Identifying Vulnerabilities of Industrial Control Systems using Evolutionary Multiobjective Optimisation

In this paper we propose a novel methodology to assist in identifying vulnerabilities in a real-world complex heterogeneous industrial control systems (ICS) using two evolutionary multiobjective optimisation (EMO) algorithms, NSGA-II and SPEA2. Our approach is evaluated on a well known benchmark chemical plant simulator, the Tennessee Eastman (TE) process model. We identified vulnerabilities in individual components of the TE model and then made use of these to generate combinatorial attacks to damage the safety of the system, and to cause economic loss. Results were compared against random attacks, and the performance of the EMO algorithms were evaluated using hypervolume, spread and inverted generational distance (IGD) metrics. A defence against these attacks in the form of a novel intrusion detection system was developed, using a number of machine learning algorithms. Designed approach was further tested against the developed detection methods. Results demonstrate that EMO algorithms are a promising tool in the identification of the most vulnerable components of ICS, and weaknesses of any existing detection systems in place to protect the system. The proposed approach can be used by control and security engineers to design security aware control, and test the effectiveness of security mechanisms, both during design, and later during system operation.Comment: 25 page

Identifying vulnerabilities of industrial control systems using evolutionary multiobjective optimisation

In this paper, we propose a novel methodology to assist in identifying vulnerabilities in real-world complex heterogeneous industrial control systems (ICS) using two Evolutionary Multiobjective Optimisation (EMO) algorithms, NSGA-II and SPEA2. Our approach is evaluated on a well-known benchmark chemical plant simulator, the Tennessee Eastman (TE) process model. We identified vulnerabilities in individual components of the TE model and then made use of these vulnerabilities to generate combinatorial attacks. The generated attacks were aimed at compromising the safety of the system and inflicting economic loss. Results were compared against random attacks, and the performance of the EMO algorithms was evaluated using hypervolume, spread, and inverted generational distance (IGD) metrics. A defence against these attacks in the form of a novel intrusion detection system was developed, using machine learning algorithms. The designed approach was further tested against the developed detection methods. The obtained results demonstrate that the developed EMO approach is a promising tool in the identification of the vulnerable components of ICS, and weaknesses of any existing detection systems in place to protect the system. The proposed approach can serve as a proactive defense tool for control and security engineers to identify and prioritise vulnerabilities in the system. The approach can be employed to design resilient control strategies and test the effectiveness of security mechanisms, both in the design stage and during the operational phase of the system

Optimization of parameters for binary genetic algorithms.

In the GA framework, a species or population is a collection of individuals or chromosomes, usually initially generated randomly. A predefined fitness function guides selection while operators like crossover and mutation are used probabilistically in order to emulate reproduction.Genetic Algorithms (GAs) belong to the field of evolutionary computation which is inspired by biological evolution. From an engineering perspective, a GA is an heuristic tool that can approximately solve problems in which the search space is huge in the sense that an exhaustive search is not tractable. The appeal of GAs is that they can be parallelized and can give us "good" solutions to hard problems.One of the difficulties in working with GAs is choosing the parameters---the population size, the crossover and mutation probabilities, the number of generations, the selection mechanism, the fitness function---appropriate to solve a particular problem. Besides the difficulty of the application problem to be solved, an additional difficulty arises because the quality of the solution found, or the sum total of computational resources required to find it, depends on the selection of the parameters of the GA; that is, finding a correct fitness function and appropriate operators and other parameters to solve a problem with GAs is itself a difficult problem. The contributions of this dissertation, then, are: to show that there is not a linear correlation between diversity in the initial population and the performance of GAs; to show that fitness functions that use information from the problem itself are better than fitness functions that need external tuning; and to propose a relationship between selection pressure and the probabilities of crossover and mutation that improve the performance of GAs in the context of of two extreme schema: small schema, where the building block in consideration is small (each bit individually can be considered as part of the general solution), and long schema, where the building block in consideration is long (a set of interrelated bits conform part of the general solution).Theoretical and practical problems like the one-max problem and the intrusion detection problem (considered as problems with small schema) and the snake-in-the-box problem (considered as a problem with long schema) are tested under the specific hypotheses of the Dissertation.The Dissertation proposes three general hypotheses. The first one, in an attempt to measure the impact of the input over the output, study that there is not a linear correlation between diversity in the initial population and performance of GAs. The second one, proposes the use of parameters that belong to the problem itself to joint objective and constraint in fitness functions, and the third one use Holland's Schema Theorem for finding an interrelation between selection pressure and the probabilities of crossover and mutation that, if obeyed, is expected to result in better performance of the GA in terms of the solution quality found within a given number of generations and/or the number of generations to find a solution of a given quality than if the interrelation is not obeyed

Improved off-line intrusion detection using a Genetic Algorithm

Uno de los enfoques principales para el problema cada vez más importante de la seguridad informática es el sistema de detección de intrusiones. Se han propuesto varias arquitecturas y enfoques, entre ellos: enfoques estadísticos basados ​​en reglas; Redes neuronales; Sistema inmune; Algoritmos genéticos; y programación genética. Este documento se centra en el desarrollo de un sistema de detección de intrusiones fuera de línea para analizar un archivo de seguimiento de auditoría de Sun. La detección de intrusiones fuera de línea se puede lograr mediante la búsqueda de registros de seguimiento de auditoría de las actividades del usuario en busca de coincidencias con los patrones de eventos necesarios para ataques conocidos. Dado que dicha búsqueda es NP-completa, será necesario emplear métodos heurísticos a medida que crezcan las bases de datos de eventos y ataques. Los algoritmos genéticos pueden proporcionar métodos de búsqueda heurísticos apropiados. Sin embargo, equilibrar la necesidad de detectar todos los posibles ataques que se encuentran en una pista de auditoría con la necesidad de evitar falsos positivos (advertencias de ataques que no existen) es un desafío, dados los valores de aptitud escalar que requieren los algoritmos genéticos. Este estudio analiza una función de aptitud independiente de los parámetros variables para superar este problema. Esta función de aptitud permite que el IDS reduzca significativamente su tasa de falsos positivos y falsos negativos. Este documento también describe la extensión del sistema para tener en cuenta la posibilidad de que las intrusiones sean mutuamente excluyentes o no mutuamente excluyentes.https://www.scitepress.org/Link.aspx?doi=10.5220/0002553100660073One of the primary approaches to the increasingly important problem of computer security is the Intrusion Detection System. Various architectures and approaches have been proposed including: Statistical, rule-based approaches; Neural Networks; Immune Systems; Genetic Algorithms; and Genetic Programming. This paper focuses on the development of an off-line Intrusion Detection System to analyze a Sun audit trail file. Off-line intrusion detection can be accomplished by searching audit trail logs of user activities for matches to patterns of events required for known attacks. Because such search is NP-complete, heuristic methods will need to be employed as databases of events and attacks grow. Genetic Algorithms can provide appropriate heuristic search methods. However, balancing the need to detect all possible attacks found in an audit trail with the need to avoid false positives (warnings of attacks that do not exist) is a challenge, given the scalar fitness values required by Genetic Algorithms. This study discusses a fitness function independent of variable parameters to overcome this problem. This fitness function allows the IDS to significantly reduce both its false positive and false negative rate. This paper also describes extending the system to account for the possibility that intrusions are either mutually exclusive or not mutually exclusive

Improved off-line intrusion detection using a genetic algorithm

Abstract: One of the primary approaches to the increasingly important problem of computer security is the Intrusion Detection System. Various architectures and approaches have been proposed including: Statistical, rule-base