EliMet: Security metric elicitation in power grid critical infrastructures by observing system administrators' responsive behavior

To protect complex power-grid control networks, efficient security assessment techniques are required. However, efficiently making sure that the calculated security measures match expert knowledge is a challenging endeavor. In this paper, we present EliMet, a framework that combines information from different sources and estimates the extent to which a control network meets its security objective. Initially, during an offline phase, a state-based model of the network is generated, and the security level of each state is measured using a generic and easy-to-compute metric. EliMet then passively observes system operators' online reactive behavior in response to security incidents, and accordingly refines the calculated security measure values. Finally, to make the values comply with expert knowledge, EliMet actively queries operators regarding those states for which sufficient information was not gained during the passive observation. Our experimental results show that EliMet can optimally make use of prior knowledge as well as automated inference techniques to minimize human involvement and efficiently deduce the expert knowledge regarding individual states of that particular system.
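To make the three phases concrete, the following is an added toy illustration of the pipeline the abstract describes; it is not EliMet's code, and the paper's actual model, metric and inference method are not given here. Everything in it is an assumption chosen for the sketch: the control network topology and the incident log are constructed, the "generic metric" is the fraction of critical assets compromised or adjacent to a compromised host, each state's security-impact value is estimated with a conjugate Gaussian update (the generic metric as prior mean, operator reactions as noisy readings, direct expert answers as near-exact readings), and "sufficient information" is a posterior standard deviation below a fixed threshold.

```python
"""Added sketch of a three-phase metric elicitation loop (not EliMet's own code)."""
import math
from dataclasses import dataclass

# Phase 1 (offline): constructed toy control network. A state is the set of
# compromised hosts; the assumed generic metric is the fraction of critical
# assets that are compromised or directly reachable from a compromised host.
TOPOLOGY = {
    "hmi": ["historian", "plc1"],
    "historian": ["hmi", "corp-gw"],
    "plc1": ["hmi", "plc2"],
    "plc2": ["plc1"],
    "corp-gw": ["historian"],
}
CRITICAL = {"plc1", "plc2"}
STATES = [frozenset(), frozenset({"corp-gw"}), frozenset({"historian"}),
          frozenset({"hmi"}), frozenset({"plc1"})]


def generic_metric(compromised: frozenset) -> float:
    """Exposure of critical assets in [0, 1]; 1.0 = every critical asset compromised or adjacent."""
    exposed = set()
    for host in compromised:
        exposed.add(host)
        exposed.update(TOPOLOGY[host])
    return len(exposed & CRITICAL) / len(CRITICAL)


# Each state's "true" impact value is modelled as a Gaussian whose prior mean is
# the generic metric. Noise levels below are assumptions for the sketch.
PRIOR_PRECISION = 1.0 / 0.30 ** 2     # generic metric: rough guess, sd 0.30
RESPONSE_PRECISION = 1.0 / 0.20 ** 2  # logged operator reaction: noisy reading, sd 0.20
QUERY_PRECISION = 1.0 / 0.05 ** 2     # direct expert answer: nearly exact, sd 0.05
MAX_SD = 0.15                         # tighter than this counts as "sufficient information"


@dataclass
class StateEstimate:
    mean: float
    precision: float
    n_obs: int = 0

    @property
    def sd(self) -> float:
        return math.sqrt(1.0 / self.precision)

    def observe(self, value: float, precision: float) -> None:
        """Conjugate Gaussian update: precision-weighted average of current mean and reading."""
        new_precision = self.precision + precision
        self.mean = (self.mean * self.precision + value * precision) / new_precision
        self.precision = new_precision
        self.n_obs += 1


def build_model(states) -> dict:
    """Phase 1: every state starts at its generic-metric value with the prior uncertainty."""
    return {s: StateEstimate(generic_metric(s), PRIOR_PRECISION) for s in states}


def passive_phase(model: dict, incident_log) -> None:
    """Phase 2: each logged (state, response severity in [0, 1]) pair is a noisy reading
    of how serious the operators consider that state."""
    for state, severity in incident_log:
        model[state].observe(severity, RESPONSE_PRECISION)


def states_needing_query(model: dict, max_sd: float = MAX_SD) -> list:
    """States whose posterior is still too wide, most uncertain first."""
    uncertain = [s for s, est in model.items() if est.sd > max_sd]
    return sorted(uncertain, key=lambda s: model[s].sd, reverse=True)


def active_phase(model: dict, ask_expert, max_sd: float = MAX_SD) -> list:
    """Phase 3: ask the expert only about under-observed states; return the states queried."""
    queried = states_needing_query(model, max_sd)
    for state in queried:
        model[state].observe(ask_expert(state), QUERY_PRECISION)
    return queried


# Constructed sample data: operators reacted strongly twice to a historian compromise
# (scored 0.0 by the generic metric) and mildly once to the corporate gateway; the
# remaining states were never observed and so fall to the active phase.
INCIDENT_LOG = [
    (frozenset({"historian"}), 0.9),
    (frozenset({"historian"}), 0.8),
    (frozenset({"corp-gw"}), 0.2),
]
EXPERT_ANSWERS = {  # constructed answers from the simulated expert
    frozenset(): 0.0, frozenset({"corp-gw"}): 0.3,
    frozenset({"hmi"}): 0.7, frozenset({"plc1"}): 1.0,
}


def run_demo():
    """Run all three phases; returns (model, states queried in phase 3)."""
    model = build_model(STATES)
    passive_phase(model, INCIDENT_LOG)
    queried = active_phase(model, EXPERT_ANSWERS.__getitem__)
    return model, queried
```

Running `run_demo()` shows the intended division of labour: the historian state, observed twice, is pulled from its prior of 0.0 to about 0.70 and is never put to the expert, the gateway state with a single observation is still too uncertain and is queried last, and the three unobserved states are queried first. With the assumed noise levels, two logged reactions are enough to drop a state below the query threshold; a real deployment would calibrate those levels rather than fix them by hand.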
