Context Based Anomaly Detection in Critical Infrastructures

Thomas Richard Mcevoy

Research output: ThesisDoctoral Thesis

963 Downloads (Pure)


The modernization of critical infrastructure exposes a large attack surface in a set of systems, key to the sustainability of civilization, at a time when targeted malicious attacks are growing in sophistication, particularly with regard to stealth techniques, which are particularly difficult to uncover in distributed systems due to multiple possible orderings of state.

We argue that by making use of a set of known relationships (which we label a \emph{context}) between states in disparate parts of a distributed system and the provision of suitable concurrent (or near-concurrent) observation and comparison mechanisms, we can provide the means to detect such anomalies and locate their source as a precursor to managing outcomes.

As a necessary prerequisite to our research, we establish an adversary capability model which allows us to make explicit statements about the feasible actions and subsequent impacts of adversary and demonstrate the validity of any detective methods.

We focus primarily on integrity attacks. The first technique we present is a security protocol, using traceback techniques, which allows us to locate processes which manipulate message content between an operator and a control unit. The second technique allows us to model algebraically possible sequences in host system states which may be indicative of malicious activity and detect these using a multi-threaded observation mechanism. The third technique provides a process engineering model of a basic non-linear process in a biochemical plant (pasteurization in a brewery) which shows how the provision of, even minimal, additional sensor information, outside of standard telemetry requirements, can be used to determine a failure in supervisory control due to malicious action. This last technique represents an improvement over previous approaches which focused on linear or linearized systems.

All three techniques pave the way for more sophisticated approaches for real-time detection and management of attacks.
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Wolthusen, Stephen D., Supervisor
Award date1 Jan 2014
Publication statusUnpublished - 2013


  • critical infrastructures
  • anomaly detection
  • distributed systems
  • IP traceback
  • non-linear
  • adversary capability model
  • threat model
  • process algebra
  • pi calculus

Cite this