Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Chen Yan,Hocheol Shin,Connor Bolton,Wenyuan Xu,Yongdae Kim,Kevin Fu

DOI: https://doi.org/10.1109/sp40000.2020.00026

2020-01-01

Abstract:Over the last six years, several papers demonstrated how intentional analog interference based on acoustics, RF, lasers, and other physical modalities could induce faults, influence, or even control the output of sensors. Damage to the availability and integrity of sensor output carries significant risks to safety-critical systems that make automated decisions based on trusted sensor measurement. Established signal processing models use transfer functions to express reliability and dependability characteristics of sensors, but existing models do not provide a deliberate way to express and capture security properties meaningfully. Our work begins to fill this gap by systematizing knowledge of analog attacks against sensor circuitry and defenses. Our primary contribution is a simple sensor security model such that sensor engineers can better express analog security properties of sensor circuitry without needing to learn significantly new notation. Our model introduces transfer functions and a vector of adversarial noise to represent adversarial capabilities at each stage of a sensor's signal conditioning chain. The primary goals of the systematization are (1) to enable more meaningful quantification of risk for the design and evaluation of past and future sensors, (2) to better predict new attack vectors, and (3) to establish defensive design patterns that make sensors more resistant to analog attacks.

Roberto Vigo,Flemming Nielson,Hanne Riis Nielson

DOI: https://doi.org/10.2168/LMCS-12%284%3A5%292016

2016-10-19

Abstract:In the design of software and cyber-physical systems, security is often perceived as a qualitative need, but can only be attained quantitatively. Especially when distributed components are involved, it is hard to predict and confront all possible attacks. A main challenge in the development of complex systems is therefore to discover attacks, quantify them to comprehend their likelihood, and communicate them to non-experts for facilitating the decision process. To address this three-sided challenge we propose a protection analysis over the Quality Calculus that (i) computes all the sets of data required by an attacker to reach a given location in a system, (ii) determines the cheapest set of such attacks for a given notion of cost, and (iii) derives an attack tree that displays the attacks graphically. The protection analysis is first developed in a qualitative setting, and then extended to quantitative settings following an approach applicable to a great many contexts. The quantitative formulation is implemented as an optimisation problem encoded into Satisfiability Modulo Theories, allowing us to deal with complex cost structures. The usefulness of the framework is demonstrated on a national-scale authentication system, studied through a Java implementation of the framework.

Cryptography and Security,Logic in Computer Science

Muhammad Sabir Idrees,Yves Roudier,Ludovic Apvrille

DOI: https://doi.org/10.48550/arXiv.1410.4305

2014-10-16

Cryptography and Security

Abstract:Security attacks are hard to understand, often expressed with unfriendly and limited details, making it difficult for security experts and for security analysts to create intelligible security specifications. For instance, to explain Why (attack objective), What (i.e., system assets, goals, etc.), and How (attack method), adversary achieved his attack goals. We introduce in this paper a security attack meta-model for our SysML-Sec framework, developed to improve the threat identification and modeling through the explicit representation of security concerns with knowledge representation techniques. Our proposed meta-model enables the specification of these concerns through ontological concepts which define the semantics of the security artifacts and introduced using SysML-Sec diagrams. This meta-model also enables representing the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework.

Anthony Bahadir Lopez,Wen-Long Jin,Mohammad Adbullah Al Faruque

DOI: https://doi.org/10.1109/tits.2021.3123193

IF: 8.5

2021-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:With newer technologies, the embedded hardware and software in traditional vehicles and traffic control infrastructure continue to become more interconnected and more vulnerable. To assist in dealing with existing and potential vulnerabilities, we present a novel attack modeling methodology, taxonomy, and metrics (relative average waiting time, average network flow, impacts and rate of changes) to model, simulate, and meaningfully evaluate the security of Intelligent Transportation Systems. We implement our work in two different architectures: 1) Newell’s Car-Following Model with Bounded Acceleration (the BA-Newell Model) in Matlab and 2) Intelligent Driver Model in Veins. Our code is entirely open-sourced and will be maintained so that the ITS community may use it as a tool. We observe that the architectural-related metric values for sample attack simulation results are similar and transferable; where, for example, the rate of change values have range of average distances 1.8-3.5% for network flow impact and 3.3-9.6% for wait time impact.

engineering, electrical & electronic,transportation science & technology, civil

Adam M. Houser,Matthew L. Bolton,Adam M. HouserMatthew L. Boltona Johns Hopkins University Applied Physics Laboratory,Laurel,MD,USAb Department of Systems and Information Engineering,University of Virginia,Charlottesville,VA,USAAdam M. Houser received the Ph.D. in industrial engineering from the State University of New York at Buffalo in Buffalo,New York,USA in 2018. Since then,he has worked at the Johns Hopkins University Applied Physics Laboratory as a senior systems engineer.Matthew Bolton is an Associate Professor of Systems and Information Engineering at the University of Virginia. He obtained his Ph.D. in Systems Engineering from UVA in 2010. He previously held academic appointments at the University of Illinois in Chicago and the University at Buffalo.

DOI: https://doi.org/10.1080/10447318.2024.2314353

IF: 4.92

2024-03-08

International Journal of Human-Computer Interaction

Abstract:Human users are increasingly recognized as a vector of cybersecurity attack. One problem that contributes to this condition is the growing complexity of digital tools. Such complexity can make it difficult for users to understand how tools work and how their actions will impact security. This work sought to answer the research question: Can mental modeling analyses (from human factors engineering and human-automation interaction) be developed to effectively discover cybersecurity risks? To answer this, we extend mental models with cybersecurity-specific concepts. The resulting models are then incorporated into model checking analyses (an automated approach to formal verification) to discover if and when mismatches between human mental models and systems can cause security failures. We evaluated our approach by successfully applying it to a case study regarding the security configuration of a popular cloud data storage service. We ultimately discuss the results of this analysis and outline future research possibilities.

computer science, cybernetics,ergonomics

Eric Rothstein-Morris,Sun Jun

DOI: https://doi.org/10.48550/arXiv.1811.10400

2018-11-16

Abstract:This work aims to solve a practical problem, i.e., how to quantify the risk brought upon a system by different attackers. The answer is useful for optimising resource allocation for system defence. Given a set of safety requirements, we quantify the attacker capability in terms of the set of safety requirements an attacker can compromise. Given a system (in the presence of an attacker), model checking it against each safety requirement one by one is expensive and wasteful since the same state space is explored many times. We thus propose model checking multiple properties efficiently by means of coalgebraic model checking using enhanced coinduction techniques. We apply the proposed technique to a real-world water treatment system and the results show that our approach can effectively reduce the effort required for model checking.

Logic in Computer Science,Formal Languages and Automata Theory

Luca Allodi,Sandro Etalle

DOI: https://doi.org/10.1145/3140368.3140372

2018-01-14

Abstract:Current threat models typically consider all possible ways an attacker can penetrate a system and assign probabilities to each path according to some metric (e.g. time-to-compromise). In this paper we discuss how this view hinders the realness of both technical (e.g. attack graphs) and strategic (e.g. game theory) approaches of current threat modeling, and propose to steer away by looking more carefully at attack characteristics and attacker environment. We use a toy threat model for ICS attacks to show how a realistic view of attack instances can emerge from a simple analysis of attack phases and attacker limitations.

Cryptography and Security,Computer Science and Game Theory

Tyler Malloy,Cleotilde Gonzalez

2023-06-04

Abstract:Designing cyber defense systems to account for cognitive biases in human decision making has demonstrated significant success in improving performance against human attackers. However, much of the attention in this area has focused on relatively simple accounts of biases in human attackers, and little is known about adversarial behavior or how defenses could be improved by disrupting attacker's behavior. In this work, we present a novel model of human decision-making inspired by the cognitive faculties of Instance-Based Learning Theory, Theory of Mind, and Transfer of Learning. This model functions by learning from both roles in a security scenario: defender and attacker, and by making predictions of the opponent's beliefs, intentions, and actions. The proposed model can better defend against attacks from a wide range of opponents compared to alternatives that attempt to perform optimally without accounting for human biases. Additionally, the proposed model performs better against a range of human-like behavior by explicitly modeling human transfer of learning, which has not yet been applied to cyber defense scenarios. Results from simulation experiments demonstrate the potential usefulness of cognitively inspired models of agents trained in attack and defense roles and how these insights could potentially be used in real-world cybersecurity.

Artificial Intelligence,Cryptography and Security,Machine Learning

Georgios Bakirtzis,Ufuk Topcu

DOI: https://doi.org/10.48550/arXiv.2203.16343

2022-03-04

Abstract:Autonomous systems require the management of several model views to assure properties such as safety and security among others. A crucial issue in autonomous systems design assurance is the notion of emergent behavior; we cannot use their parts in isolation to examine their overall behavior or performance. Compositional verification attempts to combat emergence by implementing model transformation as structure-preserving maps between model views. AlgebraicDynamics relies on categorical semantics to draw relationships between algebras and model views. We propose AlgebraicSystems, a conglomeration of algebraic methods to assign semantics and categorical primitives to give computational meaning to relationships between models so that the formalisms and resulting tools are interoperable through vertical and horizontal composition.

Logic in Computer Science,Systems and Control

hasan cam,pierre mouallem,yilin mo,bruno sinopoli,benjamin nkrumah

DOI: https://doi.org/10.1109/CogSIMA.2014.6816560

2014-01-01

Abstract:A distributed cyber control system comprises various types of assets, including sensors, intrusion detection systems, scanners, controllers, and actuators. The modeling and analysis of these components usually require multi-disciplinary approaches. This paper presents a modeling and dynamic analysis of a distributed cyber control system for situational awareness by taking advantage of control theory and time Petri net. Linear time-invariant systems are used to model the target system, attacks, assets influences, and an anomaly-based intrusion detection system. Time Petri nets are used to model the impact and timing relationships of attacks, vulnerability, and recovery at every node. To characterize those distributed control systems that are perfectly attackable, algebraic and topological attackability conditions are derived. Numerical evaluation is performed to determine the impact of attacks on distributed control system.

Orly Stan,Ron Bitton,Michal Ezrets,Moran Dadon,Masaki Inokuchi,Ohta Yoshinobu,Yagyu Tomohiko,Yuval Elovici,Asaf Shabtai

DOI: https://doi.org/10.1109/tdsc.2020.3041999

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:An attack graph is a method used to enumerate the possible paths that an attacker can take in the organizational network. MulVAL is a known open-source framework used to automatically generate attack graphs. MulVAL's default modeling has two main shortcomings. First, it lacks the ability to represent network protocol vulnerabilities, and thus it cannot be used to model common network attacks, such as ARP poisoning. Second, it does not support advanced types of communication, such as wireless and bus communication, and thus it cannot be used to model cyber-attacks on networks that include IoT devices or industrial components. In this article, we present an extended network security model for MulVAL that: (1) considers the physical network topology, (2) supports short-range communication protocols, (3) models vulnerabilities in the design of network protocols, and (4) models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including: spoofing, man-in-the-middle, and denial of service attacks, as well as attacks on advanced types of communication. We demonstrate the proposed model in a testbed which implements a simplified network architecture comprised of both IT and industrial components.

computer science, information systems, software engineering, hardware & architecture

Ariel Futoransky,Luciano Notarfrancesco,Gerardo Richarte,Carlos Sarraute

DOI: https://doi.org/10.48550/arXiv.1006.1916

2010-06-10

Abstract:In this work we start walking the path to a new perspective for viewing cyberwarfare scenarios, by introducing conceptual tools (a formal model) to evaluate the costs of an attack, to describe the theater of operations, targets, missions, actions, plans and assets involved in cyberwarfare attacks. We also describe two applications of this model: autonomous planning leading to automated penetration tests, and attack simulations, allowing a system administrator to evaluate the vulnerabilities of his network.

Cryptography and Security,Artificial Intelligence

Hampei Sasahara,Henrik Sandberg

DOI: https://doi.org/10.1109/TAC.2023.3340978

2023-12-07

Abstract:This paper addresses the question whether model knowledge can guide a defender to appropriate decisions, or not, when an attacker intrudes into control systems. The model-based defense scheme considered in this study, namely Bayesian defense mechanism, chooses reasonable reactions through observation of the system's behavior using models of the system's stochastic dynamics, the vulnerability to be exploited, and the attacker's objective. On the other hand, rational attackers take deceptive strategies for misleading the defender into making inappropriate decisions. In this paper, their dynamic decision making is formulated as a stochastic signaling game. It is shown that the belief of the true scenario has a limit in a stochastic sense at an equilibrium based on martingale analysis. This fact implies that there are only two possible cases: the defender asymptotically detects the attack with a firm belief, or the attacker takes actions such that the system's behavior becomes nominal after a finite time step. Consequently, if different scenarios result in different stochastic behaviors, the Bayesian defense mechanism guarantees the system to be secure in an asymptotic manner provided that effective countermeasures are implemented. As an application of the finding, a defensive deception utilizing asymmetric recognition of vulnerabilities exploited by the attacker is analyzed. It is shown that the attacker possibly stops the attack even if the defender is unaware of the exploited vulnerabilities as long as the defender's unawareness is concealed by the defensive deception.

Cryptography and Security,Computer Science and Game Theory,Systems and Control

Erick Galinkin,John Carter,Spiros Mancoridis

DOI: https://doi.org/10.48550/arXiv.2109.11592

2021-09-23

Cryptography and Security

Abstract:In cybersecurity, attackers range from brash, unsophisticated script kiddies and cybercriminals to stealthy, patient advanced persistent threats. When modeling these attackers, we can observe that they demonstrate different risk-seeking and risk-averse behaviors. This work explores how an attacker's risk seeking or risk averse behavior affects their operations against detection-optimizing defenders in an Internet of Things ecosystem. Using an evaluation framework which uses real, parametrizable malware, we develop a game that is played by a defender against attackers with a suite of malware that is parameterized to be more aggressive and more stealthy. These results are evaluated under a framework of exponential utility according to their willingness to accept risk. We find that against a defender who must choose a single strategy up front, risk-seeking attackers gain more actual utility than risk-averse attackers, particularly in cases where the defender is better equipped than the two attackers anticipate. Additionally, we empirically confirm that high-risk, high-reward scenarios are more beneficial to risk-seeking attackers like cybercriminals, while low-risk, low-reward scenarios are more beneficial to risk-averse attackers like advanced persistent threats.

Eric Rothstein-Morris,Sun Jun,Sudipta Chattopadhyay

DOI: https://doi.org/10.48550/arXiv.1911.05808

2019-11-14

Abstract:In this work, we study the problem of verification of systems in the presence of attackers using bounded model checking. Given a system and a set of security requirements, we present a methodology to generate and classify attackers, mapping them to the set of requirements that they can break. A naive approach suffers from the same shortcomings of any large model checking problem, i.e., memory shortage and exponential time. To cope with these shortcomings, we describe two sound heuristics based on cone-of-influence reduction and on learning, which we demonstrate empirically by applying our methodology to a set of hardware benchmark systems.

Cryptography and Security

Georgios Bakirtzis,Cody H. Fleming,Christina Vasilakopoulou

DOI: https://doi.org/10.1145/3461669

2021-04-26

Abstract:Cyber-physical systems require the construction and management of various models to assure their correct, safe, and secure operation. These various models are necessary because of the coupled physical and computational dynamics present in cyber-physical systems. However, to date the different model views of cyber-physical systems are largely related informally, which raises issues with the degree of formal consistency between those various models of requirements, system behavior, and system architecture. We present a category-theoretic framework to make different types of composition explicit in the modeling and analysis of cyber-physical systems, which could assist in verifying the system as a whole. This compositional framework for cyber-physical systems gives rise to unified system models, where system behavior is hierarchically decomposed and related to a system architecture using the systems-as-algebras paradigm. As part of this paradigm, we show that an algebra of (safety) contracts generalizes over the state of the art, providing more uniform mathematical tools for constraining the behavior over a richer set of composite cyber-physical system models, which has the potential of minimizing or eliminating hazardous behavior.

Logic in Computer Science,Systems and Control,Category Theory

Ziad Ismail,Jean Leneutre,Alia Fourati

DOI: https://doi.org/10.1007/978-3-319-40385-4_11

2016-01-01

Abstract:The improved communication and remote control capabilities of industrial control systems equipment have increased their attack surface. As a result, managing the security risk became a challenging task. The consequences of attacks in an industrial control system can go beyond targeted equipment to impact services in the industrial process. In addition, the success likelihood of an attack is highly correlated to the attacker profile and his knowledge of the architecture of the system. In this paper, we present the Attack Execution Model (AEM), which is an attack graph representing the evolution of the adversary’s state in the system after each attack step. We are interested in assessing the risk of cyber attacks on an industrial control system before the next maintenance period. Given a specific attacker profile, we generate all potential attacker actions that could be executed in the system. Our tool outputs the probability and the time needed to compromise a target equipment or services in the system.

Christoph Ponikwar,Hans-Joachim Hof,Smriti Gopinath,Lars Wischhof

DOI: https://doi.org/10.48550/arXiv.1607.08277

2016-07-28

Abstract:In recent time, the standards for Vehicular Ad-hoc Networks (VANETs) and Intelligent Transportation Systems (ITSs) matured and scientific and industry interest is high especially as autonomous driving gets a lot of media attention. Autonomous driving and other assistance systems for cars make heavy use of VANETs to exchange <a class="link-external link-http" href="http://information.They" rel="external noopener nofollow">this http URL</a> may provide more comfort, security and safety for drivers. However, it is of crucial importance for the user's trust in these assistance systems that they could not be influenced by malicious users. VANETs are likely attack vectors for such malicious users, hence application-specific security requirements must be considered during the design of applications using VANETs. In literature, many attacks on vehicular communication have been described but attacks on specific vehicular networking applications are often missing. This paper fills in this gap by describing standardized vehicular networking applications, defining and extending previous attacker models, and using the resulting new models to characterize the possible attackers interested in the specific vehicular networking application. The attacker models presented in this paper hopefully provide great benefit for the scientific community and industry as they allow to compare security evaluations of different works, characterize attackers, their intentions and help to plan application-specific security controls for vehicular networking applications.

Cryptography and Security,Networking and Internet Architecture

Paul Griffioen,Sean Weerakkody,Bruno Sinopoli

DOI: https://doi.org/10.1109/tac.2020.3005686

IF: 6.549

2021-05-01

IEEE Transactions on Automatic Control

Abstract:This article considers the design and analysis of multiple moving target defenses for recognizing and isolating attacks on cyber-physical systems. We consider attackers who perform integrity attacks on some set of sensors and actuators in a control system. In such cases, it has been shown that a model aware adversary can carefully design attack vectors to bypass bad data detection and identification filters while causing damage to the control system. To counter such an attacker, we propose the moving target defense which introduces stochastic, time-varying parameters in the control system. The underlying random dynamics of the system limit an attacker&#x27;s knowledge of the model and inhibit his or her ability to construct stealthy attack sequences. Moreover, the time-varying nature of the dynamics thwarts adaptive adversaries. We explore three main designs. First, we consider a hybrid system where parameters within the existing plant are switched among multiple modes. We demonstrate how such an approach can enable both the detection and identification of malicious nodes. Next, we investigate the addition of an extended system with dynamics that are coupled to the original plant but do not affect the system performance. Here, an attack on the original system will affect the authenticating subsystem and in turn be revealed by a set of sensors measuring the extended plant. Finally, we propose the use of sensor nonlinearities to enhance the effectiveness of the moving target defense. The nonlinear dynamics act to conceal normal operational behavior from an attacker who has tampered with the system state, further hindering an attacker&#x27;s ability to glean information about the time-varying dynamics. In all cases mechanisms for analysis and design are proposed. Finally, we analyze attack detectability for each moving target defense by investigating expected lower bounds on the detection statistic. Our contributions are also tested via simulation.

automation & control systems,engineering, electrical & electronic