Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Shishir Kumar Shandilya,Saket Upadhyay,Ajit Kumar,Atulya K. Nagar

DOI: https://doi.org/10.1016/j.future.2021.09.018

IF: 7.307

2022-02-01

Future Generation Computer Systems

Abstract:In the current ever-changing cybersecurity scenario, active cyber defense strategies are imperative. In this work, we present a standard testbed to measure the efficacy and efficiency of customized networks while analyzing various parameters during the active attack. The presented testbed can be used for analyzing the network behavior in presence of various types of attacks and can help in fine-tuning the proposed algorithm under observation. The proposed testbed will allow users to design, implement, and evaluate the active cyber defense mechanisms with good library support of nature-inspired and AI-based techniques. Network loads, number of clusters, types of home networks, and number of nodes in each cluster and network can be customized. While using the presented testbed and incorporating active-defense strategies on existing network architectures, users can also design and propose new network architectures for effective and safe operation. In this paper, we propose a unified and standard testbed for cyber defense strategy simulation and bench-marking, which would allow the users to investigate current approaches and compare them with others, while ultimately aiding in the selection of the best approach for a given network security situation. We have compared the network performance in difference scenarios namely, normal, under attack and under attack in presence of NICS-based adaptive defense mechanism and achieved stable experimental results. The experimental results clearly show that the proposed testbed is able to simulate the network conditions effectively with minimum efforts in network configuration. The simulation results of defense mechanisms verified on the proposed testbed got the improvement on almost 80 percent while increasing the turnaround time to 1–2 percent. The applicability of proposed testbed in modern technologies like Fog Computing and Edge Computing is also discussed in this paper.

Talaya Farasat,JongWon Kim,Joachim Posegga

2024-10-24

Abstract:This paper introduces a Testbed designed for generating network traffic, leveraging the capabilities of containers, Kubernetes, and eBPF/XDP technologies. Our Testbed serves as an advanced platform for producing network traffic for machine learning based network experiments. By utilizing this Testbed, we offer small malicious network traffic dataset publically that satisfy ground truth property completely.

Cryptography and Security,Networking and Internet Architecture

Mengxiang Liu,Zexuan Jin,Jinhui Xia,Mingyang Sun,Ruilong Deng,Peng Cheng

DOI: https://doi.org/10.1109/infocomwkshps51825.2021.9484453

2021-01-01

Abstract:In DC microgrids (DCmGs), distributed control is becoming a promising framework due to prominent scalability and efficiency. To transmit essential data and information for system control, various communication network topologies and protocols have been employed in modern DCmGs. However, such communication also exposes the DCmG to unexpected cyber attacks. In this demo, a scalable cyber security testbed is established for conducting hardware-in-the-loop (HIL) exper-iments and comprehensively investigating the security impact on DCmGs. Specifically, the testbed employs a Typhoon HIL 602+ emulator, which is professional in power electronics system emulation, to demonstrate four (12 at most) distributed energy resources (DERs). The communication network is implemented through the self-loop RS-232 interface. Based on the testbed, we systematically investigate the impact of two kinds of typical cyber attacks (i.e., false data injection and replay attacks). Experimental results show that both attacks will deteriorate the point-of-common coupling (PCC) voltages of the DERs and jeopardize the stability of the whole DCmG.

Shishir Kumar Shandilya,Chirag Ganguli,Ivan Izonin,Prof Atulya Kumar Nagar

DOI: https://doi.org/10.1016/j.dib.2022.108771

2022-11-24

Abstract:To determine the effectiveness of any defense mechanism, there is a need for comprehensive real-time network data that solely references various attack scenarios based on older software versions or unprotected ports, and so on. This presented dataset has entire network data at the time of several cyber attacks to enable experimentation on challenges based on implementing defense mechanisms on a larger scale. For collecting the data, we captured the network traffic of configured virtual machines using Wireshark and tcpdump. To analyze the impact of several cyber attack scenarios, this dataset presents a set of ten computers connected to Router1 on VLAN1 in a Docker Bridge network, that try and exploit each other. It includes browsing the web and downloading foreign packages including malicious ones. Also, services like File Transfer Protocol (FTP) and Secure Shell (SSH) were exploited using several attack mechanisms. The presented dataset shows the importance of updating and patching systems to protect themselves to a greater extent, by following attack tactics on older versions of packages as compared to the newer and updated ones. This dataset also includes an Apache Server hosted on a different subset of VLAN2 which is connected to the VLAN1 to demonstrate isolation and cross- VLAN communication. The services on this web server were also exploited by the previously stated ten computers. The attack types include Distributed Denial of Service, SQL Injection, Account Takeover, Service Exploitation (SSH, FTP), DNS and ARP Spoofing, Scanning and Firewall Searching and Indexing (using Nmap), Hammering the services to brute-force passwords and usernames, Malware attacks, Spoofing, and Man-in-the-Middle Attack. The attack scenarios also show various scanning mechanisms and the impact of Insider Threats on the entire network.

Jose Rubio-Hernan,Juan Rodolfo-Mejias,Joaquin Garcia-Alfaro

DOI: https://doi.org/10.1007/978-3-319-61437-3_1

2017-11-30

Abstract:Traditional control environments connected to physical systems are being upgraded with novel information and communication technologies. The resulting systems need to be adequately protected. Experimental testbeds are crucial for the study and analysis of ongoing threats against those resulting cyber-physical systems. The research presented in this paper discusses some actions towards the development of a replicable and affordable cyber-physical testbed for training and research. The architecture of the testbed is based on real-world components, and emulates cyber-physical scenarios commanded by SCADA (Supervisory Control And Data Acquisition) technologies. We focus on two representative protocols, Modbus and DNP3. The paper reports as well the development of some adversarial scenarios, in order to evaluate the testbed under cyber-physical threat situations. Some detection strategies are evaluated using our proposed testbed.

Cryptography and Security

Denys Mishchenko,Irina Oleinikova,László Erdődi,Basanta Raj Pokhrel

DOI: https://doi.org/10.1109/access.2024.3375401

IF: 3.9

2024-03-19

IEEE Access

Abstract:The rapid digitalization of power systems involves enhanced interconnectivity, intelligence, and cost-efficiency across all components. In the era of Industry 5.0, the criticality of energy supply makes power systems prime targets for attacks, highlighting the need for the creation and evaluation of solutions against cyber-physical threats. Testbeds have emerged as essential tools for these purposes by representing real-world power systems in controlled environments and simulating cyber-physical attack-defense experiments. This paper introduces a Cyber-Physical Security (CPS) testbed rooted in the Smart Grid Architecture Model (SGAM) and developed adversary setup within the National Smart Grid Laboratory at the Norwegian University of Science and Technology. By adhering to the SGAM framework, this study delves into the classification and assessment of threats within the structure of the CPS testbed, examining vulnerabilities at distinct structural levels. Significantly, the strategic placement of the adversary setup within these levels enables a comprehensive evaluation of cyber-physical vulnerabilities in simulated systems, thereby facilitating the assessment of protective measures. Furthermore, this research presents case studies using three data sources as an aggregated dynamic power system model simulated in the real-time digital simulator OPAL-RT, real power grid, and playback of previously recorded data frames using virtual phasor measurement units functionality. The focus of this work is on the analysis of the five most common cyberattacks on power systems, such as passive and active reconnaissance, interruption in communication, TCP packet injection, and men-in-the-middle attacks utilizing the C37.118.2-2011 protocol. The results of the case studies illustrate the framework for the adversary setup and provide proof-of-concept attack scenarios for evaluation purposes. As part of future work, we intend to expand upon this research with a defender setup and implement more sophisticated, stealthy attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Simon Yusuf Enoch,Zhibin Huang,Chun Yong Moon,Donghwan Lee,Myung Kil Ahn,Dong Seong Kim

DOI: https://doi.org/10.1109/ACCESS.2020.3009748

2020-07-18

Abstract:With the increasing growth of cyber-attack incidences, it is important to develop innovative and effective techniques to assess and defend networked systems against cyber attacks. One of the well-known techniques for this is performing penetration testing which is carried by a group of security professionals (i.e, red team). Penetration testing is also known to be effective to find existing and new vulnerabilities, however, the quality of security assessment can be depending on the quality of the red team members and their time and devotion to the penetration testing. In this paper, we propose a novel automation framework for cyber-attacks generation named `HARMer' to address the challenges with respect to manual attack execution by the red team. Our novel proposed framework, design, and implementation is based on a scalable graphical security model called Hierarchical Attack Representation Model (HARM). (1) We propose the requirements and the key phases for the automation framework. (2) We propose security metrics-based attack planning strategies along with their algorithms. (3) We conduct experiments in a real enterprise network and Amazon Web Services. The results show how the different phases of the framework interact to model the attackers' operations. This framework will allow security administrators to automatically assess the impact of various threats and attacks in an automated manner.

Cryptography and Security

Fan Zhang,Qianmei Wu,Bohan Xuan,Yuqi Chen,Wei Lin,Christopher M. Poskitt,Jun Sun,Binbin Chen

DOI: https://doi.org/10.1109/tse.2023.3309330

2020-01-01

Abstract:Cyber-physical systems (CPSs) automating critical public infrastructure face a pervasive threat of attack, motivating research into different types of countermeasures. Assessing the effectiveness of these countermeasures is challenging, however, as benchmarks are difficult to construct manually, existing automated testing solutions often make unrealistic assumptions, and blindly fuzzing is ineffective at finding attacks due to the enormous search spaces and resource requirements. In this work, we propose active sensor fuzzing , a fully automated approach for building test suites without requiring any a prior knowledge about a CPS. Our approach employs active learning techniques. Applied to a real-world water treatment system, our approach manages to find attacks that drive the system into 15 different unsafe states involving water flow, pressure, and tank levels, including nine that were not covered by an established attack benchmark. Furthermore, we successfully generate targeted multi-point attacks which have been long suspected to be possible. We reveal that active sensor fuzzing successfully extends the attack benchmarks generated by our previous work, an ML-guided fuzzing tool, with two more kinds of attacks. Finally, we investigate the impact of active learning on models and the reason that the model trained with active learning is able to discover more attacks.

Ariel Futoransky,Luciano Notarfrancesco,Gerardo Richarte,Carlos Sarraute

DOI: https://doi.org/10.48550/arXiv.1006.1916

2010-06-10

Abstract:In this work we start walking the path to a new perspective for viewing cyberwarfare scenarios, by introducing conceptual tools (a formal model) to evaluate the costs of an attack, to describe the theater of operations, targets, missions, actions, plans and assets involved in cyberwarfare attacks. We also describe two applications of this model: autonomous planning leading to automated penetration tests, and attack simulations, allowing a system administrator to evaluate the vulnerabilities of his network.

Cryptography and Security,Artificial Intelligence

Alaa Selim,Junbo Zhao

2023-12-10

Abstract:This paper introduces a cyber-physical testbed that integrates the Real-Time Digital Simulator (RTDS) with the Real-Time Automation Controller (RTAC) to enhance cybersecurity in electrical distribution networks. Focused on addressing vulnerabilities to cyber attacks, our testbed employs an advanced control algorithm developed in Python and executed through real-time controllers. Key to our approach is the seamless integration of the host PC machine, RTDS, and RTAC via the Modbus protocol. We present a game theory-based topology control strategy as an effective response to cyber attacks, specifically targeting smart meters. This testbed validates the efficacy of our method in fully eliminating voltage violations due to load altering attacks, showcasing substantial advancements in smart grid cybersecurity via the innovative use of RTDS and RTAC to simulate and counteract complex cyber threats.

Systems and Control

Venkata S. Koganti,Mohammad Ashrafuzzaman,Ananth A. Jillepalli,Frederick T. Sheldon

DOI: https://doi.org/10.1109/malware.2017.8323960

2017-10-01

Abstract:Industrial Control Systems (ICS), at the heart of critical infrastructures, have been developing into more and more powerful tools over the years with the incorporation of networking and cyber, among other, technologies. As with great power comes great risks, ICS's inherited risks and vulnerabilities not only from the cyber domain but also gave rise to unique security risks and vulnerabilities. Security management, i.e., identifying vulnerabilities, assessing threats, preventing and tolerating malicious and harmful activities, mitigating and recovering from attacks, etc., for ICS's have been identified as a key, if not the key, area for the protection of critical infrastructures. The importance of a test-bed mimicking a real-life ICS and having capabilities to support ICS security management is paramount. In this paper, after briefly surveying the vulnerabilities in ICS and surveying the existing ICS test-beds, we describe the implementation of a virtual ICS testbed controlling the distribution breaker system of a power grid. We also describe simulating two cyber attacks using the testbed.

David Thaw,Bret Barkley,Gerry Bella,Carrie Gardner

DOI: https://doi.org/10.48550/arXiv.1905.09336

2019-05-22

Cryptography and Security

Abstract:Building upon previous research in honeynets and simulations, we present efforts from a two-and-a-half-year study using a representative simulation to collect cybersecurity data. Unlike traditional honeypots or honeynets, our experiment utilizes a full-scale operational network to model a small business environment. The simulation uses default security configurations to defend the network, testing the assumption that given standard security baseline, devices networked to the public Internet will necessarily be hacked. Given network activity appropriate for its context, results support the conclusion that no actors where able to break in, despite only default security settings.

Hetong Jiang,Taejun Choi,Ryan K. L. Ko

DOI: https://doi.org/10.1007/978-981-16-0422-5_1

2021-01-01

Abstract:Cybersecurity tools are increasingly automated with artificial intelligent (AI) capabilities to match the exponential scale of attacks, compensate for the relatively slower rate of training new cybersecurity talents, and improve of the accuracy and performance of both tools and users. However, the safe and appropriate usage of autonomous cyber attack tools–especially at the development stages for these cyber attack tools – is still largely an unaddressed gap. Our survey of current literature and tools showed that most of the existing cyber range designs are mostly using manual tools and have not considered augmenting automated tools or the potential security issues caused by the tools. In other words, there is still room for a novel cyber range design which allow security researchers to safely deploy autonomous tools and perform automated tool testing if needed. In this paper, we introduce Pandora, a safe testing environment which allows security researchers and cyber range users to perform experiments on automated cyber attack tools that may have strong potential of usage and at the same time, a strong potential for risks. Unlike existing testbeds and cyber ranges which have direct compatibility with enterprise computer systems and the potential for risk propagation across the enterprise network, our test system is intentionally designed to be incompatible with enterprise real-world computing systems to reduce the risk of attack propagation into actual infrastructure. Our design also provides a tool to convert in-development automated cyber attack tools into to executable test binaries for validation and usage realistic enterprise system environments if required. Our experiments tested automated attack tools on our proposed system to validate the usability of our proposed environment. Our experiments also proved the safety of our environment by compatibility testing using simple malicious code.

Carlos Sarraute,Fernando Miranda,Jose I. Orlicki

DOI: https://doi.org/10.48550/arXiv.1006.2407

2010-06-12

Abstract:In this work we present a prototype for simulating computer network attacks. Our objective is to simulate large networks (thousands of hosts, with applications and vulnerabilities) while remaining realistic from the attacker's point of view. The foundation for the simulator is a model of computer intrusions, based on the analysis of real world attacks. In particular we show how to interpret vulnerabilities and exploits as communication channels. This conceptual model gives a tool to describe the theater of operations, targets, actions and assets involved in multistep network attacks. We conclude with applications of the attack simulator.

Cryptography and Security

Sung -Do Chi,Jong Sou Park,Ki -Chan Jung,Jang -Se Lee

DOI: https://doi.org/10.1007/3-540-47719-5_26

2001-01-01

Abstract:The major objective of this paper is to develop the network security modeling and cyber attack simulation that is able to classify threats, specify attack mechanisms, verify protection mechanisms, and evaluate consequences. To do this, we have employed the advanced modeling and simulation concepts such as System Entity Structure / Model Base framework, DEVS (Discrete Event System Specification) formalism, and experimental frame concept underlying the object-oriented S/W environment. Our approach is to show the difference from others in that (i) it supports a hierarchical and modular modeling environment, (ii) it generates the command-level behavior of cyber attack scenario, (iii) it provides an efficient model building environment based on the experimental frame concept, and (iv) it supports the vulnerability analysis of given node on the network. Simulation test performed on sample network system will illustrate our techniques.

Y. Yang,H. T. Jiang,K. McLaughlin,L. Gao,Y. B. Yuan,W. Huang,S. Sezer

DOI: https://doi.org/10.1109/pesgm.2015.7286357

2015-01-01

Abstract:With the development and deployment of IEC 61850 based smart substations, cybersecurity vulnerabilities of supervisory control and data acquisition (SCADA) systems are increasingly emerging. In response to the emergence of cybersecurity vulnerabilities in smart substations, a test-bed is indispensable to enable cybersecurity experimentation. In this paper, a comprehensive and realistic cyber-physical test-bed has been built to investigate potential cybersecurity vulnerabilities and the impact of cyber-attacks on IEC 61850 based smart substations. This test-bed is close to a real production type environment, and has the ability to carry out end-to-end testing of cyber-attacks and physical consequences. A fuzz testing approach is proposed for detecting IEC 61850 based intelligent electronic devices (IEDs) and validated in the proposed test-bed.

Radu Marian Portase,Adrian Colesa,Gheorghe Sebestyen

DOI: https://doi.org/10.3390/s24175601

IF: 3.9

2024-09-01

Sensors

Abstract:Cybercriminals have become an imperative threat because they target the most valuable resource on earth, data. Organizations prepare against cyber attacks by creating Cyber Security Incident Response Teams (CSIRTs) that use various technologies to monitor and detect threats and to help perform forensics on machines and networks. Testing the limits of defense technologies and the skill of a CSIRT can be performed through adversary emulation performed by so-called "red teams". The red team's work is primarily manual and requires high skill. We propose SpecRep, a system to ease the testing of the detection capabilities of defenses in complex, heterogeneous infrastructures. SpecRep uses previously known attack specifications to construct attack scenarios based on attacker objectives instead of the traditional attack graphs or a list of actions. We create a metalanguage to describe objectives to be achieved in an attack together with a compiler that can build multiple attack scenarios that achieve the objectives. We use text processing tools aided by large language models to extract information from freely available white papers and convert them to plausible attack specifications that can then be emulated by SpecRep. We show how our system can emulate attacks against a smart home, a large enterprise, and an industrial control system.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhiyuan Yang,Shipeng Zhang,Chee-Wooi Ten,Ting Liu,Xueyue Pang,Hao Sun

DOI: https://doi.org/10.1109/tsg.2022.3192522

IF: 10.275

2022-01-01

IEEE Transactions on Smart Grid

Abstract:Capturing the anomalies of a cyber system in power control networks would promote operational awareness. Correlation of such events, e.g., intrusion attempts, traffic flow, and other signatures, together with control alarm events gives operators an in-depth understanding in order to make an informed decision. This paper proposes a threat inference framework to promote real-time vulnerability assessment associated with cyber intrusions on power communication networks. Wasserstein Generative Adversarial Networks (WGAN) is proposed to estimate the performance of the adversarial model. Additionally, a machine-learning framework is introduced to model the filtering process of the security devices, i.e., firewalls, isolation, and encryption devices, and the posterior fitting method is incorporated to establish an accurate probabilistic formulation. Finally, a testbed is established to coordinate system evaluation. Verification of the intrusion model is part of the implementation to quantify system risks based on the anomalies using (1) the open-source emulator, and (2) an externally imported system analyzer to characterize resulting impacts. The effectiveness and feasibility of the generative models are verified in a comparison study where the proper parameter settings could be obtained. The proposed framework is justified with extensive studies of substation networks using real-world settings.

Pin-Yu Chen,Sutanay Choudhury,Luke Rodriguez,Alfred Hero,Indrajit Ray

DOI: https://doi.org/10.48550/arXiv.1905.01002

2019-05-03

Cryptography and Security

Abstract:Lateral movement attacks are a serious threat to enterprise security. In these attacks, an attacker compromises a trusted user account to get a foothold into the enterprise network and uses it to attack other trusted users, increasingly gaining higher and higher privileges. Such lateral attacks are very hard to model because of the unwitting role that users play in the attack and even harder to detect and prevent because of their low and slow nature. In this paper, a theoretical framework is presented for modeling lateral movement attacks and for proposing a methodology for designing resilient cyber systems against such attacks. The enterprise is modeled as a tripartite graph capturing the interaction between users, machines, and applications, and a set of procedures is proposed to harden the network by increasing the cost of lateral movement. Strong theoretical guarantees on system resilience are established and experimentally validated for large enterprise networks.