secure detection using binary sensors - ptolemy project · conventional methods of security...
Secure Detection Using Binary Sensors
Rohan Chabukswar, Yilin Mo, Bruno Sinopoli
SCADA Systems
• Supervisory Control And Data Acquisition Systems
• Used to Monitor and Control critical processes
– Industrial Processes (Production, Refining)
– Infrastructure (Water/Gas/Power Distribution)
– Facility Based (Airports, Buildings, Ships)
Importance of Security
Attacker could:
• Gain access and modify sensors, actuators
• Cause commercial loss
• Cause grid failure, communication breakdown, air traffic disruption
• Weaken community before full-fledged invasion
• Endanger human lives
Example
• The Stuxnet worm recorded sensor outputs of certain centrifuges in normal working conditions
• It played back these outputs while making the centrifuges spin above and below the rated speeds
• The attack was virtually undetectable because the sensors appeared to report that the centrifuges were in normal working conditions
Conventional Methods of Security
• Obscurity
• Presumed Security
• Redundancy
• Cryptographic Principles
• Authorization
• Authentication
Secure Detection Using Binary Variables
• Binary state, binary sensors
• More than just an interesting case to look at
• Superfluous to consider continuous readings from all sensors
• Infeasible for sparse, low-powered communication network
• Infeasible for small embedded processors
• Sensors make a decision based on the information they have
• Controller makes the overall decision
Problem Formulation
• Binary random variable X
$$X = \begin{cases} 0 & \text{with probability } P_0 \\ 1 & \text{with probability } P_1 \end{cases}$$
• $P_0, P_1 \ge 0$, $P_0 + P_1 = 1$, $P_1 \ge P_0$
Problem Formulation
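Measurement Vector
$$Y = \begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_m \end{pmatrix} \in \{0,1\}^m$$
False Alarm
$$P(y_i = 1 \mid X = 0) = \alpha_i, \qquad P(y_i = 0 \mid X = 0) = 1 - \alpha_i$$
Detection
$$P(y_i = 1 \mid X = 1) = \beta_i, \qquad P(y_i = 0 \mid X = 1) = 1 - \beta_i$$
$$i = 1, 2, \ldots, m$$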
Attack Strategy
• Attacker wants to increase the probability of the detector making a wrong estimate of X, where $\hat{x} = f(Y)$.
• Attacker has the ability to flip up to l of the m sensor measurements (of course, the detector does not know which l have been changed)
• Conservatively, the attacker has full information of the system: the state X and all the measurements y1, y2, …, ym.
• Full disclosure — attacker knows the detection/estimation function used (f).
Detection Problem
• Select optimal detector
• To minimize probability of error (or maximize probability of detection)
$$\hat{x} = f(y^c) = f(y \oplus y^a)$$
$$y^a \in \{0,1\}^m, \quad \|y^a\| \le l$$
Imperturbable Sets
• We are maximizing worst-case probability of error
• We focus on the sets of sensor measurements for which, if those are the measurements provided by the sensors, the adversary can never affect enough of them to change the detector output
$$Y_0 = \{\, y : f(y \oplus y^a) = 0,\ \forall y^a \in \{0,1\}^m,\ \|y^a\| \le l \,\}$$
$$Y_1 = \{\, y : f(y \oplus y^a) = 1,\ \forall y^a \in \{0,1\}^m,\ \|y^a\| \le l \,\}$$
Example
• Consider f to be a simple voting scheme among 4 sensors
• Attacker can attack up to 2 sensors
$$f(y) = \begin{cases} 0 & \text{if } \|y\| \le 4 \\ 1 & \text{if } \|y\| > 4 \end{cases}$$
$$Y_0 = \{\, y : \|y\| \le 2 \,\}$$
$$Y_1 = \{\, y : \|y\| \ge 7 \,\}$$
Detection Problem
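$$\max_{Y_0, Y_1} \; P_0 \sum_{y \in Y_0} \left( \prod_{i=1}^{m} \alpha_i^{y_i} \cdot \prod_{i=1}^{m} (1-\alpha_i)^{(1-y_i)} \right) + P_1 \sum_{y \in Y_1} \left( \prod_{i=1}^{m} \beta_i^{y_i} \cdot \prod_{i=1}^{m} (1-\beta_i)^{(1-y_i)} \right)$$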
Half or More Sensors Attacked
• Theorem
If more than half the sensors are attacked, at least one of Y0 or Y1 is empty
• If more than half the sensors are attacked, the detector should throw away all measurements and always give an output based on a priori probabilities, P0 and P1
Fewer Than Half Sensors Attacked
• Lemma: For any Y0, Y1 such that d(Y0, Y1) ≥ 2l+1, and a detector f that uses d(y, Y0) ≶ d(y, Y1), Y0 and Y1 are imperturbable sets
• An intuitive way to see this result is that since each attacked sensor counteracts the measurement provided by an unattacked sensor, an attack on l out of m sensors essentially means that the detection is carried out using the measurements provided by (m − 2l) sensors
Special Case — l=(m–1)/2
• Y0 and Y1 are singleton sets
[Figure: the sets Y0 and Y1]
Complexity of Search Space
• The space of all possible measurements is $\{0,1\}^m$, i.e., $2^m$ possible values of y
• Each value can be in Y0, Y1, or neither
• This gives us a formidable $3^{2^m}$ possible ways of designing the detector
Complexity
• Once Y0 is fixed, for a given l, Y1 can be maximized by using all points that are at distance 2l + 1 or more from all points in Y0
• This involves finding out all points at a distance 2l + 1 or more from each point in Y0, and then taking the intersection of these
• Even so, we need to fix Y0, which still leaves us with $2^{2^m}$ possible ways
• This double-exponential behavior of the enumerations makes a brute-force search impractical beyond a very small value of m
• Computers will run out of memory by m = 5; m = 6 is intractable
Case — All Sensors Equivalent
• It is unlikely ever to be the case that each sensor is unlike every other sensor
• In a practical application, most, if not all, sensors would have their false alarm and detection rate equal
• Even if the performance parameters are not exactly equal, they would be close enough to each other, that the sensors can be assumed to be equivalent
Case — All Sensors Equivalent
The detector function is a symmetric boolean function, and the output of the detector is a function of only the number of ones or zeros in the measurement y (Wegener (1987))
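$$\alpha_i = \alpha, \quad \beta_i = \beta \qquad \forall i = 1, 2, \ldots, m$$
$$\max_{Y_0, Y_1} \; P_0 \sum_{y \in Y_0} \left( \alpha^{\|y\|} \cdot (1-\alpha)^{(m - \|y\|)} \right) + P_1 \sum_{y \in Y_1} \left( \beta^{\|y\|} \cdot (1-\beta)^{(m - \|y\|)} \right)$$
• Theorem
The optimal function $g(\|y\|)$, defined to be a symmetric boolean function with the maximum worst-case probability of detection, is monotonically increasing.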
Outline of Proof
[Figure: g plotted against y, with regions labelled Y0, Y1, Y1, Y0]
[Figure: g plotted against y, with regions labelled Y0, Y1]
Outline of Proof
• The worst-case probability of detection of any function g can only be increased by removing the first such kink in g
• If g has more than one kink, upon removal of the first kink in g, there will be a new “first kink” in the new function
• The above result can be applied successively to each such kink
• The optimal g, the one that has the maximum worst-case probability of detection, has no such kinks
• The optimal g has to be monotonically increasing, defined by one 0→1 transition at n
Detector Function
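$$Y_0 = \{\, y : \|y\| \le n \,\}$$
$$Y_1 = \{\, y : \|y\| \ge n + 2l + 1 \,\}$$
$$f(y) = \begin{cases} 0 & \text{if } \|y\| \le n + l \\ 1 & \text{if } \|y\| \ge n + l + 1 \end{cases}$$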
Value of n
P0 = P1 = 0.5, α=0.3, β=0.7
Value of n
P0 = P1 = 0.5, α=0.3, β=0.35
Value of n
P0 = 0.3, P1 = 0.7, α=0.2, β=0.8
Value of n
• Impossible to predict a closed form expression for n
• Only solution is exhaustive search for n = 0 through n = m − 2l − 1
• This is a linear search, tractable even for large values of m and l
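The linear search for n described above, as an added example (not code from the original slides): it evaluates the equivalent-sensor objective at each n, picks the best, and brute-forces whether the resulting Y0 and Y1 survive a given number of flips. The function names, the `budget` parameter and the choice m = 9, l = 2 are assumptions made for this illustration; the priors and rates are one parameter set quoted on the slides.

```python
from itertools import combinations
from math import comb

def score(n, m, l, p0, p1, alpha, beta):
    """Slide objective with Y0 = {||y|| <= n}, Y1 = {||y|| >= n + 2l + 1}."""
    mass0 = sum(comb(m, k) * alpha**k * (1 - alpha)**(m - k)
                for k in range(n + 1))
    mass1 = sum(comb(m, k) * beta**k * (1 - beta)**(m - k)
                for k in range(n + 2 * l + 1, m + 1))
    return p0 * mass0 + p1 * mass1

def best_threshold(m, l, p0, p1, alpha, beta):
    """Exhaustive (linear) search over n = 0 .. m - 2l - 1."""
    if 2 * l >= m:
        # Half or more sensors attacked: decide from the priors alone.
        raise ValueError("need l < m/2")
    scores = [score(n, m, l, p0, p1, alpha, beta) for n in range(m - 2 * l)]
    n = max(range(len(scores)), key=scores.__getitem__)
    return n, scores[n]

def detector(y, n, l):
    """f(y) = 0 if ||y|| <= n + l, 1 otherwise."""
    return 0 if sum(y) <= n + l else 1

def is_imperturbable(m, l, n, budget=None):
    """Brute force over {0,1}^m: can `budget` flips (default l) change f
    on any y in Y0 or Y1? Only practical for small m."""
    budget = l if budget is None else budget
    for bits in range(2 ** m):
        y = [(bits >> i) & 1 for i in range(m)]
        weight = sum(y)
        if n < weight < n + 2 * l + 1:
            continue  # y belongs to neither Y0 nor Y1
        expected = 0 if weight <= n else 1
        for k in range(budget + 1):
            for flipped in combinations(range(m), k):
                yc = [b ^ (i in flipped) for i, b in enumerate(y)]
                if detector(yc, n, l) != expected:
                    return False
    return True

if __name__ == "__main__":
    # Constructed run: m and l are chosen here, rates come from the slides.
    n, value = best_threshold(m=9, l=2, p0=0.3, p1=0.7, alpha=0.2, beta=0.8)
    print(n, round(value, 6), is_imperturbable(9, 2, n))
```

Calling `is_imperturbable(9, 2, n, budget=3)` shows the guarantee failing once the adversary can flip more sensors than the detector was designed for.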
Two Classes of Sensors
• There is an often-encountered case in practical applications, where the sensors can be grouped into two classes — “good” sensors, and “better” sensors.
• This is usually the case when the sensors of a legacy network are being upgraded in steps, or when the better sensors are too much more expensive than the good ones to be considered worth it.
• In such a case, a compromise can be reached by only installing a few better sensors, while most of the network is composed of the cheaper sensors.
• For example, Phasor Measurement Units (PMUs) are so expensive compared to power meters, that only a few substations have them installed.
Two Classes of Sensors
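$$\alpha_i = \alpha_a, \quad \beta_i = \beta_a, \qquad i = 1, 2, \ldots, m_a$$
$$\alpha_i = \alpha_b, \quad \beta_i = \beta_b, \qquad i = m_a + 1, m_a + 2, \ldots, m_a + m_b = m$$
$$y = \big( \underbrace{y_1 \; y_2 \; \cdots \; y_{m_a}}_{y_a} \;\; \underbrace{y_{m_a+1} \; y_{m_a+2} \; \cdots \; y_{m_a+m_b}}_{y_b} \big)^T$$
• The detector function is a boolean function symmetric in $y_a$ and $y_b$: $f(y_1, y_2, \ldots, y_m) = g(\|y_a\|, \|y_b\|)$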
Detection Problem
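$$\max_{Y_0, Y_1} \; P_0 \sum_{y \in Y_0} \left( \alpha_a^{\|y_a\|} (1-\alpha_a)^{(m_a - \|y_a\|)} \, \alpha_b^{\|y_b\|} (1-\alpha_b)^{(m_b - \|y_b\|)} \right) + P_1 \sum_{y \in Y_1} \left( \beta_a^{\|y_a\|} (1-\beta_a)^{(m_a - \|y_a\|)} \, \beta_b^{\|y_b\|} (1-\beta_b)^{(m_b - \|y_b\|)} \right)$$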
Two Classes
• This case reduces to a search over a 2-D space
• However, equivalent conditions of monotonicity do not hold
Counter-Example
[Figure: optimal Y0 and Y1 plotted over ||ya|| and ||yb||, for ma=4, mb=3, P0=P1=0.5, αa=0.1, βa=0.9, αb=0.2, βb=0.8]
Complexity of Search Space
• Search needs to be carried over a space of $2^{(m_a+1)(m_b+1)}$
• Significant reduction of complexity over the double-exponential nature of the original problem
• Tractable for m ≤ 12
Conclusions and Future Work
• A new approach to estimate a binary random variable
• Tractable form of the detector was derived for some cases
• Future: Reducing the search space for two classes of detectors
• Future: Extending results to sensors with integer outputs