Behavior-Based Zero-Day Intrusion Detection for Real-Time Cyber-Physical Systems

funded by the National Science Foundation

researchers: Sibin Mohan and Lui Sha

Reports of security violations are becoming more common in cyber-physical systems (CPS), especially ones with real-time properties. CPS were once considered invulnerable to such attacks, but today a failure to protect them could result in significant harm to humans, the environment, or critical infrastructure. CPS often control physical systems such as automobiles, power plants, and avionics, and zero-day attacks (such as Stuxnet) are particularly challenging to defend against. On the other hand, systems with real-time properties are predictable by design: designers analyze their execution characteristics, such as timing, control flow, system properties, and memory reference patterns, to a high level of detail precisely so as to provide predictable behavior.

The research team believes that these behavioral traits can be characterized by integrated modeling and even machine learning. Hence, this project is working to use those properties of real-time CPS to detect intrusions as soon as possible, since any deviation from expected behavior can be suspicious. The team is analyzing such systems to extract those behavioral profiles, and will combine the results with a monitoring framework based on a multicore processor architecture to detect problems. The high-level contributions of this work will be (1) development of analysis techniques to capture the predictable execution behavior of CPS with real-time properties; (2) development of an architectural framework that can monitor the execution of such systems to check for deviations and ensure that the underlying physical system being controlled does not come to harm; and (3) development of analysis methods and architectures to detect intrusions in CPS, making such systems more secure and hence safer.
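To make the idea of a behavioral profile concrete, the following is an added illustration written for this page; it is not code from the project or the researchers. It learns a timing envelope (execution time and inter-arrival period per task) and the set of observed control-flow transitions from a known-good execution trace of a periodic control loop, then replays a second trace against that profile and raises an alarm for every deviation. The task names (`sense`, `control`, `actuate`), the traces, and the 10% `slack` tolerance are constructed for the example; a real monitor would take such traces from hardware counters or a dedicated monitoring core, as the project proposes, rather than from an in-process simulation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    task: str        # identifier of the task (or function) that ran
    start: float     # start time in milliseconds
    duration: float  # measured execution time in milliseconds


@dataclass
class Profile:
    exec_bounds: dict    # task -> (min_ms, max_ms) execution-time envelope
    period_bounds: dict  # task -> (min_ms, max_ms) inter-arrival envelope
    transitions: set     # allowed (previous_task, next_task) pairs


def build_profile(trace, slack=0.10):
    """Derive a behavioral profile from a known-good trace.

    `slack` widens each envelope by a fraction so that benign jitter
    seen in production does not trigger alarms (assumed value: 10%).
    """
    durations, periods = defaultdict(list), defaultdict(list)
    last_start, transitions, prev = {}, set(), None
    for ev in trace:
        durations[ev.task].append(ev.duration)
        if ev.task in last_start:
            periods[ev.task].append(ev.start - last_start[ev.task])
        last_start[ev.task] = ev.start
        if prev is not None:
            transitions.add((prev, ev.task))
        prev = ev.task

    def envelope(values):
        return (min(values) * (1 - slack), max(values) * (1 + slack))

    return Profile(
        exec_bounds={t: envelope(v) for t, v in durations.items()},
        period_bounds={t: envelope(v) for t, v in periods.items() if v},
        transitions=transitions,
    )


def monitor(profile, trace):
    """Replay a trace against the profile; return one alarm per deviation."""
    alarms, last_start, prev = [], {}, None
    for ev in trace:
        if ev.task not in profile.exec_bounds:
            # A task never seen during profiling is itself a deviation.
            alarms.append(("unknown_task", ev.task, ev.start))
        else:
            lo, hi = profile.exec_bounds[ev.task]
            if not lo <= ev.duration <= hi:
                alarms.append(("exec_time", ev.task, ev.start))
            if ev.task in last_start and ev.task in profile.period_bounds:
                plo, phi = profile.period_bounds[ev.task]
                if not plo <= ev.start - last_start[ev.task] <= phi:
                    alarms.append(("period", ev.task, ev.start))
        if prev is not None and (prev, ev.task) not in profile.transitions:
            alarms.append(("control_flow", f"{prev}->{ev.task}", ev.start))
        last_start[ev.task] = ev.start
        prev = ev.task
    return alarms


def periodic_trace(cycles, period=10.0):
    """Constructed sense -> control -> actuate loop with small, benign jitter."""
    trace = []
    for i in range(cycles):
        base = i * period
        trace.append(Event("sense", base, 1.0 + 0.1 * (i % 3)))
        trace.append(Event("control", base + 2.0, 3.0 + 0.2 * (i % 2)))
        trace.append(Event("actuate", base + 6.0, 0.8))
    return trace


# Constructed traces: a clean profiling run, then a run with two anomalies.
TRAINING_TRACE = periodic_trace(20)
ATTACK_TRACE = periodic_trace(3) + [
    Event("sense", 30.0, 1.0),
    Event("control", 32.0, 9.0),  # constructed: control runs three times too long
    Event("actuate", 36.0, 0.8),
    Event("sense", 40.0, 1.0),
    Event("control", 42.0, 3.0),
    Event("exfil", 45.0, 0.5),    # constructed: a task absent from the profile
    Event("actuate", 46.0, 0.8),
]

if __name__ == "__main__":
    profile = build_profile(TRAINING_TRACE)
    for alarm in monitor(profile, ATTACK_TRACE):
        print(alarm)
```

The profile deliberately stays simple (min/max envelopes and a transition set) so that the check is cheap enough to run alongside the real-time workload; the project's stated direction of richer models, including machine learning, would replace `build_profile` while leaving the monitoring loop the same.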

The project will take us one step closer to understanding the integration of two diverse fields, CPS and security, while gaining a better understanding of both fields.