What's CPS?
A cyber-physical system (CPS) integrates computation with the dynamics of a physical process, together with the software and communication that connect them. The goal of CPS research is to integrate physical and cyber design deeply rather than treating them separately. A networked control system (NCS) is a computer-based control system that monitors and controls a physical process whose components (sensors, controllers, actuators) are connected by a network. Many real-life cyber-physical systems, such as the group of UAVs we used, are monitored and controlled by an NCS, which means that NCS is one sub-field of CPS. The American government has treated CPS as a new development strategy since 2007 (CPSweek). Research in this field mainly concentrates on the following areas:
energy control, transmission and management; model-based software design; system-resource allocation; control techniques (which Xenofon works on in his passivity-based control structure); and secure control (which I am trying to do).
In the security of control systems, two questions must be answered first: 1. Why should we care about the security of control systems specifically, compared to IT systems? 2. What new requirements and problems does this field bring? Two practical problems then follow: 1. How to detect attacks. 2. How to keep the system operating (surviving) under attack.
For the second problem, most of the effort so far in protecting control systems has focused on reliability, that is, robustness against random faults. A passivity-based control system can achieve that goal against network uncertainty. For the first problem, we are going to develop techniques to detect attacks, both online and offline. Our goal is to detect a malicious party attacking our NCS. We only consider two attack models:
DoS attack: the adversary prevents the controller from receiving plant measurements, or the plant from receiving control commands. To launch a DoS the adversary can jam the communication channels, compromise devices and prevent them from sending data, attack the routing protocols, flood the network with data, etc. Two questions emerge here: if the background traffic (interference signal) is very large, could we simply call it a DoS attack? And if the network is jammed so badly that the plant and controller cannot talk to each other at all, I think there is no need to detect that kind of attack. So I only make the background traffic large enough to introduce a large delay in the network. Is that really OK? I still need to think more about it.
Deception attack: a compromise of integrity. The adversary sends false information from the plant or the controller. The false information could be an incorrect measurement, an incorrect timestamp for when the measurement was observed, or an incorrect sender ID. The adversary can launch this attack by compromising some sensors or controllers. I will try to realise it in ns2: capture the packet and then modify the data inside.
A very good thought on how to use data from the control system. Note: we argue that detecting attacks on a control system can be formulated as anomaly-based intrusion detection. The difference in a control system is that, instead of building models of network traffic as most existing work does, we can use the model of the control system itself (the state-space equations) directly. Our argument is that if we know how the output of the physical system (plant output) Y1, Y2, ..., Yn should react to our control commands (controller output) U1, U2, ..., Un, then any attack on the sensor measurements or on the controller will show up as an abnormal view of the physical process (it impacts control performance). Given a sequence of observations Y1, Y2, ..., Yn (training data), the anomaly detector should also be able to estimate the expected control signals (reference signal), so it can detect a compromised controller as well. The most natural way to detect these attacks is sequential detection theory (which Xiaowei suggested before). I will look into it.
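To make the argument concrete, here is a small simulation I am adding to this post (it is not code from any paper or from our ns2 setup). It puts the two attack models above and the model-based detection idea together: a toy scalar plant with assumed parameters A, B, a proportional controller with assumed gain K, a Luenberger observer with assumed gain L running on the controller side, and a CUSUM sequential test on the observer residual. The sensor noise, the bias value, the reference schedule and the CUSUM drift/threshold are all assumptions chosen for illustration; the "deception" case offsets the sensor value on the wire, and the "dos" case stops fresh measurements reaching the controller, which then keeps acting on the last value it received.

```python
"""Model-based attack detection for a networked control loop.

Added example (not from the original post). Everything is a constructed
toy with assumed parameters: a scalar first-order plant, a proportional
controller, a Luenberger observer on the controller side, and a CUSUM
sequential test on the observer residual (innovation). Two attack models
are simulated: a deception attack that biases the sensor value, and a
DoS attack that stops fresh measurements reaching the controller.
"""
import random

A, B = 0.9, 0.1        # assumed plant: x[k+1] = A*x[k] + B*u[k], y[k] = x[k]
K = 5.0                # assumed proportional controller: u = K*(r - y)
L = 0.3                # assumed observer gain (chosen so that B*K != L)
NOISE_STD = 0.01       # assumed sensor noise
CUSUM_DRIFT = 0.03     # nu: subtracted each step so noise alone never alarms
CUSUM_THRESH = 1.0     # h: alarm when the CUSUM statistic exceeds this


def reference(k, t_attack):
    """Assumed setpoint schedule: 0 until k=20, then 1, then 2 from t_attack+20."""
    if k < 20:
        return 0.0
    return 2.0 if k >= t_attack + 20 else 1.0


def simulate(attack="none", n_steps=200, t_attack=100, bias=0.5, seed=0):
    """Run the closed loop under one attack model.

    attack: "none", "deception" (sensor reading offset by `bias` from
            t_attack) or "dos" (no measurement delivered from t_attack;
            the controller keeps acting on the last value it received).
    Returns the first alarm step (or None), the final plant state and the
    largest residual seen.
    """
    rng = random.Random(seed)
    x = 0.0        # true plant state
    x_hat = 0.0    # observer state maintained by the detector
    y_recv = 0.0   # last measurement that actually reached the controller
    s = 0.0        # CUSUM statistic
    alarm = None
    max_res = 0.0
    for k in range(n_steps):
        r = reference(k, t_attack)
        y_true = x + rng.gauss(0.0, NOISE_STD)
        if attack == "deception" and k >= t_attack:
            y_recv = y_true + bias          # integrity violated on the wire
        elif attack == "dos" and k >= t_attack:
            pass                            # channel jammed: y_recv goes stale
        else:
            y_recv = y_true
        u = K * (r - y_recv)                # controller acts on what it received
        # Detector: compare the received output with the model's prediction.
        # With a correct model and no attack this residual is just sensor noise.
        e = y_recv - x_hat
        max_res = max(max_res, abs(e))
        s = max(0.0, s + abs(e) - CUSUM_DRIFT)
        if alarm is None and s > CUSUM_THRESH:
            alarm = k
        # Advance the observer (command it saw plus residual correction) and the plant.
        x_hat = A * x_hat + B * u + L * e
        x = A * x + B * u
    return {"alarm": alarm, "final_x": x, "max_residual": max_res}


if __name__ == "__main__":
    for name in ("none", "deception", "dos"):
        res = simulate(name)
        print(f"{name:>9}: alarm at {res['alarm']}, final plant state "
              f"{res['final_x']:.2f} (reference 2.0)")
```

Two things worth noticing in the output. The DoS case raises no alarm while the loop sits at steady state (stale data is still correct data there), and only becomes visible once the reference changes and the controller needs fresh measurements; that is also exactly when the plant runs away, so the residual and the damage appear together. The bias case produces a persistent non-zero residual immediately, because the controller's own reaction to the false reading moves the true plant away from where the model says it should be. The drift and threshold of the CUSUM test are the knobs that trade detection delay against false alarms.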
For future work: once these two common attacks can be detected, we can investigate the effectiveness of our approach in detecting a wider range of attacks, and analyse the trade-offs between detection accuracy, the number of false alarms, and the damage an attack that goes undetected can do to the control system.
In this post I tried to answer what CPS is, its relationship with NCS, the research challenges in this field (especially the secure-control problem), the two attack models we are going to detect, a very good thought on how to detect them, and future work...
Still a long way to go.
For the next reading: look into sequential detection theory and try to find a good detection model, or even build our own.
Any suggestions, please do not hesitate to leave a comment. I would really appreciate it. Thanks.