Composite Intrusion Detection in Process Control Networks
Universita degli Studi di Milano
Julian L. Rrushi
Overview
• This dissertation develops a multi-algorithmic intrusion detection
approach for operation in a networked process control environment
• The intrusion detection approach can be used to detect layer-7 attacks on
industrial process control systems
• It can also be used to detect the spread of worm code over a process control
network, the network insertion of rootkit code into the memory of a
compromised control system, the synchronization of logic bombs or other
malware in a process control network, and valid but destructive network
packets generated by malicious insiders
Capturing the Behavior of a Cyber-Physical System
• We have found that the behavior of a physical process is reflected as
evolutions of specific RAM content…
• …and that the behavior of network traffic in a process control network
is also reflected as evolutions of specific RAM content
• Well-behaved network traffic and physical processes are characterized
by specific evolutions of specific RAM content, which in this research
we refer to as normal evolutions
• For a network packet to be classified as normal, its payload should
cause a normal evolution of RAM content
• Thus, in this work the challenge of anomaly detection takes the form of
estimating normal evolutions of RAM content
Estimation-Inspection (EI) Algorithm
• The evolutions of values of each variable are modeled as a stochastic
vector
• The challenge is the construction of probability mass functions, which
consult RAM content and return stochastic vectors
• In this dissertation a probability mass function is developed via a series
of logistic regression models
• The Estimation part of the EI algorithm uses logistic regression and
maximum likelihood estimation to estimate statistical parameters
• The Inspection part of the EI algorithm uses those statistical
parameters in logistic regression formulae to estimate the normalcy
probability of payload content
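As an added example (not code from the dissertation or its implementation), the following Python sketches the two halves of the EI algorithm for one monitored RAM variable. It assumes, beyond what the slides state, that the variable is discretised into K value bins, that the RAM content consulted is the variable's current bin, and that a write packet's payload proposes the variable's next value; the training sample and the acceptance threshold are constructed. The Estimation step fits a multinomial logistic regression by maximum likelihood (batch gradient ascent on the log-likelihood); the fitted probability mass function returns a stochastic vector over the next bin, and the Inspection step reads off the normalcy probability of the evolution a payload would cause.

```python
"""Estimation-Inspection style normalcy scoring of a packet payload with
multinomial logistic regression. Example code added for illustration; it is
not the dissertation's implementation. Assumptions (not from the slides):
the monitored RAM variable is discretised into K value bins, the RAM content
consulted is that variable's current bin (one-hot features plus a bias), and
a write packet's payload proposes the variable's next value."""
import math

K = 5                    # number of value bins (assumed)
LOW, HIGH = 0.0, 100.0   # assumed raw value range of the variable (e.g. a percentage)


def to_bin(value):
    """Map a raw value to one of the K bins (values outside the range are clamped)."""
    value = min(max(value, LOW), HIGH - 1e-9)
    return int((value - LOW) / (HIGH - LOW) * K)


def features(current_bin):
    """One-hot encoding of the current bin, plus a constant bias feature."""
    f = [0.0] * (K + 1)
    f[current_bin] = 1.0
    f[K] = 1.0
    return f


def softmax(logits):
    m = max(logits)                      # shift for numerical stability
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def _probs(weights, f):
    logits = [sum(w * x for w, x in zip(weights[k], f)) for k in range(K)]
    return softmax(logits)


def stochastic_vector(weights, current_bin):
    """Probability mass function over the variable's next bin given current RAM content."""
    return _probs(weights, features(current_bin))


def estimate(transitions, lr=0.05, epochs=1500):
    """Estimation step: maximum likelihood fit of the regression parameters to
    (current_bin, next_bin) pairs observed under well-behaved traffic, by batch
    gradient ascent on the log-likelihood of the multinomial logistic model."""
    data = [(features(cur), nxt) for cur, nxt in transitions]
    weights = [[0.0] * (K + 1) for _ in range(K)]
    for _ in range(epochs):
        grad = [[0.0] * (K + 1) for _ in range(K)]
        for f, nxt in data:
            p = _probs(weights, f)
            for k in range(K):
                coef = (1.0 if k == nxt else 0.0) - p[k]   # d log-lik / d logit_k
                for j in range(K + 1):
                    grad[k][j] += coef * f[j]
        for k in range(K):
            for j in range(K + 1):
                weights[k][j] += lr * grad[k][j]
    return weights


def inspect_payload(weights, current_value, payload_value, threshold=0.05):
    """Inspection step: normalcy probability of the RAM evolution the payload
    would cause, and whether it clears the (assumed) acceptance threshold."""
    p = stochastic_vector(weights, to_bin(current_value))[to_bin(payload_value)]
    return p, p >= threshold


def constructed_transitions():
    """Constructed training sample: under normal operation each write keeps the
    variable in its bin (60 %) or moves it one bin up or down (20 % each);
    moves past the range ends are recorded as staying put."""
    sample = []
    for cur in range(K):
        up = cur + 1 if cur + 1 < K else cur
        down = cur - 1 if cur > 0 else cur
        sample += [(cur, cur)] * 6 + [(cur, up)] * 2 + [(cur, down)] * 2
    return sample


if __name__ == "__main__":
    W = estimate(constructed_transitions())
    for current, proposed in [(45.0, 50.0), (45.0, 65.0), (5.0, 95.0)]:
        prob, accepted = inspect_payload(W, current, proposed)
        print(f"{current:5.1f} -> {proposed:5.1f}: normalcy {prob:.4f} accepted={accepted}")
```

A transition that the well-behaved sample never contains (here a jump from the lowest to the highest bin) receives a normalcy probability near zero, while the one-bin steps keep probabilities close to their relative frequencies in the sample. In a deployment the threshold would be tuned on held-out normal traffic, and the feature vector would consult more RAM content than a single variable's current bin.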
On the Rationality of Simulation-based Validation
• Simulation-based validation is commonly employed in environments in
which experimentation with real world equipment and/or physical
phenomena is not available or feasible
• Examples include conflict detection algorithms used in airborne
collision avoidance systems
• Other examples are the procedures for validating the effectiveness of
radar algorithms in detecting and classifying moving targets
• And so forth
Supervisory Control Specifications
• A system operator interacts with an HMI to operate a nuclear power
plant over a process control network. Such operation is conducted
according to precise supervisory instructions
• An example of a supervisory instruction is the consultation of a power-
to-flow operating map to keep thermal power within predefined
thresholds
• It is from such supervisory instructions that we derive specifications
in the form of activity network models that reason in terms of network
packets
• A concrete case study is the development of an activity network model
that detects any network packet that has potential for inducing stresses
on the walls of a reactor pressure vessel
Automatic Control Specifications
• The logic of automatic operation is encoded into control applications
that run in control systems
• We derive specifications in the form of activity network models from
control applications
• Redundant program execution does not seem to be necessary
• We consider functions of a control application that read from or write
to network sockets in conjunction with program variables stored in the
RAM of a control system
• A case study is the development of an activity network model that
recognizes network packets that protect a reactor from unsafe
conditions created by a fault in any of the water pumps
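As an added example of the specification-based approach (not one of the dissertation's activity network models), the following Python encodes both a supervisory instruction and an automatic-control response as a small activity network that reasons about network packets. The packet format, register names, the power-to-flow operating map and the runback limit are all constructed for illustration and are not from any real plant: a write to the power setpoint that would take thermal power above the map for the current core flow is flagged, and after a pump fault is observed in RAM the network expects the control application's runback packet and recognises it as protective rather than anomalous.

```python
"""Specification-based checking of control packets with a small activity
network. Example code added for illustration; not the dissertation's models.
The operating map, register names, packet format and thresholds are all
constructed and do not describe any real plant."""
from dataclasses import dataclass


def max_power_for_flow(flow_pct):
    """Constructed power-to-flow operating map: the highest thermal power
    (% rated) the supervisory instruction permits at a given core flow (% rated)."""
    return min(100.0, 20.0 + 0.9 * flow_pct)


RUNBACK_LIMIT = 60.0   # constructed: power the automatic logic runs back to after a pump fault


@dataclass
class Packet:
    function: str        # "write" or "read" (constructed layer-7 semantics)
    register: str        # e.g. "power_setpoint"
    value: float = 0.0


@dataclass
class RamSnapshot:
    """RAM content of the control system at the time the packet is seen."""
    thermal_power: float
    core_flow: float
    pump_fault: bool


class ActivityNetwork:
    """Activities: 'steady' (normal supervisory operation) and
    'runback_expected' (a pump fault was observed in RAM, so the automatic
    control logic must issue a power runback). Each packet is classified as
    'normal', 'protective' or 'alarm'."""

    def __init__(self):
        self.activity = "steady"
        self.fault_handled = False
        self.alarms = []

    def _observe_ram(self, ram):
        if not ram.pump_fault:
            self.fault_handled = False          # fault cleared; a new one must be handled again
        elif not self.fault_handled:
            self.activity = "runback_expected"  # automatic logic must now run the power back
            self.fault_handled = True

    def check(self, pkt, ram):
        self._observe_ram(ram)
        if pkt.function != "write" or pkt.register != "power_setpoint":
            return "normal"                     # reads and other registers are outside this spec
        limit = max_power_for_flow(ram.core_flow)
        if self.activity == "runback_expected":
            # Automatic-control specification: the expected packet lowers power
            # to the runback limit (and stays inside the operating map).
            if pkt.value <= RUNBACK_LIMIT and pkt.value <= limit:
                self.activity = "steady"
                return "protective"
            self.alarms.append(("runback_violation", pkt))
            return "alarm"
        # Supervisory specification: a setpoint above the operating map has the
        # potential to stress the reactor pressure vessel.
        if pkt.value > limit:
            self.alarms.append(("outside_operating_map", pkt))
            return "alarm"
        return "normal"


def run(stream):
    """stream: list of (Packet, RamSnapshot) pairs; returns verdicts and alarm kinds."""
    net = ActivityNetwork()
    verdicts = [net.check(pkt, ram) for pkt, ram in stream]
    return verdicts, [kind for kind, _ in net.alarms]


# Constructed packet stream with the RAM content seen alongside each packet.
CONSTRUCTED_STREAM = [
    (Packet("write", "power_setpoint", 80.0), RamSnapshot(75.0, 80.0, False)),  # 80 <= 92
    (Packet("read", "core_flow"), RamSnapshot(80.0, 80.0, False)),              # read only
    (Packet("write", "power_setpoint", 95.0), RamSnapshot(80.0, 70.0, False)),  # 95 > 83
    (Packet("write", "power_setpoint", 55.0), RamSnapshot(80.0, 50.0, True)),   # runback after fault
    (Packet("write", "power_setpoint", 40.0), RamSnapshot(55.0, 50.0, False)),  # fault cleared
    (Packet("write", "power_setpoint", 90.0), RamSnapshot(40.0, 90.0, True)),   # raises power during fault
]

if __name__ == "__main__":
    for (pkt, ram), verdict in zip(CONSTRUCTED_STREAM, run(CONSTRUCTED_STREAM)[0]):
        print(f"{pkt.function:5} {pkt.register:15} {pkt.value:5.1f} -> {verdict}")
```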
Mirage Theory - Definition
Mirage theory comprises actions devised to deliberately mislead an adversary
about digitally controlled physical processes and equipment such as nuclear
power plants, thereby causing the adversary to take specific actions that will
contribute to the detection of his/her intrusion in process control networks
Inspired by Operation Fortitude South, mirage theory exploits the adversary's
reliance on analysis of intercepted network data to infer the presence and
characteristics of physical targets, and his/her lack of means to verify that
intercepted traffic is indeed generated by existing physical targets
Elements of Mirage Theory
• A continuous space constructed via computer simulation or emulation of
physical processes and equipment
• A discrete space formed by process control systems and networks that
are deployed and configured as if they were to monitor and control a real
physical process through real sensors and actuators
• An artificial boundary between the continuous and discrete spaces,
developed ad hoc to allow for regular interaction between those spaces
and to prevent an adversary from crossing the discrete space
Estimation of Hypothesis-based Probabilities
• We compute the complete-data sample expected by a given probability
distribution first
• We then compute the maximum likelihood estimate, i.e. the probability
distribution that maximizes the probability of the complete-data sample
• The maximum likelihood estimate is equal to the relative frequency
estimate, given that our probability model is unconstrained
• This cycle is repeated until reaching a probability distribution that
produces a maximal probability of the complete-data sample
• The hypothesis-based probability of evidence is equal to the product of
the hypothesis-based probabilities of the individual variables that
compose it
Bayesian Comparison of Competing Hypotheses
We apply Bayes' theorem in its ratio form to have the normalcy and
abnormality hypotheses compete against each other:
The hypothesis that holds is the one with the highest probability as estimated by
Bayes' theorem
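As an added example (not the dissertation's code), the following Python implements the two slides above together: the expected complete-data sample / maximum likelihood cycle for estimating hypothesis-based probabilities from training records that may have missing values (recorded as None), the product rule for the hypothesis-based probability of evidence, and the ratio form of Bayes' theorem, P(H_n | E) / P(H_a | E) = P(E | H_n) P(H_n) / (P(E | H_a) P(H_a)), used to let the normalcy hypothesis H_n and the abnormality hypothesis H_a compete. The variable domains, training records and priors are constructed, and the probability model is assumed unconstrained (independent categorical variables), as the slide states.

```python
"""Hypothesis-based probability estimation and Bayesian comparison of the
normalcy and abnormality hypotheses. Example code added for illustration;
not the dissertation's implementation. Assumed: variables are independent
categorical variables (unconstrained model) and a missing value in a training
record is recorded as None."""
import math


def estimate_distributions(records, domains, tol=1e-10, max_iter=100):
    """records: list of {var: value or None}; domains: {var: [values]}.
    Alternates the expected complete-data sample under the current
    distribution with the maximum likelihood estimate (relative frequency,
    since the model is unconstrained) until the distribution stops changing."""
    dist = {v: {x: 1.0 / len(domains[v]) for x in domains[v]} for v in domains}
    for _ in range(max_iter):
        counts = {v: {x: 0.0 for x in domains[v]} for v in domains}
        # Expected complete-data sample: a missing value contributes its
        # expected count to every value of the variable's domain.
        for rec in records:
            for v in domains:
                x = rec.get(v)
                if x is None:
                    for y in domains[v]:
                        counts[v][y] += dist[v][y]
                else:
                    counts[v][x] += 1.0
        # Maximum likelihood estimate = relative frequency of the complete data.
        new = {}
        for v in domains:
            total = sum(counts[v].values())
            new[v] = {x: counts[v][x] / total for x in domains[v]}
        delta = max(abs(new[v][x] - dist[v][x]) for v in domains for x in domains[v])
        dist = new
        if delta < tol:
            break
    return dist


def evidence_probability(dist, evidence):
    """Hypothesis-based probability of the evidence: product over its variables."""
    p = 1.0
    for v, x in evidence.items():
        p *= dist[v].get(x, 0.0)   # a value never seen under the hypothesis gets 0
    return p


def compare_hypotheses(normal_dist, abnormal_dist, evidence, prior_normal=0.8):
    """Ratio form of Bayes' theorem: P(Hn|E)/P(Ha|E) = P(E|Hn)P(Hn) / (P(E|Ha)P(Ha)).
    Returns the hypothesis that holds and the ratio (the constructed prior favours Hn)."""
    num = evidence_probability(normal_dist, evidence) * prior_normal
    den = evidence_probability(abnormal_dist, evidence) * (1.0 - prior_normal)
    if den == 0.0:
        ratio = math.inf if num > 0.0 else math.nan   # evidence unseen under Ha (or both)
    else:
        ratio = num / den
    return ("normal" if ratio > 1.0 else "abnormal"), ratio


# Constructed domains and training records (the last record of each set has
# both values missing, to exercise the complete-data estimation cycle).
DOMAINS = {"power": ["lo", "mid", "hi"], "valve": ["closed", "open"]}


def _records(power_values, valve_values):
    return [{"power": p, "valve": v} for p, v in zip(power_values, valve_values)]


NORMAL_RECORDS = _records(["mid"] * 6 + ["hi"] * 2 + ["lo", None],
                          ["open"] * 7 + ["closed"] * 2 + [None])
ABNORMAL_RECORDS = _records(["hi"] * 5 + ["lo"] * 3 + ["mid", None],
                            ["closed"] * 6 + ["open"] * 3 + [None])

if __name__ == "__main__":
    hn = estimate_distributions(NORMAL_RECORDS, DOMAINS)
    ha = estimate_distributions(ABNORMAL_RECORDS, DOMAINS)
    for evidence in ({"power": "mid", "valve": "open"}, {"power": "hi", "valve": "closed"}):
        print(evidence, compare_hypotheses(hn, ha, evidence))
```

Because the probability model is unconstrained, the maximum likelihood step is a relative-frequency estimate, so a variable value absent from a hypothesis's training records gets probability zero; the comparison therefore reports a non-finite ratio for evidence that neither hypothesis has seen, which is the case a deployment would have to handle separately, for instance by smoothing the estimates.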
Empirical Testing
• The multi-algorithmic IDS was tested in a testbed that resembles the
networked process control environment of a nuclear power plant
• A number of test vulnerabilities and exploitations were introduced to
facilitate the tests
• Both the EI algorithm and the physical-process-aware specification-based
approach exhibited a false alarm rate of 0 false positives/hr and a
probability of detection of 0.98
• The Bayesian theory of confirmation was tested via a technique that we
refer to as detection failure injection
• The corrective effect of the Bayesian theory of confirmation turned out to
be proportional to the degree of detection failure injection
Conclusions
• The effectiveness of the multi-algorithmic IDS is indicative of the
potential of evolutions of specific RAM content to capture the normal
behavior of a cyber-physical system such as a power plant
• The application of statistics and probability theory along with expert
knowledge within the multi-algorithmic IDS has proven to be effective
in leveraging those evolutions for anomaly detection
• The multi-algorithmic IDS provides for near-real-time detection of
attacks, and hence is not heavyweight
• This is mainly due to the fact that the detection intelligence is created
offline before deployment