Fingerprinting for Cyber-Physical System Security: Device Physics Matters Too

Gu, Qinchen; Formby, David; Ji, Shouling; Çam, Hasan; Beyah, Raheem

doi:10.1109/msp.2018.3761722

Cited by 24 publications

(7 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several different approaches have emerged over the last few years for detecting and preventing CPS attacks. These include techniques based on anomaly detection, where the logs of the physical data are analysed to identify suspicious events and anomalous behaviours [7,12,17,22,28,32,40,44,45,47,49,51,54,57,60,65,66]; digital fingerprinting, where sensors are checked for spoofing by monitoring time and frequency domain features from sensor and process noise [13,35,43,50,79]; and invariant-based checkers, which monitor for violations of invariant properties over sensor and actuator states [8,9,11,20,24,25,29,39,73,81]. A key difference between many of these works and ours, aside from the specific target of code modification attacks, is the need for either significant amounts of data from the real system (for training), or knowledge of the underlying processes and control operations (e.g.…”

Section: Related Workmentioning

confidence: 99%

“…Compromising any one of these components or PLCs can potentially allow an attacker to manipulate the system into a damaging physical state. This has motivated a huge variety of research into defending and assessing CPSs, spanning techniques based on anomaly detection [7,12,17,22,28,32,39,40,44,45,47,49,51,54,57,60,65,66], fingerprinting [13,35,43,50,79], invariant-based monitoring [8,9,11,20,24,25,29,73,81], trusted execution environments [70], and fuzzing [26,27,78].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Code integrity attestation for PLCs using black box neural network predictions

Chen

Poskitt

Sun

2021

Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

Cyber-physical systems (CPSs) are widespread in critical domains, and significant damage can be caused if an attacker is able to modify the code of their programmable logic controllers (PLCs). Unfortunately, traditional techniques for attesting code integrity (i.e. verifying that it has not been modified) rely on firmware access or roots-of-trust, neither of which proprietary or legacy PLCs are likely to provide. In this paper, we propose a practical code integrity checking solution based on privacy-preserving black box models that instead attest the input/output behaviour of PLC programs. Using faithful offline copies of the PLC programs, we identify their most important inputs through an information flow analysis, execute them on multiple combinations to collect data, then train neural networks able to predict PLC outputs (i.e. actuator commands) from their inputs. By exploiting the black box nature of the model, our solution maintains the privacy of the original PLC code and does not assume that attackers are unaware of its presence. The trust instead comes from the fact that it is extremely hard to attack the PLC code and neural networks at the same time and with consistent outcomes. We evaluated our approach on a modern six-stage water treatment plant testbed, finding that it could predict actuator states from PLC inputs with near-100% accuracy, and thus could detect all 120 effective code mutations that we subjected the PLCs to. Finally, we found that it is not practically possible to simultaneously modify the PLC code and apply discreet adversarial noise to our attesters in a way that leads to consistent (mis-)predictions. CCS CONCEPTS• Software and its engineering → Embedded software; • Security and privacy → Embedded systems security; • Computing methodologies → Neural networks.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Code integrity attestation for PLCs using black box neural network predictions

Chen

Poskitt

Sun

2021

Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

show abstract

“…A malicious node could launch a routing attack to control data traffic, to degrade network performance (e.g., sinkhole, worm hole), or to deplete network resources, such as energy or bandwidth, (e.g., flooding, rushing attack) [7,8]. For the case of critical infrastructure cyber-physical systems, network attacks may imply potential economic and human losses, thus, it is important to protect RWN from these threats [9,10].…”

Section: Introductionmentioning

confidence: 99%

LC-IDS: Loci-Constellation-Based Intrusion Detection for Reconfigurable Wireless Networks

Zuñiga-Mejia

Villalpando-Hernández

Vargas-Rosales

et al. 2021

Electronics

View full text Add to dashboard Cite

Detection accuracy of current machine-learning approaches to intrusion detection depends heavily on feature engineering and dimensionality-reduction techniques (e.g., variational autoencoder) applied to large datasets. For many use cases, a tradeoff between detection performance and resource requirements must be considered. In this paper, we propose Loci-Constellation-based Intrusion Detection System (LC-IDS), a general framework for network intrusion detection (detection of already known and previously unknown routing attacks) for reconfigurable wireless networks (e.g., vehicular ad hoc networks, unmanned aerial vehicle networks). We introduce the concept of ‘attack-constellation’, which allows us to represent all the relevant information for intrusion detection (misuse detection and anomaly detection) on a latent 2-dimensional space that arises naturally by considering the temporal structure of the input data. The attack/anomaly-detection performance of LC-IDS is analyzed through simulations in a wide range of network conditions. We show that for all the analyzed network scenarios, we can detect known attacks, with a good detection accuracy, and anomalies with low false positive rates. We show the flexibility and scalability of LC-IDS that allow us to consider a dynamic number of neighboring nodes and routing attacks in the ‘attack-constellation’ in a distributed fashion and with low computational requirements.

show abstract

“…Given the potential impact of cyber-attacks on these systems [46,51,60], ensuring their security and protection has become a more important goal than ever before. The different temporal scales, modalities, and process interactions in CPSs, however, pose a significant challenge for solutions to overcome, and have led to a variety of research into different possible countermeasures, including ones based on anomaly detection [11,15,27,45,48,52,58,61,66,69,71], fingerprinting [12,13,44,56], invariant-based monitoring [7,8,10,18,24,25,28,39,82], and trusted execution environments [74].…”

Section: Introductionmentioning

confidence: 99%

Active fuzzing for testing and securing cyber-physical systems

Chen

Xuan

Poskitt

et al. 2020

Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

Cyber-physical systems (CPSs) in critical infrastructure face a pervasive threat from attackers, motivating research into a variety of countermeasures for securing them. Assessing the effectiveness of these countermeasures is challenging, however, as realistic benchmarks of attacks are difficult to manually construct, blindly testing is ineffective due to the enormous search spaces and resource requirements, and intelligent fuzzing approaches require impractical amounts of data and network access. In this work, we propose active fuzzing, an automatic approach for finding test suites of packetlevel CPS network attacks, targeting scenarios in which attackers can observe sensors and manipulate packets, but have no existing knowledge about the payload encodings. Our approach learns regression models for predicting sensor values that will result from sampled network packets, and uses these predictions to guide a search for payload manipulations (i.e. bit flips) most likely to drive the CPS into an unsafe state. Key to our solution is the use of online active learning, which iteratively updates the models by sampling payloads that are estimated to maximally improve them. We evaluate the efficacy of active fuzzing by implementing it for a water purification plant testbed, finding it can automatically discover a test suite of flow, pressure, and over/underflow attacks, all with substantially less time, data, and network access than the most comparable approach. Finally, we demonstrate that our prediction models can also be utilised as countermeasures themselves, implementing them as anomaly detectors and early warning systems.

show abstract

Fingerprinting for Cyber-Physical System Security: Device Physics Matters Too

Cited by 24 publications

References 4 publications

Code integrity attestation for PLCs using black box neural network predictions

Code integrity attestation for PLCs using black box neural network predictions

LC-IDS: Loci-Constellation-Based Intrusion Detection for Reconfigurable Wireless Networks

Active fuzzing for testing and securing cyber-physical systems

Contact Info

Product

Resources

About