Slide1
Attacks and Counter Defense Mechanisms for Cyber-Physical Systems
Taha Hassan
Lulu Wang
CS 5214 Fall 2015
Slide2
Overview
Survivability of cyber-physical systems
Failure types (attrition, pervasion, exfiltration)
Case Study: Reliability in the electrical grid
Optimal design conditions and tradeoffs
Slide3
Survivability: System Model
‘Smart’ grid conceptual model
Centralized management nodes
Sensors
Distributed control nodes
Actuators
Communications Links
Slide4
Survivability: Failure Types
Attrition failure (direct mission impact)
Pervasion failure (direct means to damage)
Exfiltration failure (secretion of grid data to instrument an attack)
Slide5
Survivability: Attacker Behavior
Surveilling attacker
Long-term operations (trade secrets analogy)
Targets: CM nodes, sensors, comm. links
Need for discretion
Destructive attacker
Short-term disruption
Targets: actuators, CM nodes, control nodes
Discretion not a concern
Slide6
Survivability: Countermeasures
Intrusion detection: Pfnx, Pfpx
Optimal detection interval TIDSx
Data leak rate control: TTX, Tsensing
Redundancy: redundancy factor αx
INITx = MINx × αx
Slide7
Performance Model
System behavior described by SPN (stochastic Petri net) modeling
Three device types represented by nodes: S, C, A (sensors, control nodes, and actuators)
Slide8
Performance Model
PATTRIT = 1: system failure, too many C and A nodes have been evicted or compromised
PLEAK = 1: system failure, compromised S and C nodes have exfiltrated too much data
PPERVADE = 1: system failure, a high ratio of the C and A nodes have been compromised
Slide9
Performance Model
Slide10
Performance Model
Slide11
Performance Model: The first event
System initiation
INITx nodes, x ∈ {S, C, A}, for sensors, control nodes, and actuators, respectively
All nodes are uncompromised
Place PGOODx holds the tokens, one token representing one node
Slide12
Performance Model: The second event
Transitions TCPx model this event: the attacker compromises uncompromised nodes
TCPx: the attacker compromises a device
The time of this process is a random variable, exponentially distributed
Node: from good to malicious
Place: the node is moved from PGOODx to PBADx
Slide13
Performance Model: The second event
The system 9-state representation (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
If in state (0, ns, nc, na, 0, 0, 0, 0, 0) an uncompromised sensor node is compromised, a token will flow from PGOODS to PBADS, and the resulting state is (0, ns − 1, nc, na, 1, 0, 0, 0, 0).
Slide14
Performance Model: The third event
Transitions TFPx model this event: uncompromised nodes may be incorrectly evicted
TFPx: the intrusion detection system (IDS) falsely detects a node
Node: an uncompromised node is removed from place PGOODx
Place: a token is removed from PGOODx
Slide15
Performance Model: The third event
The system 9-state representation (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
If in state (0, ns, nc, na, 0, 0, 0, 0, 0) the IDS misdetects and evicts an uncompromised actuator, a token will flow from PGOODA, and the resulting state is (0, ns, nc, na − 1, 0, 0, 0, 0, 0).
Slide16
Performance Model: The fourth event
Transitions TIDx model this event: compromised nodes are correctly evicted
TIDx: the IDS correctly detects a compromised node as compromised
Node: the number of unevicted compromised nodes decreases by 1
Place: one token in place PBADx is removed
Slide17
Performance Model: The fourth event
The system 9-state representation (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
If in state (0, ns, nc − 1, na, 0, 1, 0, 0, 0) the IDS detects and evicts a compromised control node, a token will flow from PBADC, and the resulting state is (0, ns, nc − 1, na, 0, 0, 0, 0, 0).
Slide18
Performance Model: The fifth event
TATTRITx models the system attrition failure event
TATTRITx: fired by EATTRITx when the uncompromised control node count is less than the minimum count
Node: one token is set in place PATTRIT
Place: PATTRIT
When TATTRITx is enabled, the attrition failure condition is true and the enabling function returns true
Slide19
Performance Model: The fifth event
Table V lists the enabling functions governing the firing of TATTRITx.
Slide20
Performance Model: The fifth event
The system 9-state representation (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
TCPx: a token is moved from PGOODx to PBADx
TFPx: a token is removed from PGOODx
Slide21
Performance Model: The sixth event
TPERVADEx models the system pervasion failure event
TPERVADEx: fired by EPERVADEx, the Byzantine failure condition applied to the nodes
Node: when nodes move from PGOODx to PBADx, or when nodes are evicted from PGOODx
Place: PPERVADE set to 1
Byzantine failure: when at least 1/3 of the control nodes or actuators are compromised (in PBADx), the system suffers a Byzantine failure.
Slide22
Performance Model: The sixth event
The enabling functions of TPERVADEx with x ∈ {C, A} are defined in Table V, governing the firing of TPERVADEx.
Slide23
Performance Model: The sixth event
The system 9-state representation (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
TCPx: a token is moved from PGOODx to PBADx
PPERVADE: set to 1
Slide24
Performance Model: The seventh event
TLEAKx models the system exfiltration failure event
TLEAKx: the attacker secretes enough data about the victim sensor/control nodes
Node: bad nodes (nodes in PBADx) transmit data out of the system; criminals hack the system and steal the intelligence
Place: PLEAK set to 1
Countermeasure: data leak rate controls
Slide25
Performance Model: The seventh event
The system 9-state representation (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
PLEAK: set to 1
Slide26
Performance Analysis
Model Parameterization
Results
Slide27
Model Parameterization
Slide28
Model Parameterization
The parameters are divided into input parameters and design parameters
A design parameter is one that the system manager can choose.
An input parameter is one that the operating environment dictates.
λT denotes the transition rate of transition T
Slide29
Model Parameterization
Slide30
Model Parameterization: Physical explanations
TCPx: the attacker compromises a device
|PGOODx|: the number of uncompromised nodes of device type x
λx: the per-node compromise rate for device type x
The more uncompromised devices, the more compromise opportunities
Slide31
Model Parameterization: Physical explanations
TIDx: the IDS (intrusion detection system) detects a compromised device
λTIDx: the rate at which bad nodes are correctly detected and forced to leave the place
|PBADx|: the number of compromised nodes
Pfnx: the false negative probability
TIDSx: the IDS detection interval
In every TIDSx interval, 1 − Pfnx = probability that a bad node is correctly identified as a bad node
Slide32
Model Parameterization: Physical explanations
TLEAKS: the attacker secretes a substantial amount of victim sensor data
λTLEAKS: the rate at which the TLEAKS transition fires
The first term is the probability that a compromised sensor node rotates in to report sensing data
The second term is the rate at which sensing reporting occurs
The third term is the maximum number of leaks the system can tolerate before an exfiltration failure occurs
MAXLEAKS: an input parameter, the maximum number of leaks the system can tolerate
Slide33
Model Parameterization: Physical explanations
TLEAKC: the attacker secretes a substantial amount of victim control node data
TTX: the allowable data transmission rate per node
MAXLEAKC: an input parameter, the maximum amount of leaked data beyond which an exfiltration failure occurs
Slide34
Model Parameterization: Physical explanations
TFPx: the IDS falsely detects a device
λTFPx: the rate at which good nodes suffer false positives
|PGOODx|: the number of uncompromised nodes
Pfpx: the false positive probability that a good node of type x will be misidentified as a bad node
TIDSx: the IDS detection interval
Slide35
Results: Effects of detection interval TIDSx
Pfn < Pfp: mislabeling healthy nodes is more probable, so a smaller TIDSx implies faster monotonic failure
Exfiltration and pervasion failures depend on the ‘bad node ratio’, hence an optimal MTTF at an optimal node ratio
Slide36
Results: Effects of false pos./neg. prob. (TIDSx)
Pfp: mislabeling healthy nodes is more probable, so a smaller TIDSx implies faster monotonic failure
Similar trends for Pfn; MTTF is less sensitive to it, though.
Slide37
Results: Effects of redundancy factor (αC) vs. TIDSx
Attrition and pervasion: redundancy improves MTTF (the bad node ratio decreases with redundancy)
Exfiltration: redundancy limits MTTF (note that the transition rate for TLEAKC changes with the number of bad nodes; for TLEAKS, with the bad node ratio)
Slide38
Questions.