Power grids are very susceptible to large-scale attacks from intruders. Current intrusion-detection systems are complicated, not very accurate, and not preeemptive. Our goal here is to build a specification-based intrusion detection to detect cyber attacks in power systems. We have developed theory and experimental evaluation of preemptive intrusion-detection systems. Experiments are performed using data of real-world security incidents collected at the National Center for Supercomputing Applications (NCSA), from 2008–2013.
Semantic Attack Detection in the Power Grid
The research goal is to detect sophisticated semantic attacks that drive a power grid into an unsafe state without exhibiting any obvious protocol-level red flags. In order to achieve this goal, we seek to combine system knowledge of both cyber and physical infrastructure in power grids to estimate the execution consequence of maliciously crafted control commands. Specifically, we adapt Bro, a real-time network traffic analyzer to support proprietary protocols in power systems. Then, we augment Bro IDS with power-flow-assessment tools to perform run-time state estimation to predict consequences of executing (potentially maliciously crafted) a control command.
Preemptive Intrusion Detection
Targeted cyber-attacks often use stolen credentials to gain access into organizations’ systems. Disguised as authorized users, attackers effectively bypass traditional defenses, leaving discernible traces. We aim to detect such attacks sufficiently before intruders launch the attack payloads (i.e., before the system is misused), in order to stop the attack. Current intrusion-detection systems examine system and network traces as individual events, instead of correlating the events as a whole to relate to the current state of a user. We then use a factor graph model to define evolution of the attack, in which observed events and state of a user are linked by factor functions representing functional relations among the variables. Based on this model, we demonstrated how progressing attacks can be detected in advance of actual misuse and implemented a system to automatically assess whether the user account is compromised (i.e., the user state is malicious). Using data on 24 real-world credential-stealing incidents that occurred over a six-year period at NCSA, our system detected 75% of attacks early (from minutes to tens of hours before attack payloads are executed) in real time. Compared with rule-based and machine-learning classification techniques, our method has a higher attack-detection rate, a rapid response time, and a lower rate of false positives.
Attacker Intention Predictions Using Game Theory
Attacks in cyber security are not only increasing in numbers but are becoming sophisticated in complexity. Detection and protection measures from the system side are getting complicated accordingly. Detection and protection is not free, but comes with overhead. Such an observation seeks a possibility of dynamically optimizing the security configuration based on prediction of attacker intention. For predicting attacker intention, we consider two aspects: attackers as a rational decision maker, and the data of attack traces from previous attacks. Through collaboration with Dr. Charles Kamhoua and his colleagues at the Air Force Research Laboratory, we explore variation of game theoretic and machine-learning algorithms.