A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

Cyber-physical systems (CPS) integrate computation and communication capabilities to monitor and control physical systems. Even though this integration improves the performance of the overall system and facilitates the application of CPS in several domains, it also introduces security challenges. Over the years, intrusion detection systems (IDS) have been deployed as one of the security controls for addressing these security challenges. Traditionally, there are three main approaches to IDS, namely: anomaly detection, misuse detection and specification-based detection. However, due to the unique attributes of CPS, traditional IDS need to be modified or completely replaced before they can be deployed for CPS. In this paper, we present a survey of specification-based intrusion detection techniques for CPS. We classify the existing specification-based intrusion detection techniques in the literature according to the following attributes: specification source, specification extraction, specification modelling, detection mechanism, detector placement and validation strategy. We also discuss the details of each attribute and describe our observations, concerns and future research directions. We argue that reducing the effort and time needed to extract the system specification for specification-based intrusion detection techniques for CPS, and verifying the correctness of the extracted system specification, are open issues that must be addressed in the future.

Keywords—Cyber-physical systems; intrusion detection systems; specification-based intrusion detection mechanism; security
