5,578 research outputs found
Statistical Approach to Detection of Attacks for Stochastic Cyber-Physical Systems
We study the problem of detecting an attack on a stochastic cyber-physical
system. We aim to treat the problem in its most general form. We start by
introducing the notion of asymptotically detectable attacks, as those attacks
introducing changes to the system's output statistics which persist
asymptotically. We then provide a necessary and sufficient condition for
asymptotic detectability. This condition preserves generality as it holds under
no restrictive assumption on the system and attacking scheme. To show the
importance of this condition, we apply it to detect certain attacking schemes
which are undetectable using simple statistics. Our necessary and sufficient
condition naturally leads to an algorithm which gives a confidence level for
attack detection. We present simulation results to illustrate the performance
of this algorithm
Malware in the Future? Forecasting of Analyst Detection of Cyber Events
There have been extensive efforts in government, academia, and industry to
anticipate, forecast, and mitigate cyber attacks. A common approach is
time-series forecasting of cyber attacks based on data from network telescopes,
honeypots, and automated intrusion detection/prevention systems. This research
has uncovered key insights such as systematicity in cyber attacks. Here, we
propose an alternate perspective of this problem by performing forecasting of
attacks that are analyst-detected and -verified occurrences of malware. We call
these instances of malware cyber event data. Specifically, our dataset was
analyst-detected incidents from a large operational Computer Security Service
Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on
automated systems. Our data set consists of weekly counts of cyber events over
approximately seven years. Since all cyber events were validated by analysts,
our dataset is unlikely to have false positives which are often endemic in
other sources of data. Further, the higher-quality data could be used for a
number for resource allocation, estimation of security resources, and the
development of effective risk-management strategies. We used a Bayesian State
Space Model for forecasting and found that events one week ahead could be
predicted. To quantify bursts, we used a Markov model. Our findings of
systematicity in analyst-detected cyber attacks are consistent with previous
work using other sources. The advanced information provided by a forecast may
help with threat awareness by providing a probable value and range for future
cyber events one week ahead. Other potential applications for cyber event
forecasting include proactive allocation of resources and capabilities for
cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs.
Enhanced threat awareness may improve cybersecurity.Comment: Revised version resubmitted to journa
Centralized Versus Decentralized Detection of Attacks in Stochastic Interconnected Systems
We consider a security problem for interconnected systems governed by linear,
discrete, time-invariant, stochastic dynamics, where the objective is to detect
exogenous attacks by processing the measurements at different locations. We
consider two classes of detectors, namely centralized and decentralized
detectors, which differ primarily in their knowledge of the system model. In
particular, a decentralized detector has a model of the dynamics of the
isolated subsystems, but is unaware of the interconnection signals that are
exchanged among subsystems. Instead, a centralized detector has a model of the
entire dynamical system. We characterize the performance of the two detectors
and show that, depending on the system and attack parameters, each of the
detectors can outperform the other. In particular, it may be possible for the
decentralized detector to outperform its centralized counterpart, despite
having less information about the system dynamics, and this surprising property
is due to the nature of the considered attack detection problem. To complement
our results on the detection of attacks, we propose and solve an optimization
problem to design attacks that maximally degrade the system performance while
maintaining a pre-specified degree of detectability. Finally, we validate our
findings via numerical studies on an electric power system.Comment: Submitted to IEEE Transactions on Automatic Control (TAC
Characterization of Model-Based Detectors for CPS Sensor Faults/Attacks
A vector-valued model-based cumulative sum (CUSUM) procedure is proposed for
identifying faulty/falsified sensor measurements. First, given the system
dynamics, we derive tools for tuning the CUSUM procedure in the fault/attack
free case to fulfill a desired detection performance (in terms of false alarm
rate). We use the widely-used chi-squared fault/attack detection procedure as a
benchmark to compare the performance of the CUSUM. In particular, we
characterize the state degradation that a class of attacks can induce to the
system while enforcing that the detectors (CUSUM and chi-squared) do not raise
alarms. In doing so, we find the upper bound of state degradation that is
possible by an undetected attacker. We quantify the advantage of using a
dynamic detector (CUSUM), which leverages the history of the state, over a
static detector (chi-squared) which uses a single measurement at a time.
Simulations of a chemical reactor with heat exchanger are presented to
illustrate the performance of our tools.Comment: Submitted to IEEE Transactions on Control Systems Technolog
Learning-based attacks in cyber-physical systems
We introduce the problem of learning-based attacks in a simple abstraction of
cyber-physical systems---the case of a discrete-time, linear, time-invariant
plant that may be subject to an attack that overrides the sensor readings and
the controller actions. The attacker attempts to learn the dynamics of the
plant and subsequently override the controller's actuation signal, to destroy
the plant without being detected. The attacker can feed fictitious sensor
readings to the controller using its estimate of the plant dynamics and mimic
the legitimate plant operation. The controller, on the other hand, is
constantly on the lookout for an attack; once the controller detects an attack,
it immediately shuts the plant off. In the case of scalar plants, we derive an
upper bound on the attacker's deception probability for any measurable control
policy when the attacker uses an arbitrary learning algorithm to estimate the
system dynamics. We then derive lower bounds for the attacker's deception
probability for both scalar and vector plants by assuming a specific
authentication test that inspects the empirical variance of the system
disturbance. We also show how the controller can improve the security of the
system by superimposing a carefully crafted privacy-enhancing signal on top of
the "nominal control policy." Finally, for nonlinear scalar dynamics that
belong to the Reproducing Kernel Hilbert Space (RKHS), we investigate the
performance of attacks based on nonlinear Gaussian-processes (GP) learning
algorithms
- …