Enforcing current-state opacity through shuffle in event observations

Opacity is a property that ensures that a secret behavior of the system is kept hidden from an Intruder. In this work, we deal with current-state opacity, and propose an Opacity-Enforcer that is able to change, in an appropriate way, the order of observation in the event occurrences in the system, so as to mislead the Intruder to always wrongly estimate at least one non-secret state. A necessary and sufficient condition for the feasibility of the Opacity-Enforcer synthesis is presented and also two algorithms to build the automaton that realizes such an enforcement.Opacidade é uma propriedade que garante que qualquer comportamento secreto do sistema permaneça escondido de um Intruso. Neste trabalho será considerado o problema da opacidade de estado atual e será proposto um Forçador de Opacidade capaz de permutar adequadamente a ordem de observação dos eventos ocorridos no sistema, de tal forma que o Intruso seja enganado e sempre estime, erroneamente, pelo menos um estado não secreto. Condições necessárias e suficientes para a síntese do Forçador de Opacidade são propostas a fim de que a mesma seja factível e são também apresentados dois algoritmos para construção do autômato que implementa a estratégia usada pelo Forçador de Opacidade

Compositional and Abstraction-Based Approach for Synthesis of Edit Functions for Opacity Enforcement

This paper develops a novel compositional and abstraction-based approach to synthesize edit functions for opacity enforcement in modular discrete event systems. Edit functions alter the output of the system by erasing or inserting events in order to obfuscate the outside intruder, whose goal is to infer the secrets of the system from its observation. We synthesize edit functions to solve the opacity enforcement problem in a modular setting, which significantly reduces the computational complexity compared with the monolithic approach. Two abstraction methods called opaque observation equivalence and opaque bisimulation are first employed to abstract the individual components of the modular system and their observers. Subsequently, we propose a method to transform the synthesis of edit functions to the calculation of modular supremal nonblocking supervisors. We show that the edit functions synthesized in this manner correctly solve the opacity enforcement problem

From Security Enforcement to Supervisory Control in Discrete Event Systems: Qualitative and Quantitative Analyses

Cyber-physical systems are technological systems that involve physical components that are monitored and controlled by multiple computational units that exchange information through a communication network. Examples of cyber-physical systems arise in transportation, power, smart manufacturing, and other classes of systems that have a large degree of automation. Analysis and control of cyber-physical systems is an active area of research. The increasing demands for safety, security and performance improvement of cyber-physical systems put stringent constraints on their design and necessitate the use of formal model-based methods to synthesize control strategies that provably enforce required properties. This dissertation focuses on the higher level control logic in cyber-physical systems using the framework of discrete event systems. It tackles two classes of problems for discrete event systems. The first class of problems is related to system security. This problem is formulated in terms of the information flow property of opacity. In this part of the dissertation, an interface-based approach called insertion/edit function is developed to enforce opacity under the potential inference of malicious intruders that may or may not know the implementation of the insertion/edit function. The focus is the synthesis of insertion/edit functions that solve the opacity enforcement problem in the framework of qualitative and quantitative games on finite graphs. The second problem treated in the dissertation is that of performance optimization in the context of supervisory control under partial observation. This problem is transformed to a two-player quantitative game and an information structure where the game is played is constructed. A novel approach to synthesize supervisors by solving the game is developed. The main contributions of this dissertation are grouped into the following five categories. (i) The transformation of the formulated opacity enforcement and supervisory control problems to games on finite graphs provides a systematic way of performing worst case analysis in design of discrete event systems. (ii) These games have state spaces that are as compact as possible using the notion of information states in each corresponding problem. (iii) A formal model-based approach is employed in the entire dissertation, which results in provably correct solutions. (iv) The approaches developed in this dissertation reveal the interconnection between control theory and formal methods. (v) The results in this dissertation are applicable to many types of cyber-physical systems with security-critical and performance-aware requirements.PHDElectrical and Computer EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/150002/1/jiyiding_1.pd

Reduced-Complexity Verification for K-Step and Infinite-Step Opacity in Discrete Event Systems

Opacity is a property that captures security concerns in cyber-physical systems and its verification plays a significant role. This paper investigates the verifications of K-step and infinite-step weak and strong opacity for partially observed nondeterministic finite state automata. K-step weak opacity is checked by constructing, for some states in the observer, appropriate state-trees, to propose a necessary and sufficient condition. Based on the relation between K-step weak and infinite-step weak opacity, a condition that determines when a system is not infinite-step weak opaque is presented. Regarding K-step and infinite-step strong opacity, we develop a secret-involved projected automaton, based on which we construct secret-unvisited state trees to derive a necessary and sufficient condition for K-step strong opacity. Furthermore, an algorithm is reported to compute a verifier that can be used to obtain a necessary and sufficient condition for infinite-step strong opacity. It is argued that, in some particular cases, the proposed methods achieve reduced complexity compared with the state of the art

Verification and Enforcement of Opacity Security Properties in Discrete Event Systems.

The need for stringent cybersecurity is becoming significant as computers and networks are integrated into every aspect of our lives. A recent trend in cybersecurity research is to formalize security notions and develop theoretical foundations for designing secure systems. In this dissertation, we address a security notion called opacity based on the control theory for Discrete Event Systems (DES). Opacity is an information-flow property that captures whether a given secret of the system can be inferred by intruders who passively observe the behavior of the system. Finite-state automata are used to capture the dynamics of computer systems that need to be rendered opaque with respect to a given secret. Under the observation of the intruder, the secret of the system is opaque if “whenever the secret has occurred, there exists another non-secret behavior that is observationally equivalent.” This research focuses on the analysis and the enforcement of four notions of opacity. First, we develop algorithms for verifying opacity notions under the attack model of a single intruder and that of multiple colluding intruders. We then consider the enforcement of opacity when the secret is not opaque. Specifically, we propose a novel enforcement mechanism based on event insertion to address opacity enforcement for a class of systems whose dynamics cannot be modified. An insertion function, placed at the output of the system, inserts fictitious observable events to the system’s output without interacting with the system. We develop a finite structure called the All-Insertion Structure (AIS) that enumerates all valid insertion functions. The AIS establishes a necessary and sufficient condition for the existence of a valid insertion function, and provides a structure to synthesize one insertion function. Furthermore, we introduce the maximum total cost and the maximum mean cost to quantify insertion functions. A condition for determining which cost objective to use is established. For each cost, we develop an algorithmic procedure for synthesizing an optimal insertion function from the AIS. Finally, our analysis and enforcement procedure is applied to ensuring location privacy in location-based services.PHDElectrical Engineering: SystemsUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/108905/1/ycwu_1.pd

Resilience Against Sensor Deception Attacks at the Supervisory Control Layer of Cyber-Physical Systems: A Discrete Event Systems Approach

Cyber-Physical Systems (CPS) are already ubiquitous in our society and include medical devices, (semi-)autonomous vehicles, and smart grids. However, their security aspects were only recently incorporated into their design process, mainly in response to catastrophic incidents caused by cyber-attacks on CPS. The Stuxnet attack that successfully damaged a nuclear facility, the Maroochy water breach that released millions of gallons of untreated water, the assault on power plants in Brazil that disrupted the distribution of energy in many cities, and the intrusion demonstration that stopped the engine of a 2014 Jeep Cherokee in the middle of a highway are examples of well-publicized cyber-attacks on CPS. There is now a critical need to provide techniques for analyzing the behavior of CPS while under attack and to synthesize attack-resilient CPS. In this dissertation, we address CPS under the influence of an important class of attacks called sensor deception attacks, in which an attacker hijacks sensor readings to inflict damage to CPS. The formalism of regular languages and their finite-state automata representations is used to capture the dynamics of CPS and their attackers, thereby allowing us to leverage the theory of supervisory control of discrete event systems to pose our investigations. First, we focus on developing a supervisory control framework under sensor deception attacks. We focus on two questions: (1) Can we automatically find sensor deception attacks that damage a given CPS? and (2) Can we design a secure-by-construction CPS against sensor deception attacks? Answering these two questions is the main contribution of this dissertation. In the first part of the dissertation, using techniques from the fields of graph games and Markov decision processes, we develop algorithms for synthesizing sensor deception attacks in both qualitative and quantitative settings. Graph games provide the means of synthesizing sensor deception attacks that might damage the given CPS. In a second step, equipped with stochastic information about the CPS, we can leverage Markov decision processes to synthesize attacks with the highest likelihood of damage. In the second part of the dissertation, we tackle the problem of designing secure-by-construction CPS. We provide two different methodologies to design such CPS, in which there exists a trade-off between flexibility on selecting different designs and computational complexity of the methods. The first method is developed based on supervisory control theory, and it provides a computationally efficient way of designing secure CPS. Alternatively, a graph-game method is presented as a second solution for this investigated problem. The graph-game method grants flexible selection of the CPS at the cost of computational complexity. The first method finds one robust supervisor, whereas the second method provides a structure in which all robust supervisors are included. Overall, this dissertation provides a comprehensive set of algorithmic techniques to analyze and mitigate sensor deception attacks at the supervisory layer of cyber-physical control systems.PHDElectrical and Computer EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/166117/1/romulo_1.pd

Digital watermarking and novel security devices

EThOS - Electronic Theses Online ServiceGBUnited Kingdo