Subtree Hypergraph-Based Attack Detection Model for Signature Matching over SCADA HMI

Layered inter-network communication and the dynamic control mechanisms of intra-connected testbeds in cyber-physical systems (CPS) pave the way for controlling PLCs and HMIs in a distributed manner. This motivates monitoring and logging CPS traffic by embedding the motorized sensor/actuator readings into IP network packets. Attackers begin by intercepting CPS network packets as the initial phase of launching cyber attacks on critical public infrastructure. Log sequences captured for such an incident require the security professional to identify the log sub-sequences that could lead to an attack, including ones not listed in the signature repository of the existing defense mechanisms. Hence, this paper defines a hypergraph-based attack detection model whose constraints can be parameterized according to the type of CPS traffic, giving existing intrusion detection systems an adaptable degree of representation for possible attack incidents. After defining the model's parameterized constraints, we study attack scenarios over the Secure Water Treatment (SWaT) dataset from SUTD's iTrust lab.
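To make the idea of signature matching with parameterized constraints concrete, the following is an added illustration written for this page, not the paper's model or code. It treats a signature as an ordered sequence of hyperedges, each hyperedge being a set of predicates over logged sensor/actuator readings that must all be satisfied inside one time window. The log, the tag names (modelled loosely on SWaT stage-1 tags such as LIT101, MV101, P101, FIT101), the thresholds and the signature are all constructed for the example; the only point being demonstrated is that changing the constraint parameters (here the window) changes which log sub-sequences the matcher reports.

```python
"""Toy hypergraph-signature matcher over a CPS reading log (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# One reading per captured packet: (timestamp_s, tag, value). Constructed sample data.
Reading = Tuple[int, str, float]
SAMPLE_LOG: List[Reading] = [
    (0, "FIT101", 1.2),   # inlet flow present
    (1, "LIT101", 805.0), # tank level above HIGH
    (2, "MV101", 1),      # inlet valve opened while tank is high
    (3, "P101", 0),       # outlet pump stopped
    (4, "LIT101", 830.0),
    (5, "P101", 1),
    (6, "FIT101", 0.0),   # no flow reported
    (7, "MV101", 0),
]


@dataclass(frozen=True)
class Hyperedge:
    """A set of predicate vertices that must all hold within one window."""
    name: str
    vertices: Tuple[str, ...]


@dataclass(frozen=True)
class Signature:
    """Hyperedges that must match in this order (a path through the hypergraph)."""
    name: str
    edges: Tuple[Hyperedge, ...]


@dataclass(frozen=True)
class Constraints:
    """Parameters an operator tunes per traffic type: window span and thresholds."""
    window: int                      # max seconds one hyperedge may span
    thresholds: Dict[str, float]


DEFAULT_THRESHOLDS = {"LIT101_HIGH": 800.0, "FIT101_ZERO": 0.1}  # constructed values

# Hypothetical signature: tank high with inlet open, later pump off with no flow.
OVERFLOW_SIG = Signature(
    "inlet_open_tank_high_then_pump_off",
    (Hyperedge("fill_while_high", ("tank_high", "inlet_open")),
     Hyperedge("starve_outlet", ("pump_off", "no_flow"))),
)


def build_predicates(c: Constraints) -> Dict[str, Callable[[Reading], bool]]:
    """Vertex predicates over a single reading, parameterized by the thresholds."""
    hi, zero = c.thresholds["LIT101_HIGH"], c.thresholds["FIT101_ZERO"]
    return {
        "tank_high": lambda r: r[1] == "LIT101" and r[2] >= hi,
        "inlet_open": lambda r: r[1] == "MV101" and r[2] == 1,
        "pump_off": lambda r: r[1] == "P101" and r[2] == 0,
        "no_flow": lambda r: r[1] == "FIT101" and r[2] <= zero,
    }


def match_edge(edge: Hyperedge, preds: Dict[str, Callable[[Reading], bool]],
               log: Sequence[Reading], start: int, window: int) -> int:
    """Index of the reading that completes `edge` inside some window starting at or
    after `start`, or -1 if no such window exists."""
    for i in range(start, len(log)):
        t0 = log[i][0]
        seen = set()
        for j in range(i, len(log)):
            if log[j][0] - t0 > window:
                break
            seen.update(v for v in edge.vertices if preds[v](log[j]))
            if len(seen) == len(edge.vertices):
                return j
    return -1


def match_signature(sig: Signature, log: Sequence[Reading],
                    c: Constraints) -> Optional[List[int]]:
    """Log indices at which each hyperedge completed, in order, or None if unmatched."""
    preds = build_predicates(c)
    start, anchors = 0, []
    for edge in sig.edges:
        j = match_edge(edge, preds, log, start, c.window)
        if j < 0:
            return None
        anchors.append(j)
        start = j + 1  # next hyperedge must complete strictly later
    return anchors


def scan(log: Sequence[Reading], repository: Sequence[Signature],
         c: Constraints) -> Dict[str, List[int]]:
    """Run every signature in the repository; report only the ones that matched."""
    hits = {}
    for sig in repository:
        anchors = match_signature(sig, log, c)
        if anchors is not None:
            hits[sig.name] = anchors
    return hits


if __name__ == "__main__":
    for w in (3, 2):
        print(f"window={w}:", scan(SAMPLE_LOG, [OVERFLOW_SIG],
                                   Constraints(window=w, thresholds=DEFAULT_THRESHOLDS)))
```

With a 3-second window the second hyperedge (pump off, then no flow) completes at index 6 and the signature fires; with a 2-second window the same readings are too far apart and nothing is reported. That is the practical meaning of "parameterized constraints": the same signature repository yields a stricter or looser detector depending on how far apart the plant's packets may legitimately arrive for a given traffic type.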
