CORGIDS: A Correlation-based Generic Intrusion Detection System

Transcription

1 CORGIDS: A Correlation-based Generic Intrusion Detection System Authors: Ekta Aggarwal, Mehdi Karimibiuki, Karthik Pattabiraman, and Andre Ivanov Presented at: CPS-SPC 2018, Toronto, Canada October 19, 2018

2 Introduction Cyber-Physical system (CPS) consist of software and physical components knitted together. Properties in CPS must follow laws of physics. Physical properties of a drone: altitude, distance travelled, speed, and flight time. 2

3 Security attacks in CPS The Jeep Hack ( Hackable Cardiac Devices from St. Jude ( TRENDnet Webcam Hack ( 3

4 Distance Spoofing Attack Altitude, Distance, Speed, Altitude, Time Distance, Speed, Altitude, Time Distance, Speed, Time 97.9, 570, 600, 4, 97.9, , 630, 4, 100.9, , 660, 4, 50 4

5 What is an Invariant? Something that does not change under a transformation Speed Distance Speed Take away: " #$%& Invariants are used to detect security attacks. CORGIDS During uses execution, physical observation invariants to is: detect intrusion Speed NOT Distance Speed " #$%& 5

6 RELATED WORK DATA INVARIANTS TEMPORAL INVARIANTS PHYSICAL INVARIANTS Eg. len(array) < 20 Eg. G(guest login XF authorized) Eg. x(k + 1) x(k) = α(ui(k) uo(k)) Daikon Dysy DSD-Crasher Gibraltar Perracotta Javert OCD TEXADA MANUALLY DEFINED Mitchell and Chen BRUIDS Choudhari et. al. Adepu and Mathur AUTOMATICALLY GENERATED 6

7 Automatically Generated Physical Invariants Generic Raiyat et. al. [FSE 2017] Take away Chen : at. al. No prior work builds a GENERIC use water IDS using purification PHYSICAL INVARIANTS which are system AUTOMATICALLY GENERATED ARTINALI use data, temporal and time invariants OUR GOAL Chen at. al. [IEEE S&P 2018] Zohrevand et.al. [IEEE Big Data 2016] Krotofil et. al. [CCS 2015] Iturbe et. al. [IEEE/IFIP 2016] Physical invariants 7

8 Contributions Use Hidden Markov Models (HMM) to infer the logical correlations to detect intrusions. Design CORrelation based Generic Intrusion Detection System - CORGIDS. Demonstrate CORGIDS on two CPS an unmanned aerial vehicle (UAV) and a smart artificial pancreas (SAP). Perform five targeted attacks on the CPS. CORGIDS is able to successfully detect attacks. 8

9 Threat Model Capability to gain read and write access to the communication channel between the system under test (SUT) and controller. Has root access to the SUT. Capable of spoofing, flooding, tampering, and rebooting. 9

10 Hidden Markov Model (HMM) Finite model used to describe probability distribution over possible sequences of a given system. HMM Example: Reinforcement learning and pattern recognition such Finding as speech, correlations in multidimensional, nonlinear gesture time recognition. series systems like CPS. handwriting and Likelihood of data belonging from a dataset. An Example: Hidden states = ( Rainy, Sunny ) Observations = ( Walk, Shop, Clean ) Source: 10

11 Work-flow of CORGIDS 1. Logging Phase Altitude (m) Battery left (%) Distance travelled (m) Flight time (s) Build an Intrusion Detector 3. Detecting Intrusion Phase Logging module System Traces

12 Work-flow of CORGIDS 1. Logging Phase SYSTEM TRACE Altitude, Distance, Speed, Time 2. Build an Intrusion Detector Build HMM by varying hidden states Hidden states Detecting Intrusion Phase Trained HMM + Mean Log Likelihood (MLL) 15 hidden state HMM + MLL =

13 Work-flow of CORGIDS 1. Logging Phase CURRENT SYSTEM TRACE Altitude, Distance, Speed, Time Trained HMM (MLL = )! = Build an Intrusion Detector Current Log Likelihood (CLL) = Detecting Intrusion Phase NO CLL > (MLL -!) YES INTRUSION NO INTRUSION 13

14 Experimental setup Unmanned Aerial Vehicle (UAV) ArudPilot s Software in the Loop (SITL) ( Smart Artificial Pancreas (SAP) Open Artificial Pancreas System (OpenAPS) ( 14

15 Attacks UAV Distance Spoofing Flooding Battery Tampering SAP Insulin Tampering Glucose Spoofing 15

16 Distance Spoofing Attack Altitude, Distance, Speed, Time 97.9, 570, 600, 4,

17 Evaluation Criteria False positive rate (FP) False negative rate (FN) Attacks Detected Attacks Attempted False Negatives Attacks Attempted False Positives!" Attacks Detected Precision =!"#$" Recall = 1 '( Performance overhead = Additional time take by CORGIDS Memory overhead = Additional memory take by CORGIDS 17

18 Sensitivity Analysis Find values of w,! and λ for which highest value of Precision and Recall is achieved. Three experimental factors: Window size (w) in minutes Time (mins) Acceptable range (!) in standard deviations Threshold of consecutive decisions (λ) λ = 21 FAULTY BENIGN FAULTY FAULTY t t + 1 t + 2 t + 3 FAULTY FAULTY Time (mins)! = 20 Mean Loglikelihood = -100 BENIGN BENIGN 18

19 Sensitivity Analysis: Result δ = 1 and λ = W (minutes) Precision Recall w Precision & Recall δ Precision & Recall λ Precision & Recall 19

20 Evaluation TESTBED TARGETED ATTACKS FP (%) FN (%) Battery Tampering UAV Flooding Distance Spoofing SAP Insulin Tampering Glucose Spoofing Table: FP and FN obtained by CORGIDS 20

21 Overheads OpenAPS platform: Raspberry Pi3 Approximately 1GB of RAM With quad-core 64-bit ARM Cortex running at 1.2 GHz Average of 10 executions Memory overhead CORGIDS consumed MB Performance overhead CORGIDS took 1.25 seconds Memory overhead comparable with other IDS. CORGIDS is initial implementation and overhead can be reduced by optimization. Execution cycle time 5 minutes Time taken by CORGIDS was negligible. 21

22 Summary Physical properties of CPS are indicative of its behavior. HMM are good at finding correlations among properties. CORGIDS was able to detect intrusion with higher Precision and Recall. Contact 22