Friday, February 11, 2011

anomaly detection on NCS 02-11memo 

For our today's discussion:
  Take why anomaly detection should be used for networked control
system this kind of introduction aside, right now things need to be done
first are as follows:
1. Attack model
After all, this is for us to get the test data and ensure the accuracy
of our approach. Two model used here, one is DoS attack model which
could be easily implemented in network side. The other one is Deception
attack model, which will be implemented in controller side replacing the
reference signal with a small offset from our reference signal before.
At the same time, I will try to learn how to change content of package
in ns2, to do deception attack in this way.

2. Find Training set which is the normal data
Still have some questions here. At first, I have thought that this is an
off-line approach. I didn't deploy this model in Controller or Plant. So
the intuitive way is to get result from Plant directly and then analyze
it. I didn't quite understand. If we want to use the data from
Controller side, comparing its input with the Plant output, it has to be
an on-line detection way. Otherwise, the data obtained from Controller
after UAV done its work has no meaning I think.
And for "normal", means no attack on the network, but may still have
some data loss, network delay to cause some deviation from the reference
signal. But how do we decide this value? (The same as Threshold value. )
Since they all lead to a larger network delay with the same effect on
the Plant as DoS attack model does.

3. detection model
Still use the distance model to compute the deviation from test data to
nominal data

4. Detector
anomaly score compared with threshold value...

Thanks.


Posted by at
Labels:

2 comments:

  1. XiaoweiFebruary 17, 2011 at 11:14 PM

    I have several suggestions for your experiment.
    1. Training:
    (1) For a "typical" network setting (delay, pkt loss), vary the input signal (i.e. reference signal, by changing the sine wave frequency or using square/saw wave, observe the plant output and controller input. The reason why we vary the signal is the frequency of input signal may influence the plant output due to the response time. These data can be regarded as normal training data.
    ps: I still think we should look at controller input, instead of plant output. Since, in normal situation, the controller input should be closely correlated with plant output. Using either one will achieve similar result. Moreover, if the system is under attack, the controller input will be different from plant output, which will yield larger deviation than observing plant output.
    (2) Calculate the anomaly scores for the above training set using your defined distance model. The scores should be small enough to fall within a range, which can be inferred as the detection threshold.
    2. Attack:
    Simulate the DoS and deception attacks. Calculate the anomaly scores respectively.
    3. Argument for our approach:
    The effect of DoS attack is increased network delay and pkt loss. If the background traffic is too large, we can assume there is ongoing attack. Instead of observing network-layer characteristics (pkt loss, delay) as in traditional approach, we look at higher-level signal, the deviation of which can also indicate possible DoS attack. Also, traditional approaches cannot handle deception attack, since the network-layer features are all normal except the packet content. Our approach can detect it because the signal would largely deviate from what we expect.

    I am not sure whether I make it clear or correct. Please correct me or add more comments for our discussion.

    ReplyDelete
  2. JiannianFebruary 18, 2011 at 1:30 AM

    Xiaowei, thanks for your comment.
    (1)I have done an experiment with the frequency of reference signal large enough. And the plant output could be seen as following figure.
    http://www.flickr.com/photos/57508663@N07/5454962795/
    It seems that no matter how large frequency of input signal is, it cannot influence the plant output. Response time?
    Yes, it is reasonable to use ConIn-Reference pair as the feature to show the deviation between normal with abnormal point, as the result I have got with clusters.
    (2)What do you mean by small enough? how to tune this parameter?
    about this threshold, maybe we should not just define it by ourselves...
    2. I am getting down to it.
    3. large background traffic=attack??I will think more about it. Or just make it as an assumption.

    ReplyDelete

Subscribe to: Post Comments (Atom)