Composite Intrusion Detection in Process Control Networks

An intrusion detection ensemble, i.e. a set of diverse intrusion detection algorithms employed as a group, has been shown to outperform each of those algorithms employed individually. Along this line, we have devised an intrusion detection ensemble that inspects the network packets flowing across the process control network of a digitally controlled physical system such as a power plant. This process-control-specific intrusion detection ensemble is comprised of a statistical anomaly intrusion detection algorithm called the Estimation-Inspection (EI) algorithm, a physical-process-aware specification-based approach, a theory of deception for intrusion detection that we call mirage theory, and an alert fusion technique in the form of a Bayesian theory of confirmation. In this research we leverage evolutions of the content of specific locations in the random access memory (RAM) of control systems as a means of characterizing the normalcy or abnormality of network traffic. The EI algorithm uses estimation methods from applied statistics and probability theory to estimate normal evolutions of RAM content. The physical-process-aware specification-based approach defines normal evolutions of RAM content via specifications developed manually from expert knowledge. Mirage theory consistently introduces deceptive evolutions of RAM content, and then employs communicating finite state machines to detect any deviations caused by malicious network packets. The alert fusion technique also leverages evolutions of RAM content to estimate the degrees to which the network traffic normalcy and abnormality hypotheses are confirmed by evidence. In this dissertation we provide a detailed discussion of these intrusion detection algorithms along with a detailed discussion of the alert fusion technique. We also discuss an empirical testing of the proposed intrusion detection ensemble in a small testbed comprised of Linux PC-based control systems that resemble the process
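To make the four components concrete, the following is an added toy illustration of the ensemble idea, written here and not taken from the dissertation. It assumes a simplified model: each process control packet writes one value to one RAM location (a register); the EI-style detector estimates normal per-packet increments of that register from a constructed clean training trace; the specification-based detector enforces a hypothetical value range and maximum step size; the mirage-style detector is a small finite state machine tracking a decoy register whose planned evolution the monitor itself chose; and alert fusion uses the Bayesian difference measure d(H, E) = P(H | E) - P(H) for the hypothesis H = "traffic abnormal". All rates, bounds and traces are constructed for the example.

```python
"""Toy intrusion detection ensemble over register evolutions (added example,
not the dissertation's code; all parameters below are constructed)."""
from statistics import mean, pstdev

# Constructed clean training trace of the real register (normal operation).
TRAIN = [100.0, 100.4, 101.0, 101.4, 102.0, 102.4, 103.0]

# Hypothetical physical-process specification: allowed range and max step.
SPEC_LOW, SPEC_HIGH, SPEC_MAX_STEP = 90.0, 110.0, 2.0

# Planned (deceptive) evolution of a decoy register, chosen by the monitor.
DECOY_CYCLE = [7, 11, 13]

# Hypothetical detector rates: (P(alert | abnormal), P(alert | normal)).
RATES = {
    "statistical": (0.90, 0.010),
    "specification": (0.80, 0.001),
    "mirage": (0.95, 0.0001),
}
PRIOR_ABNORMAL = 0.05  # assumed prior P(abnormal)


def estimate_normal_evolution(trace):
    """Estimation step: mean and std of per-packet increments in a clean trace."""
    deltas = [b - a for a, b in zip(trace, trace[1:])]
    return mean(deltas), max(pstdev(deltas), 1e-6)  # floor avoids /0


def statistical_alert(prev, cur, mu, sigma, z_max=3.0):
    """Inspection step: alert when the increment is more than z_max sigmas from mu."""
    return abs(cur - prev - mu) / sigma > z_max


def specification_alert(prev, cur):
    """Specification-based check against the physical-process bounds."""
    return not (SPEC_LOW <= cur <= SPEC_HIGH and abs(cur - prev) <= SPEC_MAX_STEP)


class DecoyMonitor:
    """Finite state machine tracking the planned evolution of the decoy register."""

    def __init__(self, cycle):
        self.cycle, self.state = cycle, 0

    def alert(self, written):
        """Any write that does not match the planned next value is a deviation."""
        expected = self.cycle[self.state]
        self.state = (self.state + 1) % len(self.cycle)
        return written != expected


def bayesian_confirmation(verdicts, rates=RATES, prior=PRIOR_ABNORMAL):
    """Fuse verdicts: P(abnormal | E) by Bayes' rule, treating detectors as
    conditionally independent, then return d = P(abnormal | E) - P(abnormal)."""
    like_abn = like_norm = 1.0
    for name, fired in verdicts.items():
        tpr, fpr = rates[name]
        like_abn *= tpr if fired else 1 - tpr
        like_norm *= fpr if fired else 1 - fpr
    posterior = prior * like_abn / (prior * like_abn + (1 - prior) * like_norm)
    return posterior - prior


def inspect_packet(prev, cur, decoy_written, decoy, model):
    """Run all three detectors on one packet and fuse their verdicts."""
    mu, sigma = model
    verdicts = {
        "statistical": statistical_alert(prev, cur, mu, sigma),
        "specification": specification_alert(prev, cur),
        "mirage": decoy.alert(decoy_written),
    }
    return verdicts, bayesian_confirmation(verdicts)


if __name__ == "__main__":
    model = estimate_normal_evolution(TRAIN)
    decoy = DecoyMonitor(DECOY_CYCLE)
    # Constructed packets: (previous register value, new value, decoy write).
    for prev, cur, dec in [(103.0, 103.5, 7), (103.5, 108.0, 11), (108.0, 108.4, 99)]:
        verdicts, d = inspect_packet(prev, cur, dec, decoy, model)
        print(f"{prev}->{cur} decoy={dec} verdicts={verdicts} d={d:+.3f}")
```

The point of the fusion step is visible in the third constructed packet: the statistical and specification detectors see an ordinary increment, yet a single deviation of the decoy register from its planned value is strong evidence because its false-alert rate is assumed to be very low, so d comes out strongly positive; a packet that triggers nothing yields a slightly negative d, i.e. the normalcy hypothesis is confirmed.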
