Abstract
The modernization of critical infrastructure exposes a large attack surface in a set of systems, key to the sustainability of civilization, at a time when targeted malicious attacks are growing in sophistication, particularly with regard to stealth techniques, which are particularly difficult to uncover in distributed systems due to multiple possible orderings of state.
We argue that by making use of a set of known relationships (which we label a \emph{context}) between states in disparate parts of a distributed system and the provision of suitable concurrent (or near-concurrent) observation and comparison mechanisms, we can provide the means to detect such anomalies and locate their source as a precursor to managing outcomes.
As a necessary prerequisite to our research, we establish an adversary capability model which allows us to make explicit statements about the feasible actions and subsequent impacts of adversary and demonstrate the validity of any detective methods.
We focus primarily on integrity attacks. The first technique we present is a security protocol, using traceback techniques, which allows us to locate processes which manipulate message content between an operator and a control unit. The second technique allows us to model algebraically possible sequences in host system states which may be indicative of malicious activity and detect these using a multi-threaded observation mechanism. The third technique provides a process engineering model of a basic non-linear process in a biochemical plant (pasteurization in a brewery) which shows how the provision of, even minimal, additional sensor information, outside of standard telemetry requirements, can be used to determine a failure in supervisory control due to malicious action. This last technique represents an improvement over previous approaches which focused on linear or linearized systems.
All three techniques pave the way for more sophisticated approaches for real-time detection and management of attacks.
We argue that by making use of a set of known relationships (which we label a \emph{context}) between states in disparate parts of a distributed system and the provision of suitable concurrent (or near-concurrent) observation and comparison mechanisms, we can provide the means to detect such anomalies and locate their source as a precursor to managing outcomes.
As a necessary prerequisite to our research, we establish an adversary capability model which allows us to make explicit statements about the feasible actions and subsequent impacts of adversary and demonstrate the validity of any detective methods.
We focus primarily on integrity attacks. The first technique we present is a security protocol, using traceback techniques, which allows us to locate processes which manipulate message content between an operator and a control unit. The second technique allows us to model algebraically possible sequences in host system states which may be indicative of malicious activity and detect these using a multi-threaded observation mechanism. The third technique provides a process engineering model of a basic non-linear process in a biochemical plant (pasteurization in a brewery) which shows how the provision of, even minimal, additional sensor information, outside of standard telemetry requirements, can be used to determine a failure in supervisory control due to malicious action. This last technique represents an improvement over previous approaches which focused on linear or linearized systems.
All three techniques pave the way for more sophisticated approaches for real-time detection and management of attacks.
Original language | English |
---|---|
Qualification | Ph.D. |
Awarding Institution |
|
Supervisors/Advisors |
|
Award date | 1 Jan 2014 |
Publication status | Unpublished - 2013 |
Keywords
- critical infrastructures
- anomaly detection
- distributed systems
- IP traceback
- non-linear
- adversary capability model
- threat model
- process algebra
- pi calculus