State-aware anomaly detection for industrial control systems

Anomaly detection for industrial control systems (ICS) can leverage process data to detect malicious deviations from expected process behavior. We propose state-aware anomaly detection that uses state-dependent detection thresholds, which place tighter constraints on an attacker trying to manipulate the process. In particular, our system provides: (i) estimation of the system state from knowledge of the network and the physical process; (ii) a state-aware cumulative sum (CUSUM) of residuals for monitoring the industrial control system; and (iii) a novel state-aware anomaly detection technique. We implement and evaluate our anomaly detection technique on a real-world ICS. We pre-compute the process-state parameters using a big data framework for ICS and train the detector on more than 120 GB of historical data from the ICS. The results show that the proposed method improves on prior work by providing a shorter time-to-detect for attacks while generating fewer false alarms.
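The following is an added illustration of the idea behind points (ii) and (iii), written for this page; it is not the authors' code and does not reproduce their system. It assumes a two-state tank process ("filling" and "draining") whose current state is supplied by an upstream estimator (the page's point (i), not implemented here), residuals `r` from any process model, and a CUSUM with state-dependent bias `b_s` and threshold `tau_s` fitted as `mean(|r|) + pstdev(|r|)` and `k * b_s` per state. All training and attack data are constructed for the example. The comparison shows why a single, state-agnostic threshold either misses an attack that hides inside the envelope of the noisier state or false-alarms in that state, while per-state parameters do neither.

```python
"""State-aware CUSUM over process residuals (added example, not the paper's code)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical process states; in practice the label comes from a state estimator
# that combines network observations (e.g. pump commands) with process physics.
FILLING, DRAINING = "filling", "draining"

Stream = Iterable[Tuple[str, float]]          # (state, residual) per time step
Params = Dict[str, Tuple[float, float]]       # state -> (bias b_s, threshold tau_s)


def fit_thresholds(training: Stream, k: float = 2.5) -> Params:
    """Fit per-state CUSUM parameters from attack-free residuals.

    For each state s: b_s = mean(|r|) + pstdev(|r|) is the residual level the
    CUSUM subtracts every step, and tau_s = k * b_s is the alarm threshold.
    Passing all samples under one state label yields state-agnostic parameters.
    (Assumed fitting rule for this example, not the paper's.)
    """
    by_state: Dict[str, List[float]] = defaultdict(list)
    for state, r in training:
        by_state[state].append(abs(r))
    params: Params = {}
    for state, rs in by_state.items():
        b = mean(rs) + pstdev(rs)
        params[state] = (b, k * b)
    return params


def state_aware_cusum(stream: Stream, params: Params) -> Optional[int]:
    """Return the index of the first alarm, or None if none is raised.

    S_t = max(0, S_{t-1} + |r_t| - b_s(t)); alarm when S_t > tau_s(t).
    One accumulator is kept across state changes; only b and tau switch.
    """
    s = 0.0
    for t, (state, r) in enumerate(stream):
        b, tau = params[state]
        s = max(0.0, s + abs(r) - b)
        if s > tau:
            return t
    return None


def as_global(stream: Stream) -> List[Tuple[str, float]]:
    """Relabel every sample with one state so a single threshold applies."""
    return [("any", r) for _, r in stream]


# Constructed attack-free training residuals: filling is quiet, draining is noisier.
TRAIN = [(FILLING, r) for r in (0.1, -0.2, 0.1, 0.2)] + \
        [(DRAINING, r) for r in (0.5, -1.0, 0.5, 1.0)]

STATE_PARAMS = fit_thresholds(TRAIN)                 # filling: (0.2, 0.5); draining: (1.0, 2.5)
GLOBAL_LOOSE = fit_thresholds(as_global(TRAIN))      # any: (0.8, 2.0), fitted on both states
GLOBAL_TIGHT = {"any": STATE_PARAMS[FILLING]}        # filling's envelope applied everywhere

# Constructed attack: sensor readings manipulated during filling so that |r| sits
# at 0.5, a level that is perfectly normal while draining.
ATTACK = [(FILLING, 0.1), (FILLING, 0.2)] + [(FILLING, 0.5)] * 8
# Constructed attack-free draining segment used to check for false alarms.
NORMAL_DRAIN = [(DRAINING, r) for r in (0.5, 1.0, 0.5, 1.0, 0.5, 1.0)]


def compare() -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """For each detector: (attack detection index, false-alarm index on normal draining)."""
    return {
        "state_aware": (state_aware_cusum(ATTACK, STATE_PARAMS),
                        state_aware_cusum(NORMAL_DRAIN, STATE_PARAMS)),
        "global_loose": (state_aware_cusum(as_global(ATTACK), GLOBAL_LOOSE),
                         state_aware_cusum(as_global(NORMAL_DRAIN), GLOBAL_LOOSE)),
        "global_tight": (state_aware_cusum(as_global(ATTACK), GLOBAL_TIGHT),
                         state_aware_cusum(as_global(NORMAL_DRAIN), GLOBAL_TIGHT)),
    }


if __name__ == "__main__":
    for name, (detect_at, false_alarm_at) in compare().items():
        print(f"{name:13s} attack detected at {detect_at}, false alarm at {false_alarm_at}")
```

Running it prints that the state-aware detector raises on the attack at step 3 and never alarms on normal draining, the loose global detector never sees the attack at all (its bias of 0.8 absorbs a 0.5 residual), and the tight global detector catches the attack just as fast but false-alarms on the very first draining cycle. The attack here is deliberately one that respects the process-wide envelope; a state-dependent threshold is what removes that hiding room.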
