ARTINALI: Dynamic Invariant Detection for Cyber-Physical System Security
Maryam Raiyat Aliabadi, Amita Kamath, Julien Gascon-Samson, Karthik Pattabiraman

Cyber-Physical Systems
[Figure: distributed controllers (C1, C2, C3) connected over a network to the sensors (s1, s2, s3) and actuators (a1, a2, a3) of a physical process]

Motivation
CPS Security Requirements
[Figure: intervals labelled 1.5 sec]
Goal: Design an Automated, Real-time and Attack-neutral security solution for CPSes with respect to their resource constraints
• Real-time constraints
• Resource constraints
• Zero-day attacks
• No human-in-the-loop
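
Threat Model
[Figure: control loop between the cyber process (control algorithm) and the physical process over a communication network carrying measurements and commands, with attack entry points labelled A, B, C and D. Examples cited on the slide: Stuxnet [2010], [HealthCom 2013], CVE-2016-1516 [2016], [USENIX'2015]. Further labels: A, C, D; DENIED.]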

Previous work
• Intrusion Detection System (IDS)
– Signature-based IDSs [CSUR 2014]
– Anomaly-based IDSs [Computers & Security 2009]
– Specification-based IDSs [SmartGridComm 2010]
• Static analysis
• Dynamic analysis
• Invariant
– Energy usage >= 0

Dynamic Analysis-based Techniques (Invariant-based)
[Figure: existing invariant miners placed along the Data, Event and Time dimensions: Daikon [ICSE'01], Gk-tail [ICSE'08], Perfume property miner [ASE'14], Texada [ASE'15]]

Main Idea: Break down the search space
[Figure: time points (T1 ... Tk), events (E1 ... Ej) and data points (D1 ... Di); the joint D, E, T space is broken down into D|E and E|T]
D: Data, E: Event, T: Time
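
Methodology
• ARTINALI: A Real Time-specific Invariant iNference ALgorIthm
– 3 dimensions and 6 classes of invariants
[Figure: the three dimensions (Data, Event, Time) and the invariant classes between them]
– Data per event: P(D|E)
– Time per event: P(E|T)
– Data per time: P(D|T)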
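
An added sketch (not ARTINALI's code and not from the slides) of mining invariants along two of these dimensions from attack-free traces and checking a new trace against them. The range-based invariant forms, the event names, the `slack_ms` tolerance and all traces are constructed assumptions; the data-per-time class is left out.

```python
def _widen(bounds, key, x):
    """Grow the (min, max) range stored under key so that it covers x."""
    lo, hi = bounds.get(key, (x, x))
    bounds[key] = (min(lo, x), max(hi, x))

def mine(traces):
    """Learn range invariants from attack-free traces of (time_ms, event, value)."""
    data, gap = {}, {}  # event -> value range; (prev_event, event) -> delay range
    for trace in traces:
        prev = None
        for t, event, value in trace:
            _widen(data, event, value)
            if prev is not None:
                _widen(gap, (prev[1], event), t - prev[0])
            prev = (t, event)
    return data, gap

def check(trace, model, slack_ms=50):
    """Return (time_ms, violated_class, subject) for every broken invariant."""
    data, gap = model
    alerts, prev = [], None
    for t, event, value in trace:
        lo, hi = data.get(event, (None, None))
        if lo is None or not lo <= value <= hi:     # unseen event or value out of range
            alerts.append((t, "data-per-event", event))
        if prev is not None:
            key = (prev[1], event)
            if key not in gap:                      # transition never seen in training
                alerts.append((t, "event-order", key))
            else:
                lo, hi = gap[key]
                if not lo - slack_ms <= t - prev[0] <= hi + slack_ms:
                    alerts.append((t, "time-per-event", key))
        prev = (t, event)
    return alerts

# Constructed attack-free traces for a hypothetical meter loop (not SEGMeter data).
TRAIN = [
    [(0, "read", 4.2), (500, "send", 4.2), (1500, "ack", 0.0),
     (60000, "read", 3.9), (60400, "send", 3.9), (61500, "ack", 0.0)],
    [(0, "read", 5.1), (600, "send", 5.1), (1400, "ack", 0.0),
     (60100, "read", 4.7), (60600, "send", 4.7), (61600, "ack", 0.0)],
]
MODEL = mine(TRAIN)
CLEAN = [(0, "read", 4.5), (500, "send", 4.5), (1500, "ack", 0.0)]
DELAYED = [(0, "read", 4.5), (500, "send", 4.5), (3500, "ack", 0.0)]   # late ack
MUTATED = [(0, "read", 4.5), (500, "send", -2.0), (1500, "ack", 0.0)]  # altered value
SKIPPED = [(0, "read", 4.5), (1000, "ack", 0.0)]                       # send step missing

if __name__ == "__main__":
    for name, tr in [("clean", CLEAN), ("delayed", DELAYED), ("mutated", MUTATED), ("skipped", SKIPPED)]:
        print(name, check(tr, MODEL))
```

A value that is altered but stays inside the learned per-event range passes this check, which is one reason range invariants alone give false negatives.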

CPS platforms
• Advanced metering infrastructure (AMI)
– SEGMeter
• http://smartenergygroups.com
• Smart Artificial Pancreas (SAP)
– OpenAPS
• https://openaps.org/

Intrusion Detection System
[Figure: IDS prototype. Labelled components: CPS, tracing module, ARTINALI, Daikon, Texada, Perfume, invariant converter interface, CPS model (invariant set), intrusion detector. Other labels: Data, Event, Time; "To test"; "Attack detected!"]

Targeted attacks
CPS Platform      Targeted attack                      Attack entry point
AMI (SEGMeter)    Meter spoofing [ACSAC 2010]          Deception on A
AMI (SEGMeter)    Sync. tampering [ACSAC 2010]         Deception on D
AMI (SEGMeter)    Message dropping [CCNC 2011]         DoS on A
SAP (OpenAPS)     CGM spoofing [Healthcom 2011]        Deception on A
SAP (OpenAPS)     Stop basal injection [BHC 2011]      Deception and DoS on C
SAP (OpenAPS)     Resume basal injection [BHC 2011]    Deception and DoS on C
Takeaway: ARTINALI detected all targeted attacks successfully

Arbitrary Attacks
Data mutations
Branch flipping
Artificial delay insertion
Smart facial recognition system (CVE-2016-1516)
CGM spoofing in SAP, [BHC2011]
Synchronization tampering in smart meter, [ACSAC2010]

Accuracy Metrics
• False Negative Rate (FNR)
• False Positive Rate (FPR)
• F-Score(β)
– β > 1
– β < 1
– β = 1

F-Score(β) - Tuning/Training
[Figure: FP (%), FN (%), F-score(1), F-score(2) and F-score(0.5) against the number of training traces (5 to 40) for the ARTINALI-based IDS for OpenAPS; the maximum F-Score(2) is marked]
[Figure: panels (a) Daikon, (b) Texada, (c) Perfume, (d) ARTINALI for SEGMeter and OpenAPS; axes: number of training traces, %; label: maximum F-Score(2)]

False Negatives' Rate - SEGMeter
• ARTINALI-based IDS reduces the ratio of FN by 89 to 95% compared with the other tools across both platforms.
[Figure: FNR (%) with 95% confidence interval for Daikon, Texada, Perfume and ARTINALI; series: data mutation, branch flipping, artificial delays, aggregated FN]

False Positives' Rate - SEGMeter
• ARTINALI-based IDS reduces the ratio of FP by 20 to 48% compared with the other tools across both platforms.
[Figure: FPR (%) with 95% confidence interval for Daikon, Texada, Perfume and ARTINALI]
(15-12)/15 = 20% improvement

Overheads
Tool        Performance overhead (%)    Detection time (sec)    Memory usage
Daikon      27.3                        16.63                   1.24 MB
Texada      23.7                        14.45                   3.21 MB
Perfume     32.08                       19.57                   3.94 MB
ARTINALI    31.6                        19.25                   2.96 MB
SEGMeter
[Figure: timeline (T0, T0+60, T0+120) showing the CPS 1st, 2nd and 3rd executions and the IDS 1st and 2nd executions]

Summary and Future Work
• ARTINALI: A Multi-Dimensional model for CPS
– Captures data-event-time interplay
– Introduces Real-time data invariants
– Increases the coverage of IDS
– Decreases the rate of false positives
– Imposes comparable overheads
• Examine generalizability of ARTINALI
– Unmanned Aerial Vehicle (UAV)
• https://github.com/karthikp-ubc/Artinali