Effect of Intrusion Detection and Response on Reliability...


Speakers: Yanyan Ni, Yeze Li

Outline

Introduction

System Model

Model and Analysis

Parameterization

Numeric Data

Introduction

• A cyber-physical system (CPS) comprises sensors, actuators, control units, and physical objects for controlling and protecting a physical infrastructure.

• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

• Three detection techniques:
– Signature based
– Anomaly based
– Specification based

• An intrusion detection and response system (IDRS) detects and responds to malicious events at runtime.

Objective

• A CPS often operates in a rough environment:
– energy replenishment is not possible
– nodes may be compromised at times

• An IDRS must detect malicious nodes without unnecessarily wasting energy, so as to prolong the system lifetime.

• To maximize the reliability or lifetime of a CPS designed to sustain malicious attacks over a prolonged mission period without energy replenishment.

Methodology and Contribution

• Develop a probability model to assess the reliability property of a CPS equipped with an IDRS.

• Consider a variety of attacker behaviors and identify the best design settings of the detection and response strength, when given a set of parameter values characterizing the operational environment and network conditions.

• Parameterization of the model using the properties of the IDS system is one major contribution of the paper.

System Model

Reference CPS

Security Failure

• Byzantine fault model
– One-third or more of the nodes are compromised
– The control unit is not able to obtain any sensor reading consensus

• Impairment failure
– A compromised CPS node performing active attacks without being detected can impair the functionality of the system
– Impairment by a bad node over an impairment-failure period without being detected will severely impair the system and cause the system to fail

Attack Model

• Define:
– A node capture attack turns a good node into a bad insider node
– Capture attacks of sensor-actuator nodes

• Models:
– Persistent: attacks with probability one
– Random: attacks with probability Prandom
– Insidious: hidden all the time

Host Intrusion Detection

• Core techniques:
– Behavior rule specification: specify the behavior of an entity by a set of rules.
– Vector similarity specification: compare the similarity of a sequence of sensor readings, commands, or votes among entities performing the same set of functions.

• Applied to the reference CPS:
– Detects if the location sequence deviates from the expected location sequence
– Detects dissimilarity of vote sequences among neighbors

Measurement of compliance degree

• Maximum likelihood estimates of α and β:


System Intrusion Detection

• Based on majority voting of host IDS results, to cope with the incomplete and uncertain information available to nodes in the CPS

• System-level IDS technique:
– Selection of m detectors
– The invocation interval TIDS, chosen to best balance energy conservation against intrusion tolerance

• The system IDS is characterized by: and

Intrusion Response

• The IDRS reacts to malicious events detected at runtime by adjusting CT

• Increasing attacker strength leads to increasing CT

• To compensate for the negative effect, the IDRS increases the audit rate or increases the number of detectors to reduce the false positive probability at the expense of more energy consumption.

Model and Analysis

parameters

• Input parameters:– , , , , , , ,

• Derived parameters:– , , ,

Parameterization


System-Level IDS and

and highly depends on the attacker behavior

Persistent attacker

Random attacker

Insidious attacker

Persistent attacker: Random attacker: Insidious attacker: else,

Calculation of

The first summation aggregates the probability of a false negative stemming from selecting a majority of active bad nodes.

The second summation aggregates the probability of a false negative stemming from selecting a minority of nodes from the set of active bad nodes which always cast incorrect votes.
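The two summations described above, as an added worked example (not the paper's own code or notation): it assumes majority voting over m detectors drawn without replacement from n_total nodes, of which n_bad are active bad nodes that always cast the incorrect vote, while good detectors err with a per-host probability p_host. With p_host set to the per-host false negative probability the result is the system-level false negative; the same function gives the system-level false positive when p_host is the per-host false positive probability.

```python
from math import comb


def hypergeom_pmf(k, m, n_bad, n_total):
    """P(exactly k of the m selected detectors are active bad nodes),
    selection without replacement from n_total nodes (assumed model)."""
    if k < 0 or k > m or k > n_bad or m - k > n_total - n_bad:
        return 0.0
    return comb(n_bad, k) * comb(n_total - n_bad, m - k) / comb(n_total, m)


def binom_tail(n, p, at_least):
    """P(X >= at_least) for X ~ Binomial(n, p)."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(max(at_least, 0), n + 1))


def system_level_error(m, n_total, n_bad, p_host):
    """Return (term1, term2, total) for the majority-vote system IDS.

    term1: a majority of the m detectors are active bad nodes, so their
           incorrect votes alone decide the outcome (first summation).
    term2: only a minority k of the detectors are bad; the m-k good
           detectors must err (per-host probability p_host) often enough
           that k plus their errors still reach a majority (second summation).
    """
    majority = m // 2 + 1            # votes needed to win (m is assumed odd)
    term1 = sum(hypergeom_pmf(k, m, n_bad, n_total)
                for k in range(majority, m + 1))
    term2 = 0.0
    for k in range(0, majority):
        need = majority - k          # host errors required from the good detectors
        term2 += hypergeom_pmf(k, m, n_bad, n_total) * binom_tail(m - k, p_host, need)
    return term1, term2, term1 + term2


if __name__ == "__main__":
    # Constructed sample setting: 10 nodes, 2 active bad nodes, 3 detectors,
    # per-host false negative probability 0.1.
    t1, t2, total = system_level_error(3, 10, 2, 0.1)
    print(f"majority-bad term: {t1:.4f}  minority-bad term: {t2:.4f}  "
          f"system FN: {total:.4f}")
```

Raising m or lowering p_host (stronger per-host detection) shrinks both terms, which is the energy-versus-tolerance trade-off the m and TIDS settings balance.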

• Persistent attacks:

• Random attacks:

• Insidious attacks:

(Using the same minimum )

The is the one in all-in attack period.

(Here we introduce a dynamic IDS response which….)

• Dynamic IDS with a goal of maximizing the system lifetime.

• Attacker strength: based on the observation during is compared with

: Represent the attacker strength at time t.

Bad node

A simple yet efficient IDS response design

• When the attacker strength is high, to remove the active attackers in the system quickly

• When there is little attacker evidence, we lower the value of so we may quickly decrease the probability of a good node being misidentified as a bad node.

So it will prevent ……

linear one-to-one mapping function :

1 , A node ?

A large induces a small per-host false negative probability at the expense of……

Here a node spends energy to transmit a CDMA waveform. Its neighbors each spend energy to receive the waveform, and each spends energy to transform it into a distance. This operation is repeated for times for determining a sequence of locations.

Numerical Data

Effect of Intrusion Detection Strength

Effect of Attacker Behavior

Effect of Intrusion Response

Future Work

• Investigating other intrusion detection criteria (accumulation of deviation)

• Investigating other intrusion response criteria

• Exploring other attack behavior models

• Developing a more elaborate model to describe the relationship between intrusion responses and attacker behaviors
