8,456 research outputs found
No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems
In recent years, a number of process-based anomaly detection schemes for
Industrial Control Systems were proposed. In this work, we provide the first
systematic analysis of such schemes, and introduce a taxonomy of properties
that are verified by those detection systems. We then present a novel general
framework to generate adversarial spoofing signals that violate physical
properties of the system, and use the framework to analyze four anomaly
detectors published at top security conferences. We find that three of those
detectors are susceptible to a number of adversarial manipulations (e.g.,
spoofing with precomputed patterns), which we call Synthetic Sensor Spoofing
and one is resilient against our attacks. We investigate the root of its
resilience and demonstrate that it comes from the properties that we
introduced. Our attacks reduce the Recall (True Positive Rate) of the attacked
schemes making them not able to correctly detect anomalies. Thus, the
vulnerabilities we discovered in the anomaly detectors show that (despite an
original good detection performance), those detectors are not able to reliably
learn physical properties of the system. Even attacks that prior work was
expected to be resilient against (based on verified properties) were found to
be successful. We argue that our findings demonstrate the need for both more
complete attacks in datasets, and more critical analysis of process-based
anomaly detectors. We plan to release our implementation as open-source,
together with an extension of two public datasets with a set of Synthetic
Sensor Spoofing attacks as generated by our framework
Unsupervised Anomaly-based Malware Detection using Hardware Features
Recent works have shown promise in using microarchitectural execution
patterns to detect malware programs. These detectors belong to a class of
detectors known as signature-based detectors as they catch malware by comparing
a program's execution pattern (signature) to execution patterns of known
malware programs. In this work, we propose a new class of detectors -
anomaly-based hardware malware detectors - that do not require signatures for
malware detection, and thus can catch a wider range of malware including
potentially novel ones. We use unsupervised machine learning to build profiles
of normal program execution based on data from performance counters, and use
these profiles to detect significant deviations in program behavior that occur
as a result of malware exploitation. We show that real-world exploitation of
popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can
be detected with nearly perfect certainty. We also examine the limits and
challenges in implementing this approach in face of a sophisticated adversary
attempting to evade anomaly-based detection. The proposed detector is
complementary to previously proposed signature-based detectors and can be used
together to improve security.Comment: 1 page, Latex; added description for feature selection in Section 4,
results unchange
Deep Predictive Coding Neural Network for RF Anomaly Detection in Wireless Networks
Intrusion detection has become one of the most critical tasks in a wireless
network to prevent service outages that can take long to fix. The sheer variety
of anomalous events necessitates adopting cognitive anomaly detection methods
instead of the traditional signature-based detection techniques. This paper
proposes an anomaly detection methodology for wireless systems that is based on
monitoring and analyzing radio frequency (RF) spectrum activities. Our
detection technique leverages an existing solution for the video prediction
problem, and uses it on image sequences generated from monitoring the wireless
spectrum. The deep predictive coding network is trained with images
corresponding to the normal behavior of the system, and whenever there is an
anomaly, its detection is triggered by the deviation between the actual and
predicted behavior. For our analysis, we use the images generated from the
time-frequency spectrograms and spectral correlation functions of the received
RF signal. We test our technique on a dataset which contains anomalies such as
jamming, chirping of transmitters, spectrum hijacking, and node failure, and
evaluate its performance using standard classifier metrics: detection ratio,
and false alarm rate. Simulation results demonstrate that the proposed
methodology effectively detects many unforeseen anomalous events in real time.
We discuss the applications, which encompass industrial IoT, autonomous vehicle
control and mission-critical communications services.Comment: 7 pages, 7 figures, Communications Workshop ICC'1
- …