Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators' responsive behavior

Saman Zonouz a,*, Parisa Haghani b
a University of Miami, USA
b University of Illinois at Urbana-Champaign, USA
* Corresponding author. E-mail addresses: [email protected] (S. Zonouz), [email protected] (P. Haghani).

Computers & Security xxx (2013) 1-11. Available online at www.sciencedirect.com; journal homepage: www.elsevier.com/locate/cose. http://dx.doi.org/10.1016/j.cose.2013.07.003. 0167-4048/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.

Please cite this article in press as: Zonouz S, Haghani P, Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators' responsive behavior, Computers & Security (2013), http://dx.doi.org/10.1016/j.cose.2013.07.003

Article history: Received 11 March 2013; Received in revised form 24 June 2013; Accepted 1 July 2013

Keywords: Power grid critical infrastructure; Intrusion detection and response; Security metric; Situational awareness; Cyber-physical system security

Abstract

To protect complex power-grid control networks, efficient security assessment techniques are required. However, efficiently making sure that calculated security measures match the expert knowledge is a challenging endeavor. In this paper, we present EliMet, a framework that combines information from different sources and estimates the extent to which a control network meets its security objective. Initially, EliMet passively observes system operators' online reactive behavior against security incidents, and accordingly refines the calculated security measure values. To make the values comply with the expert knowledge, EliMet actively queries operators regarding those states for which sufficient information was not gained during the passive observation. Finally, EliMet makes use of the estimated security measure values for predictive situational awareness by ranking potential cyber-physical contingencies that the security administrators should plan for upfront. Our experimental results show that EliMet can optimally make use of prior knowledge as well as automated inference techniques to minimize human involvement and efficiently deduce the expert knowledge regarding individual states of that particular system.

© 2013 Elsevier Ltd. All rights reserved.

1. Introduction

The bulk electricity delivery system known as the power grid is extremely fundamental to most aspects of modern society. Power grid critical infrastructures form a vast and interconnected cyber-physical network for delivering electricity from generation plants to end-point consumers. Traditionally, power system operators, sitting in control network rooms, monitor and control the underlying physical system in order to guarantee secure energy delivery. Due to their importance, power control networks have been a very attractive attack surface for malicious attackers and nation-state terrorists to penetrate the network and consequently cause catastrophic physical damage. Remote malicious cyber attacks against the U.S. electrical grid caused approximately $100 million of damage cost in 2009 (Electricity grid in U.S. penetrated by spies, 2009). The most recent control system malware, called Stuxnet (Falliere et al., 2010), was crafted to sabotage nuclear power plants. Stuxnet specifically raised new questions about power grid security [cite10.1109-MSP.2009.76]; protecting these systems is strictly recommended by the government, as their destruction would have a debilitating impact on national security (Stouffer et al., 2006).

Currently, to protect the power grid critical infrastructures, operators watch scrolling alerts from intrusion detection systems (IDSes) and manually take response and recovery actions if they notice a malicious network activity. However, with increasing complexity of large-scale control systems and

sophisticated targeted attacks as well as the overwhelming amount of daily triggered IDS alerts, manual maintenance of those infrastructures is no longer feasible (Bearavolu et al., 2003). On the other hand, automation of intrusion response solutions requires very accurate and meaningful system-specific security metrics to compare different system security states in order to automatically choose optimal response strategies.

Previous efforts in designing scalable and efficient system security metrics have fallen short in two major aspects. First, existing solutions rely heavily on expert knowledge and human involvement (Ranum et al., 1997). As a case in point, McIntyre et al. (2007) introduce a multi-step manual process to assess the security of a power control network. The system administrator must go over different system states in an offline phase and manually assess their security level. As manual inspection of system states becomes very tedious in practice, other researchers have attempted to automate the system metric assessment procedure by making use of generic notions and heuristics. For instance, Wang et al. (2008a) propose a generic probabilistic security metric which is based on heuristics and can be calculated automatically for each system security state. However, complete validation of such generic and heuristics-based metrics, i.e., verifying whether the calculated values really match the expert knowledge, is not always feasible. Consequently, if such metrics are employed to support automated intrusion response, irrelevant response actions may be chosen that could potentially result in another insecure system state.

This paper builds on our previous work (Zonouz et al., 2012). We present EliMet, a hybrid security metric assessment framework. EliMet exploits the expert knowledge passively and minimizes explicit human involvement to efficiently calculate realistic and system-specific security measure values for large-scale power control networks. In particular, EliMet employs a game-theoretic state-based model of the power control network, called a competitive Markov decision process, as well as the expert knowledge obtained by passively observing power system operators while they receive IDS alerts in real time and carry out responsive and maintenance actions. After the passive learning phase, EliMet actively queries system operators only regarding the system states whose security measures have not been accurately refined during the learning phase. Consequently, EliMet stores the calculated security measure value for each state, which can be used later by automated response solutions to respond to attackers when power system operators are not present. Furthermore, EliMet makes use of the calculated security measure values for cyber-physical contingency analysis to inform the operators of the next immediate potential adversarial actions so that they can protect the power network by planning ahead or monitoring the critical points more closely.

In particular, during the online phase, EliMet employs a game-theoretic state-based model of the system, called a competitive Markov decision process (CMDP), and dynamically updates the current system state estimate according to alerts triggered by intrusion detection systems. Given the current system state, the passive observation module employs an inverse reinforcement learning algorithm to calculate security measure values by observing the operators' responsive behavior. The responsive behavior is formulated as a sequence of (state, action) pairs such as (<A, B, C>, Restore B), where the operator decides to restore host B once systems A, B, and C are identified to be compromised. Since the passive learning interval may not be sufficient to accurately refine the security measures, as some system states may rarely happen in practice, the active querying module asks the operators what actions they would take if the system were in particular states. For instance, EliMet asks for the operator's best response out of the possible response set {Restore A, Restore B, Restore C} (according to the CMDP model) if the system were in state <A, B, C>. An information-theoretic approach is used to minimize the number of questions by iteratively asking the questions that lead to the maximum expected information gain. Consequently, the active querying module produces refined security measure values that are used later for predictive situational awareness, i.e., cyber-physical contingency analysis, or for automated intrusion response purposes.

2. State estimation

Reciprocal interaction between the adversary and the power system operator (or automated response engine) in EliMet is modeled as a game on a state-based model of the power grid, i.e., a competitive Markov decision process (CMDP), in which each player tries to maximize his or her own benefit. Formally, a discrete CMDP $G$ is defined as a tuple $(S, A, Sec(\cdot), P, \gamma)$, where $S$ is the security state space, assumed to be an arbitrary non-empty set endowed with the discrete topology. $A$ is the set of actions, which itself is partitioned into response actions and adversarial actions depending on the player. For every $s \in S$, $A(s) \subseteq A$ is the set of admissible actions at state $s$. The measurable function $Sec : S \to [0, 1]$ is the security measure calculated for each state, and $P$ is the transition probability function; that is, if the present state of the system is $s \in S$ and an action $a \in A(s)$ is taken, resulting in a state transition to state $s'$ with probability $P(s' \mid s, a)$, an immediate reward $Sec(s')$, i.e., the security measure value of the state $s'$, is obtained by the player taking the action. $\gamma$ is the discount factor and is normalized, i.e., $0 < \gamma < 1$.

Before the security measure refinement, at each time instant, EliMet needs to determine the system's current security state based on the triggered IDS alerts. However, the exact system state is usually not completely observable due to IDS inaccuracies, i.e., false positive and negative rates. To address the partial observability problem, we define the notion of the system's belief state $b \in B$, which formally is a probability distribution over all states $s \in S$ in the state space of the system. Therefore, at each time instant, instead of the exact current state, EliMet estimates the system's belief state $b'$ based on the previous belief state $b$ and the current observations (IDS alerts) $O$:

\[ b'_{b,O}(s') = \sum_{s \in S} \Big\{ b(s) \cdot \sum_{a_a \in A(b)} \big[ P(s' \mid s, a_a) \cdot P(a_a \mid O) \big] \Big\}, \qquad (1) \]

where $b(s)$ denotes the probability of the system being at state $s$ given that the current belief state is $b$. $A(b)$ is the set of admissible actions in states with nonzero probabilities according to $b$, i.e., $A(b) = \bigcup_{s \in S : b(s) \neq 0} A(s)$. Furthermore,

\[ P(a_a \mid O) = \mathbb{1}_{o_{a_a} \in O} \cdot \big[ 1 - P(\neg a_a \mid o_{a_a}) \big] + \mathbb{1}_{o_{a_a} \notin O} \cdot \big[ P(a_a \mid \neg o_{a_a}) \big] \qquad (2) \]

is the probability that the attacker performed action $a_a$ given the current observations. $\mathbb{1}$ is the indicator function, and $o_{a_a}$ is the IDS alert reporting occurrence of the incident (adversarial action) $a_a$. $P(\neg a_a \mid o_{a_a})$ and $P(a_a \mid \neg o_{a_a})$ denote the false positive and false negative rates, respectively, which depend on the intrusion detection system by which the corresponding alerts are triggered. Here, we assume the false positive and negative rates for intrusion detection systems are given (see footnote 1); otherwise they are both set to 0 by default. Similarly, the system's belief state is updated once a response action $a_r \in A$ is taken; however, the update equation is simpler in that case, as the selected action is known.
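The belief update of Equations (1) and (2), followed by the simpler update for a known response action, as an added example that is not part of the paper. The three-host model, the deterministic transitions and the per-host IDS false positive and false negative rates are constructed assumptions. Two further assumptions are labelled in the code: the result of Equation (1) is normalised to a probability distribution (the page's equation leaves that step implicit), and the attacker's "idle" action, which has no alert of its own, is weighted by the probability that every still-uncompromised host was in fact left alone.

```python
import itertools

# Constructed toy model (hypothetical, not the paper's test bed): three monitored
# hosts; a security state is the set of hosts the adversary currently holds.
HOSTS = ("A", "B", "C")
STATES = [frozenset(c) for r in range(len(HOSTS) + 1)
          for c in itertools.combinations(HOSTS, r)]

# Constructed per-host IDS accuracy: (false positive rate, false negative rate).
IDS_RATES = {"A": (0.05, 0.20), "B": (0.10, 0.30), "C": (0.02, 0.10)}


def adversarial_actions(s):
    """A(s) for the attacker: stay idle or compromise one host not yet held."""
    return ["idle"] + ["compromise " + h for h in HOSTS if h not in s]


def transition(s, a):
    """Deterministic P(s'|s,a): compromise adds a host, restore removes one."""
    kind, _, host = a.partition(" ")
    if kind == "compromise":
        return s | {host}
    if kind == "restore":
        return s - {host}
    return s


def p_action_given_alerts(a, alerts, s):
    """Equation (2): weight of adversarial action a given the alert set O.

    Alert present for the host: 1 - P(no attack | alert) = 1 - FP.
    No alert for the host:      P(attack | no alert)     = FN.
    Assumption: 'idle' is weighted by the probability that every host the
    attacker could have taken was in fact left alone.
    """
    if a == "idle":
        w = 1.0
        for h in HOSTS:
            if h in s:
                continue
            fp, fn = IDS_RATES[h]
            w *= fp if h in alerts else (1.0 - fn)
        return w
    host = a.split()[1]
    fp, fn = IDS_RATES[host]
    return (1.0 - fp) if host in alerts else fn


def update_belief(belief, alerts):
    """Equation (1), then a normalisation the page leaves implicit (assumption)."""
    new = {s: 0.0 for s in STATES}
    for s, prob in belief.items():
        if prob == 0.0:
            continue
        for a in adversarial_actions(s):
            new[transition(s, a)] += prob * p_action_given_alerts(a, alerts, s)
    z = sum(new.values())
    return {s: p / z for s, p in new.items()}


def apply_response(belief, action):
    """Belief update for a known response action (the simpler case in the text)."""
    new = {s: 0.0 for s in STATES}
    for s, prob in belief.items():
        new[transition(s, action)] += prob
    return new


def most_likely_state(belief):
    return max(belief, key=belief.get)


if __name__ == "__main__":
    b = {s: (1.0 if not s else 0.0) for s in STATES}   # start: nothing compromised
    b = update_belief(b, alerts={"A"})                  # constructed IDS alert for host A
    print(sorted((round(p, 3), sorted(s)) for s, p in b.items() if p > 0.01))
    b = apply_response(b, "restore A")
    print(sorted(most_likely_state(b)))
```

With a single alert for host A, the mass splits between "A compromised" (the dominant hypothesis), the two undetected-compromise hypotheses weighted by the false negative rates, and "nothing happened" weighted by the false positive rate; the restore action then moves the "A compromised" mass back to the clean state without any further IDS input.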

3. Optimal response selection

In this section, we explain how EliMet models the response action selection procedure by the operator. EliMet then uses this model to infer the security measure values on which the operator's response strategies are implicitly based.

In particular, EliMet solves the power grid's CMDP model to find the optimal action which maximizes the expected accumulative long-run reward measure received after a sequence of response and adversarial actions (see footnote 2). Using the infinite-horizon discounted cost technique (Kaelbling et al., 1995), EliMet gives more weight to nearer future rewards by recursively adding up the immediate reward, i.e., the security measure value $Sec(\cdot)$, and the discounted expected game value from then on.

To formulate, EliMet computes the optimal policy $\pi^*(\cdot)$ that associates with any belief state $b \in B$ an optimal response action $\pi^*(b)$. EliMet formulates the response action selection procedure as a game-theoretic maximin problem. In particular, every policy $\pi$ is assigned a value function $V^\pi$ that associates every belief state $b \in B$ with an expected global reward $V^\pi(b)$ obtained by applying $\pi$ in $b$. Bellman's optimality equation (Equation (3)) characterizes the unique optimal value function $V^*$, from which an optimal policy $\pi^*$ can be easily derived:

\[ V^*(b) = \max_{a_r \in A(b)} J(V^*, b, a_r), \qquad (3) \]

where $J$ denotes the value function given that a specific response action is taken:

\[ J(V^*, b, a) = r\big(b'_{b,a}\big) + \sqrt{\gamma} \cdot \min_{a_a \in A(b'_{b,a})} \Big[ r\big(b''_{b',a_a}\big) + \sqrt{\gamma} \cdot V^*\big(b''_{b',a_a}\big) \Big], \qquad (4) \]

in which $b'_{b,a}$ denotes the updated next belief state if the current belief state is $b$ and action $a$ is taken:

\[ b'_{b,a}(s') = \sum_{s \in S} \big[ P(s' \mid s, a) \cdot b(s) \big], \qquad (5) \]

and the $r$ function computes security measure values for belief states using the security levels of the individual states:

\[ r(b) = \sum_{s \in S} \big[ b(s) \cdot Sec(s) \big]. \qquad (6) \]

Briefly, to calculate $V^*$ numerically, EliMet uses the value iteration algorithm (Bellman, 1957), which applies dynamic programming iterative updates to gradually improve on the value until it converges to the $\epsilon$-optimal value function (Bellman, 1957), i.e., $|V_t(b) - V_{t-1}(b)| < \epsilon$. Through improvement of the value, the policy is implicitly improved as well. Once the partially observable decision process is formulated and the $\epsilon$-optimal value function is calculated, EliMet determines the optimal response strategy $\pi^*$ at any given belief state using:

\[ \pi^*(b) = \arg\max_{a_r \in A(b)} J(V^*, b, a_r). \qquad (7) \]

Footnote 1: EliMet can take qualitative values, e.g., {low, medium, high}, which are later translated into crisp values, i.e., {0.25, 0.5, 0.75}.

Footnote 2: As discussed in Section 4, EliMet can model operators with different expertise levels who may not always select optimal response strategies.

In the rest of this section, we discuss how EliMet makes use of the operator's responsive behavior at a subset of states to calculate the security measure values. The ultimate goal is to make sure that the automatically calculated optimal policy $\pi^*$ (using the calculated values and the optimal response action selection algorithm discussed above) matches the response strategies taken by the expert operator.

4. Passive observation

Computation of a security measure function that explains the operator's response policy is essentially an inverse control problem in which $Sec(\cdot)$ is desired given $\pi^*$. In particular, EliMet employs a game-theoretic inverse reinforcement learning algorithm to consider the operator's policy as evidence, and consequently update the a priori security measure values $Sec_i(\cdot)$. The a priori values can either be assigned arbitrary initial values, e.g., 0, or, to accelerate the convergence, be calculated using generic (possibly inaccurate) security assessment algorithms (e.g., Wang et al., 2008a). EliMet refines the a priori values iteratively so that they match the expert knowledge about the system as closely as possible.

Similar to Ramachandran and Amir (2007), the uncertainty of the prior security measure knowledge is modeled using the Laplace density function:

\[ P(Sec(s) = r) = \frac{1}{2\sigma} \, e^{-\frac{|r - Sec_i(s)|}{2\sigma}}, \quad \forall s \in S, \qquad (8) \]

where $P(Sec(s) = r)$ denotes the probability that the security measure value for the state $s$ is equal to $r$. As a distribution parameter, $\sigma$ denotes the predefined uncertainty level.

Formally, EliMet takes the operator's noisy response policy during an attack scenario as well as the above a priori knowledge to derive the posterior distribution of the system security measure. In particular, an attack scenario $T$ is represented as a sequence of (state, action) pairs $T = [(s_1, a_1), (s_2, a_2), \ldots, (s_n, a_n)]$ that denotes the system states and the operator's corresponding responses.

Due to the Markov property of the CMDP, the determination of response actions at each time instant depends only on the present state. Therefore,

\[ P(T \mid Sec) = P((s_1, a_1) \mid Sec) \cdot P((s_2, a_2) \mid Sec) \cdots P((s_n, a_n) \mid Sec), \qquad (9) \]

where $P((s_i, a_i) \mid Sec)$ denotes the probability that $a_i$ is selected as the optimal policy at state $s_i$ given the security measure function $Sec$. It is important to highlight that the optimal policy value is always unique; however, the above probability distribution encodes the noise in the optimal policy samples due to the operator's expertise level.

The optimal policy $\pi^*$ maximizes the $J$ function in Equation (7). Therefore, the larger $J$ is, the more likely it is that the operator would take action $\pi^*(s)$ at state $s$. Additionally, this likelihood increases as we get more confident in the operator's expertise level, i.e., that he or she can respond appropriately (Ramachandran and Amir, 2007):

\[ P((s, a) \mid Sec) = \frac{e^{\sigma \cdot J(V, s, a)}}{\sum_{a' \in A} e^{\sigma \cdot J(V, s, a')}}, \qquad (10) \]

where $\sigma$ is a non-negative constant which represents the operator's expertise level. EliMet calculates the security measure's posterior distribution using the following equation:

\[ P(Sec \mid T) = \frac{P(T \mid Sec) \cdot P(Sec)}{P(T)} = \frac{1}{Z} \, e^{\sigma \cdot \sum_{1 \le i \le n} J(V, s_i, a_i)}, \qquad (11) \]

which applies Bayes' theorem. $Z$ denotes the normalizing constant, and $n$ is the length of the attack scenario $T$.

It can be proved that if the security measures are set to the mean of the above posterior distribution, the expected value of the squared error loss function $\| Sec - \widehat{Sec} \|^2$ is minimized (Berger, 1993). $Sec$ and $\widehat{Sec}$ denote the actual and estimated security measures, respectively. For many practical cases, the security measure's posterior distribution is complex, and hence analytical derivation of its mean value is hard. EliMet makes use of a sampling algorithm to estimate its value: samples from the distribution are generated, and the sample mean is returned as the estimate of the true mean.

In particular, we introduce an extended version of the PolicyWalk algorithm (Ramachandran and Amir, 2007), which is essentially a Markov Chain Monte Carlo (MCMC) technique. The algorithm generates a Metropolis-Hastings Markov chain (Chib and Greenberg, 1995) on the intersection points of a grid of length $\Delta$ in the security measure region $(0, 1]^{|S|}$ (denoted $(0, 1]^{|S|} / \Delta$). Although PolicyWalk is proved to produce correct estimates, its main drawback in practice is the slow convergence to an equilibrium distribution. To accelerate the convergence, EliMet concurrently generates several sample paths in parallel, and finally aggregates the results. As the paths are independent, they can be initiated separately on individual cores of a multi-core platform.

\[ H(s) = -\frac{1}{|A(s)| \cdot |Samples|} \sum_{sec \in Samples} \delta\big(\pi, P(a \mid s, sec)\big) \cdot z, \qquad (12) \]

where

\[ z = \log \left( \frac{\sum_{sec \in Samples} \delta\big(\pi, P(a \mid s, sec)\big)}{|Samples|} \right). \qquad (13) \]

Algorithm 1 shows the pseudocode of the algorithm that EliMet implements to estimate the security measure's posterior distribution. The main inputs (Line 1) are the CMDP model, the evidence likelihood $P(T \mid Sec)$ (Equation (9)), the prior security measure $P(Sec)$ (Equation (8)), the Markov chain step size $\Delta$, the number of cores $m$, and a timeout threshold for the algorithm. Initially, $m$ random measure functions are generated from $(0, 1]^{|S|} / \Delta$, and the corresponding optimal policies are calculated (Lines 2-3). A neighbor in $(0, 1]^{|S|} / \Delta$ is chosen randomly for each security measure function (core) concurrently, and the corresponding $J_\Delta$ functions are computed (Lines 5-7). Using the new security measures, EliMet computes the optimal policy for the CMDP (Line 8) and updates the old functions and policies with probability $\alpha$ (Lines 9-11). In particular, $\alpha$ (Chib and Greenberg, 1995) is a function of the likelihood ratio $P(\widehat{Sec}) / P(Sec)$ and the ratio of the proposal density $P_{\hat{\pi}}(T \mid \widehat{Sec}) / P_{\pi}(T \mid Sec)$. Finally, the subroutine estimates and returns the security measure posterior distribution (Lines 15-16). $\delta$ denotes the Kronecker delta function.

Algorithm 1 - Posterior distribution evaluation. [pseudocode listing not available in this extraction]

Consequently, the passive observation results in a refined security measure function. The advantage is that the more common system states and incidents are encountered during the passive observation, and hence their security measures are accurately refined. Therefore, if the refined measures are later used in automated intrusion response solutions, the response policies would be selected correctly for common system security states.

However, the accuracy level of the measures for the whole state space is strongly dependent upon the observation phase. In particular, the longer the observation phase is and the more states are encountered, the more accurate the refined security measure function will be. Additionally, the operator's expertise level could have a positive or negative impact on the refinement procedure results.

5. Active querying

Although EliMet also estimates the security measures for rarely encountered system states indirectly, sufficient information may not be gained during the passive observation phase for some of the states. Therefore, EliMet makes use of an active learning algorithm to select the states with the highest uncertainty in order, and to explicitly query the operator for the action.

In particular, EliMet determines the order of the selected states based on two criteria. First, as in generic artificial intelligence settings (Lopes et al., 2009), the less EliMet knows about a particular state, the more chance that state has of being selected. Second, in addition to the amount of expected information gain, the probability that the system enters a particular state also affects its chance of being selected. As a case in point, given the CMDP's initial state $s_0$, in which there is no ongoing attack and which is usually the most common system state, accurate security measure estimation of its immediate neighbors is more important than that of the states reaching which requires a large number of state transitions.

For every state selection iteration, EliMet uses the calculated posterior distribution $P(Sec \mid T)$ as well as the inter-state distance values to choose the most informative and important state. The problem with directly using $P(Sec \mid T)$ is that it denotes the distribution over the security measure functions, and not over individual states (Algorithm 1, Line 15). To resolve the issue, we define the $\mu$ density function as follows (Lopes et al., 2009):

\[ \mu_{s,a}(p) \triangleq P\big( P((s, a)) = p \mid T \big), \qquad (14) \]

which characterizes the distribution of the policy (Equation (10)) given the attack scenario for individual state-action pairs. The $\mu$ function can be calculated using the samples generated during the passive observation phase:

\[ \mu_{s,a}(p) = \frac{1}{|Samples|} \sum_{sec \in Samples} \delta\big(p, P((s, a) \mid sec)\big). \qquad (15) \]

EliMet uses the $\mu$ function to distinguish the states with the highest policy uncertainties. To quantify the policy uncertainty of individual states, EliMet measures the Shannon entropy associated with the $\mu$ function:

\[ H(\mu_{s,a}) = -\int_0^1 \mu_{s,a}(p) \log \mu_{s,a}(p) \, dp. \qquad (16) \]

Hence, the mean entropy for each individual system state

\[ H(s) = \frac{1}{|A(s)|} \sum_{a} H(\mu_{s,a}) \qquad (17) \]

is calculated using Equation (12), which is derived by a few simple replacements. Consequently, EliMet selects the best state choice:

\[ s^* = \arg\max_{s \in S} \frac{H(s)}{\log d(s_0, s)}, \qquad (18) \]

and queries the operator about the correct action $a^*$ in that particular state. As shown, the optimization takes into account the amount of entropy (uncertainty) on the policy, and the distance between the state and the initial state $s_0$. Given the correct action, EliMet updates the posterior distribution $P(Sec \mid T, (s^*, a^*))$ and continues the iterative state selection procedure by choosing the next most suitable state.

It is noteworthy that EliMet can take proper response actions to protect the system against even unknown attacks, i.e., attacks that had not been encountered during the security metric elicitation phase (passive observation and active querying steps). This is because of the way EliMet calculates the security metric values: intuitively, the response engine learns where the secure system states are concentrated within the generated system CMDP model according to the response actions taken by the operator. Consequently, when the learned security model is used as an intrusion response system, once the system enters a known or unknown security state, EliMet takes the response actions that drive the system towards the secure system states, where there is no compromised privilege domain left in the network.

6. Cyber-physical contingency analysis

Contingency analysis is one of the most fundamental predictive situational awareness tools for monitoring the power grid infrastructures. Once the state estimator program determines the system's current state estimate based on the IDS alerts, the estimate is used to run a series of "what if" scenarios referred to as contingency analysis. Briefly, contingency analysis allows operators to know the state of the system in the event of a contingency (Grainger and Stevenson, 1994). In this section, we present how the estimated security measure values can be used by EliMet for cyber-physical contingency analysis in the smart grid.

To perform the smart grid contingency analysis using the CMDP model, EliMet acts as the attacker using the estimated security measure values. Formally, EliMet picks the optimal adversarial actions given the current belief state of the system:

\[ V^*_a(b) = \min_{a_a \in A(b)} J_a\big(V^*_a, b, a_a\big), \qquad (19) \]

where $J_a$ denotes the value function given that a specific response action is taken:

\[ J_a\big(V^*_a, b, a\big) = r\big(b'_{b,a}\big) + \sqrt{\gamma} \cdot \max_{a_r \in A(b'_{b,a})} \Big[ r\big(b''_{b',a_r}\big) + \sqrt{\gamma} \cdot V_a\big(b''_{b',a_r}\big) \Big]. \qquad (20) \]

Given the adversarial optimal value function $V^*_a$, let us define the $Q_a$ function to be

\[ Q_a(s, a_a) = J_a\big(V^*_a, s, a_a\big), \quad a_a \in A_a(s), \qquad (21) \]

which represents the cost that the adversary should pay by taking $a_a$ as the first next immediate action, with the rest of the game played by both players selecting optimal adversarial and response actions (Equations (3) and (19)). Consequently, given the power grid's current security belief state $b$, EliMet ranks the most critical system-wide cyber-physical contingencies, i.e., the adversarial actions $(a_a^1, a_a^2, \ldots, a_a^{|A_a(s)|})$ that the security administrators should plan for the most, by ranking the $Q_a(s, \cdot)$ function values such that

\[ Q_a\big(s, a_a^1\big) \le Q_a\big(s, a_a^2\big) \le \cdots \le Q_a\big(s, a_a^{|A_a(s)|}\big). \qquad (22) \]

The above-mentioned contingency analysis algorithm, however, assumes that the current system security state is exactly determined. To take into account the IDS inaccuracies, EliMet calculates the expected adversarial cost function values as follows, given the current belief state estimate $b$:

$$Q_a(b, a_a) = \sum_{s \in S \,\mid\, a_a \in A_a(s)} b(s)\cdot J_a\big(V^*_a, b, a_a\big), \qquad (23)$$

and calculates the ranked contingency list as discussed above.

As EliMet focuses on contingencies originating from malicious cyber attacks, the initial contingencies will all be remote cyber-side vulnerability exploitations. This is because physical devices are almost never directly accessible from a remote machine unless the attacker has already penetrated deep into the control network. EliMet takes possible physical contingencies into consideration once states with the required set of privileges (compromised host systems) for physical consequences have been reached by the adversaries.

The proposed solution can be employed dynamically during the smart grid’s operational mode to provide the security officers with predictive situational awareness capabilities. In particular, they can monitor how future actions by attackers could impact the smart grid globally given the current system state estimate (Section 2). EliMet enables the officers to decide which critical components should be monitored more closely in order to detect potential exploitations of cyber vulnerabilities or adversarial actions with physical impact.
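As an added worked example (not the paper’s implementation), the following Python sketch applies Equations (19)–(23) to a small constructed CMDP: value iteration solves the attacker’s minimizing value function against the operator’s maximizing responses, each state’s admissible adversarial actions are then ranked by $Q_a$ to produce a Table-1-style contingency list, and a belief-weighted ranking handles an uncertain state estimate. The state names, security measures, actions and $\gamma$ are all constructed for illustration, and belief states are collapsed to single states, so $b'_{b,a}$ is simply the successor state.

```python
"""Cyber-physical contingency ranking on a toy competitive MDP.

Added example with a constructed model (not the paper's code). The attacker
is the minimizing player and the operator the maximizing player; each
half-move is discounted by sqrt(gamma) as in Equation (20), so one full
attack/response round is discounted by gamma.
"""
from typing import Dict, List, Tuple

GAMMA = 0.81                 # discount per full round (constructed)
SQRT_GAMMA = GAMMA ** 0.5    # 0.9 per half-move

# r(s): security measure of each state (constructed values). 1.0 = no
# compromised privilege domain; values near 0 = physical impact reachable.
R: Dict[str, float] = {
    "s0": 1.0,  # clean control network
    "s1": 0.7,  # DMZ historian compromised
    "s2": 0.4,  # engineering workstation compromised
    "s3": 0.1,  # substation gateway compromised
}

# A_a(s): adversarial actions admissible from each state -> destination state.
ATTACK: Dict[str, Dict[str, str]] = {
    "s0": {"exploit_historian": "s1"},
    "s1": {"pivot_to_ews": "s2", "hold_foothold": "s1"},
    "s2": {"reach_gateway": "s3", "hold_foothold": "s2"},
    "s3": {"hold_foothold": "s3"},
}

# A_r(s): response actions admissible from each state -> destination state.
RESPOND: Dict[str, Dict[str, str]] = {
    "s0": {"noop": "s0"},
    "s1": {"reimage_historian": "s0", "noop": "s1"},
    "s2": {"isolate_ews": "s1", "noop": "s2"},
    "s3": {"block_gateway": "s2", "noop": "s3"},
}


def j_a(v: Dict[str, float], s: str, a_a: str) -> float:
    """Equation (20): the attacker moves s -> s1, then the operator picks the
    response a_r maximizing r(s2) + sqrt(gamma) * V_a(s2)."""
    s1 = ATTACK[s][a_a]
    best_response = max(R[s2] + SQRT_GAMMA * v[s2] for s2 in RESPOND[s1].values())
    return R[s1] + SQRT_GAMMA * best_response


def solve_adversarial_values(tol: float = 1e-10, max_iter: int = 10_000) -> Dict[str, float]:
    """Equation (19) by value iteration: V*_a(s) = min over A_a(s) of J_a.
    The min/max update is a gamma-contraction, so it converges to the unique fixed point."""
    v = {s: 0.0 for s in R}
    for _ in range(max_iter):
        new_v = {s: min(j_a(v, s, a) for a in ATTACK[s]) for s in R}
        if max(abs(new_v[s] - v[s]) for s in R) < tol:
            return new_v
        v = new_v
    return v


def rank_contingencies(v: Dict[str, float], s: str) -> List[Tuple[float, str, str]]:
    """Equations (21)-(22): Q_a(s, a_a) for every admissible a_a, sorted
    ascending so the action the attacker values most comes first.
    Each entry is (Q_a value, adversarial action, destination state)."""
    return sorted((j_a(v, s, a), a, ATTACK[s][a]) for a in ATTACK[s])


def contingency_table(v: Dict[str, float]) -> Dict[str, List[str]]:
    """Table-1-style listing: for each state, the destination states of its
    contingencies, most critical first."""
    return {s: [dest for _, _, dest in rank_contingencies(v, s)] for s in R}


def rank_contingencies_belief(v: Dict[str, float], belief: Dict[str, float]) -> List[Tuple[float, str]]:
    """Equation (23): weight each state's J_a by the IDS-derived belief b(s),
    summing over the states in which the action is admissible, then rank."""
    q: Dict[str, float] = {}
    for s, prob in belief.items():
        for a in ATTACK[s]:
            q[a] = q.get(a, 0.0) + prob * j_a(v, s, a)
    return sorted((val, a) for a, val in q.items())


if __name__ == "__main__":
    values = solve_adversarial_values()
    table = contingency_table(values)
    for s in R:
        print(f"V*_a({s}) = {values[s]:.4f}   contingencies -> {table[s]}")
    # Uncertain estimate: the IDS alerts leave a 50/50 belief between s1 and s2.
    for q, a in rank_contingencies_belief(values, {"s1": 0.5, "s2": 0.5}):
        print(f"Q_a(b, {a}) = {q:.4f}")
```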

7. Evaluations

In particular, we designed a set of experiments to empirically answer the following questions: How accurately do the passive observation and active learning phases in EliMet estimate the security measure values? How efficiently does EliMet improve the confidence level of the refined measure values (how many questions does EliMet need to ask the operator)? How much does using EliMet improve the ultimate response strategies by automated response systems? And finally, how efficiently does EliMet provide the predictive situational awareness through its cyber-physical contingency analysis capability? We start by describing the experimentation setup, and then proceed to examine these five questions.

For our case study evaluations, a unified XML format was used to describe the power network topology and global access control policies. During the offline phase, EliMet used the NetAPT tool (Nicol et al., 2008) to perform a comprehensive security analysis of the access policy rules and to produce the network connectivity matrix according to the control network topology input. The matrix was later translated into a CMDP model. The CMDP model generation is implemented in C/C++, and the inverse reinforcement learning and decision making solutions are implemented in MATLAB (we have partially used the source code provided by the authors of Ramachandran and Amir (2007) and Lopes et al. (2009)).

We evaluated EliMet on a simulated power grid infrastructure that consisted of two control networks controlling and monitoring the IEEE 24-bus reliability test system (R. T. S. T. F. of the Application of Probability Methods Subcommittee, Nov. 1979). The control network models had identical network topologies and access control policies, and were built based on the topology of a real power control network which is kept anonymous due to a non-disclosure agreement. In our experiments, given the power network topology and the access policy rules, i.e., 103 Cisco PIX firewall rules, EliMet efficiently constructed the network connectivity matrix and generated the corresponding CMDP model.

7.1. How accurate is the metric elicitation in EliMet?

It is considered crucial for EliMet to accurately refine the initial measure values to make sure the final refined values truly reflect the network-specific expert knowledge about any particular power control network. We evaluated the accuracy of the end result of the presented security measure refinement algorithms by running them on our case study control network (Fig. 1).

7.1.1. Security measure refinement (metric elicitation)

Fig. 2 shows the refined security measure values for individual states of the case study CMDP model. In particular, for the evaluation purposes, we implemented an operator simulator, using the algorithm discussed in Section 3, that would get the CMDP model as well as security measure values as input, and would calculate optimal response actions for individual states. Then, having known the case study power control network, we intuitively assigned each state a security measure value. Those values were used by the operator simulator and are denoted by “Operator’s Security Measures” in Fig. 2. Consequently, we evaluated EliMet by having the operator simulator send EliMet the chosen optimal actions. To clarify, EliMet did not know about the assigned security measures, and instead estimated them using the optimal actions reported by the operator simulator. We also implemented the proposed active learning algorithms that EliMet used to further refine the security measures. Fig. 3 shows a sample EliMet-operator interaction scenario during the active querying phase (the responses could be extended to include more complicated actions).

Fig. 1 – Automatically generated competitive Markov decision process for the case study power control networks.

7.1.2. Uncertainty reduction (improvement of the confidence about the estimated measure values)

A trivial alternative querying technique to EliMet’s entropy minimization-based algorithm (Section 5) would be to select queries randomly according to a uniform distribution and ask the operator for the optimal policies. We evaluated how the presented active learning algorithm maximizes the information gain by asking the operator the most informative questions. Fig. 4 shows how active optimization and inquiry of informative questions accelerates the security measure refinement process compared to the situation in which questions are picked and asked randomly. The vertical axis represents the policy uncertainty (Section 5) after every single query. Estimation of the posterior security measure distribution was done using 200 samples, and each query took 7.2 s on average to be processed. The illustrated results were averaged over 10 independent runs.

7.2. Automated response improvement by using EliMet

One of EliMet’s main use cases is to calculate and refine the state-based security measure values for automated intrusion response solutions in such a way that the automatically selected response strategies match those of the operators closely. We implemented the automated intrusion response system presented in Section 3.

[Fig. 2 plot area: horizontal axis States (1–61), vertical axis Security Measure Values (0–0.7).]

7.2.1. Response policy refinement (ultimate response capability improvement)

One of the main factors affecting the accuracy of the security measure estimates after the passive observation phase is how long the operator’s behavior is observed. Fig. 5 shows the rate at which security measure values converge to their true values, i.e. the values used by the operator simulator. More specifically, the vertical axis denotes the 2-norm differences between the calculated policies $P((s, a) \mid Sec)$ and the operator’s policy. The policies were represented as matrices with $|S| \times |A_r|$ dimensions ($|A_r|$ denotes the number of possible response actions). The reported scalar difference values (vertical axis) were calculated over all the states. Fig. 5 reports the results for two different observed attack scenarios: 1) random attacks, in which the operator encounters a random sequence of states in the CMDP graph; and 2) concentrated attacks, which mostly follow real-world attack patterns so that the operator is faced mostly with the few states around the initial system state. The figure also compares those two attack scenarios with a situation where states are picked using the active learning algorithm. As shown in the figure, random attack scenarios and active querying led to the minimum and maximum security measure convergence rate, respectively.

Fig. 2 – Incremental security measure refinements for the case study CMDP’s state space. Legend: Operator’s Security Measures; Refined Security Measures.

Fig. 3 – A sample EliMet-operator interaction scenario.

7.2.2. Comparison: operator vs. engine

Finally, we evaluated how closely the operator’s responsive behavior and the automatically selected response strategies, using the security measure values, match before and after the security measure values are refined. Fig. 6 shows average optimal policy values $V(s)\ \forall s \in S$ calculated using security measure estimates 1) after the initial security assessment; 2) once the values are refined; and compares them to the operator’s policy. The security measure refinement procedure used 200 randomly selected reward samples in total (Section 4) and took 15.2 s to complete.

7.3. Performance analysis

host computers, EliMet analyzed the inputs and generated the CMDP model within 24 ms. The vulnerability factor of 2 is often very pessimistic given the extremely strict firewall configurations and protection solutions in real-world power control networks; however, the intention in doing this experiment was to evaluate, under such pessimistic assumptions, how the increasing network size affects the size of the CMDP model. For such cases, EliMet generated the corresponding CMDP graph within 400 ms for networks with 37 nodes.

7.3.1. Semi-real-time intrusion response

To be practical, the intrusion response solution needs to decide upon response actions quickly to minimize the overall damage cost due to the attack. Fig. 7 shows the decision making time requirement for CMDPs of different sizes. As illustrated, value functions are solved for and optimal response actions are decided upon within 2 s for fairly large CMDPs.

Fig. 4 – Gradual uncertainty reduction.

7.4. Cyber-physical contingency analysis

We implemented the proposed cyber-physical contingency analysis solution on our power grid case study. Our implementation takes each state $s_i$ in the CMDP model and calculates the $Q_a$ function values for all individual adversarial actions admissible from that state, $a_a \in A_a(s_i)$. Table 1 shows the results of the contingency analysis. Each entry in the table corresponds to the different contingencies that can occur from a particular CMDP state. As discussed in Section 6, the contingencies are ranked based on their accumulative global impact in the future on the whole power grid. In particular, the destination states (i.e., the resulting states if the contingencies are successfully carried out by the adversaries) are listed in the table.

8. Related work

Intrusion detection alert-based system security metrics and evaluation techniques for critical assets fall into two categories. First, manual solutions, such as FLIPS (Ke et al., 2005) and SoSMART (Musman and Flesher, 2000), in which an IDS alert scoring value is hard-coded on each detection rule; the (alert, score) mappings are stored in a lookup table to be used later to prioritize alerts. Other static approaches include TRINETR (Yu et al., 2005), M-Correlator (Porras et al., 2002), FuzMet (Alsubhi et al., 2008), and causal analysis (Lee and Qin, 2005). These techniques use manually filled knowledge bases of system configuration and target importance to associate a context with each alert and to provide situational awareness accordingly. The advantages of the static techniques are their simplicity and their rapidity. However, they suffer from a lack of flexibility, mainly because they completely ignore the system configuration, and from a lack of scalability, since it is infeasible to predict all the alert combinations from IDSes in a large-scale network.

[Plot: horizontal axis Queries (1–61), vertical axis Uncertainty (0–0.9); series: Random States (queries), Active Query.]

Fig. 5 – Gradual policy improvement.

[Plot: horizontal axis States (1–61), vertical axis Optimal Policy Value (0–14); series: Initial Security Assessment, Refined, Operator.]

Fig. 6 – Optimal policy value comparison.

Table 1 – The contingency analysis results for individual power grid security states. Each entry lists a state and the destination states of its contingencies, most critical first.

s0 → s1, s60, s54 | s1 → s59, s0, s2
s2 → s3, s56, s48, s54, s28, s44 | s3 → s20, s21, s4
s4 → s9, s15, s18, s5 | s5 → s4, s7, s6
s6 → s15, s8, s5 | s7 → s9, s8
s8 → s10, s7 | s9 → s10, s13, s7
s10 → s9, s11, s8 | s11 → s13, s12
s12 → s11, s14 | s13 → s11, s14
s14 → s13, s12 | s15 → s4, s10, s16, s6
s16 → s11, s18, s17 | s17 → s16
s18 → s13, s16, s19 | s19 → s18, s17, s14
s20 → s3, s22, s15 | s21 → s22, s9
s22 → s21, s24, s10, s23 | s23 → s22
s24 → s25, s11 | s25 → s24, s26, s13
s26 → s25, s27 | s27 → s24, s26, s12
s28 → s4, s33, s39, s42, s29 | s29 → s28, s31, s30
s30 → s39, s32, s29 | s31 → s33, s32
s32 → s34, s31 | s33 → s34, s9, s37, s31
s34 → s33, s10, s35, s32 | s35 → s11, s37, s36
s36 → s35, s12, s38 | s37 → s35, s13, s38
s38 → s37, s36, s14 | s39 → s28, s34, s15, s40, s30
s40 → s16, s35, s42, s41 | s41 → s40
s42 → s37, s40, s18, s43 | s43 → s42, s41, s19, s38
s44 → s2, s46, s45 | s45 → s54, s47, s44
s46 → s48, s47 | s47 → s49, s46
s48 → s21, s51, s33, s49, s46 | s49 → s50, s22, s34, s48, s47
s50 → s51 | s51 → s50, s25, s52, s37
s52 → s51, s53 | s53 → s50, s27, s52, s36
s54 → s20, s49, s2, s39, s55, s45 | s55 → s56, s57, s50, s40, s58
s56 → s51, s55 | s57 → s16
s58 → s55 | s59 → s60, s48
s60 → s59, s49

Second, there are automated methods, which are mostly based on attack tree analyses. The main idea is to capture potential system vulnerabilities, and then extract all possible attack paths. The generated graph can be used to compute security metrics (Kotenko and Stepashkin, 2006; Wang et al., 2007, 2008b), to qualitatively assess the security strength of a network (Pamula et al., 2006; Wang et al., 2006), to identify the most critical assets in the organization (Sawilla and Ou, 2008), or for security visualization (Noel et al., 2005). In particular, Noel and Jajodia (2008) use an approach called Topological Vulnerability Analysis (TVA) (Jajodia et al., 2005; Jajodia and Noel, 2008) to match network configuration with attack simulation in order to optimize IDS sensor placement and to prioritize IDS alerts. The main issue with automated techniques is that they often make generic assumptions about network configurations and about how critical individual assets are, and furthermore, they are rarely customized specifically for the networks in which they are deployed. Consequently, the calculated security measure values could be inaccurate, marking insecure states as secure or vice versa.

In addition to the above-mentioned low system-level (microscopic viewpoint) solutions that investigate the security of each individual critical asset, several high-level critical infrastructure protection solutions have also been proposed. These solutions concentrate on security analysis of the critical infrastructures from a macroscopic viewpoint, e.g., the dependence among various networked critical assets. De Porcellinis et al. (2009) propose a hybrid technique to analyze inter-asset dependencies, such as physical, cyber, geographical and logical interdependencies, in critical infrastructures. The proposed solution uses reductionistic techniques to model critical infrastructures as sets of interconnected elementary elements that collaborate to achieve a unique objective. Oliva et al. (2010) present an input–output inter-dependency model to analyze energy grid infrastructures. The input–output model formulates resource exchanges among sub-systems mathematically, where parameters are later estimated using real data sets and expert knowledge. Theoharidou et al. (2010, 2011) propose a holistic criticality assessment methodology that aims to integrate existing security plans and risk assessments performed in isolated sub-systems. The authors achieve the above-mentioned objective through a three-layer hierarchical security assessment, i.e., operator, sector and national layers. Utne et al. (2011) present an inter-asset dependency assessment technique to perform a cross-sector vulnerability analysis in critical infrastructures by accomplishing two analysis steps: 1) hazardous event identification; and 2) detailed analysis of dependencies among the identified events. Zio and Sansavini (2011) analyze cascading failures and propagation of faults in distributed systems that occur due to functional and logical interdependencies among the network components. The authors introduce the average cascade size concept to measure the degree of coupling/inter-dependence within a given distributed system topology. Kotzanikolaou et al. (2013) address the lack of past effective solutions in the area of multi-order dependencies, i.e., assessing the cumulative effects of a single incident on infrastructures that are connected indirectly. The proposed technique utilizes first-order dependency graphs to assess the effect of a disruption on consequent infrastructures, and hence to identify and prevent security threats of very high impact from a macroscopic view. EliMet provides a security metric elicitation framework that can be integrated with the above-mentioned macroscopic solutions to take into account the inter-sector dependencies while learning security measures and predicting attackers’ next potential steps. In particular, response actions in EliMet could be both micro-level, e.g., to delete a virus file on a computer, or macro-level, e.g., to shed a large neighborhood load to restore the power grid’s normal operation. In other words, EliMet can be used to learn security measure values at different interconnection levels such as host system level, substation level or transmission level.

[Fig. 7 plot area: horizontal axis CMDP size (#states) (0–20000), vertical axis Time (msec) (0–1800).]

Fig. 7 – Time requirements for automated intrusion response.

9. Conclusions and future work

In this paper, we presented EliMet, a semi-automated security metric elicitation algorithm for power control networks that combines information from different sources, and consequently estimates the security level of individual system states. EliMet makes use of the expert knowledge by passively observing the operator’s responsive behavior and, in the meanwhile, minimizes the explicit human involvement by actively asking the operator the most informative clarification questions. As shown in our experiments, such security measure values can be used for real-time situational awareness or automated intrusion response purposes. Our results on the case study power control network show that EliMet accurately estimates security measure values that significantly improve the quality of the automated situational awareness and intrusion response capabilities.

Following the promising experimental results, we are currently investigating two potential future work extensions to EliMet. First, we are working on a real-world deployment of EliMet on a small-scale power grid control network testbed. The main challenge that we face in practice is dynamic reconfiguration of the underlying system, which EliMet should get notified about, because the system models that EliMet generates and makes use of depend heavily on the underlying system configuration. Additionally, we need to investigate how the dynamical evolution of the system topology affects the security metric elicitation in EliMet, as security measures for different system models may differ; however, the difference margins need to be evaluated in practice. Second, we are looking at using the algorithms introduced in EliMet to quantify adversarial decision making. In particular, would it be possible to observe an attacker’s action sequence during the initial stages of an attack, create his or her attack behavioral model, and predict the next adversarial steps? We are considering using the introduced security elicitation algorithms to create the attacker’s behavioral model, i.e., the security measure values that he or she uses to make decisions upon how to penetrate into the control network assets.

References

Alsubhi K, Al-Shaer E, Boutaba R. Alert prioritization in intrusion detection systems. In: IEEE network operations and management symposium (NOMS) 2008. p. 33–40.

Bearavolu R, Lakkaraju K, Yurcik W, Raje H. A visualization tool for situational awareness of tactical and strategic security events on large and complex computer networks. In: Proceedings of the 2003 IEEE conference on military communications – vol. II, ser. MILCOM’03. Washington, DC, USA: IEEE Computer Society; 2003. p. 850–5.

Bellman R. Dynamic programming. Princeton University Press; 1957, republished 2003.

Berger JO. Statistical decision theory and Bayesian analysis. New York: Springer; 1993.

Chib S, Greenberg E. Understanding the Metropolis-Hastings algorithm. The American Statistician 1995;49(4):327–35. Available: http://dx.doi.org/10.2307/2684568.

De Porcellinis S, Oliva G, Panzieri S, Setola R. A holistic-reductionistic approach for modeling interdependencies. In: Critical infrastructure protection III. Springer; 2009. p. 215–27.

Electricity grid in U.S. penetrated by spies. Available online at http://online.wsj.com/article/SB123914805204099085.html; 2009.

Falliere N, Murchu LO, Chien E. W32.Stuxnet Dossier. Symantec Security Response; Oct. 2010. Tech. Rep.

Grainger JJ, Stevenson WD. Power system analysis. McGraw Hill; 1994.

Jajodia S, Noel S. Topological vulnerability analysis: a powerful new approach for network attack prevention, detection, and response. In: Indian Statistical Institute monograph series; 2008.

Jajodia S, Noel S, O’Berry B. Topological analysis of network attack vulnerability. In: Managing cyber threats 2005. p. 247–66.

Kaelbling L, Littman M, Cassandra A. Partially observable Markov decision processes for artificial intelligence. In: Proceedings of the German conference on artificial intelligence: advances in artificial intelligence, vol. 981; 1995. p. 1–17.

Ke ML, Wang K, Keromytis AD, Stolfo SJ. FLIPS: hybrid adaptive intrusion prevention. In: Proceedings of the symposium on recent advances in intrusion detection (RAID) 2005. p. 82–101.

Kotenko I, Stepashkin M. Attack graph based evaluation of network security. In: Comm. and multimedia security 2006. p. 216–27.

Kotzanikolaou P, Theoharidou M, Gritzalis D. Assessing n-order dependencies between critical infrastructures. International Journal of Critical Infrastructures 2013;9(1):93–110.

Lee W, Qin X. Statistical causality analysis of infosec alert data. In: Managing cyber threats 2005. p. 101–27.

Lopes M, Melo F, Montesano L. Active learning for reward estimation in inverse reinforcement learning. In: Proceedings of the European conference on machine learning and knowledge discovery in databases: part II, ser. ECML PKDD’09. Berlin, Heidelberg: Springer-Verlag; 2009. p. 31–46. Available: http://dx.doi.org/10.1007/978-3-642-04174-7_3.

McIntyre A, Becker B, Halbgewachs R. Security metrics for process control systems; 2007. Sandia Report.

Musman S, Flesher P. System or security managers adaptive response tool. In: Proceedings of the DARPA information survivability conference and exposition, vol. 2; 2000. p. 56–68.

Nicol DM, Sanders WH, Singh S, Seri M. Usable global network access policy for process control systems. IEEE Security and Privacy 2008;6:30–6.

Noel S, Jajodia S. Optimal IDS sensor placement and alert prioritization using attack graphs. Journal of Network and Systems Management September 2008;16:259–75. Available: http://dl.acm.org/citation.cfm?id=1459115.1459116.

Noel S, Jacobs M, Kalapa P, Jajodia S. Multiple coordinated views for network attack graphs. In: IEEE workshop on visualization for computer security (VizSEC) 2005. p. 99–106.

Oliva G, Panzieri S, Setola R. Agent-based input–output interdependency model. International Journal of Critical Infrastructure Protection 2010;3(2):76–82.


Pamula J, Jajodia S, Ammann P, Swarup V. A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the ACM workshop on quality of protection 2006. p. 38.

Porras P, Fong M, Valdes A. A mission-impact-based approach to INFOSEC alarm correlation. In: Proceedings of the symposium on recent advances in intrusion detection 2002. p. 95–114.

R. T. S. T. F. of the Application of Probability Methods Subcommittee. IEEE reliability test system. IEEE Transactions on Power Apparatus and Systems Nov. 1979;PAS-98(6):2047–54.

Ramachandran D, Amir E. Bayesian inverse reinforcement learning. In: Proceedings of the 20th international joint conference on artificial intelligence, ser. IJCAI’07. San Francisco, CA, USA: Morgan Kaufmann Publishers Inc.; 2007. p. 2586–91. Available: http://dl.acm.org/citation.cfm?id=1625275.1625692.

Ranum MJ, Landfield K, Stolarchuk MT, Sienkiewicz M, Lambeth A, Wall E. Implementing a generalized tool for network monitoring. In: Proceedings of the USENIX conference on systems administration 1997. p. 1–8.

Sawilla R, Ou X. Identifying critical attack assets in dependency attack graphs. In: Computer security – ESORICS 2008. p. 18–34.

Stouffer K, Falco J, Kent K. Guide to supervisory control and data acquisition and industrial control systems security. In: SPIN 2006.

Theoharidou M, Kotzanikolaou P, Gritzalis D. A multi-layer criticality assessment methodology based on interdependencies. Computers & Security 2010;29(6):643–58.

Theoharidou M, Kotzanikolaou P, Gritzalis D. Risk assessment methodology for interdependent critical infrastructures. International Journal of Risk Assessment and Management 2011;15(2):128–48.

Utne IB, Hokstad P, Vatn J. A method for risk modeling of interdependencies in critical infrastructures. Reliability Engineering & System Safety 2011;96(6):671–8.

Wang L, Noel S, Jajodia S. Minimum-cost network hardening using attack graphs. Computer Communications 2006;29(18):3812–24.

Wang L, Singhal A, Jajodia S. Measuring the overall security of network configurations using attack graphs. In: Proceedings of the 21st annual IFIP WG 11.3 working conference on data and applications security. Springer-Verlag; 2007. p. 98–112.


Wang L, Islam T, Long T, Singhal A, Jajodia S. An attack graph-based probabilistic security metric. In: Atluri V, editor. Data and applications security XXII, ser. Lecture notes in computer science, vol. 5094. Berlin/Heidelberg: Springer; 2008a. p. 283–96. Available: http://dx.doi.org/10.1007/978-3-540-70567-3_22.

Wang L, Islam T, Long T, Singhal A, Jajodia S. An attack graph-based probabilistic security metric. In: Data and applications security XXII 2008b. p. 283–96.

Yu J, Ramana Reddy Y, Selliah S, Reddy S, Bharadwaj V, Kankanahalli S. TRINETR: an architecture for collaborative intrusion detection and knowledge-based alert evaluation. Advanced Engineering Informatics 2005;19(2):93–101.

Zio E, Sansavini G. Modeling interdependent network systems for identifying cascade-safe operating margins. IEEE Transactions on Reliability 2011;60(1):94–101.

Zonouz S, Houmansadr A, Haghani P. EliMet: security metric elicitation in power grid critical infrastructures by observing system administrators’ responsive behavior. In: IEEE/IFIP international conference on dependable systems and networks 2012. p. 1–12.

Saman Zonouz is an Assistant Professor in the Electrical and Computer Engineering Department at the University of Miami. He received his Ph.D. in Computer Science from the University of Illinois at Urbana-Champaign in 2011. He has worked on intrusion response and recovery, information flow-based security metrics for power-grid critical infrastructures and online digital forensics analysis. His research interests include: computer security and survivable systems, control/game theory, intrusion response and recovery systems, and trustworthy power-grid critical infrastructures.

Parisa Haghani received her Ph.D. in Computer Science from the Distributed Information Systems Laboratory under the supervision of Professor Karl Aberer at EPFL, Lausanne, Switzerland. Her research interests include cyber security, cryptography, and efficient processing of ranked queries in peer-to-peer networks. She received her M.Sc. in Computer Engineering from Sharif University of Technology. She later got another M.Sc. degree in Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign.
