The document discusses mission critical systems and the need for mission assurance and survivability against sophisticated cyber attacks. It proposes a deception-based secure proactive recovery framework with three main components: 1) surreptitiously detecting intrusions without alerting attackers; 2) making detection information inaccessible to attackers using redundant design for test circuitry; and 3) using deception in recovery to increase mission survival chances. An initial centralized system was developed and evaluated, showing promising results. Future work aims to enhance the solution for decentralized environments while maintaining tamper-resistance and mission survivability.

1. Abstract
Mission critical systems, initially thought of as something that strictly belongs to a military
setting are increasingly becoming commonplace. It may not be easily perceived but most of the
systems today (military or industrial) are mission critical. Moreover, a rapid increase in the
structural complexity of these systems not only leads to an increase in benign faults but open
doors to malicious entities. Over the years, these malicious entities in cyber-space have grown
smarter and extremely resourceful. Therefore, mission assurance is a growingly important
necessity.
Mission assurance is a generic term encompassing diverse measures required to make the
critical operations (missions) more resilient. In this dissertation proposal, the focus is
specifically on mission survivability (a subset of mission assurance), which is the ability of a
system to fulfill its mission in a timely manner. It generally involves four layers of security:
prevention, detection, recovery and adaptation. The first two layers, viz. prevention and
detection, are meant to provide a strong defense. If these two layers fail in protecting the
system, recovery layer is the fallback plan. Yet, if a determined adversary stages an attack on
the recovery phase, it is quite possible that the mission will fail due to lack of any further
countermeasures. Though adaptation/evolution mechanisms are considered as the fourth layer
of defense, they are generally activated during or after the recovery phase. Without a
successful recovery, adaptation/evolution mechanisms will hardly be effective. Therefore,
mission critical systems need the provisioning of another layer of defense beyond the
conventional recovery phase.
The attack model in this research realistically represents today’s era of cyber warfare and
competitive open market. The attacker is assumed to be resourceful, adaptive and stealthy. An
aggressive attacker is easily detected, but stealthy attackers deploy multi-stage stealth attacks.
Thus, they are more capable of hiding longer and corrupting the final mission response. Current
literature assumes that a stealthy attacker stays stealthy throughout the mission life cycle.
However, when a certain conditions are met (like, contingency plan activated on discovery), a
stealthy and adaptive attacker can turn aggressive. Thus, the attack model used here considers

2. attacker’s capability to alter his initial behavior (stealthy or aggressive) based on the perceived
state of the system (like success/failure of the attempted attack). Consequently, the defense
scheme employs deceptive and adaptive measures to ensure mission survivability against such
attackers.
The proposed framework focuses on ensuring mission survivability against stealthy attackers by
employing a deception-based secure proactive recovery scheme. This scheme has three major
components. The first component is the surreptitious detection of signs of intrusion without
raising an alert. Since this step is based entirely on the host intrusion detection system, there is
a need to ensure that it is working tamper-proof at all times. This brings us to the classic
problem of ‘who watches the watcher’. To address this concern, cyclic monitoring topologies
are employed that leverage the parallelism offered by multi-core architecture for increased
effectiveness. Second component is the scheme to make detection information invisible and
inaccessible to the attacker. This is achieved using redundant and unused design for test (DFT)
circuitry on the system processor. Third component is the use of deception-based recovery
scheme to increase the probability of mission survival. So far, a centralized system employing
this scheme has been developed. A multi-phase evaluation methodology has also been
developed for performance evaluation of this system under realistic operating conditions.
Results are found to be promising with low time and performance overhead.
Future work involves enhancing this solution for its deployment in a decentralized environment
while still maintaining its tamper-resistance and mission survivability properties.