Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process

Stone, Samuel J.; Temple, Michael A.; Baldwin, Rusty O.

doi:10.1016/j.ijcip.2015.02.001

Cited by 25 publications

(17 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One PHY-based method supporting offensive, defensive, and exploitive network operations is Time Domain Distinct Native Attribute (TD-DNA) Fingerprinting which has been successfully used to discriminate IoT and IIoT communication devices and their operating states [9][10][11][12][13][14][15][16][17][18]. The TD-DNA fingerprinting methodology therein is well-suited for consideration here given 1) the observed ZigBee-like signal characteristics of WirelessHART signals, and 2) the ability to perform Dimensional Reduction Analysis (DRA) and identify the minimal subset of features required to achieve a given level of discrimination performance.…”

Section: Introductionmentioning

confidence: 99%

DNA Feature Selection for Discriminating WirelessHART IIoT Devices

Rondeau

Temple

2020

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

The proliferation of Wireless Highway Addressable Remote Transducer (WirelessHART) communications in support of Industrial Internet of Things (IIoT) applications is accompanied by increased vulnerability concerns that amplify the need for improved pre-attack security and post-attack forensic methods. This paper summarizes demonstration activity aimed at applying Time Domain Distinct Native Attribute (TD-DNA) fingerprinting and improving feature selection to increase computational efficiency and the potential for near-real time operational application. Assessments include both pre-classification and post-classification dimensional reduction using TD-DNA fingerprint features extracted from experimentally collected WirelessHART signals.Results show that pre-classification selection methods are superior, with average percent correct classification differential of 8% < %CD < 1% being maintained using selected feature subsets containing only 24 (10%) of the 243 full-dimensional features.

show abstract

Section: Introductionmentioning

confidence: 99%

DNA Feature Selection for Discriminating WirelessHART IIoT Devices

Rondeau

Temple

2020

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…Low-cost, low-power Z-Wave devices are among the sub-internet WPAN support technologies that enable mesh networks comprised of smart devices [6], [7]. These networks support data collection and control [8] via Supervisory Control and Data Acquisition (SCADA) systems [9]. Mesh networks are used, for instance, in hospital [10] and electrical smartgrid [11] applications, both of which are CI elements within e-government and private sectors.…”

Section: Introductionmentioning

confidence: 99%

“…Device hardware ID and operating state discrimination for CI security applications has been reliably demonstrated using Physical (PHY) layer security enhancement [4], [9], [15]. As discussed in [16], PHY layer security involves either 1) adding physically traceable objects to devices [17] or 2) Radio Frequency Distinct Native Attribute (RF-DNA) fingerprinting based on PHY device emissions which overcome limitations of encryption key-based measures [18].…”

Section: Introductionmentioning

confidence: 99%

An Optimization Framework for Generalized Relevance Learning Vector Quantization with Application to Z-Wave Device Fingerprinting

Bihl¹,

Temple²,

Bauer³

2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

“…This GPIO trigger was separately probed in order to identify the boundaries of EM emission signals in order to extract the matchedfilter template trace. Stone et al continued to demonstrated that instead of using the time-domain signal as a feature vector, it is more effective to use Hilbert transformation of the EM emission signals [20]. The advantage of this approach is that, when calculating correlation of two signals, Hilbert-transformed vectors perform better than time-domain vectors for the same signalto-noise ratio (SNR) of signals.…”

Section: Related Workmentioning

confidence: 99%

Leveraging Electromagnetic Side-Channel Analysis for the Investigation of IoT Devices

Sayakkara

Le-Khac

Scanlon

2019

Digital Investigation

View full text Add to dashboard Cite

Internet of Things (IoT) devices have expanded the horizon of digital forensic investigations by providing a rich set of new evidence sources. IoT devices includes health implants, sports wearables, smart burglary alarms, smart thermostats, smart electrical appliances, and many more. Digital evidence from these IoT devices is often extracted from third party sources, e.g., paired smartphone applications or the devices' back-end cloud services. However vital digital evidence can still reside solely on the IoT device itself. The specifics of the IoT device's hardware is a black-box in many cases due to the lack of proven, established techniques to inspect IoT devices. This paper presents a novel methodology to inspect the internal software activities of IoT devices through their electromagnetic radiation emissions during live device investigation. When a running IoT device is identified at a crime scene, forensically important software activities can be revealed through an electromagnetic side-channel analysis (EM-SCA) attack. By using two representative IoT hardware platforms, this work demonstrates that cryptographic algorithms running on high-end IoT devices can be detected with over 82% accuracy, while minor software code differences in low-end IoT devices could be detected over 90% accuracy using a neural network-based classifier. Furthermore, it was experimentally demonstrated that malicious modification of the stock firmware of an IoT device can be detected through machine learning-assisted EM-SCA techniques. These techniques provide a new investigative vector for digital forensic investigators to inspect IoT devices.

show abstract

Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process

Cited by 25 publications

References 20 publications

DNA Feature Selection for Discriminating WirelessHART IIoT Devices

DNA Feature Selection for Discriminating WirelessHART IIoT Devices

An Optimization Framework for Generalized Relevance Learning Vector Quantization with Application to Z-Wave Device Fingerprinting

Leveraging Electromagnetic Side-Channel Analysis for the Investigation of IoT Devices

Contact Info

Product

Resources

About