Team for Research in
Ubiquitous Secure Technology

Composite Intrusion Detection in Process Control Networks
Julian L. Rrushi

Citation
Julian L. Rrushi. "Composite Intrusion Detection in Process Control Networks". PhD thesis, University of Milano, April, 2009.

Abstract
An intrusion detection ensemble, i.e. a set of diverse intrusion detection algorithms employed as a group, has been shown to outperform each one of those diverse algorithms employed individually. Moving along this line, we have devised an intrusion detection ensemble that inspects network packets that flow across the process control network of a digitally controlled physical system such as a power plant. This process-control-specific intrusion detection ensemble is comprised of a statistical anomaly intrusion detection algorithm called the Estimation-Inspection (EI) algorithm, a physical-process-aware specification-based approach, a theory of deception for intrusion detection that we call mirage theory, and an alert fusion technique in the form of a Bayesian theory of confirmation. In this research we leverage evolutions of the content of specific locations in the random access memory (RAM) of control systems as a means of characterizing the normalcy or abnormality of network traffic. The EI algorithm uses estimation methods from applied statistics and probability theory to estimate normal evolutions of RAM content. The physical-process-aware specification-based approach defines normal evolutions of RAM content via specifications developed manually through expert knowledge. Mirage theory consistently introduces deceptive evolutions of RAM content and employs communicating finite state machines to detect any deviations caused by malicious network packets. The alert fusion technique also leverages evolutions of RAM content to estimate the degrees to which the network traffic normalcy and abnormality hypotheses are confirmed by the evidence. In this dissertation we provide a detailed discussion of these intrusion detection algorithms along with a detailed discussion of the alert fusion technique.
We also discuss empirical testing of the proposed intrusion detection ensemble in a small testbed of Linux PC-based control systems that resemble the process control environment of a power plant, and, in the case of the EI algorithm, a probabilistic validation via stochastic activity networks with activity-marking oriented reward structures.
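As an added illustration (constructed for this page, not code from the thesis), the Python sketch below shows the shape of the ensemble the abstract describes: three diverse detectors each judge one new reading of a control-system memory location, and a Bayesian confirmation step fuses their verdicts into a posterior belief that the traffic is abnormal. The detectors (a statistical bound on historical readings, a hand-written operating-range specification, and a decoy "mirage" location that legitimate traffic never changes), their assumed true/false positive rates, the reading history, and the difference measure P(H|E) - P(H) used as the degree of confirmation are all assumptions of this example; the thesis's own EI estimators, specifications, finite state machines and fusion rule are not reproduced here.

```python
"""Toy intrusion detection ensemble over RAM-content evolutions.

Constructed illustration, not the thesis's code: three detectors judge whether
a new reading of a control-system memory location is normal, and a Bayesian
confirmation step fuses their verdicts into a single decision.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Detector:
    name: str
    tpr: float  # P(alert | traffic abnormal), assumed calibration value
    fpr: float  # P(alert | traffic normal),   assumed calibration value


# Assumed detection and false-alarm rates for the three constructed detectors.
DETECTORS = (
    Detector("statistical", tpr=0.85, fpr=0.10),
    Detector("specification", tpr=0.70, fpr=0.02),
    Detector("mirage", tpr=0.95, fpr=0.01),
)

# Constructed history of one memory location (say, a set-point register).
HISTORY = [50.0, 51.0, 49.5, 50.5, 50.0, 49.0, 51.0, 50.0]


def statistical_alert(history, value, k=3.0):
    """Flag a reading more than k standard deviations from the historical mean."""
    mu, sigma = mean(history), pstdev(history)
    return abs(value - mu) > k * max(sigma, 1e-9)


def specification_alert(value, lo=40.0, hi=60.0):
    """Flag a reading outside the expert-written operating range [lo, hi]."""
    return not (lo <= value <= hi)


def mirage_alert(decoy_before, decoy_after):
    """A decoy location never changes under legitimate traffic; any write is suspicious."""
    return decoy_before != decoy_after


def likelihood(det, alerted, abnormal):
    """P(this detector's verdict | hypothesis)."""
    p_alert = det.tpr if abnormal else det.fpr
    return p_alert if alerted else 1.0 - p_alert


def posterior_abnormal(verdicts, prior=0.01, detectors=DETECTORS):
    """Naive-Bayes posterior P(abnormal | verdicts), treating verdicts as
    conditionally independent given the hypothesis."""
    p_abn, p_nor = prior, 1.0 - prior
    for det in detectors:
        p_abn *= likelihood(det, verdicts[det.name], True)
        p_nor *= likelihood(det, verdicts[det.name], False)
    return p_abn / (p_abn + p_nor)


def confirmation_degree(verdicts, prior=0.01):
    """Difference measure P(H|E) - P(H): positive means the evidence confirms
    the 'abnormal' hypothesis, negative means it disconfirms it."""
    return posterior_abnormal(verdicts, prior) - prior


def inspect_write(value, decoy_before, decoy_after, history=HISTORY, prior=0.01):
    """Run all three detectors on one observed write and fuse their verdicts."""
    verdicts = {
        "statistical": statistical_alert(history, value),
        "specification": specification_alert(value),
        "mirage": mirage_alert(decoy_before, decoy_after),
    }
    post = posterior_abnormal(verdicts, prior)
    return {
        "verdicts": verdicts,
        "posterior": post,
        "confirmation": post - prior,
        "alarm": post >= 0.5,
    }


if __name__ == "__main__":
    # A benign write close to history, decoy untouched.
    print(inspect_write(50.5, decoy_before=7, decoy_after=7))
    # An out-of-range write that also clobbers the decoy location.
    print(inspect_write(95.0, decoy_before=7, decoy_after=0))
```

Note how the silence of a high-recall detector is itself evidence: with the assumed rates, a lone statistical alert while the specification and mirage detectors stay quiet lowers the posterior below the prior, which is the kind of cross-detector reasoning a fusion rule adds over any single algorithm.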

Citation formats
  • BibTeX
    @phdthesis{Rrushi09_CompositeIntrusionDetectionInProcessControlNetworks,
        author = {Julian L. Rrushi},
        title = {Composite Intrusion Detection in Process Control
                  Networks},
        school = {University of Milano},
        month = {April},
        year = {2009},
        abstract = {An intrusion detection ensemble, i.e. a set of
                  diverse intrusion detection algorithms employed as
                  a group, has been shown to outperform each one of
                  those diverse algorithms employed individually.
                  Moving along this line, we have devised an
                  intrusion detection ensemble that inspects network
                  packets that flow across the process control
                  network of a digitally controlled physical system
                  such as a power plant. Such process control
                  specific intrusion detection ensemble is comprised
                  of a statistical anomaly intrusion detection
                  algorithm called the Estimation-Inspection (EI)
                  algorithm, a physical process aware
                  specification-based approach, a theory of
                  deception for intrusion detection that we call
                  mirage theory, and an alert fusion technique in
                  the form of a Bayesian theory of confirmation. In
                  this research we leverage evolutions of the
                  content of specific locations in the random access
                  memory (RAM) of control systems into means of
                  characterizing the normalcy or abnormality of
                  network traffic. The EI algorithm uses estimation
                  methods from applied statistics and probability
                  theory to estimate normal evolutions of RAM
                  content. The physical process aware
                  specification-based approach defines normal
                  evolutions of RAM content via specifications
                  developed manually through expert knowledge.
                  Mirage theory consistently introduces deceptive
                  evolutions of RAM content, and hence employs
                  communicating finite state machines to detect any
                  deviations caused by malicious network packets.
                  The alert fusion technique also leverages
                  evolutions of RAM content to estimate the degrees
                  to which network traffic normalcy and abnormality
                  hypotheses are confirmed on evidence. In this
                  dissertation we provide a detailed discussion of
                  these intrusion detection algorithms along with a
                  detailed discussion of the alert fusion technique.
                  We also discuss an empirical testing of the
                  proposed intrusion detection ensemble in a small
                  testbed comprised of Linux PC-based control
                  systems that resemble the process control
                  environment of a power plant; and in the case of
                  the EI algorithm, a probabilistic validation via
                  stochastic activity networks with activity-marking
                  oriented reward structures.},
        URL = {http://www.truststc.org/pubs/628.html}
    }
    

Posted by Julian L. Rrushi on 8 Jun 2009.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.