Posted on 11-Aug-2015

1

Universita degli Studi di Milano

Composite Intrusion Detection in Process Control Networks

Julian L. Rrushi

2

Overview

• This dissertation develops a multi-algorithmic intrusion detection approach for operation in a networked process control environment

• The intrusion detection approach can be used to detect layer-7 attacks on industrial process control systems

• It can also be used to detect the spread of worm code over a process control network, network insertion of rootkit code into the memory of a compromised control system, synchronization of logic bombs or other malware in a process control network, and valid but destructive network packets generated by malicious insiders

3

Background

4

Capturing the Behavior of a Cyber-Physical System

• We have found that the behavior of a physical process is reflected as evolutions of specific RAM content…

• …and that the behavior of network traffic in a process control network is also reflected as evolutions of specific RAM content

• Well-behaved network traffic and physical processes are characterized by specific evolutions of specific RAM content, which in this research we refer to as normal evolutions

• For a network packet to be classified as normal, its payload should cause a normal evolution of RAM content

• Thus, in this work the challenge of anomaly detection takes the form of estimating normal evolutions of RAM content

5

Estimation-Inspection (EI) Algorithm

• The evolutions of values of each variable are modeled as a stochastic vector

• The challenge is the construction of probability mass functions, which consult RAM content and return stochastic vectors

• In this dissertation a probability mass function is developed via a series of logistic regression models

• The Estimation part of the EI algorithm uses logistic regression and maximum likelihood estimation to estimate statistical parameters

• The Inspection part of the EI algorithm uses those statistical parameters in logistic regression formulae to estimate the normalcy probability of payload content
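The Estimation and Inspection steps above, carried through on one RAM variable as an added example (not code from the dissertation). The training sample, the valid range 0..100 and the three features (bias, normalised step size, out-of-range flag) are constructed assumptions; the fit is plain gradient ascent on the logistic log-likelihood, standing in for whatever maximum likelihood procedure the dissertation used.

```python
from math import exp

# Constructed training sample for one control variable held in controller
# RAM (a setpoint with valid range 0..100). Each entry is (value before the
# write, value the packet payload would write, label); label 1 = normal
# evolution, 0 = abnormal. Real traces would be captured from the controller.
TRAINING = (
    [(v, v + d, 1) for v in range(10, 91, 10) for d in (-3, -1, 0, 2, 4)]  # small in-range steps
    + [(v, v + d, 0) for v in range(10, 91, 10) for d in (-40, 35, 60)]    # large jumps
    + [(v, w, 0) for v in (20, 50, 80) for w in (-10, 130, 255)]           # out-of-range writes
)

def features(before, after):
    """Feature vector for one RAM-content evolution: bias term, normalised
    step size, and an indicator for a write outside the variable's range."""
    return [1.0, abs(after - before) / 100.0, 0.0 if 0 <= after <= 100 else 1.0]

def sigmoid(z):
    return 1.0 / (1.0 + exp(-z))

def estimate(training, rate=2.0, epochs=2000):
    """Estimation step: fit logistic-regression weights by maximum likelihood,
    here with batch gradient ascent on the log-likelihood."""
    rows = [(features(b, a), y) for b, a, y in training]
    w = [0.0, 0.0, 0.0]
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in rows:
            err = y - sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
            for i in range(3):
                grad[i] += err * x[i]
        w = [wi + rate * g / len(rows) for wi, g in zip(w, grad)]
    return w

def inspect(weights, before, after):
    """Inspection step: normalcy probability of the evolution that writing
    `after` over `before` would cause; a low value flags the packet."""
    z = sum(wi * xi for wi, xi in zip(weights, features(before, after)))
    return sigmoid(z)

if __name__ == "__main__":
    w = estimate(TRAINING)
    for before, after in ((50, 52), (50, 95), (50, 130)):
        print(before, "->", after, "normalcy", round(inspect(w, before, after), 3))
```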

6

Probabilistic Validation of the EI Algorithm

On the Rationality of Simulation-based Validation

• Simulation-based validation is commonly employed in environments in which experimentation with real world equipment and/or physical phenomena is not available or feasible

• Examples include conflict detection algorithms that are used in airborne collision avoidance systems

• Several procedures for validating the effectiveness of radar algorithms to detect and classify moving targets

• And so forth

8

Leveraging Specification-based Detection

9

Supervisory Control Specifications

• A system operator interacts with an HMI to operate a nuclear power plant over a process control network. Such operation is conducted according to precise supervisory instructions

• An example of a supervisory instruction is the consultation of a power-to-flow operating map to keep thermal power within predefined thresholds

• It is such supervisory instructions from which we derive specifications in the form of activity network models that reason in terms of network packets

• A concrete case study is the development of an activity network model that detects any network packet that has potential for inducing stresses on the walls of a reactor pressure vessel
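An added example of a specification derived from the power-to-flow instruction above, reasoning over packets (not the dissertation's activity network models). The map values, the packet abstraction and the rule "a power write is acceptable only if the last consulted flow places it inside the band" are constructed assumptions.

```python
# Constructed power-to-flow operating map: for a given core flow (% of
# rated) the thermal power band (% of rated) the operator may hold. The
# numbers are illustrative only, not taken from any plant documentation.
POWER_TO_FLOW_MAP = [  # (flow %, min power %, max power %)
    (30.0, 0.0, 40.0),
    (50.0, 10.0, 60.0),
    (70.0, 30.0, 80.0),
    (100.0, 50.0, 100.0),
]

def allowed_power_band(flow):
    """Interpolate the map linearly to get (min, max) power at this flow;
    flows beyond the tabulated range use the nearest tabulated row."""
    rows = POWER_TO_FLOW_MAP
    if flow <= rows[0][0]:
        return rows[0][1], rows[0][2]
    if flow >= rows[-1][0]:
        return rows[-1][1], rows[-1][2]
    for (f0, lo0, hi0), (f1, lo1, hi1) in zip(rows, rows[1:]):
        if f0 <= flow <= f1:
            t = (flow - f0) / (f1 - f0)
            return lo0 + t * (lo1 - lo0), hi0 + t * (hi1 - hi0)

class SupervisorySpecification:
    """Activity model for "consult the map before changing power": a power
    setpoint write is acceptable only if the most recently read core flow
    places the requested power inside the map band. Packets are dicts
    {"op": "read"|"write", "var": ..., "value": ...}, a constructed
    abstraction of decoded control-protocol packets."""

    def __init__(self):
        self.last_flow = None  # flow value from the operator's latest consultation

    def check(self, packet):
        """Return (verdict, reason) for one packet."""
        if packet["op"] == "read" and packet["var"] == "core_flow":
            self.last_flow = packet["value"]
            return "ok", "operating map consulted"
        if packet["op"] == "write" and packet["var"] == "power_setpoint":
            if self.last_flow is None:
                return "alert", "power write without a prior flow reading"
            lo, hi = allowed_power_band(self.last_flow)
            if not lo <= packet["value"] <= hi:
                return "alert", f"power {packet['value']} outside [{lo:.1f}, {hi:.1f}] at flow {self.last_flow}"
            return "ok", "within operating map"
        return "ok", "not covered by this specification"
```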

10

Automatic Control Specifications

• The logic of automatic operation is encoded into control applications that run in control systems

• We derive specifications in the form of activity network models from control applications

• Redundant program execution does not seem to be necessary

• We consider functions of a control application that read from or write to network sockets in conjunction with program variables stored in the RAM of a control system

• A case study is the development of an activity network model that recognizes network packets that protect a reactor from unsafe conditions created by a fault in any of the water pumps

11

Mirage Theory - Definition

Mirage theory consists of actions devised to deliberately mislead an adversary about digitally controlled physical processes and equipment, such as nuclear power plants, thereby causing the adversary to take specific actions that contribute to the detection of his/her intrusion into process control networks

Inspired by Operation Fortitude South, mirage theory exploits the adversary's reliance on analysis of intercepted network data to infer the presence and characteristics of physical targets, and the adversary's lack of means to verify that intercepted traffic is indeed generated by existing physical targets

12

Exploiting Reconnaissance Analyses

13

Elements of Mirage Theory

• A continuous space constructed via computer simulation or emulation of physical processes and equipment

• A discrete space formed by process control systems and networks that are deployed and configured as if they were to monitor and control a real physical process through real sensors and actuators

• An artificial boundary between the continuous and discrete spaces, developed ad hoc to allow regular interaction between those spaces and also to prevent an adversary from crossing the discrete space

14

Boundary Between Continuous and Discrete Spaces

15

Detecting Foreign Network Traffic

Bayesian Theory of Confirmation

Deriving an Incomplete-data Space

Estimation of Hypothesis-based Probabilities

• We compute the complete-data sample expected by a given probability distribution first

• We then compute the maximum likelihood estimate, i.e. the probability distribution that maximizes the probability of the complete-data sample

• The maximum likelihood estimate is equal to the relative frequency estimate, given that our probability model is unconstrained

• This cycle is repeated until reaching a probability distribution that produces a maximal probability of the complete-data sample

• The hypothesis-based probability of evidence is equal to the product of the hypothesis-based probabilities of the individual variables that compose it

Estimation of Prior Hypotheses Probabilities

Bayesian Comparison of Competing Hypotheses

We apply Bayes' theorem in its ratio form to have the normalcy and abnormality hypotheses compete against each other:

The hypothesis that holds is the one with the highest probability as estimated by Bayes' theorem
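The estimation cycle and the ratio-form comparison above, as an added example that is not the dissertation's code. The records, the two binned variables and the prior are constructed; the cycle over the incomplete data (expected complete-data sample, then the relative-frequency maximum likelihood estimate) is written out as stated on the slides, and the per-variable product for P(E | H) uses a small floor so an unseen value does not zero the whole product.

```python
# Constructed evidence records under each hypothesis: tuples of discrete
# (binned) RAM variable values, with None marking a value that was not
# observed. The missing entries are what make the data space incomplete.
NORMAL_RECORDS = [
    ("low", "open"), ("low", "open"), ("mid", "open"), ("mid", None),
    (None, "open"), ("low", "open"), ("mid", "open"), ("low", None),
]
ABNORMAL_RECORDS = [
    ("high", "closed"), ("high", None), (None, "closed"), ("mid", "closed"),
    ("high", "closed"), ("high", "open"),
]
DOMAINS = [("low", "mid", "high"), ("open", "closed")]  # value set of each variable

def em_distribution(records, domains, iters=100, tol=1e-9):
    """Per-variable distributions under one hypothesis. Each cycle computes the
    complete-data sample expected under the current distribution, then the
    MLE, i.e. the relative frequency (unconstrained model); stop at a fixed point."""
    dists = [{v: 1.0 / len(dom) for v in dom} for dom in domains]
    for _ in range(iters):
        new = []
        for i, dom in enumerate(domains):
            counts = {v: 0.0 for v in dom}
            for rec in records:
                if rec[i] is None:
                    for v in dom:
                        counts[v] += dists[i][v]  # expected share of the missing value
                else:
                    counts[rec[i]] += 1.0
            new.append({v: counts[v] / len(records) for v in dom})
        change = max(abs(new[i][v] - dists[i][v]) for i, dom in enumerate(domains) for v in dom)
        dists = new
        if change < tol:
            break
    return dists

def evidence_probability(evidence, dists, floor=1e-6):
    """P(E | H) as the product of per-variable probabilities, floored for unseen values."""
    p = 1.0
    for i, v in enumerate(evidence):
        p *= max(dists[i].get(v, 0.0), floor)
    return p

def compare_hypotheses(evidence, prior_normal=0.9):
    """Ratio form of Bayes' theorem: posterior odds = prior odds * likelihood ratio."""
    d_normal = em_distribution(NORMAL_RECORDS, DOMAINS)
    d_abnormal = em_distribution(ABNORMAL_RECORDS, DOMAINS)
    odds = (prior_normal / (1.0 - prior_normal)) * (
        evidence_probability(evidence, d_normal) / evidence_probability(evidence, d_abnormal))
    return ("normal" if odds > 1.0 else "abnormal"), odds
```

With independent variables the cycle converges to the relative frequency among the observed entries of each variable, which is what the slides state about the unconstrained model.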

Empirical Testing

• The multi-algorithmic IDS was tested in a testbed that resembles the networked process control environment of a nuclear power plant

• A number of test vulnerabilities and exploitations were introduced to facilitate the tests

• Both the EI algorithm and the physical-process-aware specification-based approach exhibited a false alarm rate of 0 false positives/hr and a probability of detection of 0.98

• The Bayesian theory of confirmation was tested via a technique that we refer to as detection failure injection

• The corrective effect of the Bayesian theory of confirmation turned out to be proportional to the degree of detection failure injection

Conclusions

• The effectiveness of the multi-algorithmic IDS is indicative of the potential of evolutions of specific RAM content to capture the normal behavior of a cyber-physical system such as a power plant

• The application of statistics and probability theory along with expert knowledge within the multi-algorithmic IDS has proven to be effective in leveraging those evolutions for anomaly detection

• The multi-algorithmic IDS provides for near-real-time detection of attacks, and hence is not heavyweight

• This is mainly due to the fact that the detection intelligence is created offline before deployment