controller or Plant. So
the intuitive way is to get result from Plant directly and then analyze
it. I didn't quite understand. If we want to use the data from
Controller side, comparing its input with the Plant output, it has to be
an on-line detection way. Otherwise, the data obtained from Controller
after UAV done its work has no meaning I think.
And for "normal", means no attack on the network, but may still have
some data loss, network delay to cause some deviation from the reference
signal. But how do we decide this value? (The same as Threshold value. )
Since they all lead to a larger network delay with the same effect on
the Plant as DoS attack model does.

3. detection model
Still use the distance model to compute the deviation from test data to
nominal data

4. Detector
anomaly score compared with threshold value...

Thanks.