330 research outputs found
A Frequency Hopping Method to Detect Replay Attacks
The application of information technology in network control systems introduces potential threats to future industrial control systems. Malicious attacks undermine the security of network control systems, which could cause a huge economic loss. This thesis studies a particular cyber attack called the replay attack, which is motivated by the Stuxnet worm allegedly used against the nuclear facilities in Iran. For the replay attack, this thesis injects a narrow-band signal into the control signal and adopts the spectrum estimation approach to test the estimation residue. In order to protect the information of the injected signal from being known by attackers, frequency hopping technology is employed to encrypt the frequency of the narrow-band signal. The detection method proposed in the thesis is illustrated and examined by simulation studies, and it shows a good detection rate and security.
Set-based replay attack detection in closed-loop systems using a plug & play watermarking approach
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This paper presents a watermarking signal injection method that compensates its effect in the loop, thus avoiding the signal reinjection. Similar to a virtual actuator scheme, the proposed methodology masks the presence of the authentication signal to the system controller, which does not need to be retuned as it remains immunized. Furthermore, a set-based analysis concerning the effect that the performance loss imposed by a watermarking signal has in the detectability of a replay attack is performed for the stationary, assuming that a standard state observer is used in order to monitor the plant. Finally, a numerical application example is used to illustrate the proposed approach. This work has been partially funded by the Spanish State Research Agency (AEI) and the European Regional Development Fund (ERFD) through the projects SCAV (ref. MINECO DPI2017-88403-R) and DEOCS (ref. MINECO DPI2016-76493) and AGAUR ACCIO RIS3CAT UTILITIES4.0 – P7 SECUTIL. This work has been also supported by the AEI through the Maria de Maeztu Seal of Excellence to IRI (MDM-2016-0656). Peer Reviewed. Postprint (author's final draft)
Detection of replay attacks in cyber-physical systems using a frequency-based signature
This paper proposes a frequency-based approach for the detection of replay attacks affecting cyber-physical systems (CPS). In particular, the method employs a sinusoidal signal with a time-varying frequency (authentication signal) into the closed-loop system and checks whether the time profile of the frequency components in the output signal is compatible with the authentication signal or not. In order to carry out this target, the couplings between inputs and outputs are eliminated using a dynamic decoupling technique based on vector fitting. In this way, a signature introduced on a specific input channel will affect only the output that is selected to be associated with that input, which is a property that can be exploited to determine which channels are being affected. A bank of band-pass filters is used to generate signals whose energies can be compared to reconstruct an estimation of the time-varying frequency profile. By matching the known frequency profile with its estimation, the detector can provide the information about whether a replay attack is being carried out or not. The design of the signal generator and the detector are thoroughly discussed, and an example based on a quadruple-tank process is used to show the application and effectiveness of the proposed method. Peer Reviewed. Postprint (author's final draft)
Detection of replay attacks in CPSs using observer-based signature compensation
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This paper presents a replay attack detection method that addresses the performance loss of watermarking-based approaches. The proposed method injects a sinusoidal signal that affects a subset, chosen at random, of the system outputs. The presence of the signal in each one of the outputs is estimated by means of independent observers and its effect is compensated in the control loop. When a system output is affected by a replay attack, the loss of feedback of the associated observer destabilizes the signal estimation, leading to an exponential increase of the estimation error up to a threshold, above which the estimated signal compensation in the control loop is disabled. This event triggers the detection of a replay attack over the output corresponding to the disrupted observer. The effectiveness of the method is demonstrated using results obtained with a quadruple-tank system simulator. Peer Reviewed. Postprint (author's final draft)
Learning-based attacks in cyber-physical systems
We introduce the problem of learning-based attacks in a simple abstraction of
cyber-physical systems---the case of a discrete-time, linear, time-invariant
plant that may be subject to an attack that overrides the sensor readings and
the controller actions. The attacker attempts to learn the dynamics of the
plant and subsequently override the controller's actuation signal, to destroy
the plant without being detected. The attacker can feed fictitious sensor
readings to the controller using its estimate of the plant dynamics and mimic
the legitimate plant operation. The controller, on the other hand, is
constantly on the lookout for an attack; once the controller detects an attack,
it immediately shuts the plant off. In the case of scalar plants, we derive an
upper bound on the attacker's deception probability for any measurable control
policy when the attacker uses an arbitrary learning algorithm to estimate the
system dynamics. We then derive lower bounds for the attacker's deception
probability for both scalar and vector plants by assuming a specific
authentication test that inspects the empirical variance of the system
disturbance. We also show how the controller can improve the security of the
system by superimposing a carefully crafted privacy-enhancing signal on top of
the "nominal control policy." Finally, for nonlinear scalar dynamics that
belong to the Reproducing Kernel Hilbert Space (RKHS), we investigate the
performance of attacks based on nonlinear Gaussian-processes (GP) learning
algorithms.
DoubleEcho: Mitigating Context-Manipulation Attacks in Copresence Verification
Copresence verification based on context can improve usability and strengthen
security of many authentication and access control systems. By sensing and
comparing their surroundings, two or more devices can tell whether they are
copresent and use this information to make access control decisions. To the
best of our knowledge, all context-based copresence verification mechanisms to
date are susceptible to context-manipulation attacks. In such attacks, a
distributed adversary replicates the same context at the (different) locations
of the victim devices, and induces them to believe that they are copresent. In
this paper we propose DoubleEcho, a context-based copresence verification
technique that leverages acoustic Room Impulse Response (RIR) to mitigate
context-manipulation attacks. In DoubleEcho, one device emits a wide-band
audible chirp and all participating devices record reflections of the chirp
from the surrounding environment. Since RIR is, by its very nature, dependent
on the physical surroundings, it constitutes a unique location signature that
is hard for an adversary to replicate. We evaluate DoubleEcho by collecting RIR
data with various mobile devices and in a range of different locations. We show
that DoubleEcho mitigates context-manipulation attacks whereas all other
approaches to date are entirely vulnerable to such attacks. DoubleEcho detects
copresence (or lack thereof) in roughly 2 seconds and works on commodity
devices.
Bibliographical review on cyber attacks from a control oriented perspective
This paper presents a bibliographical review of definitions, classifications and applications concerning cyber attacks in networked control systems (NCSs) and cyber-physical systems (CPSs). This review tackles the topic from a control-oriented perspective, which is complementary to information or communication ones. After motivating the importance of developing new methods for attack detection and secure control, this review presents security objectives, attack modeling, and a characterization of considered attacks and threats presenting the detection mechanisms and remedial actions. In order to show the properties of each attack, as well as to provide some deeper insight into possible defense mechanisms, examples available in the literature are discussed. Finally, open research issues and paths are presented. Peer Reviewed. Postprint (author's final draft)
Separability of State Trajectories and its Applications to Security of Cyber-Physical Systems
This article studies a fundamental problem of security of cyber-physical
systems (CPSs). We focus on a class of attacks where some of the actuators
could be malicious while all the sensors are considered to be honest. We
introduce a novel idea of separability of state trajectories that are generated
by the honest and corrupt actuators, and establish its connection to the
security of CPSs in the context of detecting the presence of malicious
actuators (if any) in the system. As a defense strategy to guard the CPS
against malicious attacks, we focus on the mechanism of perturbing the
pre-determined control action by injecting a certain class of random process by
the honest actuators called private excitation, which is assumed to have a
known distribution. As primary contributions we give sufficient conditions for
the existence and non-existence of a separator for linear time-invariant
stochastic systems, under the assumption that the policies are
randomized-Markovian and randomized history dependent. Several technical
aspects of the established results are discussed extensively. Comment: 26 pages