ARTINALI: Dynamic Invariant Detec4on for Cyber-Physical System Security Maryam Raiyat Aliabadi, Amita Kamath, Julien Gascon-Samson, Karthik Pa8abiraman
Cyber-Physical Systems Distributed Controllers C2 C3 C1 Network a1 s2 s1 a2 Physical Process a3 s3 Actuators Sensors 2
Mo4va4on 3
CPS Security Requirements Real->me constraints Resource constraints Goal : Design an Automated, Real-4me and AHack-neutral security solu>on for CPSes 1.5 sec 1.5 sec 1.5 sec with respect to their resource constraints Zero-day aEacks No human-in-the-loop 4
Threat Model D CVE-2016-1516 [2016] A Measurements Cyber Process D A C (Control Algorithm) Stuxnet[2010] Communica>on network DENIE DE IED D Physical Process Commands C [HealthCom2013] B [USENIX’2015] 5
Previous work • Intrusion Detec>on System (IDS) – Signature-based IDSs [CSUR2014] – Anomaly-based IDSs [Computers&Security2009] – Specifica>on-based IDSs [SmarGridCom2010] • Sta>c analysis • Dynamic analysis 6
Dynamic Analysis-based Techniques (Invariant-based) • Invariant – Energy usage >=0 Data Daikon [ICSE’01] Gk-tail [ICSE’08] Time Texada [ASE’15] Perfume property miner [ASE’14] Event 7
Main Idea: Break down the search space T1 T2 T3 D: Data E:Event D, E, T T:Time E1 E2 E3 E4 E|T D|E Ej T1 Tk D2 D1 D3 D4 D5 D1 Di E1 Ej D2 10
Methodology • ARTINALI : A R eal T ime-specific I nvariant i N ference AL gor I thm – 3 dimensions and 6 classes of invariants Data Data per event P(D|E) Data per 4me Event P(D|T) Time per event P(E|T) Time 9
CPS plaYorms • Advanced metering infrastructure (AMI) – SEGMeter • hEp://smartenergygroups.com • Smart Ar>ficial Pancreas (SAP) – OpenAPS • hEps://openaps.org/ 10
Intrusion Detec4on System AHack To test Tracing Intrusion detected! CPS module Detector IDS prototype Invariant converter Interface CPS model (invariant set) Data Texad Daikon Perfume ARTINALI Daikon a Time Texada Perfume Event 11
Targeted aHacks CPS PlaYorm Targeted aHack AHack entry point AMI Meter spoofing [ACSAC2010] Decep>on on A (SEGMeter) Sync. Tampering [ACSAC2010] Decep>on on D Message dropping [CCNC2011] DoS on A SAP CGM spoofing [Healthcom2011] Decep>on on A Take away : (OpenAPS) Stop basal injec>on [BHC2011] Decep>on and DoS on C ARTINALI detected all targeted aEacks Resume basal injec>on [BHC2011] Decep>on and DoS on C successfully 12
Arbitrary AHacks Data muta4ons Ar4ficial delay inser4on Branch flipping Smart facial recogniEon system (CVE-2016-1516) SynchronizaEon tampering in smart meter, [ACSAC2010] CGM spoofing in SAP, [BHC2011] 13
Accuracy Metrics • False Nega>ve Rate (FNR) β>1 • False Posi>ve Rate (FPR) β=1 • F-Score(β) β<1 14
F-Score(β)- Tuning/Training SEGMeter ARTINALI-based IDS for OpenAPS Maximum Maximum % % 120 F-Score(2) F-Score(2) FP (%) FN(%) 100 F-score(1) 80 F-score(2) OpenAPS F-score(0.5) 60 40 20 0 5 10 15 20 25 30 35 40 Number of training traces Number of training traces (a) Daikon (b) Texada (c) Perfume (d) ARTINALI 15
False Nega4ves’ Rate • ARTINALI-based IDS reduces the ra>o of FN by 89 to 95% compared with the other tools across both plalorms. - SEGMeter FNR (%)- 95% confidence interval 100 Data muta>on 90 Branch flipping 80 Ar>ficial delays 70 60 Aggregated FN 50 40 30 20 10 0 Daikon Texada Perfume ARTINALI 16
False Posi4ves’ Rate • ARTINALI-based IDS reduces the ra>o of FP by 20 to 48% compared with the other tools across both plalorms. - SEGMeter FPR (%)- 95% confidence interval 30 25 (15-12)/15=20% improvement 20 15 10 5 0 Daikon Texada Perfume ARTINALI 17
Overheads SEGMeter Performance Detec4on Memory Overhead (%) 4me (sec) usage Daikon 27.3 16.63 1.24 MB Texada 23.7 14.45 3.21 MB Pefume 32.08 19.57 3.94 MB ARTINALI 31.6 19.25 2.96 MB T0 T0+60 T0+120 Time CPS 1 st execu4on CPS 2 nd execu4on CPS 3 rd execu4on IDS 1 st IDS 2 nd execu4on execu4on 18
Summary and Future Work • ARTINALI: A Mul>-Dimensional model for CPS – Captures data-event-Eme interplay – Introduces Real-Eme data invariants – Increases the coverage of IDS – Decreases the rate of false posiEves – Imposes comparable overheads • Examine generalizability of ARTINALI – Unmanned Aerial Vehicle (UAV) • hEps://github.com/karthikp-ubc/Ar>nali 19
Recommend
More recommend
![Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j](https://c.sambuz.com/1033063/verified-cyber-physical-systems-s.jpg)
