Effect of Intrusion Detection and Response on Reliability … (people.cs.vt.edu/~irchen/5214/paper/Mitchell-tr13-slide..., PPT file, web view 2015-11-16)

Speakers: Yanyan Ni, Yeze Li



Outline

Introduction

System Model

Model and Analysis

Parameterization

Numeric Data


Introduction

• A cyber-physical system (CPS) comprises sensors, actuators, control units, and a physical object, and is used to control and protect a physical infrastructure.

• An intrusion detection system (IDS) is a device or software application that monitors network or system activity for malicious actions or policy violations and reports them to a management station.

• Three detection techniques:
– Signature based
– Anomaly based
– Specification based

• An intrusion detection and response system (IDRS) detects and responds to malicious events at runtime.


Objective

• A CPS often operates in a rough environment:
– energy replenishment is not possible
– nodes may be compromised at times

• An IDRS must detect malicious nodes without unnecessarily wasting energy, so as to prolong the system lifetime.

• Goal: maximize the reliability (lifetime) of a CPS designed to sustain malicious attacks over a prolonged mission period without energy replenishment.


Methodology and Contribution

• Develop a probability model to assess the reliability of a CPS equipped with an IDRS.

• Consider a variety of attacker behaviors and identify the best design settings for detection and response strength, given a set of parameter values characterizing the operational environment and network conditions.

• Parameterizing the model from the properties of the IDS is a major contribution of the paper.


System Model


Reference CPS


Security Failure

• Byzantine fault model
– One-third or more of the nodes are compromised
– The control unit is not able to obtain any sensor reading consensus

• Impairment failure
– A compromised CPS node performing active attacks without being detected can impair the functionality of the system
– Impairment by a bad node over an impairment-failure period without being detected will severely impair the system and cause it to fail


Attack Model

• Define:
– A node capture attack turns a good node into a bad insider node
– Capture attacks target sensor-actuator nodes

• Models:
– Persistent: attacks with probability one
– Random: attacks with probability P_random
– Insidious: hidden all the time


Host Intrusion Detection

• Core techniques:
– Behavior rule specification: specify the behavior of an entity by a set of rules.
– Vector similarity specification: compare the similarity of a sequence of sensor readings, commands, or votes among entities performing the same set of functions.

• Applied to the reference CPS:
– Detects whether the location sequence deviates from the expected location sequence
– Detects dissimilarity of vote sequences among neighbors


Measurement of compliance degree

• Maximum likelihood estimates of α and β:



System Intrusion Detection

• Based on majority voting of host IDS results, to cope with the incomplete and uncertain information available to nodes in the CPS

• System-level IDS technique:
– Selection of m detectors
– The invocation interval T_IDS, chosen to best balance energy conservation against intrusion tolerance

• The system IDS is characterized by: and


Intrusion Response

• The IDRS reacts to malicious events detected at runtime by adjusting the compliance threshold C_T

• Increasing attacker strength leads to an increasing C_T

• To compensate for the negative effect (more false positives), the IDRS increases the audit rate or the number of detectors to reduce the false positive probability, at the expense of more energy consumption.


Model and Analysis


Parameters

• Input parameters:– , , , , , , ,

• Derived parameters:– , , ,


Parameterization


System-level IDS: and

The and depend strongly on the attacker behavior:
– Persistent attacker
– Random attacker
– Insidious attacker


– Persistent attacker:
– Random attacker:
– Insidious attacker: else,


Calculation of

The first summation aggregates the probability of a false negative stemming from selecting a majority of active bad nodes.

The second summation aggregates the probability of a false negative stemming from selecting a minority of nodes from the set of active bad nodes which always cast incorrect votes.
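The two summations described above can be written out for a generic m-detector majority vote. The code below is an added example by the editor, not code from the slides or from the Mitchell/Chen paper. It assumes that the m detectors are drawn uniformly without replacement from the target's neighbours (n_good good nodes and n_bad active bad nodes), that an active bad detector always casts an incorrect vote, that a good detector errs independently with its per-host probability (the false negative probability when judging a bad target, the false positive probability when judging a good one), and that a tie counts as a wrong verdict. The function names and the sample environment are the editor's own.

```python
"""System-level majority-vote error probability for an m-detector IDS.

Added example (editor's code, not the slides' or the paper's).
Assumptions, labelled here because the slides do not spell them out:
  * the m detectors are drawn uniformly without replacement from the
    target's neighbours: n_good good nodes and n_bad active bad nodes;
  * an active bad detector always casts an incorrect vote;
  * a good detector errs independently with per-host probability
    p_host (p_fn when judging a bad target, p_fp when judging a good one);
  * the verdict is wrong when at least ceil(m/2) votes are wrong,
    so a tie counts as wrong (use odd m to avoid ties).
"""
from math import comb


def hypergeom_pmf(n_bad, n_good, m, i):
    """P(exactly i of the m selected detectors are bad nodes)."""
    total = n_bad + n_good
    if m > total or i < 0 or i > n_bad or m - i > n_good:
        return 0.0
    return comb(n_bad, i) * comb(n_good, m - i) / comb(total, m)


def binom_tail(n, k, p):
    """P(at least k of n independent good detectors err, each w.p. p)."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def system_error_prob(n_good, n_bad, m, p_host):
    """System-level probability of a wrong majority verdict.

    First sum: a majority of the selected detectors are bad, so the
    verdict is wrong no matter how the good detectors vote.
    Second sum: a minority i of the detectors are bad, and at least
    majority - i of the m - i good detectors must also err.
    """
    majority = (m + 1) // 2  # ceil(m/2)
    first = 0.0
    second = 0.0
    for i in range(0, m + 1):
        p_i = hypergeom_pmf(n_bad, n_good, m, i)
        if p_i == 0.0:
            continue
        if i >= majority:
            first += p_i
        else:
            second += p_i * binom_tail(m - i, majority - i, p_host)
    return first + second


def sweep_detectors(n_good, n_bad, p_fp, p_fn, ms):
    """Map each detector count m to (system P_fp, system P_fn).

    Energy cost grows with m (every selected detector audits), so m is
    the knob the IDRS trades against intrusion tolerance.
    """
    return {m: (system_error_prob(n_good, n_bad, m, p_fp),
                system_error_prob(n_good, n_bad, m, p_fn)) for m in ms}


if __name__ == "__main__":
    # Constructed sample environment: 10 good neighbours, 2 active bad
    # nodes, per-host false positive 0.05 and false negative 0.10.
    for m, (fp, fn) in sweep_detectors(10, 2, 0.05, 0.10, (1, 3, 5, 7)).items():
        print(f"m={m}: system P_fp={fp:.4f}  system P_fn={fn:.4f}")
```

While bad nodes are a minority of the neighbourhood, both system-level error probabilities fall quickly as m grows, which is the energy-versus-tolerance trade-off the slides describe. Once bad nodes form a majority of the neighbourhood, the first summation dominates and adding detectors only makes a wrong verdict more likely, consistent with the one-third Byzantine bound stated under Security Failure.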


• Persistent attacks:

• Random attacks:

• Insidious attacks:

(Using the same minimum )

The is the one in the all-in attack period.


(Here we introduce a dynamic IDS response which….)

• Dynamic IDS response with the goal of maximizing the system lifetime.

• Attacker strength: based on the observation during , is compared with

• : represents the attacker strength at time t.



A simple yet efficient IDS response design

• When the attacker strength is high, we raise C_T so as to remove the active attackers from the system quickly.

• When there is little attacker evidence, we lower C_T so we may quickly decrease the probability of a good node being misidentified as a bad node.

So it will prevent ……

linear one-to-one mapping function :


1 , A node ?

A large induces a small per-host false negative probability at the expense of……


Here a node spends energy to transmit a CDMA waveform. Each of its neighbors spends energy to receive the waveform and energy to transform it into a distance. This operation is repeated times to determine a sequence of locations.


Numerical Data


Effect of Intrusion Detection Strength


Effect of Attacker Behavior


Effect of Intrusion Response


Future Work

• investigating other intrusion detection criteria (accumulation of deviation)

• investigating other intrusion response criteria

• exploring other attack behavior models

• developing a more elaborate model to describe the relationship between intrusion responses and attacker behaviors