CYBER PHYSICAL SYSTEMS Robert Mitchell IngRay Chen Member IEEE Presented By Manasa Ananth Kritika Mathur Agenda Introduction Objective System Model System Description Attacker Behavior Modeling ID: 539247
Download Presentation The PPT/PDF document "MODELING AND ANALYSIS OF ATTACKS AND COU..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
MODELING AND ANALYSIS OF ATTACKS AND COUNTER DEFENSE MECHANISMS FOR CYBER PHYSICAL SYSTEMS
-Robert Mitchell, Ing-Ray Chen, Member, IEEE
Presented By,
Manasa Ananth
Kritika MathurSlide2
AgendaIntroduction
ObjectiveSystem Model
System Description
Attacker Behavior Modeling
System Failure Definition - Countermeasures
Performance Model – SPN Model
Performance Analysis
ConclusionSlide3
AcronymsSlide4
IntroductionCyber Physical System (CPS)
is a system of collaborating computational elements controlling physical entities.
Two lines of research in modeling and analysis of CPSs,
Focused on a formal process or framework for designing and engineering a CPS - formalize safety and functional requirements utilizing formal modeling and analysis tools and then perform rigorous model verification.
Focused on a mathematical model for analyzing the system’s response behavior in the presence of malicious nodes performing various attacksSlide5
ObjectiveBased on second line of research work,
Develop a state-based stochastic process to model a CPS equipped with an intrusion detection system (IDS) presented with various types of attacks, including random, opportunistic and insidious, with the objective to improve IDS designs so as to prolong the system lifetime.
Primary Objective
To capture the dynamics between adversary behavior and defense for survivability of CPSs.
End product
Tool that is capable of analyzing a myriad of attacker behaviors and seeing the effectiveness of countering adaptive defense strategies which incorporate attack/response dynamics.Slide6
System Model
System Description
A
modernized electrical grid
is a smart grid that uses digital information and communications technology to gather and act on information, such as information about the behaviors of suppliers and consumers, in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricitySlide7
System Description Cont’d
Five types of Physical Devices
Centralized Management
Perform system-wide management functions
Attended
Physically secure
High Performance
Sensors
Translate measurements of the physical world into the cyber domain
Unattended
Physically vulnerableSlide8
System Description Cont’d
Distributed Control NodesServe as agents for the centralized management nodes
Also execute control algorithms on sensor data and apply results to actuators
Unattended
Physically vulnerable
Actuators
Translate decisions made in the cyber domain into the physical world
Unattended
Physically vulnerable
Communication Links
Connect centralized management nodes, sensors, control nodes and actuatorsSlide9
Attacker Behavior ModelingSurveilling Attacker
This brand of attacker seeks to gain information about or information residing on the target systemIn a commercial domain, a company would do this to steal trade secrets from a competitor
Interested in centralized management nodes, communications links and sensors
Destructive attacker
This brand of attacker seeks to disrupt the target system
In the law enforcement domain, a political group would do this to disrupt some entity with a different worldview.
Interested in actuators, centralized management nodes and control nodesSlide10
System Failure Definition - CountermeasuresAttrition Failure
Occurs when the modernized electrical grid doesn't have enough control nodes or actuators to accomplish its intended workSensors are not considered towards attrition failure
Reasons:
If a sensor is compromised – it will send illegitimate data to control node, which would be drowned by the legitimate data sent by a great number of uncompromised nodes
If a sensor is evicted – there is minimal short-term impact as any control loop can run free of external input long enough to restore it.
Attacker – Destructive Attacker
Countermeasure
Redundancy
- Modern electrical grid systems use some degree of redundancy to counterbalance failed, evicted and compromised nodes.
Design parameter is redundancy factor (
α
X
) over the minimum number of nodes (MIN
X
) required for the functionality.
INIT
X
= MIN
X
*
α
X
where x belongs to {C, A}Slide11
System Failure Definition - CountermeasuresPervasion Failure
Occurs when the density of compromised control nodes or actuators is too high. Here the compromised nodes collude to overwhelm the other nodes.Sensors are not considered towards pervasion failure
Reason:
If a sensor is compromised – it has no means to directly or indirectly attack the modernized electrical grid.
Attacker – Destructive Attacker
Countermeasure
Redundancy
- Modern electrical grid systems use some degree of redundancy to counterbalance failed, evicted and compromised nodes.
Design parameter is redundancy factor (
α
X
) over the minimum number of nodes (MIN
X
) required for the functionality.
INIT
X
= MIN
X
*
α
X
where x belongs to {C, A}Slide12
System Failure Definition - CountermeasuresExfiltration Failure
Occurs when the aggressor secretes enough modernized electrical grid data to achieve an intelligence victory or leaks enough surveillance data to instrument a devastating attack
Sensors and Control nodes are considered towards Exfiltration Failure
Exfiltration is perfectly suited for compromised sensors because receiving raw data is a sensor’s sole purpose. After gathering sensing reports, a compromised control node can leak information.
Attacker – Surveilling Attacker
Basic sequence of events in an exfiltration attack is:
The aggressor is authenticated on the victim network
The aggressor finds valuable data
The aggressor connects with an aggressor-owned server outside of the victim network
The aggressor transmits the valuable data
The victim experiences exfiltration failure
Countermeasures are discussed in the next slideSlide13
System Failure Definition - CountermeasuresExfiltration Failure Countermeasures
Intrusion detectionSystem equipped with IDS applying anomaly or signature based detection technique to detect and evict suspicious nodes
Intrusion detection quality is characterized by the input parameters - false negative probability (
P
fnx
) and false positive probability (
P
fpx
) with X belongs to {S, C, A}
False negative probability – Probability that a malicious node is misdetected
False positive probability – Probability that a good node is misidentified as malicious node
Countermeasure employed by the CPS to detect and evict malicious nodes is to apply the optimal detection interval T
IDSX
for periodic intrusion detection with X belongs to {S, C, A}
P
fnx
↓
=> T
IDSX
↓
- malicious nodes can be detected and evicted often
P
fpx
↑
=> T
IDSX
↑
- good nodes should not be misidentified and evicted often
Data leak rate control
The CPS runs an inward facing firewall to cope with the compromised sensors and control nodes
The firewall either denies the connection or throttles the outbound session speed, thus buying more detection time
Design parameter – Maximum transmission rate T
TX
bits per second
To cope with the compromised sensor the system limits data leak rate by rotating one sensor among all sensors that measure the same physical phenomenon to do sensing and data transmission per sensing interval (T
sensing
).
Design parameter is T
sensing
, with which data leak is possible only when the compromised sensor node is rotated to do sensing
If a sensor performs data transmission in every T
sensing
interval, the IDS generates a detectionSlide14
System Failure Definition – Countermeasures SummarySlide15
Performance Model – SPN ModelSlide16
Underlying Semi – Markov modelsSPN Model – System initialization is done by populating the system with INITx nodes with
x∈ {S,C
,
A}.
Places are used to hold tokens with each representing one node
Initially, all nodes are uncompromised and put in places PGOODx as tokens
The underlying model would be Markov if transition times were exponentially distributed. However, this is a strong assumption, hence a semi-Markov model is used to underlie the SPN to accommodate generally distributed transition times.
State representation
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)Slide17
Underlying Semi – Markov modelsAdversary compromising an uncompromised node
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
Modeled by transitions TCP
X
in the SPN model
λ
TCPx
represents the rate at which an uncompromised node becomes a compromised node because of the capture event
For example, if in state (0, n
s
, n
c
, n
a
, 0, 0, 0, 0, 0) an uncompromised sensor node is compromised, a token will flow from PGOODS to PBADS and the resulting state is (0, n
s
-1, n
c
, n
a
, 1, 0, 0, 0, 0) Slide18
Underlying Semi – Markov modelsIDS incorrectly evicting an uncompromised node
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
Modeled by transitions TFP
X
in the SPN model
λ
TFPx
represents the rate
For example, if in state (0, n
s
, n
c
, n
a
, 0, 0, 0, 0, 0) the IDS misdetects and evicts an uncompromised actuator, a token will flow from PGOODA and the resulting state is(0, n
s
, n
c
, n
a
-1, 0, 0, 0, 0, 0) Slide19
Underlying Semi – Markov modelsIDS correctly evicting a compromised node
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
Modeled by transitions TID
X
in the SPN model
λ
TIDx
represents the rate
For example, if in state (0, n
s
, n
c
-1, n
a
, 0, 1, 0, 0, 0) the IDS detects and evicts a compromised control node, a token will flow from PBAD
C
and the resulting state is(0, n
s
, n
c
-1, n
a
, 0, 0, 0, 0, 0)
The physical meaning of the TID
x
timed transitions is the rate that the modernized electrical grid IDS generates true positives for compromised sensors, control nodes and actuatorsSlide20
Underlying Semi – Markov modelsSystem failure due to attrition
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
TATTRIT
X
,
x
∈
{C
,
A}
models attrition failure event
Transition is enabled when number of node type X is less than the minimum specified MIN
X
Slide21
Underlying Semi – Markov modelsSystem failure due to pervasion
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
TPERVADE
X
,
x
∈
{C
,
A}
models pervasion failure event
When uncompromised control nodes and actuators transition to compromised (PBAD
X
), they degrade the defense of the network by falsely endorsing their confederates and falsely reporting uncompromised nodes as compromised. Also when the modernized electrical grid evicts uncompromised nodes (TFP
x
), this reduces the preponderance of uncompromised nodes counterbalancing the false endorsements and false alerts.
This defense can be defeated when at least 1/3 of the control nodes or actuators are compromised (PBAD
X
) following the definition of Byzantine failureSlide22
Underlying Semi – Markov modelsSystem failure due to extensive exfiltration
(PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
TLEAK
X
models failure event
TLEAK
X
transition is the event that the aggressor secrets enough data to cause an exfiltration failure
When compromised sensor nodes (PBADS) discreetly relay the confidential data of a modernized electrical grid outside the system, competitors and criminals learn valuable business intelligence and guerrillas and nation-states learn system vulnerabilities
T
TX
and T
sensing
are the countermeasures for this threatSlide23
Performance AnalysisModel Parameterization
Two Kinds of parametersDesign parameter is one that the system manager can choose.
Input parameter is one that the operating environment dictates.Slide24
Model Parameterization Cont’d
1. Aggregate Compromise Rate λ
TCPx
λ
TCPx
= |PGOODx| x
λ
x
|PGOODx| = number of uncompromised nodes of device type x and
λ
x
= per node compromised rate
More uncompromised sensors, control nodes or actuators translates to more opportunities for compromise.
2.
Aggregate Detection rate
λ
TIDx
λ
TIDx
= |PBADx| x (1-P
fnx
)/T
IDSx
|PBADx
|=
number of compromised nodes
P
fnx
= false negative probability
T
IDSx
is the IDS detection interval for device type x.
In every T
IDSx
interval, a bad node of type x will be correctly identified as a bad node with probability 1
−P
fnx
, so the aggregate rate at which bad nodes are detected and evicted correctly is
|
PBADx
|
multiplied with (1
−P
fnx
)
/
T
IDSx
.Slide25
Model Parameterization Cont’d
3. Aggregate False Positive Rate λTCPx
λ
TCPx
= |PGOODx| x P
fnx
/T
IDSx
|PGOODx| = number of uncompromised nodes of device type x and
P
fpx
is the false positive probability
T
IDSx
is the IDS detection interval for device type x.
In every T
IDSx
interval, a good node of type x will be misidentified as a bad node with probability
P
fpx
, so the aggregate rate at which good nodes suffer from false positives is
|
PGOODx
|
multiplied with
P
fpx
/
T
IDSx
.
4. Aggregate Sensor Exfiltration Rate
λ
TLEAKS
First term is for a compromised sensor node to rotate in for reporting sensing data,
Second term is for the rate at which sensing reporting occurs
Third term is for the maximum number of leaks the system can tolerate before an exfiltration failure occurs.Slide26
Model Parameterization Cont’d
5. Aggregate Control Node Exfiltration Rate
λ
TLEAKC
= |PBADC| x T
TX
x 1/MAXLEAKC
T
TX
= Data Transmission rate per node allowable
MAXLEAKC is the maximum data amount leaked beyond which an exfiltration failure occursSlide27
Results
Numerical data for MTTF assessment as a result of applying countermeasures (Intrusion Detection , Data Leak Rate Control & Redundancy) against attack behavior (Surveilling and Destructive attacker
)causing attrition, pervasion or exfiltration system failure.
Objective:
Analyze the effect of countermeasures in terms of the following on MTTF
Intrusion detection interval for node type x ∈ {S,C,A) T
IDSx
False Positive Probability P
fp
False Negative Probability P
fn
Effect of redundancy failure
α
xSlide28
Results Cont’dMTTF(Mean Time To Failure)
Let L be a binary random variable denoting lifetime of the system L =1 if the system is alive at time t , 0 otherwise
The expected value of L is the reliability of the system R(t) at time t.
Integration of R(t) from t = 0 to 1 gives the MTTF or the average lifetime of the system
Maximize
Assignment to L by a reward function assigning a reward r
i
of 0 or 1 to state i at time t as:
Probability of the system being in state i at time t, Pi(t), should be known.
This is obtained by,
Defining a SPN model using SPNP
Solving the underlying semi-Markov model utilizing solution techniques such as SOR, Gauss Seidel, or Uniformization.Slide29
Results Cont’dIntrusion detection interval for node type x ∈ {S,C,A) T
IDSx (MTTF as λx )
Attrition failure
MTTF increases as T
IDS
increases due to setting of
P
fn
= 0
.
1
<
P
fp
= 0
.
2
- Probability that a good node is misidentified as a bad node is higher than that a bad node is missed.
- A smaller T
IDS
, will cause more good nodes to be evicted than bad nodes causing s
ystem to fail faster due to attrition failure because of a lack of good nodes in the system
.
Exfiltration failure
MTTF is maximized at the optimal T
IDS
because exfiltration failure is affected by the bad node ratio.
- In order to maximize MTTF under exfiltration
failure, one needs to minimize this ratio.
- Optimal T
IDS
that maximizes the MTTF under exfiltration failure exists because the bad node ratio minimizes with this optimal T
IDS
value.Slide30
Results Cont’dIntrusion detection interval for node type x ∈ {S,C,A) T
IDSx
Pervasion failure
- MTTF is maximized at the optimal T
IDS
value identified is due to the fact that pervasion failure occurs when the bad node ratio is at least 1/3.
- Optimal T
IDS
value that maximizes the MTTF exists because with this optimal T
IDS
value, the bad node ratio is the lowest.
Overall
There still exists an optimal T
IDS
for the MTTF curve under combined failure.Slide31
Results Cont’dEffect of false positive probability P
fp (MTTF as Pfp )
MTTF decreases as
P
fp
increases for all failure types because as
P
fp
increases there is a higher probability of a good node being misidentified as a bad node and evicted.
Except for attrition failure,
there is an optimal TIDS value under which the MTTF is maximized.
TIDS value for MTTF
maximization increases as
P
fp
increases.Slide32
Results Cont’dEffect of false negative probability P
fn
- Same as
P
fp
except that the MTTF is less sensitive to
P
fn.
- MTTF under attrition failure is insensitive to
P
fn
because attrition failure depends on the number of good nodes remaining in the system. Attrition failure is only sensitive to the good node compromising rate
λ
x
, which determines how fast a good node is compromised into a bad node, as well as the false positive rate, i.e.,
P
fp
, which determines how fast a good node is misidentified as a bad node and evicted.Slide33
Results Cont’dEffect of redundancy factor α
x
Attrition failure (MTTF as
α
x
)
Redundancy factor
α
determines the number of nodes initially (INITx) with INITx = MINx
×
α
x
(where x ∈ {C,A}) MINx is the minimum number of control nodes or actuators.
Attrition failure depends on the number of good nodes remaining in the system, putting in more initial nodes can better prevent attrition failure from occurring. Therefore, the MTTF under attrition failure increases as
α
increases.
Exfiltration Failure (MTTF as
α
x
)
Exfiltration failure can occur through TLEAKC/S which depends on the absolute number of bad control nodes/ sensors.
λ
TLEAKC
increases as the initial number of “control” nodes increases, i.e., as
α
C
increases, because this increases the chance of bad “control” nodes being produced due to node compromising events.
λ
TLEAKS
does not depend on
α
C
.
MTTF under exfiltration failure decreases as
α
increasesSlide34
Results Cont’dEffect of redundancy factor α
x
Pervasion failure (MTTF as
α
x
)
MTTF under pervasion failure increases as
α
increases.
Pervasion failure depends on the bad node ratio which decreases as more initial nodes are put in the system ,especially if the detection interval T
IDS
is large
Overall
There exists an optimal T
IDS
that maximizes the MTTF of the CPS against all attacks causing attrition, pervasion or exfiltration system failures.Slide35
Conclusion
Developed an analytical model based on SPNs to capture the dynamics between adversary behavior and defense for CPSs.
Results revealed optimal design conditions including the intrusion detection interval and the redundancy level under which the modernized electrical grid’s MTTF is maximized.
Redundancy should be used with caution, because while it suppresses attrition and pervasion failure, it also induces exfiltration failure.
Future Work
Investigate how control theory or game theory principles controlling the attack/defense dynamics can further improve the CPS survivability.