Detecting Process-Aware Attacks in Sequential Control Systems
Abstract
Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical or sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization remains an open problem. This paper focuses on process-aware attack detection in sequential control systems. We build on results from runtime verification and specification mining to automatically infer and monitor process specifications. Such specifications are represented by sets of temporal safety properties over states and events corresponding to sensors and actuators. The properties are then synthesized as monitors which report violations on execution traces. We develop an efficient specification mining algorithm and use filtering rules to handle the large number of mined properties. Furthermore, we introduce the notion of activity and discuss its relevance to both specification mining and attack detection in the context of sequential control systems. The proposed approach is evaluated in a hardware-in-the-loop setting subject to targeted process-aware attacks. Overall, due to the explicit handling of process variables, the solution provides a better characterization of the alerts and a more meaningful understanding of false positives.
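The mine-filter-monitor pipeline the abstract describes, as an added illustration that is not the paper's own code: it mines two Dwyer-style safety patterns (absence and precedence) over boolean sensor/actuator variables from a constructed trace of a hypothetical fill/drain sequence, drops vacuous properties with a filtering rule, and runs the survivors as monitors that report the step at which a constructed process-aware attack trace violates them. The process, variable names and traces are all assumptions made for the example.

```python
from itertools import combinations, permutations

# Constructed trace of a hypothetical fill/drain sequence: each step is the set of
# boolean sensor/actuator variables that are true at that PLC scan.
VARIABLES = ["valve_in", "level_high", "pump", "level_low", "alarm_horn"]
NORMAL_TRACE = [
    {"valve_in"}, {"valve_in"}, {"valve_in", "level_high"},
    {"level_high", "pump"}, {"pump"}, {"pump", "level_low"}, {"level_low"},
    {"valve_in"}, {"valve_in"}, {"valve_in", "level_high"},
    {"level_high", "pump"}, {"pump", "level_low"}, {"level_low"},
]

def first_index(trace, var):
    """Index of the first step in which var is true, or None if it never is."""
    return next((i for i, s in enumerate(trace) if var in s), None)

def mine_properties(trace):
    """Infer safety properties (absence and precedence patterns) that hold on trace."""
    props = set()
    for a, b in combinations(VARIABLES, 2):      # absence: a and b are never true together
        if all(not {a, b} <= step for step in trace):
            props.add(("absence", a, b))
    for a, b in permutations(VARIABLES, 2):      # precedence: b is never true before a has been
        ia, ib = first_index(trace, a), first_index(trace, b)
        if ib is None or (ia is not None and ia < ib):
            props.add(("precedence", a, b))
    return props

def filter_vacuous(props, trace):
    """Filtering rule: drop properties over a variable that never occurs in the trace;
    they hold vacuously and would only inflate the set of monitors."""
    return {p for p in props if all(first_index(trace, v) is not None for v in p[1:])}

def monitor(props, trace):
    """Run mined properties as monitors over a trace; return (step, property) violations."""
    violations, seen = [], set()
    for i, step in enumerate(trace):
        for p in props:
            kind, a, b = p
            if kind == "absence" and a in step and b in step:
                violations.append((i, p))
            elif kind == "precedence" and b in step and a not in seen:
                violations.append((i, p))
        seen |= step
    return violations

# Constructed attacks: the inlet valve forced open while the tank is high and draining
# (every value is individually plausible, only the sequence is wrong), and the pump
# started before any filling ever happened.
ATTACK_TRACE = NORMAL_TRACE[:3] + [{"level_high", "pump", "valve_in"}] + NORMAL_TRACE[4:]
EARLY_PUMP_TRACE = [{"pump"}] + NORMAL_TRACE
```

Each violation names the process variables involved, which is what gives the alert its characterization: an analyst sees "valve_in and pump active together at step 3" rather than an anonymous anomaly score.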
Keywords
Intrusion Detection, Linear Temporal Logic, Safety Property, Execution Trace, Attack Detection