Zhengxiong Luo,Feilong Zuo,Yuheng Shen,Xun Jiao,Wanli Chang,Yu Jiang

DOI: https://doi.org/10.1109/dac18072.2020.9218603

2020-01-01

Abstract:Industrial Control System (ICS) protocols play an essential role in building communications among system components. Recently, many severe vulnerabilities, such as Stuxnet and DragonFly, exposed in ICS protocols have affected a wide distribution of devices. Therefore, it is of vital importance to ensure their correctness. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complexity and diversity of the protocols.In this paper, we propose to equip the traditional protocol fuzzing with coverage-guided packet crack and generation. We collect the coverage information during the testing procedure, save those valuable packets that trigger new path coverage and crack them into pieces, based on which, we can construct higher-quality new packets for further testing. For evaluation, we build Peach * on top of Peach, which is one of the most widely used protocol fuzzers, and conduct experiments on several ICS protocols such as Modbus and DNP3. Results show that, compared with the original Peach, Peach * achieves the same code coverage and bug detection numbers at the speed of 1.2X-25X. It also gains final increase with 8.35%-36.84% more paths within 24 hours and has exposed 9 previously unknown vulnerabilities.

Xuejun Zong,Wenjie Luo,Bowei Ning,Kan He,Lian Lian,Yifei Sun

DOI: https://doi.org/10.1109/access.2024.3399820

IF: 3.9

2024-05-22

IEEE Access

Abstract:With the opening of industrial networks in the information age, the characteristic of Industrial Control Protocols (ICPs) to transmit plaintext without encryption exposes serious security risks, threatening the safe and stable operation of Industrial Control Systems (ICSs). Exploring the work of mining vulnerabilities in ICPs can use fuzzing to mine potential vulnerabilities in protocols to ensure the safe operation of ICS. However, traditional fuzzing methods require the construction of test cases based on expert experience and the format syntax specification of ICPs. This process is time-consuming, labor-intensive, inefficient, and limited when facing unknown ICPs. In response to these issues, this paper proposes an automated fuzzing method for ICPs based on the Denoising Diffusion Probabilistic Model (DDPM). Specifically, DDPM achieves the conversion from noise to data samples, which can easily and quickly generate test cases. On this basis, we designed a universal fuzzing framework, DiffusionFuzz, that can be applied to most ICPs. The experimental results obtained on ICPs such as Modbus/TCP in the Industrial Attack-Defense Range of the Key Laboratory of Information Security for Petrochemical Industry in Liaoning Province demonstrate that the test cases generated by this method are diverse, and outperform other fuzzing methods in terms of acceptance rate and ability to trigger exceptions. Certainly, DiffusionFuzz can enhance the effectiveness of fuzzing, identify vulnerabilities in ICPs, and thereby reduce potential economic risks and impacts.

computer science, information systems,telecommunications,engineering, electrical & electronic

Puzhuo Liu,Yaowen Zheng,Zhanwei Song,Dongliang Fang,Shichao Lv,Limin Sun

DOI: https://doi.org/10.1016/j.sysarc.2022.102483

IF: 5.836

2022-06-01

Journal of Systems Architecture

Abstract:Programmable controllers, critical components in Industrial Control Systems (ICS), are the bridge between cyberspace and physical world. With the development of the Industrial Internet of Things (IIoT), they are no longer physically isolated, allowing remote hackers to exploit vulnerabilities to attack them. However, due to the high degree of privatization and the complicated work flow of programmable controllers, the existing work is not suitable for discovering programmable controller vulnerabilities. In our research, we propose a traffic-driven protocol fuzzing approach for programmable controllers. Specifically, we perform proprietary protocol fuzzing on the network daemon by selecting seeds and guiding states of the device. In the fuzzing process, in addition to monitoring the network status, an oscilloscope is also used to automatically monitor the status of underlying control services. The triggering of these vulnerabilities invalidate the control of actuators by programmable controllers and directly affect the physical world. Moreover, it is extremely difficult to recover compromised devices to normal production tasks. We evaluated our prototype on 15 real-world programmable controllers from six popular manufacturers. We found 26 vulnerabilities based on analysis results, 20 of which can directly cause physical control services to crash.

computer science, software engineering, hardware & architecture

Feilong Zuo,Zhengxiong Luo,Junze Yu,Ting Chen,Zichen Xu,Aiguo Cui,Yu Jiang

DOI: https://doi.org/10.1109/tcad.2022.3201471

IF: 2.9

2022-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Industrial control system (ICS) employs complex multistate protocols to realize high-reliability communication and intelligent control over automation equipment. ICS has been widely used in various embedded fields, such as autonomous vehicle systems, power automation systems, etc. However, in recent years, many attacks have been performed on ICS, especially its protocols, such as the hijacks over Jeep Uconnect and Tesla Autopilot autonomous systems, also the Stuxnet and DragonFly viruses over national infrastructures. It is important to guarantee the security of ICS protocols. In this article, we present Charon, an efficient fuzzing platform for the vulnerability detection of ICS protocol implementations. In Charon, we propose an innovative fuzzing strategy that leverages state guidance to maximize cross-state code coverage instead of focusing on isolated states during the fuzzing of ICS protocols. Moreover, we devise a novel feedback collection method that employs program status inferring to avoid the restart of the ICS protocol at each iteration, allowing for continuous fuzzing. We evaluate Charon on several popular ICS protocol implementations, including real-time publish subscribe, IEC61850-MMS, MQTT, etc. Compared with typical fuzzers, such as American fuzzy lop, Polar, AFLNET, Boofuzz, and Peach, it averagely improves branch coverage by 234.2%, 194.4%, 215.9%, 52.58%, and 35.18%, respectively. Moreover, it has already confirmed 21 previously unknown vulnerabilities (e.g., stack buffer overflow) among these ICS protocols, most of which are security critical and corresponding patches from vendors have been released accordingly.

Min Tang,Bowei Zhang,Weifeng Sun,Jianqiao Ding

DOI: https://doi.org/10.1109/SmartIoT55134.2022.00018

2022-08-01

Abstract:Industrial control network security is undoubtedly important for an industrial control system. Fuzzy testing is an important method to detect network protocol program security vulnerabilities. In order to perform protocol fuzzing effectively, test data must be generated under the guidance of protocol forma, and the protocol needs to be analyzed before the fuzzy test to generate high-quality fuzzy test cases. In this article, we propose a fuzzy testing framework called MaskFuzzer to solve the problems. A generation adversarial network model is used to automatically learn the data structure of system communication, to generate false messages conforming to protocol specifications. In order to prove the availability of our method, we used MaskFuzzer to test the Modbus-Tcpemulator and successfully find some vulnerabilities. In addition, compared with the GAN-based test case generation method and Peach, our method is best.

Computer Science,Engineering

Liu Ke,Wang Jing-Yi,Wei Qiang,Guizhou University,Sun Jun,Ma Rong-Kuan,Deng Rui-Long

DOI: https://doi.org/10.1007/s11390-021-1647-7

2021-01-01

Abstract:Programmable logic controllers (PLCs) play a critical role in many industrial control systems, yet face increasingly serious cyber threats. In this paper, we propose a novel PLC-compatible software-based defense mechanism, called Heterogeneous Redundant Proactive Defense Framework (HRPDF). We propose a heterogeneous PLC architecture in HRPDF, including multiple heterogeneous, equivalent, and synchronous runtimes, which can thwart multiple types of attacks against PLC without the need of external devices. To ensure the availability of PLC, we also design an inter-process communication algorithm that minimizes the overhead of HRPDF. We implement a prototype system of HRPDF and test it in a real-world PLC and an OpenPLC-based device, respectively. The results show that HRPDF can defend against multiple types of attacks with 10.22% additional CPU and 5.56% additional memory overhead, and about 0.6 ms additional time overhead.

Wanyou Lv,Jiawen Xiong,Jianqi Shi,Yanhong Huang,Shengchao Qin

DOI: https://doi.org/10.1007/s10845-020-01584-z

IF: 8.3

2020-05-23

Journal of Intelligent Manufacturing

Abstract:A growing awareness is brought that the safety and security of industrial control systems cannot be dealt with in isolation, and the safety and security of industrial control protocols (ICPs) should be considered jointly. Fuzz testing (fuzzing) for the ICP is a common way to discover whether the ICP itself is designed and implemented with flaws and network security vulnerability. Traditional fuzzing methods promote the safety and security testing of ICPs, and many of them have practical applications. However, most traditional fuzzing methods rely heavily on the specification of ICPs, which makes the test process a costly, time-consuming, troublesome and boring task. And the task is hard to repeat if the specification does not exist. In this study, we propose a smart and automated protocol fuzzing methodology based on improved deep convolution generative adversarial network and give a series of performance metrics. An automated and intelligent fuzzing framework BLSTM-DCNNFuzz for application is designed. Several typical ICPs, including Modbus and EtherCAT, are applied to test the effectiveness and efficiency of our framework. Experiment results show that our methodology outperforms the existing ones like General Purpose Fuzzer and other deep learning based fuzzing methods in convenience, effectiveness, and efficiency.

engineering, manufacturing,computer science, artificial intelligence

Andrei Bytes,Prashant Hari Narayan Rajput,Constantine Doumanidis,Nils Ole Tippenhauer,Michail Maniatakos,Jianying Zhou

2023-07-31

Abstract:Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments that provide standardized access to the hardware resources in the PLC. These control applications are programmed in domain-specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection in a control application would directly allow to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific challenges and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices but is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework that analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic and iii) a monitoring setup to allow on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art.

Cryptography and Security

Fan Zhang,Qianmei Wu,Bohan Xuan,Yuqi Chen,Wei Lin,Christopher M. Poskitt,Jun Sun,Binbin Chen

DOI: https://doi.org/10.1109/tse.2023.3309330

2020-01-01

Abstract:Cyber-physical systems (CPSs) automating critical public infrastructure face a pervasive threat of attack, motivating research into different types of countermeasures. Assessing the effectiveness of these countermeasures is challenging, however, as benchmarks are difficult to construct manually, existing automated testing solutions often make unrealistic assumptions, and blindly fuzzing is ineffective at finding attacks due to the enormous search spaces and resource requirements. In this work, we propose active sensor fuzzing , a fully automated approach for building test suites without requiring any a prior knowledge about a CPS. Our approach employs active learning techniques. Applied to a real-world water treatment system, our approach manages to find attacks that drive the system into 15 different unsafe states involving water flow, pressure, and tank levels, including nine that were not covered by an established attack benchmark. Furthermore, we successfully generate targeted multi-point attacks which have been long suspected to be possible. We reveal that active sensor fuzzing successfully extends the attack benchmarks generated by our previous work, an ML-guided fuzzing tool, with two more kinds of attacks. Finally, we investigate the impact of active learning on models and the reason that the model trained with active learning is able to discover more attacks.

Hanxiao Wanyan,Yingxu Lai,Jing Liu,Hao Chen

DOI: https://doi.org/10.1016/j.cose.2024.103811

IF: 5.105

2024-03-28

Computers & Security

Abstract:Industrial control systems (ICSs) have many vulnerabilities owing to the lack of protective measures. Once exploited, such vulnerabilities can result in significant economic loss and security concerns because an ICS controls the entire production process. Although fuzzing is a prevalent technique for finding potential vulnerabilities, current approaches have the disadvantages of blind mutations and low efficiency in vulnerability mining. In this study, we propose a personalized fuzzing method for ICS protocols based on non-critical field mutations and test case combinations. In our approach, we select appropriate protocol fields for personalized mutations based on the information entropy of each output, which can increase the diversity of test cases while preserving their availability. We developed a novel test case sending method that improves the efficiency of finding specific vulnerabilities by grouping related test cases. Our approach also introduces a detection method based on expected message validation to locate triggered vulnerabilities quickly. Compared to Peach and Boofuzz, our method improved the test target anomaly rate by 63.53% and 34.95%, respectively, and found one 0-day vulnerability and five n-day vulnerabilities.

computer science, information systems

Zhengxiong Luo,Zhe Liu,Yu Jiang,Junze Yu,Feilong Zuo

DOI: https://doi.org/10.1109/DAC18074.2021.9586321

2021-12-05

Abstract:The rapid development of in-vehicle networks and protocols brings efficient communication service but also increases the risk of attack. Any vulnerability may be leveraged to cause serious consequences. It is of vital importance to guarantee their security. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complex relations among protocol states.In this paper, we propose PAVFuzz, a state-sensitive fuzz testing framework to secure those protocols used in autonomous vehicles. It automatically learns relations between two data elements in different protocol states. The relations will then be used to calculate and update the mutation weight of each data element continuously. Accordingly, PAVFuzz is able to select the target data elements and perform state-sensitive mutation to boost the efficiency. Experiments show that, compared with state-of-the-art fuzzers Peach and AFL, PAVFuzz increases branch coverage by averagely 22.51% and 369.19% within 24 hours. It has successfully exposed 12 serious previously unknown vulnerabilities among several protocols that are widely used in autonomous vehicles, such as RTPS and SOME/IP. We have reported them to the developers and corresponding patches have been released.

Engineering,Computer Science

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tcsii.2022.3181827

2022-01-01

Abstract:In cyber-physical power systems (CPPSs), false data injection attack (FDIA) has drawn much attention due to its stealthiness. It is of great importance to investigate the potential behaviors of attackers to improve the cyber-security of CPPSs. However, most FDIA models are often constructed separately on the effect of attackers or the impact of attacks. Accordingly, this brief proposes a multi-objective stealthy FDIA scheme in AC grid model. The attack model is described as a multi-objective optimization problem, where minimization of contaminated measurements and maximization of the attack impact are considered as two objectives while remaining stealthy. To deal with the established attack model, a non-dominated sorting genetic algorithm II (NSGAII) is introduced as the solver. To improve the efficiency of generating attack vector, a new representation mechanism is proposed to describe locations and values of injected states. Additionally, during the evolutionary process, we propose a mutation operation to balance the sparsity and impact of FDIA. Simulation results on the IEEE 14-bus, 30-bus, and 118-bus systems demonstrate the feasibility of the NSGAII-based FDIA model.

Beibei Li,Gaoxi Xiao,Rongxing Lu,Ruilong Deng,Haiyong Bao

DOI: https://doi.org/10.1109/tii.2019.2922215

IF: 12.3

2019-01-01

IEEE Transactions on Industrial Informatics

Abstract:Recent studies have investigated the possibilities of proactively detecting the high-profile false data injection (FDI) attacks on power grid state estimation by using the distributed flexible ac transmission system (D-FACTS) devices, termed as proactive false data detection (PFDD) approach. However, the feasibility and limitations of such an approach have not been systematically studied in the existing literature. In this paper, we explore the feasibility and limitations of adopting the PFDD approach to thwart FDI attacks on power grid state estimation. Specifically, we thoroughly study the feasibility of using PFDD to detect FDI attacks by considering single-bus, uncoordinated multiple-bus, and coordinated multiple-bus FDI attacks, respectively. We prove that PFDD can detect all these three types of FDI attacks targeted on buses or super-buses with degrees larger than 1, if and only if the deployment of D-FACTS devices covers branches at least containing a spanning tree of the grid graph. The minimum efforts required for activating D-FACTS devices to detect each type of FDI attacks are, respectively, evaluated. In addition, we also discuss the limitations of this approach; it is strictly proved that PFDD is not able to detect FDI attacks targeted on buses or super-buses with degrees equalling 1.

Matthias Niedermaier,Florian Fischer,Alexander von Bodisco

DOI: https://doi.org/10.23919/AE.2017.8053600

2019-10-17

Abstract:Programmable Logic Controllers are used for smart homes, in production processes or to control critical infrastructures. Modern industrial devices in the control level are often communicating over proprietary protocols on top of TCP/IP with each other and SCADA systems. The networks in which the controllers operate are usually considered as trustworthy and thereby they are not properly secured. Due to the growing connectivity caused by the Internet of Things (IoT) and Industry 4.0 the security risks are rising. Therefore, the demand of security assessment tools for industrial networks is high. In this paper, we introduce a new fuzzing framework called PropFuzz, which is capable to fuzz proprietary industrial control system protocols and monitor the behavior of the controller. Furthermore, we present first results of a security assessment with our framework.

Cryptography and Security

Zhengxiong Luo,Junze Yu,Qingpeng Du,Yanyang Zhao,Feifan Wu,Heyuan Shi,Wanli Chang,Yu Jiang

DOI: https://doi.org/10.1109/tcad.2024.3444705

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Internet of Things (IoT) messaging protocols play an important role in facilitating communications between users and IoT devices. Mainstream IoT platforms employ brokers, server-side implementations of IoT messaging protocols, to enable and mediate this user-device communication. Due to the complex nature of managing communications among devices with diverse roles and functionalities, comprehensive testing of the protocol brokers necessitates collaborative parallel fuzzing. However, being unaware of the relationship between test packets generated by different parties, existing parallel fuzzing methods fail to explore the brokers' diverse processing logic effectively. This article introduces MPFuzz, a parallel fuzzing tool designed to secure IoT messaging protocols through collaborative packet generation. The approach leverages the critical role of certain fields within IoT messaging protocols that specify the logic for message forwarding and processing by protocol brokers. MPFuzz employs an information synchronization mechanism to synchronize these key fields across different fuzzing instances and introduces a semantic-aware refinement module that optimizes generated test packets by utilizing the shared information and field semantics. This strategy facilitates a collaborative refinement of test packets across otherwise isolated fuzzing instances, thereby boosting the efficiency of parallel fuzzing. We evaluated MPFuzz on six widely used IoT messaging protocol implementations. Compared to two state-of-the-art protocol fuzzers with parallel capabilities, Peach and AFLNet, as well as two representative parallel fuzzers, SPFuzz and AFLTeam, MPFuzz achieves (6.1%, ), (20.2%, ), (1.9%, ), and (17.4%, ) higher branch coverage and fuzzing speed under the same computing resource. Furthermore, MPFuzz exposed seven previously unknown vulnerabilities in these extensively tested projects, all of which have been assigned with CVE identifiers.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Yuqi Chen,Bohan Xuan,Christopher M. Poskitt,Jun Sun,Fan Zhang

DOI: https://doi.org/10.1145/3395363.3397376

2020-07-16

Abstract:Cyber-physical systems (CPSs) in critical infrastructure face a pervasive threat from attackers, motivating research into a variety of countermeasures for securing them. Assessing the effectiveness of these countermeasures is challenging, however, as realistic benchmarks of attacks are difficult to manually construct, blindly testing is ineffective due to the enormous search spaces and resource requirements, and intelligent fuzzing approaches require impractical amounts of data and network access. In this work, we propose active fuzzing, an automatic approach for finding test suites of packet-level CPS network attacks, targeting scenarios in which attackers can observe sensors and manipulate packets, but have no existing knowledge about the payload encodings. Our approach learns regression models for predicting sensor values that will result from sampled network packets, and uses these predictions to guide a search for payload manipulations (i.e. bit flips) most likely to drive the CPS into an unsafe state. Key to our solution is the use of online active learning, which iteratively updates the models by sampling payloads that are estimated to maximally improve them. We evaluate the efficacy of active fuzzing by implementing it for a water purification plant testbed, finding it can automatically discover a test suite of flow, pressure, and over/underflow attacks, all with substantially less time, data, and network access than the most comparable approach. Finally, we demonstrate that our prediction models can also be utilised as countermeasures themselves, implementing them as anomaly detectors and early warning systems.

Software Engineering,Cryptography and Security,Machine Learning

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Jianlei Gao,Jun Li,Hao Jiang,Yaobing Li,Hengzhi Quan

DOI: https://doi.org/10.1109/cac51589.2020.9327136

2020-01-01

Abstract:Measurement and control system integrating different software and hardware is used to measure parameters, monitor process and control operation, which has been widely applied in critical infrastructures and has adopted Ethernet for data exchange. The recent publications have indicated that measurement and control systems are very vulnerable when they are exposed to cyber-attacks due to various intrinsic security weakness. Fins protocol as one of the most popular protocols is built into a larger number of Ormon devices that are used in different kinds of measurement, and control systems and has been targeted as the desirable candidate for cyber-attack. However, the traditional detection method based on traffic analysis and function code compliance detection is unable to detect mode-switching attack that is consistent with the protocol syntax, and it is a very harmful network attack against industrial devices. In this paper, we analyze the defects of measurement and control system using Fins protocol, launch mode-switching attack against Ormon PLC devices and display how to defend against this attack by designing a detection rules insert into Snort. Then, this detection approach is carried out to protect the security of Ormon PLC. Finally, the experimental results show that our detection approach can distinguish and detect this malicious cyber-attack efficiently.

Ya Ma

DOI: https://doi.org/10.52783/jes.3438

2024-04-25

Abstract:The protection of industrialized management systems and related network protocols is guaranteed by vulnerability mining innovation. The inadequate receiving efficiency and insufficient vulnerability mining capacity of vulnerability mining strategies are their drawbacks. So, this study analyzes the network protocol vulnerability mining using fuzz testing combined with deep learning (DL). In this study, Modbus TCP is employed as a network protocol regarding vulnerability mining. This paper presents a unique threshold-sample-driven deep neural network (T-s DNN) framework. Based on the TSDNN, we construct a fuzzing framework (T-s DNN Fuzzer) for Modbus TCP protocols. The DNN algorithm is first trained to understand the meaning of the protocol's data unit using this framework. The likelihood distribution of every value in the information is quantified using the softmax mechanism. The technique then examines the highest likelihood and the random variable's threshold in deciding whether to use the information value with the optimal likelihood in place of the existing information value. The MBAP header has been finished by the protocol standard. Fuzz tests demonstrate that in addition to increasing sample receipt levels and exploitability, fuzzing devices can identify protocol vulnerabilities rapidly. Experiments conducted with the T-s DNN fuzzer demonstrate that it can detect industrial control protocol vulnerabilities greater in addition to increasing test case reception scores and exploitability.

Computer Science,Engineering

Yuqi Chen,Christopher M. Poskitt,Jun Sun,Sridhar Adepu,Fan Zhang

DOI: https://doi.org/10.1109/ase.2019.00093

2019-11-01

Abstract:The threat of attack faced by cyber-physical systems (CPSs), especially when they play a critical role in automating public infrastructure, has motivated research into a wide variety of attack defence mechanisms. Assessing their effectiveness is challenging, however, as realistic sets of attacks to test them against are not always available. In this paper, we propose smart fuzzing, an automated, machine learning guided technique for systematically finding ‘test suites’ of CPS network attacks, without requiring any knowledge of the system’s control programs or physical processes. Our approach uses predictive machine learning models and metaheuristic search algorithms to guide the fuzzing of actuators so as to drive the CPS into different unsafe physical states. We demonstrate the efficacy of smart fuzzing by implementing it for two real-world CPS testbeds-a water purification plant and a water distribution system–finding attacks that drive them into 27 different unsafe states involving water flow, pressure, and tank levels, including six that were not covered by an established attack benchmark. Finally, we use our approach to test the effectiveness of an invariant-based defence system for the water treatment plant, finding two attacks that were not detected by its physical invariant checks, highlighting a potential weakness that could be exploited in certain conditions.