Departure-Based Intrusion Detection
Licentiatavhandling, 2019

Industrial Control Systems (ICS) combine information technology with operation technology to monitor or control physical industrial processes via computer-based programs and often operate on critical infrastructures. As such, compromised or maliciously operated ICS can cause devastating consequences on society at large. To meet efficiency requirements, ICS are becoming increasingly connected to corporate networks and to the Internet, thereby elevating the risk of cyberattacks. Resilient and sustainable highly connected ICS therefore require a serious consideration of proper security measures. Securing ICS solely from an IT perspective, while necessary, proves insufficient because, at the physical layer, the critical process would remain unmonitored and therefore vulnerable to sabotage by the attackers. The recent years have witnessed an increased interest in process-level intrusion detection where the process network connecting field devices is monitored for malicious behavior. One prominent approach in the literature proposes to build a model of the physical process, which is then used to compare a predicted state with the actual state in the hope of identifying attacks. Building and using a predictive model of the physical process, however, is non trivial, domain specific, and prone to detection inaccuracies due to noise in the process data. This thesis introduces a novel model-free approach to detecting cyberattacks on ICS by monitoring the process network in real time and deciding when the system operation is departing from normal dynamics. The proposed process-aware stealthy-attack detection mechanism processes raw sensor measurements to capture the dynamics of the underlying control system during a training phase, and then during a detection phase, it measures the extent to which current sensor observations conform with the estimated dynamics. The thesis provides a comprehensive treatment of the introduced method by thoroughly discussing its theoretical basis, proving its efficacy through extensive experiments on various systems, and, finally, demonstrating its applicability to real environments.

Singular Spectrum Analysis

Industrial Control Systems

Intrusion Detection

Departure Detection

Stealthy Attacks

PASAD

Room ED, Hörsalsvägen 11, EDIT, Johanneberg, Chalmers
Opponent: Cristina Alcaraz, University of Malaga, Spain

Författare

Wissam Aoudi

Chalmers, Data- och informationsteknik, Nätverk och system

Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems

Proceedings of the ACM Conference on Computer and Communications Security,;(2018)p. 817-831

Paper i proceeding

The Nuts and Bolts of Deploying Process-Level IDS in Industrial Control Systems

Proceedings of the 4th Annual Industrial Control System Security Workshop ,;(2018)p. 17-24

Paper i proceeding

Säkra IT-system för drift och övervakning av samhällskritisk infrastruktur

Myndigheten för samhällsskydd och beredskap (2015-828), 2015-09-01 -- 2020-08-31.

Styrkeområden

Informations- och kommunikationsteknik

Ämneskategorier

Övrig annan teknik

Datavetenskap (datalogi)

Datorsystem

Utgivare

Chalmers

Room ED, Hörsalsvägen 11, EDIT, Johanneberg, Chalmers

Opponent: Cristina Alcaraz, University of Malaga, Spain

Mer information

Senast uppdaterat

2019-04-09