Thursday, March 24, 2011

ToDo threat model in NCSWT

In order to do anomaly detection over an NCS, we first need normal data collected without any attack and abnormal data collected under different kinds of attack.

Thanks to these past days of work with the newer version of NCSWT, I'm now much more familiar with C2WT.

The security goals an NCS should achieve are, in order of importance, availability, integrity and confidentiality. Selecting the appropriate security mechanisms requires a threat model first.

Threat taxonomy:
We can categorize attacks into three main types:
1. Outsider attacks. (This is where we focus.)
--Deception attack (spoofing attack)
Using the new version of NCSWT, we can now easily change the values transmitted between controller and plant with spoofed packets, causing the plant to behave in undesired ways. I was thinking that maybe several kinds of spoofing could be done here; I should try to find some more information. The analysis could be done offline on data logged from the control system.
--Denial of Service attack (jamming attack)
Jamming is interference on the radio frequency (RF) channel used by the nodes in a network; it exploits the broadcast nature of the shared medium. Here we do not want to take away the availability of the network altogether, only to add extra delay to the control network: if the network is completely unavailable, the attack is easy to notice and the right corrective action can be taken, so there is nothing to detect. I think it is meaningful if we can detect that there is a lot of traffic in the network and then raise an alarm. This could be done online in ns2. In a simulation system, this kind of work has not been done before.
--Replay attack
In a replay attack, a transmitted packet is maliciously or fraudulently repeated or delayed by the adversary. I have an idea that this could also be done in NCSWT by modifying some code in ns2.

2. Key-compromise attacks.
Since certain measurement reports have low entropy, confidentiality could easily be compromised by simple traffic analysis, so most systems use encryption to ensure confidentiality. However, the secret key may be stolen or otherwise compromised by the adversary. We may not cover this, since we do not use encryption in the first place.

3. Insider attacks.
The adversary acts as a legitimate node in the network.
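The data-collection step (one clean run, then one run under each attack) and the three outsider attacks above can be exercised in a small, self-contained toy model before touching NCSWT. The block below is an added example written for this note; it is not NCSWT, C2WT or ns2 code. Everything in it is an assumption chosen for illustration: the scalar plant x[k+1] = A*x[k] + B*u[k], the proportional controller, the constants A, B, K and the detector thresholds. The toy channel has no packet counts, so jamming shows up as the extra delay it causes rather than as the traffic volume the note proposes to count in ns2; deception is a biased measurement and replay is a re-injected captured packet. The offline detect() goes slightly beyond the text by giving each attack its own check, which shows why a single detector is not enough.

```python
"""Toy networked control loop with the three outsider attacks as channel knobs.

Added illustration, not NCSWT/C2WT/ns2 code.  The plant is the assumed scalar
model x[k+1] = A*x[k] + B*u[k]; the controller is proportional and uses the
newest sensor packet delivered over a one-step channel.  An adversary on the
path can bias readings (spoof), add queueing delay (jam) or re-inject a
captured packet (replay).  Running the loop clean and under each attack gives
the "normal" and "abnormal" traces an anomaly detector would be built on.
"""
import random

A, B, K, SETPOINT = 0.9, 0.5, 0.8, 1.0   # assumed plant/controller constants
ATTACK_START = 30                        # attacks start here; earlier steps are clean


def run_loop(steps=60, attack=None, seed=1):
    """Simulate `steps` control periods; attack in {None, "spoof", "jam", "replay"}.
    Each trace row holds the true state, the packets that arrived that step as
    (seq, observed delay, value) and the control action the controller chose."""
    rng = random.Random(seed)
    x, u = 0.0, 0.0
    channel = []      # in-flight sensor packets: (deliver_at, seq, value)
    captured = []     # everything the adversary has sniffed, used by replay
    y_rx = 0.0        # newest measurement the controller holds
    trace = []
    for k in range(steps):
        active = attack is not None and k >= ATTACK_START
        y = x + rng.gauss(0.0, 0.01)               # noisy sensor sample
        delay = 1                                  # nominal one-step channel
        if active and attack == "spoof":
            y += 0.5                               # deception: biased measurement
        if active and attack == "jam":
            delay += rng.randint(2, 4)             # jamming: extra delay, no outage
        channel.append((k + delay, k, y))          # sequence number == sending step
        captured.append((k, y))
        if active and attack == "replay" and k % 5 == 0:
            old_seq, old_y = captured[k - 20]      # re-inject a 20-step-old packet as is
            channel.append((k + 1, old_seq, old_y))
        arrivals = [(seq, k - seq, val) for at, seq, val in channel if at <= k]
        channel = [p for p in channel if p[0] > k]
        for _, _, val in arrivals:                 # no authentication: last arrival wins
            y_rx = val
        u = K * (SETPOINT - y_rx)
        trace.append({"k": k, "x": x, "arrivals": arrivals, "u": u})
        x = A * x + B * u                          # plant update
    return trace


def detect(trace, delay_limit=2, residual_limit=0.1):
    """Offline checks over a trace.  Returns a list of (step, kind) alarms:
    "replay"  a sequence number arrives a second time,
    "delay"   observed delay beyond the nominal channel,
    "spoof"   measurement disagrees with the model-predicted state for its seq."""
    # Run the controller's own actions through the model to predict each state;
    # a legitimate reading must match the prediction for its sequence number.
    x_hat = [0.0]
    for row in trace:
        x_hat.append(A * x_hat[-1] + B * row["u"])
    alarms, seen = [], set()
    for row in trace:
        for seq, delay, val in row["arrivals"]:
            if seq in seen:
                alarms.append((row["k"], "replay"))
            seen.add(seq)
            if delay > delay_limit:
                alarms.append((row["k"], "delay"))
            if abs(val - x_hat[seq]) > residual_limit:
                alarms.append((row["k"], "spoof"))
    return alarms


def alarm_kinds(attack=None, steps=60):
    """Set of alarm kinds a run under `attack` triggers (empty for a clean run)."""
    return {kind for _, kind in detect(run_loop(steps, attack))}


if __name__ == "__main__":
    for attack in (None, "spoof", "jam", "replay"):
        trace = run_loop(attack=attack)
        print(f"{attack or 'clean':7s} final x={trace[-1]['x']:.3f} "
              f"alarms={sorted(alarm_kinds(attack))}")
```

The residual check catches the spoofed measurement but not the replayed one, because a replayed packet still agrees with the model at its old sequence number; replay is caught only by the duplicate sequence number, and it also trips the delay check since it arrives long after it was sent. Jamming, conversely, leaves values consistent with the model and only shows in the delay. This is the reason the note separates the three attacks: each leaves a different footprint in the trace.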
