Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System

Chen, Yuqi; Poskitt, Christopher M.; Sun, Jun

doi:10.1109/sp.2018.00016

Cited by 113 publications

(101 citation statements)

References 44 publications

Supporting

Mentioning

101

Contrasting

Order By: Relevance

“…For example, Momtazpour et al [49] conduct anomaly detection by using an ARX (Auto Regression with eXogenous input) model with pre-discovered latent variables to find invariants between wireless sensor data within multiple time steps at Intel Berkeley Research lab. Chen et al [50] use code mutation programs to generate abnormal data traces, and then use a SVM classifier and statistical model checking to find invariants between sensor data in the SWaT testbed. Nevertheless, the invariant rules generated in our work are more comprehensive than [49], [50] as actuator states which are an important part of the control dynamics in ICS are also included.…”

Section: Related Workmentioning

confidence: 99%

“…Chen et al [50] use code mutation programs to generate abnormal data traces, and then use a SVM classifier and statistical model checking to find invariants between sensor data in the SWaT testbed. Nevertheless, the invariant rules generated in our work are more comprehensive than [49], [50] as actuator states which are an important part of the control dynamics in ICS are also included.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Feng

Palleti

Mathur

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Industrial Control Systems (ICS) consisting of integrated hardware and software components designed to monitor and control a variety of industrial processes, are typically deployed in critical infrastructures such as water treatment plants, power grids and gas pipelines. Unlike conventional IT systems, the consequences of deviations from normal operation in ICS have the potential to cause significant physical damage to equipment, the environment and even human life. The active monitoring of invariant rules that define the physical conditions that must be maintained for the normal operation of ICS provides a means to improve the security and dependability of such systems by which early detection of anomalous system states may be achieved, allowing for timely mitigating actions-such as fault checking, system shutdown-to be taken. Generally, invariant rules are predefined by system engineers during the design phase of a given ICS build. However, this manually intensive process is costly, error-prone and, in typically complex systems, sub-optimal. In this paper we propose a novel framework that is designed to systematically generate invariant rules from information contained within ICS operational data logs, using a combination of several machine learning and data mining techniques. The effectiveness of our approach is demonstrated by experiments on two real world ICS testbeds: a water distribution system and a water treatment plant. We show that sets of invariant rules, far larger than those defined manually, can be successfully derived by our framework and that they may be used to deliver significant improvements in anomaly detection compared with the invariant rules defined by system engineers as well as the commonly used residual errorbased anomaly detection model for ICS.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Feng

Palleti

Mathur

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Other researches focused on the detection of anomalies with physical properties [14]. By using the specification or control logic, the monitoring system rarely emits false alarms [3,15]. However, it is relatively expensive to obtain and specify the specification or control logic.…”

Section: Introductionmentioning

confidence: 99%

Anomaly Detection for Industrial Control Systems Using Sequence-to-Sequence Neural Networks

Kim

Yun

Kim

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This study proposes an anomaly detection method for operational data of industrial control systems (ICSs). Sequence-to-sequence neural networks were applied to train and predict ICS operational data and interpret their time-series characteristic. The proposed method requires only a normal dataset to understand ICS's normal state and detect outliers. This method was evaluated with SWaT (secure water treatment) dataset, and 29 out of 36 attacks were detected. The reported method also detects the attack points, and 25 out of 53 points were detected. This study provides a detailed analysis of false positives and false negatives of the experimental results.

show abstract

“…In this work, however, they utilize stimulant-response mechanisms to detect compromised devices based on their speci c reaction to controlled inputs, which can also be impractical for the smart grid and results can depend on several undesired networks' and physical channels' dynamics. Other relevant works propose similar a estation approaches [14,55] to detect a acks in CPS. However, these works focus on building models of the entire CPS network instead of focusing on individual devices, which impacts the overhead and the general performance of the proposed solutions.…”

Section: Related Workmentioning

confidence: 99%

A System-level Behavioral Detection Framework for Compromised CPS Devices

Babun

Aksu

Uluagac

2019

ACM Trans. Cyber-Phys. Syst.

View full text Add to dashboard Cite

Cyber-Physical Systems (CPS) play a signi cant role in our critical infrastructure networks from power-distribution to utility networks. e emerging smart-grid concept is a compelling critical CPS infrastructure that relies on two-way communications between smart devices to increase e ciency, enhance reliability, and reduce costs. However, compromised devices in the smart grid poses several security challenges. Consequences of propagating fake data or stealing sensitive smart grid information via compromised devices are costly. Hence, early behavioral detection of compromised devices is critical for protecting the smart grid's components and data. To address these concerns, in this paper, we introduce a novel and con gurable system-level framework to identify compromised smart grid devices. e framework combines system and function call tracing techniques with signal processing and statistical analysis to detect compromised devices based on their behavioral characteristics. We measure the e cacy of our framework with a realistic smart grid substation testbed that includes both resource-limited and resource-rich devices. In total, using our framework, we analyze six di erent types of compromised device scenarios with di erent resources and a ack payloads. To the best of our knowledge, the proposed framework is the rst in detecting compromised CPS smart grid devices with system and function-level call tracing techniques. e experimental results reveal an excellent rate for the detection of compromised devices. Speci cally, performance metrics include accuracy values between 95% and 99% for the di erent a ack scenarios. Finally, the performance analysis demonstrates that the use of the proposed framework has minimal overhead on the smart grid devices' computing resources.

show abstract

Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System

Cited by 113 publications

References 44 publications

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Anomaly Detection for Industrial Control Systems Using Sequence-to-Sequence Neural Networks

A System-level Behavioral Detection Framework for Compromised CPS Devices

Contact Info

Product

Resources

About