disconnection aware attack detection in
play

Disconnection-aware Attack Detection in Networked Control Systems - PowerPoint PPT Presentation

Aug 30, 2022 •407 likes •647 views

IF IFAC World Congress 2020 July ly 12-17 17 Disconnection-aware Attack Detection in Networked Control Systems Hampei mpei Sasahar ahara*, *, Takayuk uki i Ish shiz izak aki**, **, Jun-ic ichi hi Imur ura**, a**, Henrik nrik

  1. IF IFAC World Congress 2020 July ly 12-17 17 Disconnection-aware Attack Detection in Networked Control Systems Hampei mpei Sasahar ahara*, *, Takayuk uki i Ish shiz izak aki**, **, Jun-ic ichi hi Imur ura**, a**, Henrik nrik Sandber andberg* g* (* KTH Roy oyal al Insti stitut tute of Tec echno hnolo logy, ** Tokyo o Ins nstit titute ute of tec echn hnology) ology)

  2. Cyb Cyber-Phy Physi sical cal Sy Syst stem m Se Security urity 1/15 malware programs targeting control systems Uranium Plant Power Grid Industrial System - Stuxnet (2010) - BlackEnergy 3 (2015) - Hatman (2017) increasing vulnerability - high connectivity - standard protocol - cyber/physical attack surfaces Information System (IS) Security Control System (CS) Security - cryptography - model-based attack detection interest in this talk - firewall - physical watermarking - authorization - heterogeneous redundant devices

  3. Mo Mode del-based based Attac tack k De Detection ection 2/15 idea: to create a dynamical model and check if the observed data coincide with the model observed data networked system local measurement residual alarm dynamical model attack detector residual generator one of the most fruitful product in CPS security techniques provided by our control community its role in more general security workflow?

  4. In Incident ident Ha Hand ndling ling 3/15 incident handling during an adverse event guideline provided by NIST (National Institute of Standard and Technology) [1] 1. detection 2. analysis 3. containment 4. eradication/recovery model-based detection disconnection of suspected components attack potential problem in CPS IS: static interaction/operation CPS: dynamic interaction/operation through feedback containment process may cause loss of dynamic function (e.g., stability) [1] P . Cichonski, et al., Computer Security Incident Handling Guide, NIST, 2012.

  5. Resear search h Obj bjectiv ctive 4/15 possible solution for CPS itself: proper segmentation segmentation: design parameter possible to choose so as to cope with disconnection segmentation: not design parameter tracking capability?? Objective designing disconnection-aware attack detectors

  6. Resear search h Obj bjectiv ctive 4/15 possible solution for CPS itself: proper segmentation segmentation: design parameter possible to choose so as to cope with disconnection segmentation: not design parameter tracking capability?? Objective designing disconnection-aware attack detectors naive approach: no feedback to the residual generator drawback: detection time depends on the time constant of the component

  7. Ma Mathema hematical tical De Desc scription iption 5/15 th subsystem : reference : measurement : interaction : interaction : attack interaction : the remaining subsystem’s indices

  8. Ma Mathema hematical tical De Desc scription iption 5/15 the entire system with remaining subsystems distributed residual generator : residual : estimated interactions

  9. Ma Mathema hematical tical De Desc scription iption 5/15 the entire system with remaining subsystems + residual generator distributed residual generator : residual : estimated interactions commonly used residual generator Luenberger-type observer in a distributed form residual feedback with a static gain

  10. Ex Example: ple: Lo Low-Volta oltage e Di Dist strib ibution ution Ne Netw twor ork 6/15 false data injection attack commonly used model (LinDistFlow) DG DG DG - power flow (at each node) node disconnection - voltage drop (at each branch) - Distributed Generation (DG) edge distributed attack detector (Luenberger) voltage (first-order system) 230 [V] (setpoint) keep around setpoint keep around setpoint (> 229 [V]) properly segmented 229 [V] disconnection at

  11. Example: Ex ple: Lo Low-Volta oltage e Di Dist strib ibution ution Ne Netw twor ork 6/15 false data injection attack commonly used model (LinDistFlow) DG DG DG - power flow (at each node) node disconnection - voltage drop (at each branch) - Distributed Generation (DG) edge distributed attack detector (Luenberger) residual (first-order system) perfect tracing (zero residual) diverge loss of tracking capability by disconnection disconnection at

  12. Pr Prob oblem lem Form ormula ulation tion 7/15 notation: remaining subsystems internally stable for any Assumption (proper segmentation) is internally stable for any Problem Design a residual generator such that Remark: naive approach is possible solution drawback: detection time depends on time constant of for any and when late detection we will seek for

  13. Pr Prob oblem lem Reform ormula ulation tion 8/15 consider the particular residual generator the error dynamics with where Luenberger-type observer (interaction errors) Remark: block-diagram internally stable for any is the design parameters Reformulated Problem Design such that the closed-loop system is internally stable for any Our approach: Retrofit Control

  14. Brief ief Revie view w of of Retr trof ofit it Co Cont ntrol ol 9/15 Retrofit Control: modular design method of a decentralized controller system of interest intended situation multiple subcontroller designers : designer of only with model knowledge of : designer of only with model knowledge of Crucial Premise the preexisting system is internally stable fundamental idea design such that the interaction relation is kept to be invariant preserving stability

  15. Brief Review of Retrofit Control (cont’d) 10/15 Retrofit Control: modular design method of a decentralized controller system of interest intended situation multiple subcontroller designers : designer of only with model knowledge of : designer of only with model knowledge of the th subcontroller designer’s viewpoint interaction relation is invariant

  16. Brief Review of Retrofit Control (cont’d) 10/15 Retrofit Control: modular design method of a decentralized controller system of interest intended situation multiple subcontroller designers : designer of only with model knowledge of : designer of only with model knowledge of the th subcontroller designer’s viewpoint interaction relation is invariant Youla parameter the entire system is stable ( holds when other models are completely unknown)

  17. Tracta ctable le Cl Classe sses of s of Retr trof ofit it Co Cont ntroller ollers 11/15 condition is difficult to handle in general (i) output-rectifying retrofit controllers: (ii) input-rectifying retrofit controllers: Existing Result on (i) Assumption: is measurable in addition to : locally stabilizing controller :rectified output Assumption can be satisfied by introducing abundant sensors on the other hand, (ii) has not received much attention because the condition is on “control inputs” requiring modification of actuators relatively difficult to address in physical systems

  18. Pr Prop opose osed d So Solu lution ion vi via Retr trof ofit it Co Cont ntrol ol 12/15 back to our problem: disconnection-aware attack detector design approach: applying retrofit control so as to key observation: control inputs in residual generator: cyber signals physical actuators are not required th sub-closed-loop idea: introducing an additional input for rectifying the original input with designing such that Solution Lemma (dual) with the structured Remark: no requirements on input/output ports of residual generator broad applicability

  19. Simula Si ulation tion 13/15 false data injection attack commonly used model (LinDistFlow) DG DG DG - power flow (at each node) node disconnection - voltage drop (at each branch) - Distributed Generation (DG) edge CIGRE benchmark model (European residential network) (first-order system) [V] for any , - residual generator measurement signal: (reactive power) confirmation controller design: linear quadratic regulator 1. early detection 2. attack impact mitigation 3. preservation of tracking capability

  20. Si Simula ulation tion 14/15 threat model: step function from at the 4 th customer’s reference voltage the normalized residual response (for decision making) naive (no feedback) proposed decision line (0.95 DC gain) decisions are made at and Result 1: early detection is achieved by the proposed method

  21. Si Simula ulation tion 14/15 the voltage response (should be regulated) disconnection naive (no feedback) disconnection proposed Result 2: voltage drop is significantly reduced

  22. Si Simula ulation tion 14/15 stability under disconnection residuals Luenberger-type proposed disconnection at Result 3: tracking capability is preserved under disconnection

  23. Co Conc nclusion lusion 15/15 summary of contributions (i) point out importance of disconnection awareness in the context of incident handling 1. detection 2. analysis 3. containment 4. eradication/recovery (ii) propose a solution based on retrofit control theory (iii) show that a particular form of retrofit controllers is appropriate for our problem, which leads to broad applicability of our method possible future directions (i) attack detector design with a given ROC (receiver operating characteristic) curve residual residual generator attack detector alarm (ii) analysis for sophisticated attacks thank you for your kind attention

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Disconnection OIR R.18-07-005 Workshop #1 2 Disconnection Volume & Pay Plan Kept Rate

Disconnection OIR R.18-07-005 Workshop #1 2 Disconnection Volume & Pay Plan Kept Rate

Disconnection OIR R.18-07-005 Workshop #1 2 Disconnection Volume & Pay Plan Kept Rate In 2017, PG&E experienced a decline in the number of residential disconnections while the total number of PG&Es customer accounts for all

591 views • 4 slides
Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Universitt Tbingen Computer Networks and Internet Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof. Dr. Georg Carle Chair for Computer Networks and Internet University of Tbingen Germany

291 views • 8 slides
Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut fr Telematik, Universitt Karlsruhe (TH), Germany Why Attack Detection still is important Distributed Denial-of-Service problem persists Attack

366 views • 19 slides
1. THE CAUSE OF FEAR Disconnection from God through unbelief, rejection of Gods love

1. THE CAUSE OF FEAR Disconnection from God through unbelief, rejection of Gods love

FEAR : Cause, Consequences and Cure 1JOHN 4:12-21 1. THE CAUSE OF FEAR Disconnection from God through unbelief, rejection of Gods love and His right to govern our lives, and disobedience Disconnection from self through

161 views • 5 slides
Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel

Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel

Problem definition Clustering Detection Measurements Result analysis Future work Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel Chwalinski Roman Belavkin Xiaochun Cheng Middlesex University

590 views • 35 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
Channel Aware Distributed Detection in Wireless Network with Correlated Observations Nahal Maleki

Channel Aware Distributed Detection in Wireless Network with Correlated Observations Nahal Maleki

Channel Aware Distributed Detection in Wireless Network with Correlated Observations Nahal Maleki Department of Electrical and Computer Engineering, University of Rochester Centralized versus Distributed Detection x 5 Fusion Center x 6 x 1 x 3 y

611 views • 47 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Efficient Semantic-Aware Detection of Near Duplicate Resources 7 th Extended Semantic Web

Efficient Semantic-Aware Detection of Near Duplicate Resources 7 th Extended Semantic Web

Efficient Semantic-Aware Detection of Near Duplicate Resources 7 th Extended Semantic Web Conference E. Ioannou, O. Papapetrou, D. Skoutas, W. Nejdl Wednesday, 2nd June 2010, Heraklion, Greece Outline 1. Motivation 2. RDFsim Approach

299 views • 26 slides
Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and Gaussian Back-end Fusion Massimiliano Todisco 1 , H ector Delgado 1 , Kong Aik Lee 2 , Md Sahidullah 3 , Nicholas Evans 1 , Tomi Kinnunen 4 and

292 views • 5 slides
Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques (NIT-K) S. K. Pal Defence Research & Development Organization (DRDO) SAG, Metcalfe House, Delhi 27-Jul-2020 1 What is Cyberspace? Refers to

766 views • 17 slides
discrepancies in disconnection / de- energisation remedies 1 CMP254 : Addressing discrepancies

discrepancies in disconnection / de- energisation remedies 1 CMP254 : Addressing discrepancies

CMP254 Addressing discrepancies in disconnection / de- energisation remedies 1 CMP254 : Addressing discrepancies in disconnection / de-energisation remedies Context There is a gap in the current industry code arrangements. For

193 views • 8 slides
RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo

RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo

RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo Focardi 1 August 23, 2017 1 Universit Ca Foscari Venezia (IT) / Cryptosense (FR) 30th IEEE Computer Security Foundations Symposium (CSF2017) Santa

1.1k views • 46 slides
Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honeypot Environment Eric Badger Masters Student Computer Engineering 1 Overview Introduction/Motivation Challenges

508 views • 30 slides
Schedule Date Day Class Title Chapters HW Lab Exam No. Due date Due date 8.1 8.2

Schedule Date Day Class Title Chapters HW Lab Exam No. Due date Due date 8.1 8.2

Schedule Date Day Class Title Chapters HW Lab Exam No. Due date Due date 8.1 8.2 29 Oct Wed 17 Operational Amplifiers 30 Oct Thu 31 Oct Fri Recitation HW 7 1 Nov Sat 2 Nov Sun 8.3 8.4 3 Nov Mon 18 Operational

578 views • 34 slides
Downlink Multi-User MIMO for IEEE 802.16m Sivakishore Reddy Naga Sekhar Centre of Excellence in

Downlink Multi-User MIMO for IEEE 802.16m Sivakishore Reddy Naga Sekhar Centre of Excellence in

Downlink Multi-User MIMO for IEEE 802.16m Sivakishore Reddy Naga Sekhar Centre of Excellence in Wireless Technology 2013 Outline 1 Introduction 2 Closed Loop MU-MIMO 3 Results 4 Open Loop MU-MIMO 5 Results 6 Conclusions Sivakishore Reddy Naga

415 views • 40 slides
General feedback system Relevant relations/transfer functions + v + y y ref F r ( s ) G ( s )

General feedback system Relevant relations/transfer functions + v + y y ref F r ( s ) G ( s )

General feedback system Relevant relations/transfer functions + v + y y ref F r ( s ) G ( s ) + + n F y ( s ) + Loop gain: G o ( s ) = F y ( s ) G ( s ) Closed loop system: Y ( s ) = G c ( s ) Y ref ( s ) + S ( s )

406 views • 8 slides
ECE321 Electronics I Fall 2006 Professor James E. Morris Lecture 2 28 th September, 2006

ECE321 Electronics I Fall 2006 Professor James E. Morris Lecture 2 28 th September, 2006

ECE321 Electronics I Fall 2006 Professor James E. Morris Lecture 2 28 th September, 2006 Operational Amplifiers 2.1 Ideal Op-amps 2.2 Inverting Amplifier 2.3 Non- Inverting Amplifier 2 1 Figure 2.1 Circuit symbol for the op amp. Figure 2.2

400 views • 11 slides
ROBOTICA 03CFIOR 03CFIOR Basilio Bona DAUIN Politecnico di Torino Basilio Bona 1

ROBOTICA 03CFIOR 03CFIOR Basilio Bona DAUIN Politecnico di Torino Basilio Bona 1

ROBOTICA 03CFIOR 03CFIOR Basilio Bona DAUIN Politecnico di Torino Basilio Bona 1 ROBOTICA 03CFIOR Control Part 1 Introduction to robot control The motion control problem consists in the design of control algorithms for the

819 views • 47 slides
RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background Discussion (Strengths/Weaknesses) RowHammer-based Attack Mitigation Techniques Circuit-level Studies Other Works RowHammer in

382 views • 19 slides
Applied Sliding Mode Control e Paulo V. S. Cunha 1 Jos 1 Department of Electronics and

Applied Sliding Mode Control e Paulo V. S. Cunha 1 Jos 1 Department of Electronics and

Applied Sliding Mode Control e Paulo V. S. Cunha 1 Jos 1 Department of Electronics and Telecommunication Engineering State University of Rio de Janeiro, Brazil Beihang University, Beijing, China, November 8 th , 2017 Outline 1.

2.54k views • 60 slides
IE1206 Embedded Electronics Le1 Le2 PIC-block Documentation, Serial com Pulse sensors I , U , R

IE1206 Embedded Electronics Le1 Le2 PIC-block Documentation, Serial com Pulse sensors I , U , R

IE1206 Embedded Electronics Le1 Le2 PIC-block Documentation, Serial com Pulse sensors I , U , R , P , serial and parallell Le3 Ex1 KC1 LAB1 Pulse sensors, Menu program Start of programing task Ex2 Le4 Kirchhoffs laws

629 views • 38 slides

More recommend