Context Based Anomaly Detection in Critical Infrastructures. / Mcevoy, Thomas Richard.

2013. 224 p.

Research output: Thesis › Doctoral Thesis

Unpublished

Harvard

Mcevoy, TR 2013, 'Context Based Anomaly Detection in Critical Infrastructures', Ph.D., Royal Holloway, University of London.

BibTeX

@phdthesis{ff2bd1eee3204af0bd1d91e009b15968,
title = "Context Based Anomaly Detection in Critical Infrastructures",
abstract = "The modernization of critical infrastructure exposes a large attack surface in a set of systems, key to the sustainability of civilization, at a time when targeted malicious attacks are growing in sophistication, particularly with regard to stealth techniques, which are particularly difficult to uncover in distributed systems due to multiple possible orderings of state. We argue that by making use of a set of known relationships (which we label a \emph{context}) between states in disparate parts of a distributed system and the provision of suitable concurrent (or near-concurrent) observation and comparison mechanisms, we can provide the means to detect such anomalies and locate their source as a precursor to managing outcomes. As a necessary prerequisite to our research, we establish an adversary capability model which allows us to make explicit statements about the feasible actions and subsequent impacts of an adversary and demonstrate the validity of any detective methods. We focus primarily on integrity attacks. The first technique we present is a security protocol, using traceback techniques, which allows us to locate processes which manipulate message content between an operator and a control unit. The second technique allows us to model algebraically possible sequences in host system states which may be indicative of malicious activity and detect these using a multi-threaded observation mechanism. The third technique provides a process engineering model of a basic non-linear process in a biochemical plant (pasteurization in a brewery) which shows how the provision of even minimal additional sensor information, outside of standard telemetry requirements, can be used to determine a failure in supervisory control due to malicious action. This last technique represents an improvement over previous approaches which focused on linear or linearized systems. All three techniques pave the way for more sophisticated approaches for real-time detection and management of attacks.",
keywords = "critical infrastructures, anomaly detection, distributed systems, IP traceback, non-linear, adversary capability model, threat model, process algebra, pi calculus",
author = "Mcevoy, {Thomas Richard}",
year = "2013",
language = "English",
school = "Royal Holloway, University of London",

}

RIS

TY - THES

T1 - Context Based Anomaly Detection in Critical Infrastructures

AU - Mcevoy, Thomas Richard

PY - 2013

Y1 - 2013

N2 - The modernization of critical infrastructure exposes a large attack surface in a set of systems, key to the sustainability of civilization, at a time when targeted malicious attacks are growing in sophistication, particularly with regard to stealth techniques, which are particularly difficult to uncover in distributed systems due to multiple possible orderings of state. We argue that by making use of a set of known relationships (which we label a context) between states in disparate parts of a distributed system and the provision of suitable concurrent (or near-concurrent) observation and comparison mechanisms, we can provide the means to detect such anomalies and locate their source as a precursor to managing outcomes. As a necessary prerequisite to our research, we establish an adversary capability model which allows us to make explicit statements about the feasible actions and subsequent impacts of an adversary and demonstrate the validity of any detective methods. We focus primarily on integrity attacks. The first technique we present is a security protocol, using traceback techniques, which allows us to locate processes which manipulate message content between an operator and a control unit. The second technique allows us to model algebraically possible sequences in host system states which may be indicative of malicious activity and detect these using a multi-threaded observation mechanism. The third technique provides a process engineering model of a basic non-linear process in a biochemical plant (pasteurization in a brewery) which shows how the provision of even minimal additional sensor information, outside of standard telemetry requirements, can be used to determine a failure in supervisory control due to malicious action. This last technique represents an improvement over previous approaches which focused on linear or linearized systems. All three techniques pave the way for more sophisticated approaches for real-time detection and management of attacks.

KW - critical infrastructures

KW - anomaly detection

KW - distributed systems

KW - IP traceback

KW - non-linear

KW - adversary capability model

KW - threat model

KW - process algebra

KW - pi calculus

M3 - Doctoral Thesis

ER -
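The abstract's central claim is that a set of known relationships (a context) between states observed in different parts of a distributed system, compared near-concurrently, is enough both to detect an integrity attack and to narrow down where it was introduced, and that one extra sensor outside standard telemetry can expose a supervisory-control failure caused by malicious action. The following is an added illustration of that idea in Python; it is not code from the thesis and does not reproduce its traceback protocol, process-algebra model or pasteurizer model. The component names (hmi, plc, sensor), the three relationships, their thresholds and the telemetry values are all constructed assumptions.

```python
"""Context-based cross-check over constructed ICS telemetry.

A 'context' is taken here to mean a set of relationships that must hold
between states observed in different parts of a distributed control system
at (nearly) the same time. Each relationship names the component implicated
when it fails, so a violation both detects an anomaly and narrows its source.
Names, thresholds and the telemetry are illustrative assumptions, not the
thesis's own protocol or model.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    t: float       # observer's clock, seconds
    source: str    # which part of the system reported it (hmi, plc, sensor)
    name: str      # state variable
    value: float


@dataclass(frozen=True)
class Rule:
    name: str
    needs: Tuple[str, ...]                    # "source.name" keys the check reads
    check: Callable[[Dict[str, float]], bool]
    implicates: str                           # where to look when the rule fails


def align(obs: List[Observation], window: float) -> List[Tuple[float, Dict[str, float]]]:
    """Bucket observations into near-concurrent snapshots of width `window`.

    Observations from different sources rarely share a timestamp, so the
    comparison is made per time bucket; the latest value per key wins.
    """
    buckets: Dict[int, Dict[str, float]] = {}
    for o in sorted(obs, key=lambda o: o.t):
        buckets.setdefault(int(o.t // window), {})[f"{o.source}.{o.name}"] = o.value
    return [(k * window, snap) for k, snap in sorted(buckets.items())]


def evaluate(rules: List[Rule], snapshots) -> List[Tuple[float, str, str]]:
    """Return (time, rule, implicated component) for each violated rule.

    A rule is only judged when every state it needs is present in the
    snapshot; missing inputs are not treated as violations.
    """
    findings = []
    for t, snap in snapshots:
        for r in rules:
            if all(k in snap for k in r.needs) and not r.check(snap):
                findings.append((t, r.name, r.implicates))
    return findings


# Hypothetical context for a pasteurizer holding-tube loop: the operator's
# commanded setpoint, the controller's echoed setpoint and reported temperature,
# and one extra sensor read independently of the controller.
RULES = [
    Rule("command_integrity", ("hmi.setpoint", "plc.setpoint"),
         lambda s: s["hmi.setpoint"] == s["plc.setpoint"],
         "operator-controller channel"),
    Rule("telemetry_integrity", ("plc.temp", "sensor.temp"),
         lambda s: abs(s["plc.temp"] - s["sensor.temp"]) <= 1.0,
         "controller-reported telemetry"),
    Rule("supervisory_control", ("hmi.setpoint", "sensor.temp"),
         lambda s: abs(s["hmi.setpoint"] - s["sensor.temp"]) <= 3.0,
         "process state vs operator intent"),
]


def constructed_telemetry() -> List[Observation]:
    """Constructed sample: a clean period, a setpoint rewrite in transit, then spoofed telemetry."""
    O = Observation
    return [
        # t~0: everything consistent
        O(0.0, "hmi", "setpoint", 72.0), O(0.1, "plc", "setpoint", 72.0),
        O(0.2, "plc", "temp", 72.1),     O(0.3, "sensor", "temp", 71.9),
        # t~10: command altered between operator and controller; PLC reports honestly
        O(10.0, "hmi", "setpoint", 72.0), O(10.1, "plc", "setpoint", 60.0),
        O(10.2, "plc", "temp", 60.2),     O(10.3, "sensor", "temp", 60.3),
        # t~20: command intact but PLC telemetry spoofed to hide the under-temperature
        O(20.0, "hmi", "setpoint", 72.0), O(20.1, "plc", "setpoint", 72.0),
        O(20.2, "plc", "temp", 72.0),     O(20.3, "sensor", "temp", 60.4),
    ]


def demo() -> List[Tuple[float, str, str]]:
    return evaluate(RULES, align(constructed_telemetry(), window=5.0))


if __name__ == "__main__":
    for t, rule, where in demo():
        print(f"t={t:5.1f}  {rule:<20} -> look at: {where}")
```

The two attack windows show why the independent sensor matters: at t~10 the operator-to-controller comparison alone locates the tampering, but at t~20 the controller's echoed setpoint and reported temperature are both self-consistent, and only the relationship against the out-of-band sensor reveals that the process is not where the operator intends and that the controller-reported telemetry is the part to distrust.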