Anomaly Based Intrusion Detection System for
ZigBee Networks in Smart Grid (ABIDS)
Bilal Al Baalbaki, Jesus Pacheco, Youssif Al-Nashif, and Salim Hariri
University of Arizona
Agenda
Motivation
Smart Grid
ZigBee
Anomaly Rule-Based IDS Approach
Tested Attacks
Experimental Results
Conclusion
Current work
Motivation
According to the DOE report [2012], the current electric grid falls short on the following points:
Reliability: During the last 40 years there have been 8 massive blackouts across the US; three of them occurred in the past nine years alone.
Efficiency: Making electricity delivery 5% more efficient would support 6 million new homes and save $600 million.
Economy: In 2000, a one-hour blackout in Chicago cost the Board of Trade around $20 trillion.
Security: The current topology of the electric grid leaves it open to attack. Since most of the US grid is centralized, a single failure can have catastrophic consequences. Current monitoring systems are reactive, lag behind events, and take a long time to recover the system.
Smart Grid
According to [Yan 2012]
Intelligent: SG can sense the state of the system and predict coming electricity peaks, so it can mitigate potential failures or outages. It can also switch the power source between conventional and renewable generation to give consumers the highest energy quality at the cheapest price. All of this should require little intervention from users.
Efficient: SG can meet the increased demand for electricity because it uses energy resources optimally and always has backup plants.
Smart Grid [Yan 2012] (cont’d)
Motivating: SG enables two-way communication between consumers and their service providers. Consequently, both have a better understanding of the current status of electricity (price, demand, etc.) and are motivated to take actions that improve grid operation and reduce operating costs.
Quality-focused: SG can improve the delivered power. A few of these qualities: continuity of service, no variation in voltage magnitude, smooth transient voltages and currents, low harmonic content in the waveforms, and freedom from disturbances and interruptions.
Resilient: SG adapts smoothly to any change or failure in the electric grid. Furthermore, SG becomes more robust against attacks and natural disasters as it becomes more decentralized and is reinforced with Smart Grid security protocols.
Figure 1. General Diagram for Smart Grid
Figure 2. Smart Home Technology Overview
ZigBee
Low-power wireless M2M networks. The ZigBee standard operates on the IEEE 802.15.4 physical radio specification and uses unlicensed (ISM) bands, including 2.4 GHz, 900 MHz and 868 MHz.

Frequency (MHz) | Data rate (kbps) | Number of channels | Location
2400 | 250 | 16 | Global
915 | 40 | 10 | America
868 | 20 | 1 | Europe
Table 1. Wireless Network Radio Frequency Bands [Lundgren 2012]
Specification
Short-range
Low-power
Low-data-rate
Wireless multi-hop networking technology standard
Goes from sleep to active mode in 15-30 ms
A ZigBee network can address up to 65k nodes (16-bit network addresses)
Topology
Full Function Device (FFD):
- Can be either a coordinator or a router
- Can talk to any node
- Starts the network and authenticates RFDs
- Connects networks with each other
- Fits any network topology (star, cluster tree, peer-to-peer or mesh)
Reduced Function Device (RFD):
- Can only be an end point
- Can talk only to an FFD
- Asks an FFD for authentication
Topology (Cont’d)
ZigBee Coordinator (ZC)
ZigBee Router (ZR)
ZigBee Trust Center (ZTC)
ZigBee End Device (ZED)
ZigBee Gateway (ZG)
Architecture
Figure 4. ZigBee Protocol Stack [Kunz, Lung 2012]
Mesh Network
Figure 5. Mesh Network [ZigBee Alliance 2014]
Security Keys
MASTER KEYS
Most of the time these keys are factory installed. If none is provided, the Trust Center uses the MAC address as the master key.
NETWORK KEYS
All devices on a ZigBee network share the same network key. The FFD that starts the network chooses the network key.
LINK KEYS
Keys that originate from the Trust Center are called Trust Center Link
ZigBee Pro Security
Access control
Key based
Frame counter (freshness, i.e. replay protection)
ZigBee’s security means two things:
Encryption: malicious nodes cannot read the data.
Authentication: ZigBee nodes do not execute any command from an untrusted device.
Both properties hold only while the keys stay secret. Because every device on a network shares one network key, a single compromised or misconfigured device exposes all traffic protected by that key, which is why behaviour-based detection is still needed on top of the cryptography.
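The frame counter listed above is what stops a captured frame from being replayed, and the key hierarchy (master, network and link keys, AES-128-CCM*) only helps if the receiver actually enforces it. The following is an added example, not code from the slides or from any ZigBee stack: it models the receive-side counter check (a device keeps the highest frame counter accepted per source extended address and rejects anything not strictly greater) and builds the 13-byte CCM* nonce the way the specification lays it out (8-byte source address, 4-byte frame counter, 1-byte security control, little-endian). The addresses, counters and the `0x2D` security-control byte (level 5, network key, extended nonce) are constructed for the example.

```python
"""ZigBee frame-counter replay check and CCM* nonce construction.

Added example, not code from the slides. A receiver stores the last accepted
frame counter per source and rejects any frame whose counter is not strictly
greater, so a replayed capture is dropped before decryption is even attempted.
"""
import struct

COUNTER_MAX = 0xFFFFFFFF      # 32-bit counter; the key must be replaced before it wraps


def ccm_star_nonce(src_ext_addr: bytes, frame_counter: int, sec_ctrl: int) -> bytes:
    """13-byte CCM* nonce: source address (8) || frame counter (4, LE) || security control (1)."""
    if len(src_ext_addr) != 8:
        raise ValueError("extended address must be 8 bytes")
    if not 0 <= frame_counter <= COUNTER_MAX:
        raise ValueError("frame counter out of range")
    return src_ext_addr + struct.pack("<I", frame_counter) + bytes([sec_ctrl & 0xFF])


class IncomingCounters:
    """Per-source record of the highest frame counter accepted so far."""

    def __init__(self):
        self._last = {}

    def check(self, src_ext_addr: bytes, frame_counter: int) -> str:
        """Return 'accept', 'replay', or 'rekey' (counter exhausted: accept, but a new key is due)."""
        last = self._last.get(src_ext_addr, -1)
        if frame_counter <= last:
            return "replay"                      # equal or older: drop and keep state unchanged
        self._last[src_ext_addr] = frame_counter
        return "rekey" if frame_counter == COUNTER_MAX else "accept"


def filter_frames(frames):
    """Apply the counter rule to (src, counter, sec_ctrl) frames in arrival order.

    Returns one (verdict, nonce) pair per frame; the nonce is what would be fed to
    CCM* decryption for accepted frames and None for rejected ones.
    """
    table = IncomingCounters()
    out = []
    for src, ctr, sec in frames:
        verdict = table.check(src, ctr)
        nonce = ccm_star_nonce(src, ctr, sec) if verdict != "replay" else None
        out.append((verdict, nonce))
    return out


# Constructed capture: two end devices; the third and fifth frames replay earlier ones.
ZED_A = bytes.fromhex("0013a20040a1b2c3")
ZED_B = bytes.fromhex("0013a20040d4e5f6")
SEC_CTRL = 0x2D   # assumed: security level 5 (ENC-MIC-32), network key, extended nonce
SAMPLE_FRAMES = [
    (ZED_A, 1, SEC_CTRL), (ZED_A, 2, SEC_CTRL), (ZED_A, 2, SEC_CTRL),   # third is a replay
    (ZED_B, 7, SEC_CTRL), (ZED_A, 1, SEC_CTRL),                         # fifth replays frame 1
    (ZED_A, 9, SEC_CTRL), (ZED_B, COUNTER_MAX, SEC_CTRL),               # last exhausts B's counter
]

if __name__ == "__main__":
    for frame, (verdict, nonce) in zip(SAMPLE_FRAMES, filter_frames(SAMPLE_FRAMES)):
        print(frame[0].hex(), frame[1], verdict, nonce.hex() if nonce else "-")
```

The check is per source address, so two devices may legitimately use the same counter value; what is never allowed is the same (source, counter) pair twice, because that would also reuse a CCM* nonce under the same key. Note that the rule is deliberately strict: a frame that arrives out of order is dropped, which is the price of having no per-frame timestamp.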
Related Work [Hwajeong 2011]: (public, master and private keys)
Approach: setup, encryption, key generation, decryption, and delegation.
Advantages: Reduces the number of keys, which reduces the required memory.
Drawbacks: 1- An intruder with low monitoring overhead and data extraction skills can gain access to the system.
2- The system does not support digital signatures since it depends on attributes, and hence cannot be protected from malicious injection.
[Jokar, Leung 2011]: (Specification-based IDS)
Approach: 7 specifications (4 PHY and 3 MAC) to build a normal behavioral model.
Advantages: It can detect unknown attacks.
Drawbacks: 1- High false positive rate since it uses nominal values only.
2- Simulation work only.
Related Work [Namboodiri 2013]: (Secure HAN)
Approach: Divide the HAN into 4 groups, each with its own power history logger, to protect Advanced Metering Infrastructure (AMI) data.
Advantages: Adds time sensitivity to security concerns.
Drawbacks: 1- It can only detect known attacks.
2- The user is always assumed to be trustworthy.
[Manikopoulos 2002]: (Statistical IDS)
Approach: Uses a neural network classifier to separate normal from abnormal data. All data above or below a predefined threshold is tagged abnormal.
Advantages: High detection rate when the attack traffic intensity is high.
Drawbacks: The detection rate drops significantly when the attack intensity is low.
ABIDS Approach
Almost all related research targets either integrity or confidentiality.
ABIDS rests on one assumption: any attack, misconfiguration, or misuse leads to behavior that differs from the normal behavior, which we refer to as abnormal behavior.
Figure 6. ABIDS Work Steps.
Figure 7. ABIDS Architecture.
Testbed: TestBed A (RF link) and TestBed B (Ethernet link), built from an Arduino XBee Shield, a Ubisys transceiver and an XBee PRO transceiver.
Monitoring:
- Wireshark & Tshark
- The unit has two outputs:
  1) To the dataset in the training phase.
  2) To the rule selection unit in the run-time phase.
Dataset: PostgreSQL.
- The stored data are categorized into keys, addresses, IDs and payload.
- All data are stored as integers, which makes data mining more effective.
- The ABIDS dataset contains both normal and abnormal data.
Training Unit:
- Feature extraction: the data are filtered and rearranged so that repeated, unnecessary and static data are dropped, which gives the best data analysis and classification.
- Rules Generation:
  I. ABIDS uses Weka.
  II. JRip (Weka’s RIPPER rule learner)
Reference Profile
Anomaly Protection Engine
- Rule Selection: this unit attempts to detect the occurrence of any abnormal event.
- Classification:
  I. Impact
  II. Target
  III. Connection
- Risk Management
Action Handling
Impact: LL = 1, L = 2, H = 3, HH = 4
Target: ZC / ZED
Connection: Insider / Outsider
Table 2. Attack Classes.
Classification Unit
Figure 8. Classification Unit.
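The pipeline on the preceding slides (capture with Tshark, store the records, extract per-window features, learn a reference profile from normal traffic, match rules at run time, then classify by Impact, Target and Connection) is the part of ABIDS a practitioner would want to see end to end. The block below is an added example written for this page, not the authors’ code: it replaces Weka’s JRip with a plain min/max interval profile per feature, and the device table, the traffic records, the rule-to-attack labels and the attack-to-Impact mapping are all constructed assumptions chosen so that flooding, delay, wide-band DoS and jamming each show up in a different feature.

```python
"""ABIDS-style anomaly detection over ZigBee traffic features (added example).

Not the slides' code. Records are (t_ms, src_short_addr, dst_short_addr, lqi),
the shape of fields Tshark exports from an 802.15.4 capture. Per 1 s window we
extract packet count, mean inter-arrival gap and mean LQI, learn [min, max] of
each from normal traffic, and flag a window whose features leave that range.
Device table, rule labels and Impact classes are assumptions for illustration.
"""
from collections import Counter
from statistics import mean

ROLE = {0x0000: "ZC", 0x1A2B: "ZED", 0x3C4D: "ZED"}            # assumed device table
IMPACT = {"Flooding": 2, "Delay": 3, "Jamming": 3, "DoS": 4}    # assumed classes, 1=LL .. 4=HH
WINDOW_MS = 1000


def features(win):
    """win: time-sorted records of one slot. Empty slots give all-zero features."""
    gaps = [b[0] - a[0] for a, b in zip(win, win[1:])]
    return {"pkts": len(win),
            "mean_gap": mean(gaps) if gaps else 0.0,
            "mean_lqi": mean(r[3] for r in win) if win else 0.0}


def windows(records):
    """Split records into consecutive slots; silent slots are kept as empty windows."""
    slots = {}
    for r in records:
        slots.setdefault(r[0] // WINDOW_MS, []).append(r)
    return [sorted(slots.get(s, [])) for s in range(max(slots) + 1)]


def train(normal_records):
    """Reference profile: [min, max] of every feature over the normal windows."""
    rows = [features(w) for w in windows(normal_records)]
    return {k: (min(r[k] for r in rows), max(r[k] for r in rows)) for k in rows[0]}


# Order matters: the first violated rule names the attack (assumed labels).
RULES = [("mean_gap", "above", "Delay"),
         ("pkts", "above", "Flooding"),
         ("pkts", "below", "DoS"),
         ("mean_lqi", "below", "Jamming")]


def detect(profile, win, tol=0.2):
    f = features(win)
    for feat, side, label in RULES:
        lo, hi = profile[feat]
        slack = tol * max(hi - lo, abs(hi))     # widen degenerate [x, x] intervals
        if side == "above" and f[feat] > hi + slack:
            return label
        if side == "below" and f[feat] < lo - slack:
            return label
    return None


def classify(label, win):
    """Impact from the table, Target = role of the dominant destination, Connection by source."""
    if not win:
        return label, IMPACT[label], "n/a", "n/a"
    target = ROLE.get(Counter(r[2] for r in win).most_common(1)[0][0], "unknown")
    conn = "Insider" if all(r[1] in ROLE for r in win) else "Outsider"
    return label, IMPACT[label], target, conn


def analyze(profile, records):
    """Return (slot, attack, impact, target, connection) for every flagged window."""
    out = []
    for slot, win in enumerate(windows(records)):
        label = detect(profile, win)
        if label:
            out.append((slot,) + classify(label, win))
    return out


def normal_slot(slot, lqi=(230, 240)):
    """Constructed normal traffic: two ZEDs reporting to the ZC every 200 ms / 250 ms."""
    base = slot * WINDOW_MS
    return ([(base + 200 * i, 0x1A2B, 0x0000, lqi[0]) for i in range(5)] +
            [(base + 250 * j, 0x3C4D, 0x0000, lqi[1]) for j in range(4)])


def sample_run():
    profile = train([r for s in range(10) for r in normal_slot(s)])
    live = [r for s in range(3) for r in normal_slot(s)]                                # slots 0-2 normal
    live += normal_slot(3) + [(3000 + 10 * k, 0x9999, 0x0000, 200) for k in range(40)]  # outsider flood
    live += [(4000 + 400 * k, 0x1A2B, 0x0000, 230) for k in range(3)]                   # delayed reports
    # slot 5: nothing heard at all (wide-band DoS)
    live += normal_slot(6, lqi=(80, 80))                                                # jammed link
    live += normal_slot(7) + [(7000 + 10 * k, 0x3C4D, 0x0000, 240) for k in range(30)]  # insider flood
    return profile, analyze(profile, live)


if __name__ == "__main__":
    for alert in sample_run()[1]:
        print(alert)
```

Two design points carry over to a real deployment: silent windows must be generated explicitly (a DoS produces no records, so a detector that only iterates over captured packets never sees it), and a degenerate profile such as exactly 9 packets in every training window needs a tolerance, otherwise the first window with 10 packets raises an alert.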
Tested Attacks
1. Wide Band DoS
2. Flooding
3. Delay
4. NWK Knockdown
5. Jamming
6. Pulse DoS
Experimental Results
Attack | Detected | Known/Unknown
DoS | ✓ | known
Delay | ✓ | known
Flooding | ✓ | known
NWK Knockdown | ✓ | unknown
Jamming | ✓ | unknown
Pulse DoS | ✓ | unknown
Table 2. Detection Ability.
Detection Rate
Figure 9. Detection Rate.
ABIDS vs Statistical IDS
Figure 10. ABIDS vs Statistical IDS.
Classified Attacks
Target | Attacks 1-6 (each cell: impact class, connection; I = insider, O = outsider)
ZC | 1,O 2,O 4,O
ZED | 2,O 3,O 2,I 3,I
Table 3. Combination of attack classes.
1. Wide Band DoS
2. Flooding
3. Delay
4. NWK Knockdown
5. Jamming
6. Pulse DoS
Classification Rate
Figure 11. Classification Rate.
Conclusion
Smart Grid (SG) is a promising technology for improving performance and reducing waste in power generation, distribution and consumption.
SG has many potential vulnerabilities that make SG systems attractive targets for cyber-attacks, especially in residential regions.
The ABIDS approach can efficiently detect unknown attacks as well as known attacks.
The experimental results showed that ABIDS achieved zero false positive alerts and 2% false negatives for unknown attacks.
ABIDS provides a classification module for detected attacks in order to choose the best response to stop or mitigate the impact of the detected attack.
Future Work
Enhancing the attack classification rate
Adding more smart home features to our testbed, such as face recognition and fingerprint reading, to evaluate the ABIDS system.
Extending the ABIDS testbed to include more smart grid regions:
- Big data collector
- Data aggregation and correlation
- Cyber-physical behavior analysis
- Risk and impact analysis
- Response unit
References
“The SMART GRID: An Introduction,” prepared for the U.S. Department of Energy by Litos Strategic Communication under contract No. DE-AC26-04NT41817, Subtask 560.01.04, released in 2012.
Y. Yan, Y. Qian, H. Sharif, D. Tipper, “A Survey on Cyber Security for Smart Grid Communications,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 998-1010, Fourth Quarter 2012.
ZigBee Alliance, online: http://www.zigbee.org/
Biswas, A. Alkhalid, T. Kunz, C. H. Lung, “A Lightweight Defense against the Packet in Packet Attack in ZigBee Networks,” Wireless Days (WD), 2012 IFIP, pp. 1-3, 21-23 Nov. 2012.
M. H. Bhuyan, D. K. Bhattacharyya, J. K. Kalita, “Network Anomaly Detection: Methods, Systems and Tools,” IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 303-336, First Quarter 2014.
M. Yu, “A Nonparametric Adaptive CUSUM Method and Its Application in Network Anomaly Detection,” International Journal of Advancements in Computing Technology, vol. 4, no. 1, pp. 280-288, 2012.
C. Manikopoulos, S. Papavassiliou, “Network Intrusion and Fault Detection: A Statistical Anomaly Approach,” IEEE Communications Magazine, vol. 40, no. 10, pp. 76-82, October 2002.
P. Jokar, H. Nicanfar, V. C. M. Leung, “Specification-based Intrusion Detection for Home Area Networks in Smart Grids,” Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on, pp. 208-213, 17-20 Oct. 2011.
S. Hwajeong, K. CheolSoo, K. Howon, “ZigBee Security for Home Automation Using Attribute-Based Cryptography,” Consumer Electronics (ICCE), 2011 IEEE International Conference on, pp. 367-368, 9-12 Jan. 2011.
Thank you
Motivation (cont’d)
Environment/Climate Change: The US has 4% of the world’s population but contributes more than 25% of greenhouse gas emissions [72], largely because more than 50% of US electricity is produced by burning coal.
Affordability: To address all the previous problems, the electric grid would need more power plants, more substations, upgraded transmission lines and transformers, etc. All of this will show up on the electricity bill, not to mention that the price per kWh has tripled since 2006.
Smart Grid (SG)
Real-time display of data to consumer and
utility.
Control from utility company (demand-
response).
Intelligent appliances.
Exporting generated power from renewable
resources.
IEEE 802.15.4
DSSS (direct-sequence spread spectrum), which makes the link robust to narrowband interference
High performance at low SNR
CSMA-CA channel access
O-QPSK (2.4 GHz) and BPSK (868/915 MHz) modulation
Half-duplex operation
IEEE 802.15.4 PHY
Activating and deactivating the transceiver
Transmitting and receiving data
Energy Detection (ED) on the current channel
Carrier Sense (CS)
Link Quality Indication (LQI) for received packets
Clear Channel Assessment (CCA) for CSMA-CA
IEEE 802.15.4 MAC
Device Association and Disassociation
GTS Management
Orphan Notification
Channel Scanning
ZigBee NWK
Broadcasting
Multicasting
Tree Topology
Mesh Topology
Routing
MAC
Secures one-hop links between devices.
Controls access to the wireless communications medium.
Manages network association and disassociation using 64-bit MAC (extended) addresses.
Provides security services including integrity and access control.
Tree address assignment [54], with $C_m$ = nwkMaxChildren, $R_m$ = nwkMaxRouters, $L_m$ = nwkMaxDepth and $d$ the depth of the parent:

$$C_{skip}(d) = \begin{cases} 1 + C_m \,(L_m - d - 1), & \text{if } R_m = 1 \\[4pt] \dfrac{1 + C_m - R_m - C_m R_m^{\,L_m - d - 1}}{1 - R_m}, & \text{otherwise} \end{cases}$$

Address of the $n$th end-device child [54]: $A_n = A_{parent} + C_{skip}(d) \cdot R_m + n$

Tree routing at a device with address $A$ at depth $d$: the destination $D$ is a descendant of $A$ if $A < D < A + C_{skip}(d-1)$ [54], and the next hop is then

$$A + 1 + \left\lfloor \frac{D - (A+1)}{C_{skip}(d)} \right\rfloor \cdot C_{skip}(d) \quad [54]$$

(otherwise the frame is forwarded to the parent).
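The formulas above are easiest to trust once run against the ZigBee default profile values, where they reproduce the well-known address block sizes 5181, 861, 141, 21, 1. The block below is an added example written for this page, not code from the slides or from the ZigBee specification; it carries the slide’s symbols through (Cm = nwkMaxChildren, Rm = nwkMaxRouters, Lm = nwkMaxDepth, d = depth, A = own address, D = destination), adds the router-child address rule that the slide omits, and walks a small constructed topology with the tree-routing decision. The guard that returns 0 at depth Lm is an assumption so that leaf-depth devices never hand out addresses.

```python
"""ZigBee distributed (tree) address assignment and tree routing.

Added example; not code from the slides or the ZigBee specification.
Defaults are the ZigBee default profile values Cm=20, Rm=6, Lm=5.
"""


def cskip(d, Cm=20, Rm=6, Lm=5):
    """Size of the address block handed to each router child of a device at depth d."""
    if d >= Lm:
        return 0                      # assumed guard: devices at nwkMaxDepth accept no children
    if Rm == 1:
        return 1 + Cm * (Lm - d - 1)
    # Numerator and denominator are both negative; the quotient is always an integer.
    return (1 + Cm - Rm - Cm * Rm ** (Lm - d - 1)) // (1 - Rm)


def router_child_address(parent, d, k, **params):
    """Address of the k-th (1-based) router child of a parent at depth d."""
    return parent + 1 + cskip(d, **params) * (k - 1)


def end_device_address(parent, d, n, **params):
    """Slide formula: n-th end-device address = parent address + Cskip(d) * Rm + n."""
    Rm = params.get("Rm", 6)
    return parent + cskip(d, **params) * Rm + n


def next_hop(A, d, D, parent, **params):
    """Tree-routing decision at device A (depth d, parent address `parent`) for destination D."""
    Rm = params.get("Rm", 6)
    if D == A:
        return A                                                   # deliver locally
    cs = cskip(d, **params)
    descendant = d == 0 or (A < D < A + cskip(d - 1, **params))    # the coordinator owns all addresses
    if not descendant or cs == 0:
        return parent                                              # route up the tree
    if D > A + Rm * cs:
        return D                                                   # one of A's own end-device children
    return A + 1 + ((D - (A + 1)) // cs) * cs                      # router child whose block holds D


def tree_route(src, src_depth, parents, depths, D):
    """Walk from src to D using only the next_hop rule; returns the list of hops."""
    path, A, d = [src], src, src_depth
    while A != D:
        A = next_hop(A, d, D, parents.get(A))
        d = depths[A]
        path.append(A)
    return path


if __name__ == "__main__":
    # Constructed topology: ZC (0) -> 2nd router child 5182 (depth 1) -> its 2nd router child 6044.
    zc = 0
    r1 = router_child_address(zc, 0, 2)        # 5182
    r2 = router_child_address(r1, 1, 2)        # 6044
    ed = end_device_address(zc, 0, 1)          # 31087, first end device under the ZC
    parents = {r1: zc, r2: r1}
    depths = {zc: 0, r1: 1, r2: 2, ed: 1}
    print([cskip(d) for d in range(5)])        # [5181, 861, 141, 21, 1]
    print(tree_route(r2, 2, parents, depths, ed))   # [6044, 5182, 0, 31087]
```

Because every address is computable from the parent’s address and depth, an attacker who learns one router’s address and depth can predict every address in its subtree; that is one reason the slides’ detector keys on addresses and IDs rather than treating them as secrets.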
NWK
Starts networks
Responsible for addressing
Neighbor discovery
Route discovery
APS
Filters out packets for non-registered
endpoints, or profiles that don't match
Generates acknowledgments (Optional)
Maintains the local binding table
Fragments and reassembles the
packets
ZigBee Pro
Mesh only
Same Logical Device Types as ZigBee feature set (ZC, ZR,
ZED)
Network Manager for PAN ID conflict resolution and
frequency agility
Symmetric Key with AES-128-CCM*
Key Hierarchy: Master Keys (optional), Network Keys and
Link Keys (optional)
Applications
Figure 3. ZigBee Applications [ZigBee Alliance 2014]
Tools & Devices
Wireshark & Tshark
X-CTU
PostgreSQL
Weka
Digi platform
ZigBee transceivers (e.g. ubisys, Memsic, and XBee)
Libpcap
Figure 12. MTD Approach