2,409 research outputs found
On Ladder Logic Bombs in Industrial Control Systems
In industrial control systems, devices such as Programmable Logic Controllers
(PLCs) are commonly used to directly interact with sensors and actuators, and
perform local automatic control. PLCs run software on two different layers: a)
firmware (i.e. the OS) and b) control logic (processing sensor readings to
determine control actions). In this work, we discuss ladder logic bombs, i.e.
malware written in ladder logic (or one of the other IEC 61131-3-compatible
languages). Such malware would be inserted by an attacker into existing control
logic on a PLC, and either persistently change the behavior, or wait for
specific trigger signals to activate malicious behaviour. For example, the LLB
could replace legitimate sensor readings with manipulated values. We see the
concept of LLBs as a generalization of attacks such as the Stuxnet attack. We
introduce LLBs on an abstract level, and then demonstrate several designs based
on real PLC devices in our lab. In particular, we also focus on stealthy LLBs,
i.e. LLBs that are hard to detect by human operators manually validating the
program running in PLCs. In addition to introducing vulnerabilities on the
logic layer, we also discuss countermeasures and we propose two detection
techniques.
Comment: 11 pages, 14 figures, 2 tables, 1 algorithm
Error Prevention Scheme with Four Particles
It is shown that a simplified version of the error correction code recently
suggested by Shor exhibits manifestation of the quantum Zeno effect. Thus,
under certain conditions, protection of an unknown quantum state is achieved.
Error prevention procedures based on four-particle and two-particle encoding
are proposed and it is argued that they have feasible practical
implementations.
Comment: 4 pages, RevTeX, references updated and improved protocol added
Exact Computation of Influence Spread by Binary Decision Diagrams
Evaluating influence spread in social networks is a fundamental procedure to
estimate the word-of-mouth effect in viral marketing. There are enormous
studies about this topic; however, under the standard stochastic cascade
models, the exact computation of influence spread is known to be #P-hard. Thus,
the existing studies have used Monte-Carlo simulation-based approximations to
avoid exact computation.
We propose the first algorithm to compute influence spread exactly under the
independent cascade model. The algorithm first constructs binary decision
diagrams (BDDs) for all possible realizations of influence spread, then
computes influence spread by dynamic programming on the constructed BDDs. To
construct the BDDs efficiently, we designed a new frontier-based search-type
procedure. The constructed BDDs can also be used to solve other
influence-spread related problems, such as random sampling without rejection,
conditional influence spread evaluation, dynamic probability update, and
gradient computation for probability optimization problems.
We conducted computational experiments to evaluate the proposed algorithm.
The algorithm successfully computed influence spread on real-world networks
with a hundred edges in a reasonable time, which is quite impossible by the
naive algorithm. We also conducted an experiment to evaluate the accuracy of
the Monte-Carlo simulation-based approximation by comparing exact influence
spread obtained by the proposed algorithm.
Comment: WWW'1
Stealthy Deception Attacks Against SCADA Systems
SCADA protocols for Industrial Control Systems (ICS) are vulnerable to
network attacks such as session hijacking. Hence, research focuses on network
anomaly detection based on meta-data (message sizes, timing, command
sequence), or on the state values of the physical process. In this work we
present a class of semantic network-based attacks against SCADA systems that
are undetectable by the above mentioned anomaly detection. After hijacking the
communication channels between the Human Machine Interface (HMI) and
Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a
fake view of the industrial process, deceiving the human operator into taking
manual actions. Our most advanced attack also manipulates the messages
generated by the operator's actions, reversing their semantic meaning while
causing the HMI to present a view that is consistent with the attempted human
actions. The attacks are totally stealthy because the message sizes and timing,
the command sequences, and the data values of the ICS's state all remain
legitimate.
We implemented and tested several attack scenarios in the test lab of our
local electric company, against a real HMI and real PLCs, separated by a
commercial-grade firewall. We developed a real-time security assessment tool,
that can simultaneously manipulate the communication to multiple PLCs and cause
the HMI to display a coherent system-wide fake view. Our tool is configured
with message-manipulating rules written in an ICS Attack Markup Language (IAML)
we designed, which may be of independent interest. Our semantic attacks all
successfully fooled the operator and brought the system to states of blackout
and possible equipment damage.
Quantum Communication Protocol Employing Weak Measurements
We propose a communication protocol exploiting correlations between two
events with a definite time-ordering: a) the outcome of a weak
measurement on a spin, and b) the outcome of a subsequent ordinary measurement
on the spin. In our protocol, Alice first generates a "code" by performing
weak measurements on a sample of N spins.
The sample is sent to Bob, who later performs a post-selection by measuring
the spin along either of two certain directions. The results of the
post-selection define the "key", which he then broadcasts publicly. Using both
her previously generated code and this key, Alice is able to infer the
direction chosen by Bob in the post-selection. Alternatively, if Alice
broadcasts publicly her code, Bob is able to infer from the code and the key
the direction chosen by Alice for her weak measurement. Two possible
experimental realizations of the protocols are briefly mentioned.
Comment: 5 pages, Revtex, 1 figure. A second protocol is added, where by a
similar set of weak measurement Alice can send, instead of receiving, a
message to Bob. The security question for the latter protocol is discussed
Leaf segmentation and tracking using probabilistic parametric active contours
Active contours or snakes are widely used for segmentation and tracking. These techniques require the minimization of an energy function, which is generally a linear combination of a data fit term and a regularization term. This energy function can be adjusted to exploit the intrinsic object and image features. This can be done by changing the weighting parameters of the data fit and regularization term. There is, however, no rule to set these parameters optimally for a given application. This results in trial and error parameter estimation. In this paper, we propose a new active contour framework defined using probability theory. With this new technique there is no need for ad hoc parameter setting, since it uses probability distributions, which can be learned from a given training dataset.
A survey of localization in wireless sensor network
Localization is one of the key techniques in wireless sensor network. The location estimation methods can be classified into target/source localization and node self-localization. In target localization, we mainly introduce the energy-based method. Then we investigate the node self-localization methods. Since the widespread adoption of the wireless sensor network, the localization methods are different in various applications. And there are several challenges in some special scenarios. In this paper, we present a comprehensive survey of these challenges: localization in non-line-of-sight, node selection criteria for localization in energy-constrained network, scheduling the sensor node to optimize the tradeoff between localization performance and energy consumption, cooperative node localization, and localization algorithm in heterogeneous network. Finally, we introduce the evaluation criteria for localization in wireless sensor network.
Effects of Contact Network Models on Stochastic Epidemic Simulations
The importance of modeling the spread of epidemics through a population has
led to the development of mathematical models for infectious disease
propagation. A number of empirical studies have collected and analyzed data on
contacts between individuals using a variety of sensors. Typically one uses
such data to fit a probabilistic model of network contacts over which a disease
may propagate. In this paper, we investigate the effects of different contact
network models with varying levels of complexity on the outcomes of simulated
epidemics using a stochastic Susceptible-Infectious-Recovered (SIR) model. We
evaluate these network models on six datasets of contacts between people in a
variety of settings. Our results demonstrate that the choice of network model
can have a significant effect on how closely the outcomes of an epidemic
simulation on a simulated network match the outcomes on the actual network
constructed from the sensor data. In particular, preserving degrees of nodes
appears to be much more important than preserving cluster structure for
accurate epidemic simulations.
Comment: To appear at International Conference on Social Informatics (SocInfo)
201
Bioactive ceramic-reinforced composites for bone augmentation
Biomaterials have been used to repair the human body for millennia, but it is only since the 1970s that man-made composites have been used. Hydroxyapatite (HA)-reinforced polyethylene (PE) is the first of the ‘second-generation’ biomaterials that have been developed to be bioactive rather than bioinert. The mechanical properties have been characterized using quasi-static, fatigue, creep and fracture toughness testing, and these studies have allowed optimization of the production method. The in vitro and in vivo biological properties have been investigated with a range of filler content and have shown that the presence of sufficient bioactive filler leads to a bioactive composite. Finally, the material has been applied clinically, initially in the orbital floor and later in the middle ear. From this initial combination of HA in PE other bioactive ceramic polymer composites have been developed.
Efficient public-key cryptography with bounded leakage and tamper resilience
We revisit the question of constructing public-key encryption and signature schemes with security in the presence of bounded leakage and tampering memory attacks. For signatures we obtain the first construction in the standard model; for public-key encryption we obtain the first construction free of pairing (avoiding non-interactive zero-knowledge proofs). Our constructions are based on generic building blocks, and, as we show, also admit efficient instantiations under fairly standard number-theoretic assumptions.
The model of bounded tamper resistance was recently put forward by Damgård et al. (Asiacrypt 2013) as an attractive path to achieve security against arbitrary memory tampering attacks without making hardware assumptions (such as the existence of a protected self-destruct or key-update mechanism), the only restriction being on the number of allowed tampering attempts (which is a parameter of the scheme). This allows to circumvent known impossibility results for unrestricted tampering (Gennaro et al., TCC 2010), while still being able to capture realistic tampering attack