Intrusion Detection for Cyber-Physical Attacks in Cyber-Manufacturing System

In the vision of Cyber-Manufacturing System (CMS) , the physical components such as products, machines, and tools are connected, identifiable and can communicate via the industrial network and the Internet. This integration of connectivity enables manufacturing systems access to computational resources, such as cloud computing, digital twin, and blockchain. The connected manufacturing systems are expected to be more efficient, sustainable and cost-effective. However, the extensive connectivity also increases the vulnerability of physical components. The attack surface of a connected manufacturing environment is greatly enlarged. Machines, products and tools could be targeted by cyber-physical attacks via the network. Among many emerging security concerns, this research focuses on the intrusion detection of cyber-physical attacks. The Intrusion Detection System (IDS) is used to monitor cyber-attacks in the computer security domain. For cyber-physical attacks, however, there is limited work. Currently, the IDS cannot effectively address cyber-physical attacks in manufacturing system: (i) the IDS takes time to reveal true alarms, sometimes over months; (ii) manufacturing production life-cycle is shorter than the detection period, which can cause physical consequences such as defective products and equipment damage; (iii) the increasing complexity of network will also make the detection period even longer. This gap leaves the cyber-physical attacks in manufacturing to cause issues like over-wearing, breakage, defects or any other changes that the original design didn’t intend. A review on the history of cyber-physical attacks, and available detection methods are presented. The detection methods are reviewed in terms of intrusion detection algorithms, and alert correlation methods. The attacks are further broken down into a taxonomy covering four dimensions with over thirty attack scenarios to comprehensively study and simulate cyber-physical attacks. A new intrusion detection and correlation method was proposed to address the cyber-physical attacks in CMS. The detection method incorporates IDS software in cyber domain and machine learning analysis in physical domain. The correlation relies on a new similarity-based cyber-physical alert correlation method. Four experimental case studies were used to validate the proposed method. Each case study focused on different aspects of correlation method performance. The experiments were conducted on a security-oriented manufacturing testbed established for this research at Syracuse University. The results showed the proposed intrusion detection and alert correlation method can effectively disclose unknown attack, known attack and attack interference that causes false alarms. In case study one, the alarm reduction rate reached 99.1%, with improvement of detection accuracy from 49.6% to 100%. The case studies also proved the proposed method can mitigate false alarms, detect attacks on multiple machines, and attacks from the supply chain. This work contributes to the security domain in cyber-physical manufacturing systems, with the focus on intrusion detection. The dataset collected during the experiments has been shared with the research community. The alert correlation methodology also contributes to cyber-physical systems, such as smart grid and connected vehicles, which requires enhanced security protection in today’s connected world

Defending Against Adversarial Attacks in Transmission- and Distribution-level PMU Data

Phasor measurement units (PMUs) provide high-fidelity data that improve situation awareness of electric power grid operations. PMU datastreams inform wide-area state estimation, monitor area control error, and facilitate event detection in real time. As PMU data become more available and increasingly reliable, these devices are found in new roles within control systems, such as remedial action schemes and early warning detection systems. As with other cyber physical systems, maintaining data integrity and security pose a significant challenge for power system operators. In this paper, we present a comprehensive analysis of multiple machine learning techniques to detect malicious data injection within PMU data streams. The two datasets used in this study come from two PMU networks: an inter-university, research-grade distribution network spanning three institutions in the U.S. Pacific Northwest, and a utility transmission network from the Bonneville Power Administration. We implement the detection algorithms with TensorFlow, an open-source software library for machine learning, and the results demonstrate potential for distributing the training workload and achieving higher performance, while maintaining effectiveness in the detection of spoofed data.Comment: 9 pages, 2 figure

Forensics Based SDN in Data Centers

Recently, most data centers have adopted for Software-Defined Network (SDN) architecture to meet the demands for scalability and cost-efficient computer networks. SDN controller separates the data plane and control plane and implements instructions instead of protocols, which improves the Quality of Services (QoS) , enhances energy efficiency and protection mechanisms . However, such centralizations present an opportunity for attackers to utilize the controller of the network and master the entire network devices, which makes it vulnerable. Recent studies efforts have attempted to address the security issue with minimal consideration to the forensics aspects. Based on this, the research will focus on the forensic issue on the SDN network of data center environments. There are diverse approaches to accurately identify the various possible threats to protect the network. For this reason, deep learning approach will used to detect DDoS attacks, which is regarded as the most proper approach for detection of threat. Therefore, the proposed network consists of mobile nodes, head controller, detection engine, domain controller, source controller, Gateway and cloud center. The first stage of the attack is analyzed as serious, where the process includes recording the traffic as criminal evidence to track the criminal, add the IP source of the packet to blacklist and block all packets from this source and eliminate all packets. The second stage not-serious, which includes blocking all packets from the source node for this session, or the non-malicious packets are transmitted using the proposed protocol. This study is evaluated in OMNET ++ environment as a simulation and showed successful results than the existing approaches

Security of Internet of Things (IoT) Using Federated Learning and Deep Learning — Recent Advancements, Issues and Prospects

There is a great demand for an efficient security framework which can secure IoT systems from potential adversarial attacks. However, it is challenging to design a suitable security model for IoT considering the dynamic and distributed nature of IoT. This motivates the researchers to focus more on investigating the role of machine learning (ML) in the designing of security models. A brief analysis of different ML algorithms for IoT security is discussed along with the advantages and limitations of ML algorithms. Existing studies state that ML algorithms suffer from the problem of high computational overhead and risk of privacy leakage. In this context, this review focuses on the implementation of federated learning (FL) and deep learning (DL) algorithms for IoT security. Unlike conventional ML techniques, FL models can maintain the privacy of data while sharing information with other systems. The study suggests that FL can overcome the drawbacks of conventional ML techniques in terms of maintaining the privacy of data while sharing information with other systems. The study discusses different models, overview, comparisons, and summarization of FL and DL-based techniques for IoT security

Comprehensive Security Framework for Global Threats Analysis

Cyber criminality activities are changing and becoming more and more professional. With the growth of financial flows through the Internet and the Information System (IS), new kinds of thread arise involving complex scenarios spread within multiple IS components. The IS information modeling and Behavioral Analysis are becoming new solutions to normalize the IS information and counter these new threads. This paper presents a framework which details the principal and necessary steps for monitoring an IS. We present the architecture of the framework, i.e. an ontology of activities carried out within an IS to model security information and User Behavioral analysis. The results of the performed experiments on real data show that the modeling is effective to reduce the amount of events by 91%. The User Behavioral Analysis on uniform modeled data is also effective, detecting more than 80% of legitimate actions of attack scenarios