Effect of Intrusion Detection and Response on Reliability...
![Page 1: Effect of Intrusion Detection and Response on Reliability …people.cs.vt.edu/~irchen/5214/paper/Mitchell-tr13-slide... · PPT file · Web view2015-11-16 · Anomaly based. Specification](https://reader031.vdocuments.us/reader031/viewer/2022030823/5b38de467f8b9abd438dc0ca/html5/thumbnails/1.jpg)
Speakers: Yanyan Ni, Yeze Li
Outline
Introduction
System Model
Model and Analysis
Parameterization
Numeric Data
Introduction
• A cyber physical system (CPS) comprises sensors, actuators, control units, and physical objects for controlling and protecting a physical infrastructure.
• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station.
• Three detection techniques:
– Signature based
– Anomaly based
– Specification based
• An intrusion detection and response system (IDRS) detects and responds to malicious events at runtime.
Objective
• A CPS often operates in a rough environment:
– energy replenishment is not possible
– nodes may be compromised at times
• An IDRS must detect malicious nodes without unnecessarily wasting energy, so as to prolong the system lifetime.
• Goal: maximize the reliability or lifetime of a CPS designed to sustain malicious attacks over a prolonged mission period without energy replenishment.
Methodology and Contribution
• Develop a probability model to assess the reliability property of a CPS equipped with an IDRS.
• Consider a variety of attacker behaviors and identify the best design settings of the detection and response strength, when given a set of parameter values characterizing the operational environment and network conditions.
• Parameterization of the model using the properties of the IDS system is one major contribution of the paper.
System Model
Reference CPS
Security Failure
• Byzantine fault model
– One-third or more of the nodes are compromised
– The control unit is not able to obtain any sensor reading consensus
• Impairment failure
– A compromised CPS node performing active attacks without being detected can impair the functionality of the system
– Impairment by a bad node over an impairment-failure period without being detected will severely impair the system and cause the system to fail
Attack Model
• Define:
– A node capture attack turns a good node into a bad insider node
– Capture attacks of sensor-actuator nodes
• Models:
– Persistent: attacks with probability one
– Random: attacks with probability P_random
– Insidious: hidden all the time
Host Intrusion Detection
• Core techniques:
– Behavior rule specification
• Specifies the behavior of an entity by a set of rules.
– Vector similarity specification
• Compares the similarity of a sequence of sensor readings, commands, or votes among entities performing the same set of functions.
• Applied to the reference CPS:
– Detects whether the location sequence deviates from the expected location sequence
– Detects dissimilarity of vote sequences among neighbors
Measurement of compliance degree
• Maximum likelihood estimates of α and β:
Host Intrusion Detection
System Intrusion Detection
• Based on majority voting of host IDS results, to cope with the incomplete and uncertain information available to nodes in the CPS
• System-level IDS technique:
– Selection of m detectors
– The invocation interval T_IDS, chosen to best balance energy conservation against intrusion tolerance
• The system IDS is characterized by: and
Intrusion Response
• The IDRS reacts to malicious events detected at runtime by adjusting C_T
• Increasing attacker strength → increasing C_T
• To compensate for the negative effect, the IDRS increases the audit rate or the number of detectors to reduce the false positive probability, at the expense of more energy consumption.
Model and Analysis
Parameters
• Input parameters:– , , , , , , ,
• Derived parameters:– , , ,
Parameterization
Parameterization
System-Level IDS and
and highly depend on the attacker behavior
Persistent attacker
Random attacker
Insidious attacker
Persistent attacker: Random attacker: Insidious attacker: else,
Calculation of
The first summation aggregates the probability of a false negative stemming from selecting a majority of active bad nodes.
The second summation aggregates the probability of a false negative stemming from selecting a minority of nodes from the set of active bad nodes which always cast incorrect votes.
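An added worked example, not from the slides or the paper, of the two-summation calculation described above: the system-level false negative probability when m detectors are drawn from the N = n_good + n_bad voting nodes and decide by majority vote. Splitting it into a hypergeometric selection term and a binomial term over the good detectors' per-host false negative probability p_fn is my reconstruction of the two sentences above, and the node counts are constructed.

```python
from math import comb


def p_select(n_good, n_bad, m, i):
    """Hypergeometric probability that exactly i of the m detectors drawn
    (without replacement) from the n_good + n_bad voting nodes are bad."""
    if i < 0 or i > n_bad or m - i < 0 or m - i > n_good:
        return 0.0
    return comb(n_bad, i) * comb(n_good, m - i) / comb(n_good + n_bad, m)


def p_good_votes_wrong(k, p_fn, at_least):
    """Probability that at least `at_least` of k good detectors each suffer
    a per-host false negative (independently, with probability p_fn)."""
    return sum(comb(k, j) * p_fn ** j * (1 - p_fn) ** (k - j)
               for j in range(max(at_least, 0), k + 1))


def system_false_negative(n_good, n_bad, m, p_fn):
    """System-level false negative probability of majority voting over m
    detectors (m odd). Active bad nodes always cast the incorrect vote
    ("good") for a bad target; good detectors do so with probability p_fn.
    Assumed model reconstructed from the slide text, not the paper's formula."""
    majority = m // 2 + 1
    # First summation: the selected detectors are a majority of bad nodes.
    first = sum(p_select(n_good, n_bad, m, i) for i in range(majority, m + 1))
    # Second summation: bad nodes are a minority, but their i incorrect votes
    # plus enough erring good detectors still reach the majority.
    second = sum(p_select(n_good, n_bad, m, i)
                 * p_good_votes_wrong(m - i, p_fn, majority - i)
                 for i in range(0, majority))
    return first + second


if __name__ == "__main__":
    # Constructed population: 90 good nodes, 10 active bad nodes, p_fn = 5 %.
    for m in (1, 3, 5, 7):
        print(f"m={m}: P_fn(system) = {system_false_negative(90, 10, m, 0.05):.6f}")
```

With m = 1 the result collapses to n_bad/N + (n_good/N)·p_fn; raising m lowers the system-level false negative probability, which is the trade against energy that the detector-count knob on the Intrusion Response slide refers to.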
• Persistent attacks:
• Random attacks:
• Insidious attacks:
(Using the same minimum )
The is the one in the all-in attack period.
(Here we introduce a dynamic IDS response which….)
• Dynamic IDS with the goal of maximizing the system lifetime.
• Attacker strength: based on the observation during is compared with
: Represents the attacker strength at time t.
Bad node
A simple yet efficient IDS response design
• When the attacker strength is high, to remove the active attackers in the system quickly
• When there is little attacker evidence, we lower the value of so we may quickly decrease the probability of a good node being misidentified as a bad node.
So it will prevent ……
•
Linear one-to-one mapping function:
1 , A node ?
A large induces a small per-host false negative probability at the expense of……
•
Here a node spends energy to transmit a CDMA waveform. Each of its neighbors spends energy to receive the waveform and further energy to transform it into a distance. This operation is repeated times to determine a sequence of locations.
Numerical Data
Effect of Intrusion Detection Strength
Effect of Attacker Behavior
Effect of Intrusion Response
Future Work
• Investigating other intrusion detection criteria (accumulation of deviation)
• Investigating other intrusion response criteria
• Exploring other attack behavior models
• Developing a more elaborate model to describe the relationship between intrusion responses and attacker behaviors