Automatic test packet generation in networkeSAT Journals
Abstract Now a day’s we see that networks are widely distributed so administrators depends on various tools such as ping and traceroute to rectify the problem in the network. We proposed an automated and systematic approach for testing and debugging network called "Automatic Test Packet Generation"(ATPG). Initially ATPG reads router configuration and then generates a model which is device freelance. The model is used to generate the minimum number of test packets to cover every link and rule in network. ATPG is capable for detecting both functional and performance problems. Test packets are sent at regular intervals and special technique is used to localize faults. Keywords: Test Packet Generation Algorithm; Network Troubleshooting; Data Plane Analysis.
Network Traffic Anomaly Detection Through Bayes NetGyan Prakash
Traffic anomaly detection using high performance measurement systems offers the possibility of improving the speed of
detection and enabling detection of important, short lived anomalies. In this paper we investigate the problem of detecting anomalies
using traffic measurements with fine-grained time stamps. We develop a new detection algorithm (called KS3) that utilizes a Bayes
Net to efficiently consider multiple input signals and to explicitly define what is considered “anomalous”.
The input signals considered KS3 are traffic volumes and correlations between ingress egress packet and bit rates. These
complementary signals enable identification of expanded range of anomalies. Using a set of high precision traffic measurements
collected at our campus border router over a 10 month period and an annotated anomaly log supplied by our network operators, we
show that KS3 is highly accurate, identifying 86% of the anomalies listed in the log. Compared with well known time series-based
and wavelet-based detectors, this represents over a 20% improvement in accuracy. Investigation of events identified by KS3 that did
not appear in the operator log indicate many are, in fact, true positives. Deployment of Ks3 in an operational environment supports
this by showing zero false positives during initial tests.
Ahmed Khurshid
Research Track Part 1
ONS2015: http://bit.ly/ons2015sd
ONS Inspire! Webinars: http://bit.ly/oiw-sd
Watch the talk (video) on ONS Content Archives: http://bit.ly/ons-archives-sd
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Jun Bi
Tsinghua University
Research Track Session Part 1
ONS2015: http://bit.ly/ons2015sd
ONS Inspire! Webinars: http://bit.ly/oiw-sd
Watch the talk (video) on ONS Content Archives: http://bit.ly/ons-archives-sd
A SYSTEM FOR VALIDATING AND COMPARING HOST-BASED DDOS DETECTION MECHANISMSIJNSA Journal
All DDoS detection mechanisms need to be validated and compared with each other. Researchers are looking for an easy way to do these jobs and to get reliable results. The best way to do that is to build a practical system and run the mechanisms simultaneously. Based on behavior of mechanisms in the same situation, various mechanisms are evaluated and compared with each other. However, to build such a actual system is not an easy job. Currently, no more systems allow running simultaneously mechanisms for
evaluating and comparing purpose. This paper proposes a system and method for running simultaneously
DDoS detection mechanisms. The system helps researchers not only to validate their mechanisms reliably
and quickly but also to compare mechanisms easily.
Automatic test packet generation in networkeSAT Journals
Abstract Now a day’s we see that networks are widely distributed so administrators depends on various tools such as ping and traceroute to rectify the problem in the network. We proposed an automated and systematic approach for testing and debugging network called "Automatic Test Packet Generation"(ATPG). Initially ATPG reads router configuration and then generates a model which is device freelance. The model is used to generate the minimum number of test packets to cover every link and rule in network. ATPG is capable for detecting both functional and performance problems. Test packets are sent at regular intervals and special technique is used to localize faults. Keywords: Test Packet Generation Algorithm; Network Troubleshooting; Data Plane Analysis.
Network Traffic Anomaly Detection Through Bayes NetGyan Prakash
Traffic anomaly detection using high performance measurement systems offers the possibility of improving the speed of
detection and enabling detection of important, short lived anomalies. In this paper we investigate the problem of detecting anomalies
using traffic measurements with fine-grained time stamps. We develop a new detection algorithm (called KS3) that utilizes a Bayes
Net to efficiently consider multiple input signals and to explicitly define what is considered “anomalous”.
The input signals considered KS3 are traffic volumes and correlations between ingress egress packet and bit rates. These
complementary signals enable identification of expanded range of anomalies. Using a set of high precision traffic measurements
collected at our campus border router over a 10 month period and an annotated anomaly log supplied by our network operators, we
show that KS3 is highly accurate, identifying 86% of the anomalies listed in the log. Compared with well known time series-based
and wavelet-based detectors, this represents over a 20% improvement in accuracy. Investigation of events identified by KS3 that did
not appear in the operator log indicate many are, in fact, true positives. Deployment of Ks3 in an operational environment supports
this by showing zero false positives during initial tests.
Ahmed Khurshid
Research Track Part 1
ONS2015: http://bit.ly/ons2015sd
ONS Inspire! Webinars: http://bit.ly/oiw-sd
Watch the talk (video) on ONS Content Archives: http://bit.ly/ons-archives-sd
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Jun Bi
Tsinghua University
Research Track Session Part 1
ONS2015: http://bit.ly/ons2015sd
ONS Inspire! Webinars: http://bit.ly/oiw-sd
Watch the talk (video) on ONS Content Archives: http://bit.ly/ons-archives-sd
A SYSTEM FOR VALIDATING AND COMPARING HOST-BASED DDOS DETECTION MECHANISMSIJNSA Journal
All DDoS detection mechanisms need to be validated and compared with each other. Researchers are looking for an easy way to do these jobs and to get reliable results. The best way to do that is to build a practical system and run the mechanisms simultaneously. Based on behavior of mechanisms in the same situation, various mechanisms are evaluated and compared with each other. However, to build such a actual system is not an easy job. Currently, no more systems allow running simultaneously mechanisms for
evaluating and comparing purpose. This paper proposes a system and method for running simultaneously
DDoS detection mechanisms. The system helps researchers not only to validate their mechanisms reliably
and quickly but also to compare mechanisms easily.
On-line Power System Static Security Assessment in a Distributed Computing Fr...idescitation
The computation overhead is of major concern when
going for increased accuracy in online power system security
assessment (OPSSA). This paper proposes a scalable solution
technique based on distributed computing architecture to
mitigate the problem. A variant of the master/slave pattern is
used for deploying the cluster of workstations (COW), which
act as the computational engine for the OPSSA. Owing to the
inherent parallel structure in security analysis algorithm, to
exploit the potential of distributed computing, domain
decomposition is adopted instead of functional decomposition.
The security assessment is performed utilizing the developed
composite security index that can accurately differentiate the
secure and non-secure cases and has been defined as a function
of bus voltage and line flow limit violations. Validity of
proposed architecture is demonstrated by the results obtained
from an intensive experimentation using the benchmark IEEE
57 bus test system. The proposed framework, which is scalable,
can be further extended to intelligent monitoring and control
of power system
Parameter Estimation of Software Reliability Growth Models Using Simulated An...Editor IJCATR
The parameter estimation of Goel’s Okomotu Model is performed victimisation simulated annealing. The Goel’s Okomotu
Model is predicated on Exponential model and could be a easy non-homogeneous Poisson method (NHPP) model. Simulated
annealing could be a heuristic optimisation technique that provides a method to flee local optima. The information set is optimized
using simulated annealing technique. SA could be a random algorithmic program with higher performance than Genetic algorithmic
program (GA) that depends on the specification of the neighbourhood structure of a state area and parameter settings for its cooling
schedule.
Testing embedded system through optimal mining technique (OMT) based on multi...IJECEIAES
Testing embedded systems must be done carefully particularly in the significant regions of the embedded systems. Inputs from an embedded system can happen in multiple order and many relationships can exist among the input sequences. Consideration of the sequences and the relationships among the sequences is one of the most important considerations that must be tested to find the expected behavior of the embedded systems. On the other hand combinatorial approaches help determining fewer test cases that are quite enough to test the embedded systems exhaustively. In this paper, an Optimal Mining Technique that considers multi-input domain which is based on built-in combinatorial approaches has been presented. The method exploits multi-input sequences and the relationships that exist among multi-input vectors. The technique has been used for testing an embedded system that monitors and controls the temperature within the Nuclear reactors.
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
Node-Level Trust Evaluation in Wireless Sensor Networks
To buy this project in ONLINE, Contact:
Email: jpinfotechprojects@gmail.com,
Website: https://www.jpinfotech.org
Verification of the protection services in antivirus systems by using nusmv m...ijfcstjournal
In this paper, a model of protection services in the antivirus system is proposed. The antivirus system
behavior separate in to preventive and control behaviors. We extract the properties which are expected
from the model of antivirus system approach from control behavior in the form of CTL and LTL temporal
logic formulas. To implement the behavior models of antivirus system approach, the ArgoUML tool and the
NuSMV model checker are employed. The results show that the antivirus system approach can detects
fairness, reachability, deadlock free and verify some properties of the proposed model verified by using
NuSMV model checker.
Php project aim is to develop dynamic and attractive web application as per user requirement. you can easily develop web application with our guidance............
Our Project Guidance Methods
We are following Waterfall Methodology for Project development and condition and it has been strictly followed by each guiding staffs and we have better knowledge in this field and updated with new innovative technologies. Our past students have found project work at our centers as a reliable, efficient, inexpensive and a fruitful learning experience. We provide Students about their project at various stages of their project through regular classes and also through detailed technical documentation that we provide in digital format.
for more details..... contact us..........
softroniics
calicut || palakkad || coimbatore
9037061113 , 9037291113
www.softroniics.in
A Rule-Based Intrusion Detection System (IDS) is a cybersecurity mechanism designed to identify and respond to malicious activities or unauthorized access attempts within a network or system. This system operates by analyzing network traffic or system events against a predefined set of rules or signatures.
In a Rule-Based IDS, each rule specifies a pattern or behavior indicative of an intrusion or security threat. These rules are typically created based on known attack patterns, vulnerabilities, or abnormal behaviors observed in network traffic. When the IDS detects a match between the observed activity and a rule, it triggers an alert or takes predefined actions, such as blocking the suspicious traffic or logging the event for further analysis.
The effectiveness of a Rule-Based IDS depends on the quality and comprehensiveness of its rule set. Security analysts continuously update and refine these rules to adapt to evolving threats and vulnerabilities. However, Rule-Based IDSs may struggle to detect novel or sophisticated attacks that do not match any existing rules.
Key components of a Rule-Based IDS include:
1. Rule Engine: The core component responsible for evaluating incoming network traffic or system events against the defined rules.
2. Rule Database: A repository of rules containing information about known threats, vulnerabilities, and attack patterns.
3. Alerting Mechanism: A feature that generates alerts or notifications when suspicious activity is detected, allowing security personnel to investigate and respond promptly.
4. Response Mechanism: Automated or manual actions taken in response to detected intrusions, such as blocking malicious traffic or initiating incident response procedures.
In summary, a Rule-Based IDS provides an essential layer of defense against known threats and common attack patterns by analyzing network traffic or system events against a predefined set of rules. However, it may require regular updates and may not effectively detect novel or sophisticated attacks.
On-line Power System Static Security Assessment in a Distributed Computing Fr...idescitation
The computation overhead is of major concern when
going for increased accuracy in online power system security
assessment (OPSSA). This paper proposes a scalable solution
technique based on distributed computing architecture to
mitigate the problem. A variant of the master/slave pattern is
used for deploying the cluster of workstations (COW), which
act as the computational engine for the OPSSA. Owing to the
inherent parallel structure in security analysis algorithm, to
exploit the potential of distributed computing, domain
decomposition is adopted instead of functional decomposition.
The security assessment is performed utilizing the developed
composite security index that can accurately differentiate the
secure and non-secure cases and has been defined as a function
of bus voltage and line flow limit violations. Validity of
proposed architecture is demonstrated by the results obtained
from an intensive experimentation using the benchmark IEEE
57 bus test system. The proposed framework, which is scalable,
can be further extended to intelligent monitoring and control
of power system
Parameter Estimation of Software Reliability Growth Models Using Simulated An...Editor IJCATR
The parameter estimation of Goel’s Okomotu Model is performed victimisation simulated annealing. The Goel’s Okomotu
Model is predicated on Exponential model and could be a easy non-homogeneous Poisson method (NHPP) model. Simulated
annealing could be a heuristic optimisation technique that provides a method to flee local optima. The information set is optimized
using simulated annealing technique. SA could be a random algorithmic program with higher performance than Genetic algorithmic
program (GA) that depends on the specification of the neighbourhood structure of a state area and parameter settings for its cooling
schedule.
Testing embedded system through optimal mining technique (OMT) based on multi...IJECEIAES
Testing embedded systems must be done carefully particularly in the significant regions of the embedded systems. Inputs from an embedded system can happen in multiple order and many relationships can exist among the input sequences. Consideration of the sequences and the relationships among the sequences is one of the most important considerations that must be tested to find the expected behavior of the embedded systems. On the other hand combinatorial approaches help determining fewer test cases that are quite enough to test the embedded systems exhaustively. In this paper, an Optimal Mining Technique that considers multi-input domain which is based on built-in combinatorial approaches has been presented. The method exploits multi-input sequences and the relationships that exist among multi-input vectors. The technique has been used for testing an embedded system that monitors and controls the temperature within the Nuclear reactors.
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
Node-Level Trust Evaluation in Wireless Sensor Networks
To buy this project in ONLINE, Contact:
Email: jpinfotechprojects@gmail.com,
Website: https://www.jpinfotech.org
Verification of the protection services in antivirus systems by using nusmv m...ijfcstjournal
In this paper, a model of protection services in the antivirus system is proposed. The antivirus system
behavior separate in to preventive and control behaviors. We extract the properties which are expected
from the model of antivirus system approach from control behavior in the form of CTL and LTL temporal
logic formulas. To implement the behavior models of antivirus system approach, the ArgoUML tool and the
NuSMV model checker are employed. The results show that the antivirus system approach can detects
fairness, reachability, deadlock free and verify some properties of the proposed model verified by using
NuSMV model checker.
Php project aim is to develop dynamic and attractive web application as per user requirement. you can easily develop web application with our guidance............
Our Project Guidance Methods
We are following Waterfall Methodology for Project development and condition and it has been strictly followed by each guiding staffs and we have better knowledge in this field and updated with new innovative technologies. Our past students have found project work at our centers as a reliable, efficient, inexpensive and a fruitful learning experience. We provide Students about their project at various stages of their project through regular classes and also through detailed technical documentation that we provide in digital format.
for more details..... contact us..........
softroniics
calicut || palakkad || coimbatore
9037061113 , 9037291113
www.softroniics.in
A Rule-Based Intrusion Detection System (IDS) is a cybersecurity mechanism designed to identify and respond to malicious activities or unauthorized access attempts within a network or system. This system operates by analyzing network traffic or system events against a predefined set of rules or signatures.
In a Rule-Based IDS, each rule specifies a pattern or behavior indicative of an intrusion or security threat. These rules are typically created based on known attack patterns, vulnerabilities, or abnormal behaviors observed in network traffic. When the IDS detects a match between the observed activity and a rule, it triggers an alert or takes predefined actions, such as blocking the suspicious traffic or logging the event for further analysis.
The effectiveness of a Rule-Based IDS depends on the quality and comprehensiveness of its rule set. Security analysts continuously update and refine these rules to adapt to evolving threats and vulnerabilities. However, Rule-Based IDSs may struggle to detect novel or sophisticated attacks that do not match any existing rules.
Key components of a Rule-Based IDS include:
1. Rule Engine: The core component responsible for evaluating incoming network traffic or system events against the defined rules.
2. Rule Database: A repository of rules containing information about known threats, vulnerabilities, and attack patterns.
3. Alerting Mechanism: A feature that generates alerts or notifications when suspicious activity is detected, allowing security personnel to investigate and respond promptly.
4. Response Mechanism: Automated or manual actions taken in response to detected intrusions, such as blocking malicious traffic or initiating incident response procedures.
In summary, a Rule-Based IDS provides an essential layer of defense against known threats and common attack patterns by analyzing network traffic or system events against a predefined set of rules. However, it may require regular updates and may not effectively detect novel or sophisticated attacks.
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...SparkCognition
IoT has revolutionized processes throughout oil and gas operations, but the increased connectivity it provides also leaves systems more vulnerable to cyberattacks than ever before. To sufficiently combat the growth of threats in both number and sophistication, combined with the scarcity of security talent, the oil and gas industry needs a stronger approach to cybersecurity. AI-based solutions for cybersecurity can monitor and protect not only the IT infrastructure, but also the OT network.
JPJ1439 On False Data-Injection Attacks against Power System State Estimation...chennaijp
We are good IEEE java projects development center in Chennai and Pondicherry. We guided advanced java technologies projects of cloud computing, data mining, Secure Computing, Networking, Parallel & Distributed Systems, Mobile Computing and Service Computing (Web Service).
For More Details:
http://jpinfotech.org/final-year-ieee-projects/2014-ieee-projects/java-projects/
Presentation from the EPRI-Sandia Symposium on Secure and Resilient Microgrids: Overview of Microgrid Research, Development, and Resiliency Analysis, presented by Rob Hovsapian, Idaho National Laboratory, Baltimore, MD, August 29-31, 2016.
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...Jowin John Chemban
By:
Jowin John Chemban (jowinchemban@gmail.com)
HGW16CS022 (2016-2020 Batch)
S7 B.Tech Computer Science Engineering
Holy Grace Academy of Engineering, Mala
Date : September 2019
Malware Detection in Cloud Computing Infrastructures
malware detection whole design and working in a short ppt effectively explaining the criteria and infrastructure
Have you heard about Purple Teaming, but you were unsure of exactly what it is? Maybe you've heard it explained as "the red and blue teams working together to improve the organization's security posture." While that may be a good high level description of Purple Teaming as a concept, it lacks a clear direction of how this outcome is achieved. As they say, "The Devil is in the details." At SpecterOps, we believe that a Purple Team exercise is one that leverages an adversarial mindset to evaluate the overall efficacy of security controls, whether they are detective or preventative.
Join us for an hour-long webinar where we will dive into the major questions regarding Purple Team including:
- Why small changes in adversary tradecraft have a profound effect on detectability.
- How to map variations between tools that implement the same technique.
- How to construct a representative sample set of test cases.
Similar to Composite Intrusion Detection in Process Control Networks (20)
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
This is a presentation by Dada Robert in a Your Skill Boost masterclass organised by the Excellence Foundation for South Sudan (EFSS) on Saturday, the 25th and Sunday, the 26th of May 2024.
He discussed the concept of quality improvement, emphasizing its applicability to various aspects of life, including personal, project, and program improvements. He defined quality as doing the right thing at the right time in the right way to achieve the best possible results and discussed the concept of the "gap" between what we know and what we do, and how this gap represents the areas we need to improve. He explained the scientific approach to quality improvement, which involves systematic performance analysis, testing and learning, and implementing change ideas. He also highlighted the importance of client focus and a team approach to quality improvement.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
How to Split Bills in the Odoo 17 POS ModuleCeline George
Bills have a main role in point of sale procedure. It will help to track sales, handling payments and giving receipts to customers. Bill splitting also has an important role in POS. For example, If some friends come together for dinner and if they want to divide the bill then it is possible by POS bill splitting. This slide will show how to split bills in odoo 17 POS.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Composite Intrusion Detection in Process Control Networks
1. 1
Universita degli Studi di Milano
Composite Intrusion Detection in Process Control Networks
Julian L. Rrushi
2. 2
Overview
• This dissertation develops a multi-algorithmic intrusion detection
approach for operation in a networked process control environment
• The intrusion detection approach can be used to detect layer-7 attacks on
industrial process control systems
• It can also be used to detect spread of worm code over a process control
network, network insertion of rootkit code into the memory of a
compromised control system, synchronization of logic bombs or other
malware in a process control network, and valid but destructive network
packets generated by malicious insiders
4. 4
Capturing the Behavior of a Cyber-Physical System
• We have found that the behavior of a physical process is reflected as
evolutions of specific RAM content…
• …and that the behavior of network traffic in a process control network
is also reflected as evolutions of specific RAM content
• Well-behaved network traffic and physical processes are characterized
by specific evolutions of specific RAM content, which in this research
we refer to as normal evolutions
• For a network packet to be classified as normal, its payload should
cause a normal evolution of RAM content
• Thus, in this work the challenge of anomaly detection takes the form of
estimating normal evolutions of RAM content
5. 5
Estimation-Inspection (EI) Algorithm
• The evolutions of values of each variable are modeled as a stochastic
vector
• The challenge is the construction of probability mass functions, which
consult RAM content and return stochastic vectors
• In this dissertation a probability mass function is developed via a series
of logistic regression models
• The Estimation part of the EI algorithm uses logistic regression and
maximum likelihood estimation to estimate statistical parameters
• The Inspection part of the EI algorithm uses those statistical
parameters in logistic regression formulae to estimate the normalcy
probability of payload content
7. On the Rationality of Simulation-based Validation
• Simulation-based validation is commonly employed in environments in
which experimentation with real world equipment and/or physical
phenomena is not available or feasible
• Examples include conflict detection algorithms that are used in airborne
collision avoidance systems
• Several procedures for validating the effectiveness of radar algorithms to
detect and classify moving targets
• And so forth
9. 9
Supervisory Control Specifications
• A system operator interacts with an HMI to operate a nuclear power
plant over a process control network. Such operation is conducted
according to precise supervisory instructions
• An example of a supervisory instruction is the consultation of a power-
to-flow operating map to keep thermal power within predefined
thresholds
• It is such supervisory instructions from which we derive specifications
in the form of activity network models that reason in terms of network
packets
• A concrete case study is the development of an activity network model
that detects any network packet that has potential for inducing stresses
on the walls of a reactor pressure vessel
10. 10
Automatic Control Specifications
• The logic of automatic operation is encoded into control applications
that run in control systems
• We derive specifications in the form of activity network models from
control applications
• Redundant program execution does not seem to be necessary
• We consider functions of a control application that read from or write
to network sockets in conjunction with program variables stored in the
RAM of a control system
• A case study is the development of an activity network model that
recognizes network packets that protect a reactor from unsafe
conditions created by a fault in any of the water pumps
11. 11
Mirage Theory - Definition
Mirage theory is comprised of actions that are devised to deliberately mislead an
adversary as to digitally controlled physical processes and equipment such as
nuclear power plants, thereby causing the adversary to take specific actions that
will contribute to the detection of his/her intrusion in process control networks
Inspired from operation Fortitude South, mirage theory exploits the adversary's
reliance on analysis of intercepted network data to derive the presence and
characteristics of physical targets, and the lack of means to verify that intercepted
traffic is indeed generated by existing physical targets
13. 13
Elements of Mirage Theory
• A continuous space constructed via computer simulation or emulation of
physical processes and equipment
• A discrete space formed by process control systems and networks that
are deployed and configured as if they were to monitor and control a real
physical process through real sensors and actuators
• An artificial boundary between continuous and discrete spaces
developed ad-hoc to allow for a regular interaction between the said
spaces, and to also prevent an adversary from crossing the discrete space
18. Estimation of Hypothesis-based Probabilities
• We compute the complete-data sample expected by a given probability
distribution first
• We then compute the maximum likelihood estimate, i.e. the probability
distribution that maximizes the probability of the complete-data sample
• The maximum likelihood estimate is equal to the relative frequency
estimate, given that our probability model is unconstrained
• This cycle is repeated until reaching a probability distribution that
produces a maximal probability of the complete-data sample
• The hypothesis-based probability of evidence is equal to the product of
the hypothesis-based probabilities of the individual variables that
compose it
20. Bayesian Comparison of Competing Hypotheses
We apply the Bayes' theorem in its ratio form to have the normalcy and
abnormality hypotheses compete again each-other:
The hypotheses that holds is the one with the highest probability as estimated by
the Bayes' theorem
21. Empirical Testing
• The multi-algorithmic IDS was tested in a testbed that resembles the
networked process control environment of a nuclear power plant
• A number of test vulnerabilities and exploitations were introduced to
facilitate the tests
• Both the EI algorithm and the physical process aware specification-
based approach exhibited a false alarms rate of 0 false positives/hr and a
probability of detection of 0.98
• The Bayesian theory of confirmation was tested via a technique that we
refer to as detection failure injection
• The corrective effects of the Bayesian theory of confirmation resulted to
be proportional to the degree of detection failure injection
22. Conclusions
• The effectiveness of the multi-algorithmic IDS is indicative of the
potential of evolutions of specific RAM content to capture the normal
behavior of a cyber-physical system such as a power plant
• The application of statistics and probability theory along with expert
knowledge within the multi-algorithmic IDS has proven to be effective
in leveraging those evolutions for anomaly detection
• The multi-algorithmic IDS provides for near-real-time detection of
attacks, and hence is not heavyweight
• This is mainly due to the fact that the detection intelligence is created
offline before deployment
