
Anomaly Based Intrusion Detection System for ZigBee Networks in Smart Grid (ABIDS)

Bilal Al Baalbaki, Jesus Pacheco, Youssif Al-Nashif, and Salim Hariri

University of Arizona

Agenda

Motivation

Smart Grid

ZigBee

Anomaly Rule-Based IDS Approach

Tested Attacks

Experimental Results

Conclusion

Current work

Motivation

According to the DOE report [DOE 2012], the current electric grid falls short in the following areas:

Reliability: During the last 40 years there were 8 massive blackouts that took down large parts of the US electricity supply; three of them occurred in the past nine years alone.

Efficiency: If the grid were made just 5% more efficient, the savings could supply 6 million new homes and save $600 million.

Economy: In 2000, a one-hour blackout at the Chicago Board of Trade held up around $20 trillion in trades.

Security: The current topology of the electric grid leaves it open to attack. Since the US grid is centralized in most of its parts, any single failure can lead to catastrophic consequences. The current monitoring systems are reactive, lag behind events, and take a long time to recover the system.

Smart Grid

According to [Yan2012]:

Intelligent: SG is capable of sensing the system state and predicting upcoming electricity peaks. As a result, SG can mitigate a potential failure or outage before it happens. Moreover, it can switch the power source between conventional generation and renewable energy to provide consumers with the highest energy quality at the lowest price. All of this should happen with little intervention from the users.

Efficient: SG is able to meet the increased demand for electricity since it uses the energy resources in an optimal way and always has backup plants.

Smart Grid [Yan2012] (cont'd)

Motivating: SG enables two-way communication between consumers and their service providers. Consequently, both sides have a better understanding of the current status of the electricity (price, demand, etc.) and are motivated to take actions that improve smart grid operations and reduce operating costs.

Quality-focused: SG is capable of improving the delivered power. A few of these qualities: continuity of service, no variation in voltage magnitude, smooth transient voltages and currents, low harmonic content in the waveforms, and freedom from disturbances and interruptions.

Resilient: SG will be able to adapt smoothly to any change or failure in the electric grid. Furthermore, SG will be more robust against attacks and natural disasters as it becomes more decentralized and is reinforced with smart grid security protocols.

Figure 1. General Diagram for Smart Grid

Figure 2. Smart Home Technology Overview

ZigBee

Low-power wireless M2M networks. The ZigBee standard runs on top of the IEEE 802.15.4 physical radio specification and operates in the unlicensed ISM bands, including 2.4 GHz, 915 MHz and 868 MHz.

Frequency (MHz)   Data rate (kbps)   Number of channels   Location
2400              250                16                   Global
915               40                 10                   Americas
868               20                 1                    Europe

Table 1. Wireless Network Radio Frequency Bands [Lundgren2012]

Specification

Short-range
Low-power
Low-data-rate
Wireless multi-hop networking technology standard
Wakes from sleep to active mode in about 15-30 ms
A single ZigBee network can address up to about 65,000 nodes (16-bit network addresses)

Topology

Full Function Device (FFD):
- Can be either coordinator or router
- Can talk to any node
- Starts the network and authenticates RFDs
- Connects networks with each other
- Can fit in any network topology (star, cluster tree, peer to peer or mesh)

Reduced Function Device (RFD):
- Can only be an end point
- Can talk only to an FFD
- Asks the FFD for authentication

Topology (Cont’d)

ZigBee Coordinator (ZC)

ZigBee Router (ZR)

ZigBee Trust Center (ZTC)

ZigBee End Device (ZED)

ZigBee Gateway (ZG)

Architecture

Figure 4. ZigBee Protocol Stack [Kunz, Lung 2012]

Mesh Network

Figure 5. Mesh Network [ZigBee Alliance 2014]

Security Keys

Master keys: most of the time these keys are factory installed. If none is provided, the trust center treats the device's MAC address as the master key.

Network keys: all devices on a ZigBee network share the same network key. The FFD that starts the network chooses the network key.

Link keys: keys that originate from the trust center are called trust center link keys.

ZigBee Pro Security

Access control
Key based
Frame counter

ZigBee's security means two things:

Encryption: malicious nodes cannot decode the data.

Authentication: ZigBee nodes do not execute any command from an untrusted device.
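The frame counter listed above is what turns the symmetric AES-CCM* key into a replay defence: a receiver keeps, per source device and per key, the highest counter it has accepted and refuses anything at or below it. The check below is an added example, not code from the ABIDS paper or from any ZigBee stack; the SecuredFrame layout (source address, key sequence number, counter, payload) is a simplification of the auxiliary security header chosen for illustration, and the frame sequence is constructed.

```python
"""Incoming frame-counter replay check, modelled on the ZigBee NWK security
rule that a received frame's 32-bit counter must be strictly greater than
the last counter accepted from the same source under the same key.

Added example: not code from the ABIDS paper or from a ZigBee stack. The
SecuredFrame fields are an illustrative simplification of the auxiliary
security header, not the wire format."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FRAME_COUNTER_MAX = 0xFFFFFFFF  # 32-bit NWK frame counter


@dataclass
class SecuredFrame:
    src: int        # 16-bit NWK source address
    key_seq: int    # sequence number of the network key the frame was secured with
    counter: int    # frame counter carried in the auxiliary security header
    payload: bytes


@dataclass
class FrameCounterFilter:
    """Tracks, per (source, key sequence), the highest frame counter accepted."""
    last_seen: Dict[Tuple[int, int], int] = field(default_factory=dict)
    rejected: List[Tuple[SecuredFrame, str]] = field(default_factory=list)

    def accept(self, frame: SecuredFrame) -> bool:
        key = (frame.src, frame.key_seq)
        if frame.counter > FRAME_COUNTER_MAX:
            self.rejected.append((frame, "counter out of range"))
            return False
        # A counter at its maximum means the key is exhausted: ZigBee requires
        # a key switch rather than wrapping, so a frame at the limit is refused.
        if frame.counter == FRAME_COUNTER_MAX:
            self.rejected.append((frame, "counter exhausted, key switch required"))
            return False
        prev = self.last_seen.get(key)
        if prev is not None and frame.counter <= prev:
            # Replayed (== prev) or late out-of-order (< prev) frame. CCM*
            # decryption with the old nonce would still succeed, so this
            # comparison is the only thing standing between the network and a replay.
            self.rejected.append((frame, f"replay: counter {frame.counter} <= {prev}"))
            return False
        self.last_seen[key] = frame.counter
        return True


def run_demo() -> List[bool]:
    """Feed a constructed frame sequence through the filter and return the
    accept/reject decisions in order."""
    f = FrameCounterFilter()
    frames = [
        SecuredFrame(0x0001, 0, 10, b"on"),
        SecuredFrame(0x0001, 0, 11, b"off"),
        SecuredFrame(0x0001, 0, 11, b"off"),               # exact replay of the previous frame
        SecuredFrame(0x0001, 0, 5, b"on"),                 # captured earlier, replayed late
        SecuredFrame(0x0002, 0, 5, b"report"),             # different source keeps its own counter
        SecuredFrame(0x0001, 1, 0, b"on"),                 # new network key: counter restarts
        SecuredFrame(0x0001, 1, FRAME_COUNTER_MAX, b"x"),  # exhausted counter
    ]
    return [f.accept(fr) for fr in frames]
```

Note that the counter is tracked per key sequence number: after a network key update the counter legitimately restarts at zero, so a filter keyed on source address alone would either drop the first frames under the new key or, if reset naively, accept replays of old-key traffic.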

Related Work [Hwajeong 2011]: attribute-based cryptography (public, master and private keys)

Approach: setup, encryption, key generation, decryption, and delegation.

Advantages: reduces the number of keys, which reduces the size of the required memory.

Drawbacks: 1- An intruder with low monitoring overhead and basic data extraction skills can gain access to the system. 2- The system does not support digital signatures since it depends on attributes, and hence cannot be protected from malicious injection.

[Jokar, Leung 2011]: specification-based IDS

Approach: 7 specifications (4 PHY and 3 MAC) to build a normal behavioral model.

Advantages: it can detect unknown attacks.

Drawbacks: 1- High false positive rate since it uses only nominal values. 2- Simulation work only.

Related Work [Namboodiri 2013]: secure HAN

Approach: divide the HAN into 4 groups, each with its own power history logger, to protect Advanced Metering Infrastructure (AMI) data.

Advantages: adds time sensitivity to security concerns.

Drawbacks: 1- It can only detect known attacks. 2- The user is always assumed to be trustworthy.

[Manikopoulos 2002]: statistical IDS

Approach: use a neural network classifier to differentiate between normal and abnormal data. All data above or below a predefined threshold are tagged as abnormal.

Advantages: high detection rate when the traffic intensity is high.

Drawbacks: the detection rate drops significantly when the attack intensity becomes low.

ABIDS Approach

Almost all the related research targets either integrity or confidentiality.

ABIDS rests on one assumption: any attack, misconfiguration, or misuse will lead to a behavior that differs from the normal behavior, which we refer to as abnormal behavior.

Figure 6. ABIDS Work Steps.

Figure 7. ABIDS Architecture.

Testbed: TestBed A and TestBed B, connected over RF and Ethernet; hardware includes an Arduino XBee Shield, a Ubisys transceiver and an XBee PRO transceiver.

Monitoring:

- Wireshark and Tshark.
- The unit has two outputs: 1) to the dataset in the training phase; 2) to the rule selection unit in the run-time phase.

Dataset:

- PostgreSQL.
- The stored data are categorized into keys, addresses, IDs and payload.
- All data are stored as integers, which makes the data mining results more effective.
- The ABIDS dataset contains both normal and abnormal data.

Training Unit:

- Feature extraction: in this module the data are filtered and rearranged; repeated, unnecessary and static data are dropped. This ensures the best data analysis and classification.
- Rules generation: ABIDS uses Weka, specifically the JRip rule learner (Weka's implementation of RIPPER).

Reference Profile

Anomaly Protection Engine

- Rule selection: this unit attempts to detect the occurrence of any abnormal event.
- Classification: I. Impact; II. Target; III. Connection.
- Risk management.
- Action handling.

Impact   Class   Target    Connection
LL       1       ZC/ZED    Insider/Outsider
L        2
H        3
HH       4

Table 2. Attack classes (impact level LL, L, H or HH maps to class 1-4; the target is the ZigBee coordinator or an end device; the connection is insider or outsider).

Classification Unit

Figure 8. Classification Unit.
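The units above form one pipeline: integer-coded capture records go through feature extraction, a rule list produced by JRip is evaluated on each record at run time, and every hit is classified on the three axes of Table 2. The following is an added example of that data flow and is not the authors' code: ABIDS learns its rules with Weka, whereas the three rules here are hand-written stand-ins in JRip's "conditions => label" form, and the feature names, thresholds, impact levels and the six capture windows are all constructed for illustration.

```python
"""ABIDS data flow reduced to its essentials: integer-coded capture windows
-> feature extraction (drop identifiers, static fields and duplicates)
-> rule selection against a rule list -> Table 2 classification of each
alert (impact class, target, connection).

Added example, not the authors' code. ABIDS learns its rules with Weka's
JRip; RULES below are hand-written stand-ins in JRip's "conditions => label"
shape. Feature names, thresholds, impact levels and the capture are all
constructed for this illustration."""

import operator
from typing import Dict, List, Tuple

ZC_ADDR = 0x0000   # the ZigBee coordinator always holds NWK address 0x0000
ID_FIELDS = {"t"}  # identifiers: kept for reporting, never used as features
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}

# Constructed capture: one record per source per 1 s window, integer coded the
# way ABIDS stores keys, addresses, IDs and payload statistics in PostgreSQL.
SAMPLE_WINDOWS: List[Dict[str, int]] = [
    {"t": 0, "src": 0x1A2B, "dst": ZC_ADDR, "pan_id": 0x1234, "frames": 4,   "ed_dbm": -91, "avg_delay_ms": 14,  "nwk_joined": 1},
    {"t": 1, "src": 0x1A2B, "dst": ZC_ADDR, "pan_id": 0x1234, "frames": 5,   "ed_dbm": -90, "avg_delay_ms": 15,  "nwk_joined": 1},
    {"t": 2, "src": 0x1A2B, "dst": ZC_ADDR, "pan_id": 0x1234, "frames": 5,   "ed_dbm": -90, "avg_delay_ms": 15,  "nwk_joined": 1},  # exact repeat of t=1
    {"t": 3, "src": 0x7F01, "dst": ZC_ADDR, "pan_id": 0x1234, "frames": 240, "ed_dbm": -72, "avg_delay_ms": 16,  "nwk_joined": 0},  # flood from an unjoined node
    {"t": 4, "src": 0x1A2B, "dst": ZC_ADDR, "pan_id": 0x1234, "frames": 4,   "ed_dbm": -91, "avg_delay_ms": 410, "nwk_joined": 1},  # joined node, delayed traffic
    {"t": 5, "src": 0xFFFF, "dst": 0x5C10, "pan_id": 0x1234, "frames": 0,   "ed_dbm": -38, "avg_delay_ms": 0,   "nwk_joined": 0},  # no decodable frames, high RF energy
]

# Stand-ins for learned JRip rules: first match wins, the fallback is "normal".
RULES: List[Tuple[List[Tuple[str, str, int]], str]] = [
    ([("frames", ">=", 100)], "flooding"),
    ([("avg_delay_ms", ">=", 300)], "delay"),
    ([("frames", "==", 0), ("ed_dbm", ">=", -60)], "jamming"),
]

# Illustrative impact level per attack on the Table 2 scale (not the paper's mapping).
IMPACT = {"flooding": "H", "delay": "L", "jamming": "HH"}
IMPACT_CLASS = {"LL": 1, "L": 2, "H": 3, "HH": 4}


def extract_features(records):
    """Training-unit step: drop identifier fields, fields whose value never
    changes (static data) and exact duplicate records. Returns
    (feature_names, rows) with each row as (original_record, feature_dict)."""
    candidates = [k for k in records[0] if k not in ID_FIELDS]
    features = [k for k in candidates if len({r[k] for r in records}) > 1]
    seen, rows = set(), []
    for r in records:
        fv = {k: r[k] for k in features}
        key = tuple(fv[k] for k in features)
        if key in seen:
            continue               # repeated data carries no new behaviour
        seen.add(key)
        rows.append((r, fv))
    return features, rows


def match_rule(fv, conditions):
    # A condition on a feature that extraction dropped can never fire.
    return all(f in fv and OPS[op](fv[f], v) for f, op, v in conditions)


def select_rules(rows):
    """Run-time step: evaluate the rule list on every window, keep the alerts."""
    alerts = []
    for record, fv in rows:
        label = next((lbl for conds, lbl in RULES if match_rule(fv, conds)), "normal")
        if label != "normal":
            alerts.append((record, label))
    return alerts


def classify(record, label):
    """Table 2 classification: (impact class 1-4, target, connection)."""
    target = "ZC" if record["dst"] == ZC_ADDR else "ZED"
    connection = "I" if record["nwk_joined"] else "O"   # insider = joined member
    return IMPACT_CLASS[IMPACT[label]], target, connection


def run_abids(records=SAMPLE_WINDOWS):
    """Whole pipeline; returns (surviving feature names, [(t, label, class)])."""
    features, rows = extract_features(records)
    return features, [(r["t"], lbl, classify(r, lbl)) for r, lbl in select_rules(rows)]
```

Two details matter in practice. Feature extraction is computed over the whole dataset, so a field that is constant in training (here pan_id) disappears from the feature set, and a rule that refers to it can never fire; match_rule treats that as a non-match rather than an error. And the connection axis is decided from whether the source is a joined network member, which is exactly the distinction an insider attack from a compromised but authenticated node would exploit.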

Tested Attacks

1. Wide Band DoS

2. Flooding

3. Delay

4. NWK Knockdown

5. Jamming

6. Pulse DoS

Experimental Results

Attack          Detected   Attack type
DoS             √          Known
Delay           √          Known
Flooding        √          Known
NWK Knockdown   √          Unknown
Jamming         √          Unknown
Pulse DoS       √          Unknown

Table 2. Detection Ability.

Detection Rate

Figure 9. Detection Rate.

ABIDS vs Statistical IDS

Figure 10. ABIDS vs Statistical IDS.

Classified Attacks

Target   Attacks 1-6 (cell = impact class, connection; O = outsider, I = insider)
ZC       1,O   2,O   4,O
ZED      2,O   3,O   2,I   3,I

Table 3. Combination of attack classes.

Attack numbering used in Table 3:
1. Wide Band DoS
2. Flooding
3. Delay
4. NWK Knockdown
5. Jamming
6. Pulse DoS

Classification Rate

Figure 11. Classification Rate (attack numbering as in Table 3).

Conclusion

Smart Grid (SG) is a promising technology for improving performance and reducing waste in power generation, distribution and consumption.

SG has many potential vulnerabilities that make SG systems attractive targets for cyber-attacks, especially in residential regions.

The ABIDS approach can efficiently detect unknown attacks as well as known attacks.

The experimental results showed that ABIDS achieved zero false positive alerts and 2% false negatives for unknown attacks.

ABIDS provides a classification module for the detected attacks in order to select the best response to stop or mitigate the impact of the detected attack.

Future Work

Enhancing the attack classification rate.

Adding more smart home features to our testbed, such as face recognition and fingerprint reading, to evaluate the ABIDS system.

Extending the ABIDS testbed to include more smart grid regions:
- Big data collector
- Data aggregation and correlation
- Cyber-physical behavior analysis
- Risk and impact analysis
- Response unit

References

"The Smart Grid: An Introduction," prepared for the U.S. Department of Energy by Litos Strategic Communication under contract No. DE-AC26-04NT41817, Subtask 560.01.04, released 2012.

Y. Yan, Y. Qian, H. Sharif, D. Tipper, "A Survey on Cyber Security for Smart Grid Communications," IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 998-1010, Fourth Quarter 2012.

ZigBee Alliance, online: http://www.zigbee.org/

Biswas, A. Alkhalid, T. Kunz, C. H. Lung, "A Lightweight Defense against the Packet in Packet Attack in ZigBee Networks," Wireless Days (WD), 2012 IFIP, pp. 1-3, 21-23 Nov. 2012.

M. H. Bhuyan, D. K. Bhattacharyya, J. K. Kalita, "Network Anomaly Detection: Methods, Systems and Tools," IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 303-336, First Quarter 2014.

M. Yu, "A Nonparametric Adaptive CUSUM Method and Its Application in Network Anomaly Detection," International Journal of Advancements in Computing Technology, vol. 4, no. 1, pp. 280-288, 2012.

C. Manikopoulos, S. Papavassiliou, "Network Intrusion and Fault Detection: A Statistical Anomaly Approach," IEEE Communications Magazine, vol. 40, no. 10, pp. 76-82, October 2002.

P. Jokar, H. Nicanfar, V. C. M. Leung, "Specification-based Intrusion Detection for Home Area Networks in Smart Grids," 2011 IEEE International Conference on Smart Grid Communications (SmartGridComm), pp. 208-213, 17-20 Oct. 2011.

S. Hwajeong, K. CheolSoo, K. Howon, "ZigBee Security for Home Automation Using Attribute-Based Cryptography," 2011 IEEE International Conference on Consumer Electronics (ICCE), pp. 367-368, 9-12 Jan. 2011.


Motivation (cont’d)

Environment/Climate Change: the US has 4% of the world's population while contributing more than 25% of greenhouse gas emissions [72]. This is largely because more than 50% of US electricity is produced by burning coal.

Affordability: to address all the previous problems, the electric grid would have to build more power plants, add more substations, and upgrade the transmission lines, transformers, etc. All of that will be reflected in the electricity bill, not to mention that the price per kWh has tripled since 2006.

Smart Grid (SG)

Real-time display of data to consumer and utility.
Control from the utility company (demand-response).
Intelligent appliances.
Exporting generated power from renewable resources.

IEEE 802.15.4

Direct-sequence spread spectrum (DSSS) modulation
Good performance at low SNR
CSMA-CA channel access
O-QPSK (2.4 GHz) and BPSK (868/915 MHz) modulation
Half-duplex operation

IEEE 802.15.4 PHY

Activating and deactivating the transceiver
Transmitting and receiving data
Energy Detection (ED)
Carrier Sense (CS)
Link Quality Indication (LQI)
Clear Channel Assessment (CCA)

IEEE 802.15.4 MAC

Device Association and Disassociation

GTS Management

Orphan Notification

Channel Scanning

ZigBee NWK

Broadcasting

Multicasting

Tree Topology

Mesh Topology

Routing


MAC

Secures the one-hop link between devices.
Controls access to the wireless communications medium.
Manages network association and disassociation through 64-bit MAC (extended) addresses.
Provides security services including integrity and access control.

Tree addressing: the size of the address block a router at depth $d$ hands to each of its router children is

$$\mathrm{Cskip}(d) = \begin{cases} 1 + C_m\,(L_m - d - 1), & \text{if } R_m = 1 \\[6pt] \dfrac{1 + C_m - R_m - C_m\,R_m^{\,L_m - d - 1}}{1 - R_m}, & \text{otherwise} \end{cases} \quad [54]$$

where $C_m$ is the maximum number of children per device, $R_m$ the maximum number of router children and $L_m$ the maximum depth of the tree. The $n$-th end device child of a parent at depth $d$ receives the address

$$A_n = A_{\text{parent}} + \mathrm{Cskip}(d)\cdot R_m + n \quad [54]$$

Tree routing: a router with address $A$ at depth $d$ forwards a frame for destination $D$ down the tree when $D$ lies in its own address block,

$$A < D < A + \mathrm{Cskip}(d-1) \quad [54]$$

and the next hop is then

$$\text{next hop} = A + 1 + \left\lfloor \frac{D - (A+1)}{\mathrm{Cskip}(d)} \right\rfloor \cdot \mathrm{Cskip}(d) \quad [54]$$

(unless $D$ is one of the router's own end device children, in which case the next hop is $D$ itself); when $D$ is outside the block the frame goes up to the parent.
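Because every address in a tree network is derived from these formulas, an observer who knows $C_m$, $R_m$ and $L_m$ can compute the parent, depth and role of any node from its 16-bit address alone, and a router's forwarding decision is fully predictable; both facts matter when reasoning about tree-routed traffic or about attacks on the NWK layer. The following is an added example, not the ABIDS authors' code: it implements the Cskip formulas above for a small illustrative tree ($C_m = 6$, $R_m = 4$, $L_m = 3$, values chosen so the whole tree fits in 127 addresses; real stack profiles use larger ones) and walks a frame hop by hop.

```python
"""ZigBee tree (Cskip) address assignment and tree routing, worked through
for a small network. Added example: not the ABIDS authors' code; it
implements the Cskip formulas quoted above. The Cm, Rm, Lm values are chosen
so the whole tree fits in 127 addresses; real stack profiles use larger ones."""

from typing import Dict, List, Optional, Tuple

CM, RM, LM = 6, 4, 3  # max children, max router children, max depth (illustrative)


def cskip(d: int, cm: int = CM, rm: int = RM, lm: int = LM) -> int:
    """Size of the address block a router at depth d gives each router child.
    Below depth Lm the formula equals 1 + cm * (1 + rm + ... + rm^(lm-d-2)),
    so the division is exact. At depth Lm a device may not accept children,
    which the spec expresses as Cskip(d) = 0; clamped here for that case."""
    if d >= lm:
        return 0
    if rm == 1:
        return 1 + cm * (lm - d - 1)
    return (1 + cm - rm - cm * rm ** (lm - d - 1)) // (1 - rm)


def router_child_address(parent: int, d: int, k: int) -> int:
    """Address of the k-th (1-based) router child of a parent at depth d."""
    return parent + 1 + (k - 1) * cskip(d)


def end_device_address(parent: int, d: int, n: int) -> int:
    """Address of the n-th (1-based) end device child: the addresses that
    follow the Rm router sub-blocks."""
    return parent + cskip(d) * RM + n


def next_hop(a: int, d: int, dest: int, parent: Optional[int]) -> Optional[int]:
    """Tree routing decision at a router with address a and depth d.
    Returns the next-hop address, or None when the frame is for this device."""
    if dest == a:
        return None
    # The coordinator (depth 0) owns the whole address space, so everything is
    # a descendant; any other router applies the A < D < A + Cskip(d-1) test.
    descendant = d == 0 or a < dest < a + cskip(d - 1)
    if not descendant:
        return parent                      # route up the tree
    if dest > a + RM * cskip(d):
        return dest                        # one of our own end device children
    return a + 1 + ((dest - (a + 1)) // cskip(d)) * cskip(d)


def build_address_table() -> Dict[int, Tuple[Optional[int], int, bool]]:
    """Enumerate every address the tree can hand out: addr -> (parent, depth, is_router)."""
    table: Dict[int, Tuple[Optional[int], int, bool]] = {0: (None, 0, True)}

    def assign(parent: int, d: int) -> None:
        if cskip(d) == 0:
            return                         # routers at depth Lm take no children
        for k in range(1, RM + 1):
            r = router_child_address(parent, d, k)
            table[r] = (parent, d + 1, True)
            assign(r, d + 1)
        for n in range(1, CM - RM + 1):
            table[end_device_address(parent, d, n)] = (parent, d + 1, False)

    assign(0, 0)
    return table


def route(table, src: int, dest: int) -> List[int]:
    """Hop-by-hop path from src to dest using tree routing only."""
    if dest not in table:
        raise ValueError(f"0x{dest:04x} is not an assignable address in this tree")
    path, cur = [src], src
    while cur != dest:
        parent, depth, is_router = table[cur]
        cur = parent if not is_router else next_hop(cur, depth, dest, parent)
        path.append(cur)
    return path
```

With these parameters Cskip(0), Cskip(1), Cskip(2) come out as 31, 7 and 1, the coordinator's router children sit at 1, 32, 63 and 94, and a frame from end device 30 (child of router 1) to end device 100 climbs to the coordinator and descends through routers 94 and 95, which is exactly what the next-hop formula predicts at each step.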

NWK

Start Networks

Responsible for Addressing

Neighbor discovery

Routing Discovery

APS

Filters out packets for non-registered endpoints or profiles that don't match.
Generates acknowledgments (optional).
Maintains the local binding table.
Fragments and reassembles packets.

ZigBee Pro

Mesh only
Same logical device types as the ZigBee feature set (ZC, ZR, ZED)
Network manager for PAN ID conflict resolution and frequency agility
Symmetric keys with AES-128-CCM*
Key hierarchy: master keys (optional), network keys and link keys (optional)

Applications

Figure 3. ZigBee Applications [ZigBee Alliance 2014]

Tools&Devices

Wireshark & Tshark
X-CTU
PostgreSQL
Weka
Digi platform
ZigBee transceivers (e.g. ubisys, Memsic, and XBee)
Libpcap

Libpcap

Figure 12. MTD Approach
