ARTINALI: Dynamic Invariant Detec4on for Cyber-Physical System - - PowerPoint PPT Presentation

ARTINALI: Dynamic Invariant Detec4on for Cyber-Physical System Security

Maryam Raiyat Aliabadi, Amita Kamath, Julien Gascon-Samson, Karthik Pa8abiraman

2

C1 Physical Process Network s2 s1 s3 a1 a2 a3

Sensors Actuators

Distributed Controllers C2 C3

Cyber-Physical Systems

3

Mo4va4on

CPS Security Requirements

1.5 sec

4

1.5 sec 1.5 sec

Goal : Design an Automated, Real-4me and AHack-neutral security solu>on for CPSes with respect to their resource constraints

Real->me constraints Resource constraints Zero-day aEacks No human-in-the-loop

5

Cyber Process (Control Algorithm) Physical Process Communica>on network Measurements Commands A C B

Threat Model D

Stuxnet[2010] [HealthCom2013] CVE-2016-1516[2016] [USENIX’2015] A C D DE DENIE IED D

Previous work

6

• Intrusion Detec>on System (IDS)

– Signature-based IDSs [CSUR2014] – Anomaly-based IDSs [Computers&Security2009] – Specifica>on-based IDSs [SmarGridCom2010]

• Sta>c analysis
• Dynamic analysis

• Invariant

– Energy usage >=0

7

Data Event Time

Daikon [ICSE’01] Gk-tail [ICSE’08] Perfume property miner [ASE’14] Texada [ASE’15]

Dynamic Analysis-based Techniques

(Invariant-based)

Main Idea: Break down the search space

T1 E2 E4 E3 D2 E1 T2 T3 D5 D4 D3 T1 E1 Tk Ej D1 D1 Ej Di D2 D|E E|T D, E, T

10

D: Data E:Event T:Time

Methodology

• ARTINALI: A Real Time-specific Invariant iNference

ALgorIthm

– 3 dimensions and 6 classes of invariants

9

Data Event Time Data per event P(D|E) Time per event P(E|T) Data per 4me P(D|T)

CPS plaYorms

• Advanced metering

infrastructure (AMI)

– SEGMeter

• hEp://smartenergygroups.com
• Smart Ar>ficial Pancreas

(SAP)

– OpenAPS

• hEps://openaps.org/

10

Intrusion Detec4on System

11

Tracing module Intrusion Detector ARTINALI CPS IDS prototype Perfume Texad a Daikon Invariant converter Interface CPS model (invariant set) To test AHack detected!

Data Event Time

Daikon Perfume Texada

12

Targeted aHacks

CPS PlaYorm Targeted aHack AHack entry point AMI (SEGMeter) Meter spoofing [ACSAC2010] Decep>on on A

• Sync. Tampering [ACSAC2010]

Decep>on on D Message dropping [CCNC2011] DoS on A SAP (OpenAPS) CGM spoofing [Healthcom2011] Decep>on on A Stop basal injec>on [BHC2011] Decep>on and DoS on C Resume basal injec>on [BHC2011] Decep>on and DoS on C

Take away : ARTINALI detected all targeted aEacks successfully

Arbitrary AHacks

13

Data muta4ons Branch flipping Ar4ficial delay inser4on

Smart facial recogniEon system (CVE-2016-1516) CGM spoofing in SAP, [BHC2011] SynchronizaEon tampering in smart meter, [ACSAC2010]

14

Accuracy Metrics

• False Nega>ve Rate (FNR)
• False Posi>ve Rate (FPR)
• F-Score(β)

β>1 β<1 β=1

F-Score(β)- Tuning/Training

15

20 40 60 80 100 120 5 10 15 20 25 30 35 40

FP (%) FN(%) F-score(1) F-score(2) F-score(0.5)

Maximum F-Score(2) Number of training traces

ARTINALI-based IDS for OpenAPS

% Maximum F-Score(2) Number of training traces %

SEGMeter OpenAPS

(a) Daikon (b) Texada (c) Perfume (d) ARTINALI

False Nega4ves’ Rate

16

• SEGMeter
• ARTINALI-based IDS reduces the ra>o of FN by 89 to 95%

compared with the other tools across both plalorms.

10 20 30 40 50 60 70 80 90 100

Daikon Texada Perfume ARTINALI Data muta>on Branch flipping Ar>ficial delays Aggregated FN

FNR (%)- 95% confidence interval

False Posi4ves’ Rate

17

• SEGMeter
• ARTINALI-based IDS reduces the ra>o of FP by 20 to 48%

compared with the other tools across both plalorms.

5 10 15 20 25 30 Daikon Texada Perfume ARTINALI

(15-12)/15=20% improvement FPR (%)- 95% confidence interval

18

Overheads

Performance Overhead (%) Detec4on 4me (sec) Memory usage Daikon 27.3 16.63 1.24 MB Texada 23.7 14.45 3.21 MB Pefume 32.08 19.57 3.94 MB ARTINALI 31.6 19.25 2.96 MB

SEGMeter

Time T0 T0+60 T0+120

IDS 1st execu4on CPS 1st execu4on CPS 2nd execu4on CPS 3rd execu4on IDS 2nd execu4on

Summary and Future Work

• ARTINALI: A Mul>-Dimensional model for CPS

– Captures data-event-Eme interplay – Introduces Real-Eme data invariants – Increases the coverage of IDS – Decreases the rate of false posiEves – Imposes comparable overheads

• Examine generalizability of ARTINALI

– Unmanned Aerial Vehicle (UAV)

• hEps://github.com/karthikp-ubc/Ar>nali

19