On Survivability of Mobile Cyber Physical Systemswith Intrusion Detection

1

Presented by: Ting Hua

Authors: Robert Mitchell, Ing-Ray Chen

Outline

2

• Introduction• System Model / Reference Configuration• Theoretical Analysis• Numerical Data• Simulation• Conclusion

Introduction

3

• Problem– address the survivability issue of a mobile cyber

physical system(MCPS)• Key issue

– best balance between energy conservation and intrusion tolerance

• Highlight of the scheme– dynamic voting-based intrusion detection

Outline

4

• Introduction• System Model / Reference Configuration• Theoretical Analysis• Numerical Data• Simulation• Conclusion

Node Model

5

Computing

Sensing Energy

Communicating

System Model

6

• Ranging– transmit a CDMA waveform to neighbors– receive the waveform from neighbors– transform received waveform into distance

• Sensing– sensing data– analyzing sensed data

• Intrusion detection– choose m intrusion detectors– vote

• Node capture

• Bad data injection– Attack from inside– False vote

Attack Model

7

Attack

• Security Failure： Byzantine fault model– One-third or more of the nodes are compromised, then the

system fails.• Energy Exhaustion• Our goal: maximizing the lifetime until energy exhaustion

System Fails

8

Attack

Per-node Security Fault

• Per-node false negative– a single intrusion detector misidentifies a bad

node as a good node.

• Per-node false positive – a single intrusion detector misidentifies a good

node as a bad node

9

System-wide Security Fault

• System-wide false negative – a pool of intrusion detectors reaches an incorrect

majority decision that a bad node is good.

• System-wide false positive– a pool of intrusion detectors reaches an incorrect

majority decision that a good node is bad.

10

Combined intrusion detection• Per-host intrusion detection

– event sequence matching： determines a sequence of location of a neighbor node

• System intrusion detection – Select m voters

• coordinator is selected randomly among neighbors• The coordinator then selects m voters randomly (including itself)

– Voting• Majority• Dynamical: m, detection interval, depending on the percentage of bad nodes

𝑝 𝑓𝑛𝑝 𝑓 𝑝

𝑃 𝑓 𝑛𝑃 𝑓 𝑝

Outline

12

• Introduction• System Model / Reference Configuration• Theoretical Analysis• Numerical Data• Simulation• Conclusion

SPN model for MCPS

• Nodes: places to hold tokens.• Ng: the number of good nodes.• Nb: the number of bad nodes undetected. • Ne: the number of nodes evicted.• Energy: a binary variable.

• 1 : energy availability. • 0 : indicating energy exhaustion.

SPN model for MCPS

• Events: transitions.• TCP: good nodes being compromised.• TFP: a good node being falsely identified as compromised.• TIDS: a bad node being detected as compromised correctly.• TENERGY: energy exhaustion.

Voting-based intrusion detection

Underlying semi-Markov model of the SPN mode

Initial state128 sensor-carried mobile nodes

Underlying semi-Markov model of the SPN mode

TCP-Good nodes may become compromised because of insider attacks -per-node compromising rate λ

aggregate rate

Underlying semi-Markov model of the SPN mode

TIDS-a bad node is detected as compromised

(𝑁 𝑔 ,𝑁𝑏−1 ,𝑁𝑒+1 ,𝑒𝑛𝑒𝑟𝑔𝑦 )

Underlying semi-Markov model of the SPN mode

TFP-a good node is detected as compromised

(𝑁 𝑔−1 ,𝑁 𝑏 ,𝑁𝑒+1 ,𝑒𝑛𝑒𝑟𝑔𝑦 )

Underlying semi-Markov model of the SPN mode

TENERGY-system energy is exhausted after N × TIDS intervals-energy exhaustion event can possibly occur in any state, when energy is still available

(𝑁 𝑔−1 ,𝑁 𝑏 ,𝑁𝑒+1 ,𝑒𝑛𝑒𝑟𝑔𝑦 )

False Alarm Probability

selecting a majority of bad nodes

selecting a majority of good nodes

K of good nodes make false negative decision

choose a minority of bad nodes from the setof all bad nodes

Choose a majority of bad nodes from the set o f all bad nodes

Choose a minority of good nodes from the set o f all good nodes

False Alarm Probability

selecting a majority of bad nodes

selecting a majority of good nodes

K of good nodes make false negative decision

choose a minority of bad nodes from the setof all bad nodes

Choose a majority of bad nodes from the set o f all bad nodes

Choose a minority of good nodes from the set o f all good nodes

Underlying semi-Markov model of the SPN mode

dynamically adjust the transition ratesto TIDS and TFP

Dynamic voting-based intrusion detection in response to changing environments

Survivability Assessment

• Mean time to failure(MTTF)– Failure

• Energy is exhausted: energy=0• Big bad node population:

– How to Calculate?• the accumulated “ reward” o f the underlying semi-

Markov reward model

• Reward

Outline

24

• Introduction• System Model / Reference Configuration• Theoretical Analysis• Numerical Data• Simulation• Conclusion

• Objective– Optimal values of TIDS and m to maximize MTTF

• Maximum number N of intrusion detection cycles before energy exhaustion

Numerical Data

System Model

26

• Ranging– transmit a CDMA waveform to neighbors– receive the waveform from neighbors– transform received waveform into distance

• Sensing– sensing data(navigation and multipath mitigation data)– analyzing sensed data

• Intrusion detection– choose m intrusion detectors– vote

Numerical Data

Energy spent for ranging, sensing, and intrusion detection in a TIDS interval per node

Node population in MCPS

neighborsrepeated for α times for determining a sequence o f locations

Energy spent in choosing m intrusion detectors to evaluate a target node

Energy spent in m intrusion detectors to vote

• TIDS

– Too small• performs ranging, sensing and

intrusion detection too frequently

• quickly exhausts energy– Increases

• save more energy and lifetime increases

– Too large• intrusion detection less

frequently, fails to catch bad nodes often enough

• Byzantine failure: 1 /3 or more bad nodes out of the total population

Results-Theoretical

• M: number of intrusion detectors – General trend

• m decreases, optimal TIDS value

• Less intrusion detection, higher invocation frequency to prevent security failures

– M=5• too many

– energy exhaustion failure• too few

– security failure

Results-Theoretical

• Compromising rate λ increases– MTTF decreases

• higher λ will cause more compromised nodes

– Optimal TIDS decreases• more compromised

nodes, intrusion detection more frequently to maximize MTTF

Results-Theoretical

• MTTF- – Low

• lower m benefits MTTF– High

• higher m benefits MTTF

Results-Theoretical

Outline

32

• Introduction• System Model / Reference Configuration• Theoretical Analysis• Numerical Data• Simulation• Conclusion

• Simulation Tool– SMPL

• Schedules events– node capture– intrusion detection audits– energy exhaustion

• A simulation run ends：– security failure– exhausts energy– all nodes have been evicted

• MTTF– grand mean out of a large number of MTTF– batch means analysis to satisfy 95% confidence level and 10% accuracy

requirements – grand mean falls within 10% of the true mean with 95% confidence

Results-Simulation

Results-Simulation

Simulation Results Analytical results

• Matches well– One peak with similar peak value– a left/positive skew– pronounced right tail

Outline

35

• Introduction• System Model / Reference Configuration• Theoretical Analysis• Numerical Data• Simulation• Conclusion

• System failure definition– energy exhaustion– security failure

• Optimal design settings for voting-based intrusion detection– Input:

• per-node false alarm probabilities • pre-node compromise rates λ

– Output• Best number of detectors (m )• Best intrusion detection interval (TIDS)

Conclusion