1
Universita degli Studi di Milano
Composite Intrusion Detection in Process Control Networks
Julian L. Rrushi
2
Overview
• This dissertation develops a multi-algorithmic intrusion detection approach for operation in a networked process control environment
• The intrusion detection approach can be used to detect layer-7 attacks on industrial process control systems
• It can also be used to detect the spread of worm code over a process control network, the network insertion of rootkit code into the memory of a compromised control system, the synchronization of logic bombs or other malware across a process control network, and valid but destructive network packets generated by malicious insiders
3
Background
4
Capturing the Behavior of a Cyber-Physical System
• We have found that the behavior of a physical process is reflected as evolutions of specific RAM content…
• …and that the behavior of network traffic in a process control network is also reflected as evolutions of specific RAM content
• Well-behaved network traffic and physical processes are characterized by specific evolutions of specific RAM content, which in this research we refer to as normal evolutions
• For a network packet to be classified as normal, its payload should cause a normal evolution of RAM content
• Thus, in this work the challenge of anomaly detection takes the form of estimating normal evolutions of RAM content
5
Estimation-Inspection (EI) Algorithm
• The evolutions of the values of each variable are modeled as a stochastic vector
• The challenge is the construction of probability mass functions, which consult RAM content and return stochastic vectors
• In this dissertation a probability mass function is developed via a series of logistic regression models
• The Estimation part of the EI algorithm uses logistic regression and maximum likelihood estimation to estimate statistical parameters
• The Inspection part of the EI algorithm uses those statistical parameters in logistic regression formulae to estimate the normalcy probability of payload content
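The following is an added example, not code from the dissertation: a small logistic regression model of the evolutions of one RAM variable, fitted by maximum likelihood (the Estimation part) and then used to score the normalcy probability of a payload that would write that variable (the Inspection part). The training records, the feature mapping, the variable's range and the `features`/`estimate`/`inspect` names are all constructed for illustration.

```python
"""Estimation-Inspection (EI) sketch, as an added example: logistic regression
fitted by maximum likelihood on evolutions of one RAM variable (the estimation
part), then used to score the normalcy probability of a payload that would
write that variable (the inspection part).  All data below is constructed."""
import math

# Constructed training records (assumption): (current_value, value_carried_by_payload, label)
# for one RAM variable, e.g. a pump speed setpoint in percent.
# label 1 = normal evolution, 0 = abnormal evolution.
TRAINING = [
    (50, 52, 1), (52, 55, 1), (55, 54, 1), (54, 50, 1), (50, 49, 1),
    (49, 53, 1), (53, 56, 1), (56, 55, 1), (60, 58, 1), (58, 60, 1),
    (50, 100, 0), (52, 0, 0), (55, 98, 0), (54, 5, 0), (60, 0, 0),
    (58, 100, 0), (50, 95, 0), (53, 2, 0),
]
SCALE = 100.0  # assumption: the variable ranges over 0..100


def features(current, new):
    """Describe one evolution (current -> new) as a feature vector: bias term,
    size of the jump and the new level, both scaled to [0, 1]."""
    return [1.0, abs(new - current) / SCALE, new / SCALE]


def sigmoid(z):
    if z < -700:          # avoid overflow in exp() for very negative logits
        return 0.0
    return 1.0 / (1.0 + math.exp(-z))


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def log_likelihood(w, records):
    """Bernoulli log-likelihood of the labels under the logistic model."""
    total = 0.0
    for current, new, label in records:
        p = sigmoid(dot(w, features(current, new)))
        p = min(max(p, 1e-12), 1 - 1e-12)
        total += label * math.log(p) + (1 - label) * math.log(1 - p)
    return total


def estimate(records, lr=0.5, iterations=5000):
    """Estimation part: maximum likelihood estimate of the regression weights
    by gradient ascent on the average log-likelihood."""
    dim = len(features(0, 0))
    w = [0.0] * dim
    n = len(records)
    for _ in range(iterations):
        grad = [0.0] * dim
        for current, new, label in records:
            x = features(current, new)
            p = sigmoid(dot(w, x))
            for j in range(dim):
                grad[j] += (label - p) * x[j]
        w = [wj + lr * gj / n for wj, gj in zip(w, grad)]
    return w


def inspect(w, current, new):
    """Inspection part: normalcy probability of a payload that would move the
    variable from `current` to `new`."""
    return sigmoid(dot(w, features(current, new)))


if __name__ == "__main__":
    weights = estimate(TRAINING)
    for cur, new in [(50, 52), (50, 100), (55, 1)]:
        print(f"{cur} -> {new}: normalcy {inspect(weights, cur, new):.3f}")
```

The estimation runs offline on labelled evolutions; at inspection time only the fitted weights and the candidate payload value are needed, which is what keeps the per-packet cost low. A real deployment would fit one such model per monitored RAM variable and build the stochastic vector from the resulting probabilities.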
6
Probabilistic Validation of the EI Algorithm
On the Rationality of Simulation-based Validation
• Simulation-based validation is commonly employed in environments in which experimentation with real-world equipment and/or physical phenomena is not available or feasible
• Examples include conflict detection algorithms used in airborne collision avoidance systems
• Several procedures for validating the effectiveness of radar algorithms at detecting and classifying moving targets
• And so forth
8
Leveraging Specification-based Detection
9
Supervisory Control Specifications
• A system operator interacts with an HMI to operate a nuclear power plant over a process control network. Such operation is conducted according to precise supervisory instructions
• An example of a supervisory instruction is the consultation of a power-to-flow operating map to keep thermal power within predefined thresholds
• It is from such supervisory instructions that we derive specifications in the form of activity network models that reason in terms of network packets
• A concrete case study is the development of an activity network model that detects any network packet that has the potential to induce stresses on the walls of a reactor pressure vessel
10
Automatic Control Specifications
• The logic of automatic operation is encoded into control applications that run in control systems
• We derive specifications in the form of activity network models from control applications
• Redundant program execution does not seem to be necessary
• We consider functions of a control application that read from or write to network sockets in conjunction with program variables stored in the RAM of a control system
• A case study is the development of an activity network model that recognizes network packets that protect a reactor from unsafe conditions created by a fault in any of the water pumps
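As an added example covering both the supervisory-control and the automatic-control slides above (it is not the dissertation's own models), the block below implements a minimal activity-network checker: states joined by guarded transitions that reason about network packets against a mirror of the plant's RAM variables. One instance encodes a supervisory instruction (a thermal-power setpoint write is normal only if it stays under a power-to-flow operating map at the current core flow); the other encodes an automatic-control rule (after a pump trip, the next expected traffic is a protective power runback that respects the map at the reduced flow). The packet format, register names, the operating map breakpoints and the four-pump plant are constructed.

```python
"""Activity-network style specification checks for process control packets,
as an added example (not the dissertation's models).  Packet kinds, register
names, the power-to-flow map and the plant mirror are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    kind: str             # constructed kinds: "write_setpoint", "pump_trip"
    register: str = ""
    value: float = 0.0


@dataclass
class PlantState:
    """Mirror of the RAM variables the specifications reason about (constructed)."""
    core_flow_pct: float = 100.0
    thermal_power_pct: float = 90.0
    pumps_running: int = 4


# Constructed power-to-flow operating map: (core flow %, max permitted thermal power %).
POWER_TO_FLOW_MAP = [(30.0, 35.0), (60.0, 65.0), (100.0, 100.0)]


def max_power_for_flow(flow_pct):
    """Piecewise-linear interpolation of the operating map."""
    pts = POWER_TO_FLOW_MAP
    if flow_pct <= pts[0][0]:
        return pts[0][1]
    for (f0, p0), (f1, p1) in zip(pts, pts[1:]):
        if flow_pct <= f1:
            return p0 + (p1 - p0) * (flow_pct - f0) / (f1 - f0)
    return pts[-1][1]


class ActivityNetwork:
    """States joined by transitions; each transition has a guard over the packet
    and the plant mirror and an effect that updates the mirror.  A packet that
    enables no transition from the current state is reported as a violation."""

    def __init__(self, start):
        self.state = start
        self.transitions = []   # (from_state, to_state, guard, effect)

    def add(self, src, dst, guard, effect=lambda pkt, st: None):
        self.transitions.append((src, dst, guard, effect))

    def step(self, pkt, plant):
        for src, dst, guard, effect in self.transitions:
            if src == self.state and guard(pkt, plant):
                effect(pkt, plant)
                self.state = dst
                return True
        return False


def is_power_write(pkt):
    return pkt.kind == "write_setpoint" and pkt.register == "thermal_power_pct"


def apply_power(pkt, st):
    st.thermal_power_pct = pkt.value


def supervisory_model():
    """Supervisory instruction: a power setpoint write is normal only if the
    requested power stays under the operating map at the current core flow."""
    net = ActivityNetwork("operating")
    net.add("operating", "operating",
            lambda pkt, st: is_power_write(pkt)
            and 0.0 <= pkt.value <= max_power_for_flow(st.core_flow_pct),
            apply_power)
    return net


def automatic_model():
    """Automatic control: a pump trip reduces core flow; the only normal traffic
    until the runback is done is a power write that fits the map at the new flow."""
    net = ActivityNetwork("operating")

    def trip_effect(pkt, st):
        st.pumps_running -= 1
        st.core_flow_pct = 100.0 * st.pumps_running / 4

    net.add("operating", "runback_pending",
            lambda pkt, st: pkt.kind == "pump_trip" and st.pumps_running > 0,
            trip_effect)
    net.add("runback_pending", "operating",
            lambda pkt, st: is_power_write(pkt)
            and pkt.value <= max_power_for_flow(st.core_flow_pct),
            apply_power)
    return net


def check_stream(net, plant, packets):
    """Return (index, packet) pairs that violate the model, updating the mirror as it goes."""
    return [(i, p) for i, p in enumerate(packets) if not net.step(p, plant)]
```

Because the guards read the plant mirror, the same packet bytes can be normal at one operating point and a violation at another, which is the property that distinguishes this kind of specification from a static signature.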
11
Mirage Theory - Definition
Mirage theory consists of actions devised to deliberately mislead an adversary about digitally controlled physical processes and equipment, such as nuclear power plants, thereby causing the adversary to take specific actions that contribute to the detection of his/her intrusion into process control networks
Inspired by Operation Fortitude South, mirage theory exploits the adversary's reliance on the analysis of intercepted network data to infer the presence and characteristics of physical targets, and his/her lack of means to verify that the intercepted traffic is indeed generated by existing physical targets
12
Exploiting Reconnaissance Analyses
13
Elements of Mirage Theory
• A continuous space constructed via computer simulation or emulation of physical processes and equipment
• A discrete space formed by process control systems and networks that are deployed and configured as if they were to monitor and control a real physical process through real sensors and actuators
• An artificial boundary between the continuous and discrete spaces, developed ad hoc to allow for regular interaction between the said spaces and also to prevent an adversary from crossing the discrete space
14
Boundary Between Continuous and Discrete Spaces
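The block below is an added illustration of the three elements listed on the previous slide and of the boundary between them; it is not the dissertation's code. The continuous space is a constructed first-order tank model, the discrete space is a controller that stands in for the control system, and the boundary is the only channel between them: it publishes simulator state as sensor registers and applies only writes to a fixed set of actuator registers within their limits, refusing and recording anything else. The process model, register names and the controller rule are constructed.

```python
"""Mirage-theory style arrangement, as an added example (not the dissertation's
code): a simulated physical process (continuous space), a controller standing in
for the process control system (discrete space), and a boundary that is the only
channel between them.  Process model, register names and command set are constructed."""


class SimulatedTank:
    """Continuous space: constructed tank whose level rises with an inflow valve
    and falls through a constant drain."""

    def __init__(self, level=40.0):
        self.level = level          # percent full
        self.inflow_valve = 0.0     # 0..1, set only through the boundary

    def step(self, dt=1.0):
        self.level += dt * (5.0 * self.inflow_valve - 2.0)
        self.level = min(100.0, max(0.0, self.level))


class Boundary:
    """Translates simulator state into sensor registers and applies only writes to
    registered actuators within their limits.  Everything else is refused and kept
    for later analysis, so the simulation never reacts to traffic it does not model."""

    ALLOWED_ACTUATORS = {"inflow_valve": (0.0, 1.0)}   # constructed register table

    def __init__(self, sim):
        self.sim = sim
        self.refused = []

    def read_sensors(self):
        return {"tank_level_pct": round(self.sim.level, 2)}

    def write_actuator(self, register, value):
        limits = self.ALLOWED_ACTUATORS.get(register)
        if limits is None or not (limits[0] <= value <= limits[1]):
            self.refused.append((register, value))
            return False
        setattr(self.sim, register, float(value))
        return True


class LevelController:
    """Discrete space: a controller that only ever sees the boundary's registers."""

    def __init__(self, setpoint=60.0):
        self.setpoint = setpoint

    def act(self, boundary):
        level = boundary.read_sensors()["tank_level_pct"]
        # Constructed rule: open fully while below setpoint, otherwise hold the
        # opening that balances the drain (5.0 * 0.4 == 2.0).
        valve = 1.0 if level < self.setpoint else 0.4
        return boundary.write_actuator("inflow_valve", valve)


def run(steps=40, setpoint=60.0):
    """Drive the closed loop across the boundary and return the boundary object,
    whose simulator level and refusal log can then be inspected."""
    sim = SimulatedTank()
    boundary = Boundary(sim)
    controller = LevelController(setpoint)
    for _ in range(steps):
        controller.act(boundary)
        sim.step()
    return boundary


if __name__ == "__main__":
    b = run()
    print(f"level after run: {b.sim.level:.1f}%, refused writes: {b.refused}")
```

The point of the refusal log is that every write reaching the boundary that is not a modelled actuator command is, by construction, traffic that no legitimate part of the discrete space would send, which is exactly the kind of evidence mirage theory is designed to elicit.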
15
Detecting Foreign Network Traffic
Bayesian Theory of Confirmation
Deriving an Incomplete-data Space
Estimation of Hypothesis-based Probabilities
• We first compute the complete-data sample expected by a given probability distribution
• We then compute the maximum likelihood estimate, i.e. the probability distribution that maximizes the probability of the complete-data sample
• The maximum likelihood estimate is equal to the relative frequency estimate, given that our probability model is unconstrained
• This cycle is repeated until reaching a probability distribution that produces a maximal probability of the complete-data sample
• The hypothesis-based probability of evidence is equal to the product of the hypothesis-based probabilities of the individual variables that compose it
Estimation of Prior Hypotheses Probabilities
Bayesian Comparison of Competing Hypotheses
We apply Bayes' theorem in its ratio form to have the normalcy and abnormality hypotheses compete against each other:
The hypothesis that holds is the one with the highest probability as estimated by Bayes' theorem
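As an added example (not the dissertation's code), the block below carries the estimation and comparison steps of the preceding slides through on constructed data: per-variable hypothesis-based probabilities are estimated from training records with missing entries by the expectation-maximisation cycle described above (the M-step being the relative frequency estimate of the unconstrained model), the probability of a packet's evidence is the product over its variables, prior hypothesis probabilities are taken as each hypothesis's share of the training records, and the two hypotheses are compared in the ratio form of Bayes' theorem. The variable names, the training records and the probability floor `EPS` are assumptions.

```python
"""Bayesian theory of confirmation over a packet's variables, as an added
example (not the dissertation's code).  Hypothesis-based probabilities are
estimated per variable from constructed training records that may have
missing values (an incomplete-data space) with an expectation-maximisation
cycle, then the normalcy and abnormality hypotheses are compared with the
ratio form of Bayes' theorem."""

VARIABLES = ("function_code", "register", "value_band")  # constructed packet variables
MISSING = None  # marks a variable the collector could not observe

# Constructed training records per hypothesis.
TRAINING = {
    "normal": [
        ("write", "setpoint", "mid"), ("write", "setpoint", "mid"),
        ("read", "level", "mid"), ("read", "level", MISSING),
        ("write", "setpoint", "low"), ("read", MISSING, "mid"),
    ],
    "abnormal": [
        ("write", "setpoint", "high"), ("write", "firmware", "high"),
        ("write", MISSING, "high"), ("write", "setpoint", MISSING),
    ],
}
EPS = 1e-3  # assumption: probability floor for a value never seen under a hypothesis


def estimate_distribution(records, var_index, domain, iterations=50):
    """EM for one variable.  E-step: the complete-data sample expected under the
    current distribution (a missing entry contributes fractional counts).
    M-step: the maximum likelihood estimate, which for an unconstrained model
    is the relative frequency estimate.  A fixed number of cycles is plenty here."""
    dist = {v: 1.0 / len(domain) for v in domain}
    for _ in range(iterations):
        expected = {v: 0.0 for v in domain}
        for rec in records:
            value = rec[var_index]
            if value is MISSING:
                for v, p in dist.items():
                    expected[v] += p
            else:
                expected[value] += 1.0
        total = sum(expected.values())
        dist = {v: c / total for v, c in expected.items()}
    return dist


def fit(training):
    """Per-hypothesis distributions for every variable, plus prior hypothesis
    probabilities taken as each hypothesis's share of the training records."""
    domains = [sorted({r[i] for recs in training.values() for r in recs
                       if r[i] is not MISSING}) for i in range(len(VARIABLES))]
    models = {h: [estimate_distribution(recs, i, domains[i]) for i in range(len(VARIABLES))]
              for h, recs in training.items()}
    total = sum(len(recs) for recs in training.values())
    priors = {h: len(recs) / total for h, recs in training.items()}
    return models, priors


def likelihood(model, evidence):
    """Hypothesis-based probability of the evidence: the product of the
    hypothesis-based probabilities of the individual variables."""
    p = 1.0
    for dist, value in zip(model, evidence):
        p *= max(dist.get(value, 0.0), EPS)
    return p


def compare(models, priors, evidence):
    """Ratio form of Bayes' theorem: posterior odds of normal against abnormal
    equal the prior odds times the likelihood ratio.  Odds above 1 favour normalcy."""
    odds = ((priors["normal"] / priors["abnormal"])
            * likelihood(models["normal"], evidence)
            / likelihood(models["abnormal"], evidence))
    return ("normal" if odds > 1.0 else "abnormal"), odds


if __name__ == "__main__":
    m, pr = fit(TRAINING)
    for ev in [("write", "setpoint", "mid"), ("write", "firmware", "high")]:
        print(ev, compare(m, pr, ev))
```

With independent variables and values missing at random, the EM fixed point for each variable is the relative frequency among the records where that variable was observed, which the test below checks; the probability floor is what keeps one never-seen value from driving a hypothesis's likelihood to exactly zero.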
Empirical Testing
• The multi-algorithmic IDS was tested in a testbed that resembles the networked process control environment of a nuclear power plant
• A number of test vulnerabilities and exploitations were introduced to facilitate the tests
• Both the EI algorithm and the physical-process-aware specification-based approach exhibited a false alarm rate of 0 false positives/hr and a probability of detection of 0.98
• The Bayesian theory of confirmation was tested via a technique that we refer to as detection failure injection
• The corrective effects of the Bayesian theory of confirmation turned out to be proportional to the degree of detection failure injection
Conclusions
• The effectiveness of the multi-algorithmic IDS is indicative of the potential of evolutions of specific RAM content to capture the normal behavior of a cyber-physical system such as a power plant
• The application of statistics and probability theory along with expert knowledge within the multi-algorithmic IDS has proven to be effective in leveraging those evolutions for anomaly detection
• The multi-algorithmic IDS provides for near-real-time detection of attacks, and hence is not heavyweight
• This is mainly due to the fact that the detection intelligence is created offline before deployment

More Related Content

What's hot

On-line Power System Static Security Assessment in a Distributed Computing Fr...
On-line Power System Static Security Assessment in a Distributed Computing Fr...On-line Power System Static Security Assessment in a Distributed Computing Fr...
On-line Power System Static Security Assessment in a Distributed Computing Fr...idescitation
 
Parameter Estimation of Software Reliability Growth Models Using Simulated An...
Parameter Estimation of Software Reliability Growth Models Using Simulated An...Parameter Estimation of Software Reliability Growth Models Using Simulated An...
Parameter Estimation of Software Reliability Growth Models Using Simulated An...Editor IJCATR
 
Multisensor data fusion for defense application
Multisensor data fusion for defense applicationMultisensor data fusion for defense application
Multisensor data fusion for defense applicationSayed Abulhasan Quadri
 
Testing embedded system through optimal mining technique (OMT) based on multi...
Testing embedded system through optimal mining technique (OMT) based on multi...Testing embedded system through optimal mining technique (OMT) based on multi...
Testing embedded system through optimal mining technique (OMT) based on multi...IJECEIAES
 
Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...Mumbai Academisc
 
Yolinda chiramba Survey Paper
Yolinda chiramba Survey PaperYolinda chiramba Survey Paper
Yolinda chiramba Survey PaperYolinda Chiramba
 
B.Eng-Final Year Project interim-report
B.Eng-Final Year Project interim-reportB.Eng-Final Year Project interim-report
B.Eng-Final Year Project interim-reportAkash Rajguru
 
Multi sensor data fusion system for enhanced analysis of deterioration in con...
Multi sensor data fusion system for enhanced analysis of deterioration in con...Multi sensor data fusion system for enhanced analysis of deterioration in con...
Multi sensor data fusion system for enhanced analysis of deterioration in con...Sayed Abulhasan Quadri
 
IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...
IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...
IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...IEEEGLOBALSOFTSTUDENTPROJECTS
 
Power system transmission issues and effects
Power system transmission issues and effectsPower system transmission issues and effects
Power system transmission issues and effectsAnand Azad
 
Introduction to differential power analysis - Rambus
Introduction to differential power analysis - RambusIntroduction to differential power analysis - Rambus
Introduction to differential power analysis - RambusRambus
 
Node-Level Trust Evaluation in Wireless Sensor Networks
Node-Level Trust Evaluation in Wireless Sensor NetworksNode-Level Trust Evaluation in Wireless Sensor Networks
Node-Level Trust Evaluation in Wireless Sensor NetworksJAYAPRAKASH JPINFOTECH
 
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control PoliciesModel-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control PoliciesLionel Briand
 
Anomalous payload based network intrusion detection
Anomalous payload based network intrusion detectionAnomalous payload based network intrusion detection
Anomalous payload based network intrusion detectionUltraUploader
 
chaos-monkey-increasing (1) (1)
chaos-monkey-increasing (1) (1)chaos-monkey-increasing (1) (1)
chaos-monkey-increasing (1) (1)Michael Alan Chang
 
Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...ijfcstjournal
 
4th Year Project Presentation Slides
4th Year Project Presentation Slides4th Year Project Presentation Slides
4th Year Project Presentation SlidesItrat Rahman
 
ieee project topic & abstracts in php
ieee project topic & abstracts in phpieee project topic & abstracts in php
ieee project topic & abstracts in phpaswin tbbc
 

What's hot (20)

On-line Power System Static Security Assessment in a Distributed Computing Fr...
On-line Power System Static Security Assessment in a Distributed Computing Fr...On-line Power System Static Security Assessment in a Distributed Computing Fr...
On-line Power System Static Security Assessment in a Distributed Computing Fr...
 
Parameter Estimation of Software Reliability Growth Models Using Simulated An...
Parameter Estimation of Software Reliability Growth Models Using Simulated An...Parameter Estimation of Software Reliability Growth Models Using Simulated An...
Parameter Estimation of Software Reliability Growth Models Using Simulated An...
 
Multisensor data fusion for defense application
Multisensor data fusion for defense applicationMultisensor data fusion for defense application
Multisensor data fusion for defense application
 
Testing embedded system through optimal mining technique (OMT) based on multi...
Testing embedded system through optimal mining technique (OMT) based on multi...Testing embedded system through optimal mining technique (OMT) based on multi...
Testing embedded system through optimal mining technique (OMT) based on multi...
 
Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...
 
Yolinda chiramba Survey Paper
Yolinda chiramba Survey PaperYolinda chiramba Survey Paper
Yolinda chiramba Survey Paper
 
B.Eng-Final Year Project interim-report
B.Eng-Final Year Project interim-reportB.Eng-Final Year Project interim-report
B.Eng-Final Year Project interim-report
 
Final Paper
Final PaperFinal Paper
Final Paper
 
Multi sensor data fusion system for enhanced analysis of deterioration in con...
Multi sensor data fusion system for enhanced analysis of deterioration in con...Multi sensor data fusion system for enhanced analysis of deterioration in con...
Multi sensor data fusion system for enhanced analysis of deterioration in con...
 
IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...
IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...
IEEE 2014 JAVA NETWORKING PROJECTS Secure continuous aggregation in wireless ...
 
Power system transmission issues and effects
Power system transmission issues and effectsPower system transmission issues and effects
Power system transmission issues and effects
 
Introduction to differential power analysis - Rambus
Introduction to differential power analysis - RambusIntroduction to differential power analysis - Rambus
Introduction to differential power analysis - Rambus
 
Node-Level Trust Evaluation in Wireless Sensor Networks
Node-Level Trust Evaluation in Wireless Sensor NetworksNode-Level Trust Evaluation in Wireless Sensor Networks
Node-Level Trust Evaluation in Wireless Sensor Networks
 
Data fusion
Data fusionData fusion
Data fusion
 
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control PoliciesModel-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
 
Anomalous payload based network intrusion detection
Anomalous payload based network intrusion detectionAnomalous payload based network intrusion detection
Anomalous payload based network intrusion detection
 
chaos-monkey-increasing (1) (1)
chaos-monkey-increasing (1) (1)chaos-monkey-increasing (1) (1)
chaos-monkey-increasing (1) (1)
 
Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...
 
4th Year Project Presentation Slides
4th Year Project Presentation Slides4th Year Project Presentation Slides
4th Year Project Presentation Slides
 
ieee project topic & abstracts in php
ieee project topic & abstracts in phpieee project topic & abstracts in php
ieee project topic & abstracts in php
 

Similar to Composite Intrusion Detection in Process Control Networks

Cloud data management
Cloud data managementCloud data management
Cloud data managementambitlick
 
FAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDS
FAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDSFAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDS
FAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDSMaurvi04
 
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...SparkCognition
 
On false data injection attacks against power system
On false data injection attacks against power systemOn false data injection attacks against power system
On false data injection attacks against power systemShakas Technologies
 
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...JPJ1439 On False Data-Injection Attacks against Power System State Estimation...
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...chennaijp
 
Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17redpel dot com
 
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...IEEEBEBTECHSTUDENTSPROJECTS
 
IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...
IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...
IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...IEEEGLOBALSOFTSTUDENTPROJECTS
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune systemTejaswini Jitta
 
Penentration testing
Penentration testingPenentration testing
Penentration testingtahreemsaleem
 
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...IEEEBEBTECHSTUDENTSPROJECTS
 
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...IEEEGLOBALSOFTSTUDENTPROJECTS
 
2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...
2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...
2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...IEEEGLOBALSOFTSTUDENTSPROJECTS
 
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...Jowin John Chemban
 
Red + Blue, How Purple Are You
Red + Blue, How Purple Are YouRed + Blue, How Purple Are You
Red + Blue, How Purple Are YouJared Atkinson
 

Similar to Composite Intrusion Detection in Process Control Networks (20)

Cloud data management
Cloud data managementCloud data management
Cloud data management
 
FAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDS
FAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDSFAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDS
FAULT TOLERANCE OF RESOURCES IN COMPUTATIONAL GRIDS
 
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
 
Network Forensics.pdf
Network Forensics.pdfNetwork Forensics.pdf
Network Forensics.pdf
 
On false data injection attacks against power system
On false data injection attacks against power systemOn false data injection attacks against power system
On false data injection attacks against power system
 
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...JPJ1439 On False Data-Injection Attacks against Power System State Estimation...
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...
 
2.4_Overview of Microgrid Research, Development, and Resiliency Analysis_Hovs...
2.4_Overview of Microgrid Research, Development, and Resiliency Analysis_Hovs...2.4_Overview of Microgrid Research, Development, and Resiliency Analysis_Hovs...
2.4_Overview of Microgrid Research, Development, and Resiliency Analysis_Hovs...
 
Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17
 
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
 
IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...
IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...
IEEE 2014 JAVA NETWORK SECURITY PROJECTS Top k-query-result-completeness-veri...
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune system
 
Penentration testing
Penentration testingPenentration testing
Penentration testing
 
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
2014 IEEE JAVA NETWORK SECURITY PROJECT Top k-query-result-completeness-verif...
 
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS On false-data-injection-attacks-...
 
2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...
2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...
2014 IEEE JAVA PARALLEL DISTRIBUTED PROJECT On false-data-injection-attacks-a...
 
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
 
unit3.ppt
unit3.pptunit3.ppt
unit3.ppt
 
Seminar
SeminarSeminar
Seminar
 
Red + Blue, How Purple Are You
Red + Blue, How Purple Are YouRed + Blue, How Purple Are You
Red + Blue, How Purple Are You
 
2453
24532453
2453
 

Recently uploaded

ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxsqpmdrvczh
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 

Recently uploaded (20)

ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design

Composite Intrusion Detection in Process Control Networks

5
Estimation-Inspection (EI) Algorithm
• The evolutions of values of each variable are modeled as a stochastic vector
• The challenge is the construction of probability mass functions, which consult RAM content and return stochastic vectors
• In this dissertation a probability mass function is developed via a series of logistic regression models
• The Estimation part of the EI algorithm uses logistic regression and maximum likelihood estimation to estimate statistical parameters
• The Inspection part of the EI algorithm uses those statistical parameters in logistic regression formulae to estimate the normalcy probability of payload content
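The Estimation and Inspection steps of slide 5, as an added worked example (this is not code from the dissertation). It assumes a single modeled variable, the pump command that a packet writes, with values off/low/high; RAM content reduced to a (water_level, thermal_power) pair scaled to [0, 1]; a constructed training set labelled by a made-up operating rule; and a probability mass function built from a series of one-vs-rest logistic regression models fitted by maximum likelihood with full-batch gradient ascent. The alarm threshold in inspect() is likewise an assumed value.

```python
"""Estimation-Inspection (EI) style normalcy scoring for one RAM variable.

Added example; not code from the dissertation. Assumptions: the RAM content
consulted is a pair (water_level, thermal_power) scaled to [0, 1]; the variable
whose evolution is modeled is the pump command that a network packet writes,
with values 'off', 'low' and 'high'; the probability mass function is built
from a series of one-vs-rest logistic regression models fitted by maximum
likelihood (full-batch gradient ascent on the log-likelihood).
"""
import math

VALUES = ("off", "low", "high")

# Constructed training data: RAM snapshots (water_level, thermal_power) and
# the pump command that a well-behaved packet wrote next. Labels follow a
# made-up operating rule (low level -> pump high, high level -> pump off).
TRAINING = [
    ((0.20, 0.8), "high"), ((0.30, 0.6), "high"), ((0.35, 0.9), "high"), ((0.25, 0.5), "high"),
    ((0.50, 0.7), "low"), ((0.55, 0.6), "low"), ((0.60, 0.8), "low"), ((0.45, 0.4), "low"),
    ((0.80, 0.7), "off"), ((0.90, 0.5), "off"), ((0.75, 0.8), "off"), ((0.85, 0.6), "off"),
]


def features(ram):
    """Feature vector consulted from RAM content: bias term plus the two variables."""
    level, power = ram
    return (1.0, level, power)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_logistic(samples, positive, lr=1.0, iterations=4000):
    """Estimation: maximum likelihood estimate of the weights of one logistic
    regression model predicting whether the next value equals `positive`."""
    w = [0.0, 0.0, 0.0]
    n = len(samples)
    for _ in range(iterations):
        grad = [0.0, 0.0, 0.0]
        for ram, value in samples:
            x = features(ram)
            y = 1.0 if value == positive else 0.0
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
            for j in range(3):
                grad[j] += (y - p) * x[j]  # gradient of the log-likelihood
        w = [wi + lr * g / n for wi, g in zip(w, grad)]
    return w


def estimate(samples=TRAINING):
    """Estimation: the series of logistic regression models, one per value."""
    return {v: fit_logistic(samples, v) for v in VALUES}


def stochastic_vector(models, ram):
    """Probability mass function: consult RAM content and return a stochastic
    vector over the variable's possible next values (one-vs-rest scores
    normalized to sum to 1)."""
    x = features(ram)
    scores = {v: sigmoid(sum(wi * xi for wi, xi in zip(models[v], x))) for v in VALUES}
    total = sum(scores.values())
    return {v: s / total for v, s in scores.items()}


def inspect(models, ram, payload_value, threshold=0.2):
    """Inspection: normalcy probability of the value a packet payload would
    write, given current RAM content. The alarm threshold is an assumed value."""
    p = stochastic_vector(models, ram)[payload_value]
    return p, p < threshold


if __name__ == "__main__":
    m = estimate()
    for ram, value in [((0.25, 0.7), "high"), ((0.25, 0.7), "off")]:
        p, alarm = inspect(m, ram, value)
        print(f"RAM={ram} payload writes pump={value!r}: normalcy={p:.3f} alarm={alarm}")
```

Estimation runs offline on the labelled evolutions; only stochastic_vector() and inspect() run on live traffic, which is why the approach stays lightweight at detection time. A payload that writes pump=off while the water level is low receives a small normalcy probability and is flagged, while pump=high in the same RAM state is accepted.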
6
Probabilistic Validation of the EI Algorithm
7
On the Rationality of Simulation-based Validation
• Simulation-based validation is commonly employed in environments in which experimentation with real world equipment and/or physical phenomena is not available or feasible
• Examples include conflict detection algorithms that are used in airborne collision avoidance systems
• Several procedures for validating the effectiveness of radar algorithms to detect and classify moving targets
• And so forth
9
Supervisory Control Specifications
• A system operator interacts with an HMI to operate a nuclear power plant over a process control network. Such operation is conducted according to precise supervisory instructions
• An example of a supervisory instruction is the consultation of a power-to-flow operating map to keep thermal power within predefined thresholds
• It is from such supervisory instructions that we derive specifications in the form of activity network models that reason in terms of network packets
• A concrete case study is the development of an activity network model that detects any network packet that has potential for inducing stresses on the walls of a reactor pressure vessel
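A specification derived from the power-to-flow supervisory instruction, as an added example (not code from the dissertation). The operating map, the packet representation (dicts with function, variable and value), the RAM model holding core_flow and power_setpoint as fractions of rated values, and the packet stream are all constructed for illustration; the activity network model reduces here to a fixed sequence of activities: classify the packet, consult RAM, compare the requested setpoint against the map, then apply the write.

```python
"""Specification-based check derived from a supervisory instruction.

Added example; not code from the dissertation. Assumptions: packets are dicts
with 'function' ('read', 'report' or 'write'), 'variable' and 'value'; RAM
content is a dict holding 'core_flow' and 'power_setpoint' as fractions of
rated values; the power-to-flow operating map is a constructed piecewise-linear
upper bound on thermal power for a given core flow.
"""

# Constructed operating map: (core_flow fraction, maximum power fraction).
OPERATING_MAP = [(0.0, 0.0), (0.3, 0.4), (0.6, 0.7), (1.0, 1.0)]


def max_power_for_flow(flow, operating_map=OPERATING_MAP):
    """Consult the power-to-flow map: linear interpolation between its points,
    clamped to the first and last points outside the map's range."""
    if flow <= operating_map[0][0]:
        return operating_map[0][1]
    for (f0, p0), (f1, p1) in zip(operating_map, operating_map[1:]):
        if f0 <= flow <= f1:
            return p0 + (p1 - p0) * (flow - f0) / (f1 - f0)
    return operating_map[-1][1]


def check_packet(packet, ram):
    """One pass through the activity network model.

    Returns (verdict, detail). 'reject' means the packet would drive thermal
    power above the map's threshold for the current core flow. Sensor reports
    and accepted writes are applied to the RAM model so that later packets are
    judged against the updated state.
    """
    function, variable, value = packet["function"], packet["variable"], packet["value"]
    if function == "read":
        return "accept", "read-only packet"
    if function == "report":
        ram[variable] = value  # sensor value reported by the control system
        return "accept", f"RAM updated: {variable}={value:.2f}"
    if variable != "power_setpoint":
        ram[variable] = value
        return "accept", "write to a variable outside this specification"
    limit = max_power_for_flow(ram["core_flow"])
    if value > limit:
        return "reject", (f"power setpoint {value:.2f} exceeds map limit "
                          f"{limit:.2f} at core flow {ram['core_flow']:.2f}")
    ram["power_setpoint"] = value
    return "accept", f"within map limit {limit:.2f}"


def run(packets, ram):
    """Apply the model to a packet sequence; returns the list of verdicts."""
    return [check_packet(p, ram)[0] for p in packets]


# Constructed packet stream: a power increase while flow is high, a flow drop
# reported by the plant, then a power setpoint the map no longer permits.
SAMPLE_PACKETS = [
    {"function": "read", "variable": "power_setpoint", "value": None},
    {"function": "write", "variable": "power_setpoint", "value": 0.50},
    {"function": "report", "variable": "core_flow", "value": 0.45},
    {"function": "write", "variable": "power_setpoint", "value": 0.60},
    {"function": "write", "variable": "power_setpoint", "value": 0.52},
]

if __name__ == "__main__":
    state = {"core_flow": 0.6, "power_setpoint": 0.5}
    for pkt in SAMPLE_PACKETS:
        print(pkt["function"], pkt["variable"], pkt["value"], "->", check_packet(pkt, state))
```

The point of the state tracking is that the same write (power setpoint 0.60) is acceptable at a core flow of 0.6 and rejected once the reported flow falls to 0.45, which is exactly the situation a power-to-flow map exists to prevent.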
10
Automatic Control Specifications
• The logic of automatic operation is encoded into control applications that run in control systems
• We derive specifications in the form of activity network models from control applications
• Redundant program execution does not seem to be necessary
• We consider functions of a control application that read from or write to network sockets in conjunction with program variables stored in the RAM of a control system
• A case study is the development of an activity network model that recognizes network packets that protect a reactor from unsafe conditions created by a fault in any of the water pumps
11
Mirage Theory - Definition
Mirage theory consists of actions devised to deliberately mislead an adversary about digitally controlled physical processes and equipment, such as nuclear power plants, thereby causing the adversary to take specific actions that contribute to the detection of his/her intrusion into process control networks
Inspired by Operation Fortitude South, mirage theory exploits the adversary's reliance on analysis of intercepted network data to infer the presence and characteristics of physical targets, and the lack of means to verify that intercepted traffic is indeed generated by existing physical targets
13
Elements of Mirage Theory
• A continuous space constructed via computer simulation or emulation of physical processes and equipment
• A discrete space formed by process control systems and networks that are deployed and configured as if they were to monitor and control a real physical process through real sensors and actuators
• An artificial boundary between continuous and discrete spaces developed ad-hoc to allow for a regular interaction between the said spaces, and to also prevent an adversary from crossing the discrete space
14
Boundary Between Continuous and Discrete Spaces
16
Bayesian Theory of Confirmation
18
Estimation of Hypothesis-based Probabilities
• We compute the complete-data sample expected by a given probability distribution first
• We then compute the maximum likelihood estimate, i.e. the probability distribution that maximizes the probability of the complete-data sample
• The maximum likelihood estimate is equal to the relative frequency estimate, given that our probability model is unconstrained
• This cycle is repeated until reaching a probability distribution that produces a maximal probability of the complete-data sample
• The hypothesis-based probability of evidence is equal to the product of the hypothesis-based probabilities of the individual variables that compose it
19
Estimation of Prior Hypotheses Probabilities
20
Bayesian Comparison of Competing Hypotheses
We apply Bayes' theorem in its ratio form to have the normalcy and abnormality hypotheses compete against each other:
The hypothesis that holds is the one with the highest probability as estimated by Bayes' theorem
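The estimation cycle of slide 18 and the Bayesian comparison of slide 20, as one added worked example (not code from the dissertation). It assumes that a piece of evidence is a tuple of three discrete variables (the packet's function, the RAM variable it targets, and the water-level band observed after the packet is processed), that the variables are independent given the hypothesis so that P(E|H) is the product of per-variable probabilities, that a missing entry is recorded as None, and, since slide 19 carries no detail here, that the prior hypothesis probabilities are the relative frequencies of the labelled samples. The labelled samples are constructed.

```python
"""Bayesian comparison of the normalcy and abnormality hypotheses.

Added example; not code from the dissertation. Assumptions: a piece of
evidence E is a tuple of discrete values of three variables (the packet's
function, the RAM variable it targets, and the water-level band observed
after the packet is processed); the variables are independent given the
hypothesis, so P(E|H) is the product of per-variable probabilities; a missing
value is recorded as None; prior hypothesis probabilities are taken as the
relative frequencies of the labelled samples.
"""
from collections import Counter

NORMAL, ABNORMAL = "normal", "abnormal"

# Constructed labelled samples: (function, target variable, level band).
NORMAL_SAMPLES = [
    ("read", "setpoint", "in_range"), ("read", "setpoint", "in_range"),
    ("write", "setpoint", "in_range"), ("read", "alarm_mask", "in_range"),
    ("read", "setpoint", "high"), ("write", "setpoint", None),
    ("read", "setpoint", "in_range"), ("read", "setpoint", "low"),
]
ABNORMAL_SAMPLES = [
    ("write", "alarm_mask", "high"), ("write", "alarm_mask", "high"),
    ("write", "setpoint", "high"), ("write", "alarm_mask", "low"),
    ("write", "setpoint", "low"), ("read", "alarm_mask", "high"),
]


def estimate_pmfs(samples, n_vars, iterations=20):
    """Hypothesis-based probability mass function of each variable.

    Repeats the cycle of slide 18: compute the complete-data sample expected
    under the current distribution (a missing entry contributes pmf[v] to the
    count of each value v), then take the maximum likelihood estimate, which
    for an unconstrained model is the relative frequency of those expected
    counts. Starting from a uniform guess, the cycle converges to the
    relative frequency of the observed entries.
    """
    pmfs = []
    for i in range(n_vars):
        counts = Counter(s[i] for s in samples if s[i] is not None)
        n_missing = len(samples) - sum(counts.values())
        pmf = {v: 1.0 / len(counts) for v in counts}  # initial guess
        for _ in range(iterations):
            expected = {v: counts[v] + n_missing * pmf[v] for v in counts}
            pmf = {v: e / len(samples) for v, e in expected.items()}
        pmfs.append(pmf)
    return pmfs


def build_model(normal=NORMAL_SAMPLES, abnormal=ABNORMAL_SAMPLES):
    """Per-hypothesis pmfs plus prior hypothesis probabilities (assumed here
    to be the relative frequencies of the labelled samples)."""
    n_vars = len(normal[0])
    model = {NORMAL: estimate_pmfs(normal, n_vars), ABNORMAL: estimate_pmfs(abnormal, n_vars)}
    total = len(normal) + len(abnormal)
    priors = {NORMAL: len(normal) / total, ABNORMAL: len(abnormal) / total}
    return model, priors


def likelihood(pmfs, evidence):
    """P(E|H): product of the hypothesis-based probabilities of the variables."""
    p = 1.0
    for pmf, value in zip(pmfs, evidence):
        p *= pmf.get(value, 0.0)  # a value never seen under H has MLE probability 0
    return p


def posterior_odds(evidence, model, priors):
    """Bayes' theorem in ratio form:
    P(Hn|E) / P(Ha|E) = [P(Hn) / P(Ha)] * [P(E|Hn) / P(E|Ha)]."""
    numerator = priors[NORMAL] * likelihood(model[NORMAL], evidence)
    denominator = priors[ABNORMAL] * likelihood(model[ABNORMAL], evidence)
    if numerator == 0.0 and denominator == 0.0:
        raise ValueError("evidence has probability 0 under both hypotheses")
    if denominator == 0.0:
        return float("inf")
    return numerator / denominator


def classify(evidence, model, priors):
    """The hypothesis that holds is the one with the higher posterior
    probability; a tie is resolved towards abnormality (an assumed choice)."""
    return NORMAL if posterior_odds(evidence, model, priors) > 1.0 else ABNORMAL


if __name__ == "__main__":
    model, priors = build_model()
    for e in [("read", "setpoint", "in_range"), ("write", "alarm_mask", "high")]:
        print(e, classify(e, model, priors), posterior_odds(e, model, priors))
```

Because the model is unconstrained, a value never observed under a hypothesis gets probability zero under it, which is why the code guards the ratio against a zero denominator; with the constructed samples the odds for ("write", "alarm_mask", "high") come out at 9/560, well below 1, so the abnormality hypothesis holds.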
21
Empirical Testing
• The multi-algorithmic IDS was tested in a testbed that resembles the networked process control environment of a nuclear power plant
• A number of test vulnerabilities and exploitations were introduced to facilitate the tests
• Both the EI algorithm and the physical process aware specification-based approach exhibited a false alarm rate of 0 false positives/hr and a probability of detection of 0.98
• The Bayesian theory of confirmation was tested via a technique that we refer to as detection failure injection
• The corrective effects of the Bayesian theory of confirmation turned out to be proportional to the degree of detection failure injection
22
Conclusions
• The effectiveness of the multi-algorithmic IDS is indicative of the potential of evolutions of specific RAM content to capture the normal behavior of a cyber-physical system such as a power plant
• The application of statistics and probability theory along with expert knowledge within the multi-algorithmic IDS has proven to be effective in leveraging those evolutions for anomaly detection
• The multi-algorithmic IDS provides for near-real-time detection of attacks, and hence is not heavyweight
• This is mainly due to the fact that the detection intelligence is created offline before deployment