Julian L. Rrushi
Citation
Julian L. Rrushi. "Composite Intrusion Detection in Process Control Networks". PhD thesis, University of Milano, April, 2009.
Abstract
An intrusion detection ensemble, i.e. a set of diverse intrusion detection algorithms
employed as a group, has been shown to outperform each one those diverse algorithms employed individually. Moving along this line, we have devised an intrusion detection ensemble that inspects network packets that fow across the process control network of a digitally controlled physical system such as a power plant.
Such process control specific intrusion detection ensemble is comprised of a statistical
anomaly intrusion detection algorithm called the Estimation-Inspection (EI) algorithm,
a physical process aware specification-based approach, a theory of deception
for intrusion detection that we call mirage theory, and an alert fusion technique in
the form of a Bayesian theory of confirmation. In this research we leverage evolutions
of the content of specific locations in the random access memory (RAM) of control
systems into means of characterizing the normalcy or abnormality of network traffic.
The EI algorithm uses estimation methods from applied statistics and probability
theory to estimate normal evolutions of RAM content. The physical process aware
specification-based approach defines normal evolutions of RAM content via specifications developed manually through expert knowledge. Mirage theory consistently
introduces deceptive evolutions of RAM content, and hence employs communicating
finite state machines to detect any deviations caused by malicious network packets.
The alert fusion technique also leverages evolutions of RAM content to estimate the
degrees to which network traffic normalcy and abnormality hypotheses are confirmed
on evidence. In this dissertation we provide a detailed discussion of these intrusion
detection algorithms along with a detailed discussion of the alert fusion technique.
We also discuss an empirical testing of the proposed intrusion detection ensemble in a
small testbed comprised of Linux PC-based control systems that resemble the process
control environment of a power plant; and in the case of the EI algorithm, a probabilistic
validation via stochastic activity networks with activity-marking oriented reward structures.
Electronic downloads
- Dissertation-IDS-PowerPlants.pdf · application/pdf · 1462 kbytes
| Citation formats |
- HTML
Julian L. Rrushi. <a href="http://www.truststc.org/pubs/628.html" ><i>Composite Intrusion Detection in Process Control Networks</i></a>, PhD thesis, University of Milano, April, 2009.
- Plain text
Julian L. Rrushi. "Composite Intrusion Detection in Process Control Networks". PhD thesis, University of Milano, April, 2009.
- BibTeX
@phdthesis{Rrushi09_CompositeIntrusionDetectionInProcessControlNetworks, author = {Julian L. Rrushi}, title = {Composite Intrusion Detection in Process Control Networks}, school = {University of Milano}, month = {April}, year = {2009}, abstract = {An intrusion detection ensemble, i.e. a set of diverse intrusion detection algorithms employed as a group, has been shown to outperform each one those diverse algorithms employed individually. Moving along this line, we have devised an intrusion detection ensemble that inspects network packets that fow across the process control network of a digitally controlled physical system such as a power plant. Such process control specific intrusion detection ensemble is comprised of a statistical anomaly intrusion detection algorithm called the Estimation-Inspection (EI) algorithm, a physical process aware specification-based approach, a theory of deception for intrusion detection that we call mirage theory, and an alert fusion technique in the form of a Bayesian theory of confirmation. In this research we leverage evolutions of the content of specific locations in the random access memory (RAM) of control systems into means of characterizing the normalcy or abnormality of network traffic. The EI algorithm uses estimation methods from applied statistics and probability theory to estimate normal evolutions of RAM content. The physical process aware specification-based approach defines normal evolutions of RAM content via specifications developed manually through expert knowledge. Mirage theory consistently introduces deceptive evolutions of RAM content, and hence employs communicating finite state machines to detect any deviations caused by malicious network packets. The alert fusion technique also leverages evolutions of RAM content to estimate the degrees to which network traffic normalcy and abnormality hypotheses are confirmed on evidence. In this dissertation we provide a detailed discussion of these intrusion detection algorithms along with a detailed discussion of the alert fusion technique. We also discuss an empirical testing of the proposed intrusion detection ensemble in a small testbed comprised of Linux PC-based control systems that resemble the process control environment of a power plant; and in the case of the EI algorithm, a probabilistic validation via stochastic activity networks with activity-marking oriented reward structures.}, URL = {http://www.truststc.org/pubs/628.html} }
Posted by Julian L. Rrushi on 8 Jun 2009.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.