4 research outputs found

    On the Formal Semantics of the Cognitive Middleware AWDRAT

    The purpose of this work is twofold: on one hand, we want to formalize the behavior of critical components of the self-generating and adapting cognitive middleware AWDRAT, such that the formalism not only helps to understand the semantics and technical details of the middleware but also opens an opportunity to extend the middleware to support other complex application domains of cybersecurity; on the other hand, the formalism serves as a prerequisite for our proof of the behavioral correctness of the critical components, to ensure the safety of the middleware itself. However, here we focus only on the core and critical component of the middleware, i.e. the Execution Monitor, which is a part of the module "Architectural Differencer" of AWDRAT. The role of the execution monitor is to identify inconsistencies between run-time observations of the target system and predictions of the System Architectural Model. Therefore, to achieve this goal, we first define the formal (denotational) semantics of the observations (run-time events) and predictions (executable specifications as in the System Architectural Model); then, based on the aforementioned formal semantics, we formalize the behavior of the "Execution Monitor" of the middleware.

    Sound and Complete Runtime Security Monitor for Application Software

    Conventional approaches for ensuring the security of application software at run-time, through monitoring, either produce (high rates of) false alarms (e.g. intrusion detection systems) or limit application performance (e.g. run-time verification). We present a runtime security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled in the application specification. This is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure (e.g. the language runtime system, libraries and operating system). This runtime security monitor is sound and complete, eliminating false alarms, as well as efficient, so that it does not limit runtime application performance and so that it supports real-time systems. The security monitor takes as input the application specification and the application implementation, which may be expressed in different languages. The specification language of the application software is formalized based on monadic second-order logic and event calculus interpreted over algebraic data structures. This language allows us to express the behavior of an application at any desired (and practical) level of abstraction as well as with a high degree of modularity. The security monitor detects every attack by systematically comparing the application execution and specification behaviors at runtime, even though they operate at two different levels of abstraction. We define the denotational semantics of the specification language and prove that the monitor is sound and complete. Furthermore, the monitor is efficient because of the modular application specification at appropriate level(s) of abstraction.

    ARMET: behavior-based secure and resilient industrial control systems

    In this paper, we introduce a design methodology to develop reliable and secure industrial control systems (ICSs) based on the behavior of their computational resources (i.e., process/application) and underlying physical resources (e.g., the controlled plant). The methodology has three independent, but complementary, components that employ novel approaches and techniques in the design of reliable and secure ICSs. First, we introduce reliable-and-secure-by-design development of secure industrial control applications through stepwise sound refinement of an executable specification, employing deductive synthesis to enforce functional and nonfunctional (e.g., security and safety) properties of ICS applications. Second, we present a runtime security monitor at the middleware level of ICSs that protects ICS operation in the field through comparison of the application execution and the application specification execution in real time; the runtime security monitor can be synthesized from the executable specification. Finally, based on the specification, we perform a vulnerability analysis for false data injection (FDI) attacks, which leads to ICS application designs that are resilient to this type of attack. We demonstrate the methodology through its application to a basic and typical ICS example application, describing all the tools used and ARMET, the middleware monitor that constitutes the core component of the methodology.

    Securing industrial cyber-physical systems: A run-time multi-layer monitoring

    Industrial Cyber-Physical Systems (ICPSs) are widely deployed in the monitoring and control of the nation's critical industrial processes, such as water distribution networks and power grids. ICPSs are the tight integration of cyber (software) and physical entities connected via communication networks. Communication networks are typically realised via wireless channels to reduce the cost of wires and installation. However, they are also inherently unreliable and easy to disrupt and subvert, which makes them a potential target for cyber attacks. The failure of communication can cause data loss or delays, which can compromise system functionality and have catastrophic consequences due to the strict real-time requirements of ICPSs. Current run-time security monitors protect ICPSs either at the communication level (through network intrusion monitors) or at the application level (through threat detection monitors). Such monitors are layer-specific and thus fail to detect advanced threats arising from multi-layer disruption. In this paper, we present a multi-layer run-time security monitor that can detect discrepancies caused by interdependent application- and communication-layer attacks and prevent their propagation into the system's control loops. We demonstrate the effectiveness of the approach via an example of an ICPS used for the control and monitoring of a water distribution network.