Available online at www.sciencedirect.com
Computers & Security xxx (2013) 1-11
journal homepage: www.elsevier.com/locate/cose
Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators' responsive behavior

Saman Zonouz a,*, Parisa Haghani b
a University of Miami, USA
b University of Illinois at Urbana-Champaign, USA

Article info
Article history:
Received 11 March 2013
Received in revised form
24 June 2013
Accepted 1 July 2013
Keywords:
Power grid critical infrastructure
Intrusion detection and response
Security metric
Situational awareness
Cyber-physical system security
* Corresponding author. E-mail addresses: [email protected] (S. Zonouz), [email protected] (P. Haghani).
Please cite this article in press as: Zonouz S, Haghani P, Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators' responsive behavior, Computers & Security (2013), http://dx.doi.org/10.1016/j.cose.2013.07.003
0167-4048/$ - see front matter © 2013 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.cose.2013.07.003
Abstract

To protect complex power-grid control networks, efficient security assessment techniques are required. However, efficiently making sure that calculated security measures match the expert knowledge is a challenging endeavor. In this paper, we present EliMet, a framework that combines information from different sources and estimates the extent to which a control network meets its security objective. Initially, EliMet passively observes system operators' online reactive behavior against security incidents, and accordingly refines the calculated security measure values. To make the values comply with the expert knowledge, EliMet actively queries operators regarding those states for which sufficient information was not gained during the passive observation. Finally, EliMet makes use of the estimated security measure values for predictive situational awareness by ranking potential cyber-physical contingencies that the security administrators should plan for upfront. Our experimental results show that EliMet can optimally make use of prior knowledge as well as automated inference techniques to minimize human involvement and efficiently deduce the expert knowledge regarding individual states of that particular system.

© 2013 Elsevier Ltd. All rights reserved.
1. Introduction

The bulk electricity delivery system known as the power grid is extremely fundamental to most aspects of modern society. Power grid critical infrastructures form a vast and interconnected cyber-physical network for delivering electricity from generation plants to end-point consumers. Traditionally, power system operators, sitting in control network rooms, monitor and control the underlying physical system in order to guarantee secure energy delivery. Due to their importance, power control networks have been a very attractive attack surface for malicious attackers and nation-state terrorists to penetrate the network and consequently cause catastrophic physical damage. Remote malicious cyber attacks against the U.S. electrical grid caused approximately $100 million of damage cost in 2009 (Electricity grid in U.S. penetrated by spies, 2009). The most recent control system malware called Stuxnet (Falliere et al., 2010) was crafted to sabotage nuclear power plants. Stuxnet specifically raised new questions about power grid security (doi:10.1109/MSP.2009.76), the protection of which is strictly recommended by the government, as destruction of those systems would have a debilitating impact on national security (Stouffer et al., 2006).
Currently, to protect the power grid critical infrastructures, operators watch scrolling alerts from intrusion detection systems (IDSes) and manually take response and recovery actions if they notice a malicious network activity. However, with the increasing complexity of large-scale control systems and sophisticated targeted attacks, as well as the overwhelming amount of daily triggered IDS alerts, manual maintenance of those infrastructures is no longer feasible (Bearavolu et al., 2003). On the other hand, automation of intrusion response solutions requires very accurate and meaningful system-specific security metrics to compare different system security states in order to automatically choose optimal response strategies.
Previous efforts in designing scalable and efficient system security metrics have fallen short in two major aspects. First, existing solutions rely heavily on expert knowledge and human involvement (Ranum et al., 1997). As a case in point, McIntyre et al. (2007) introduce a multi-step manual process to assess the security of a power control network. The system administrator must go over different system states in an offline phase, and manually assess their security level. As manual inspection of system states becomes very tedious in practice, other researchers have attempted to automate the system metric assessment procedure by making use of generic notions and heuristics. For instance, Wang et al. (2008a) propose a generic probabilistic security metric which is based on heuristics and can be calculated automatically for each system security state. However, complete validation of such generic and heuristics-based metrics, i.e., verifying whether the calculated values really match the expert knowledge, is not always feasible. Consequently, if such metrics are employed for automated intrusion response support, irrelevant response actions may be chosen that could potentially result in another insecure system state.
This paper builds on our previous work (Zonouz et al., 2012). We present EliMet, a hybrid security metric assessment framework. EliMet exploits the expert knowledge passively and minimizes the explicit human involvement to efficiently calculate realistic and system-specific security measure values for large-scale power control networks. In particular, EliMet employs a game-theoretic state-based model of the power control network, called competitive Markov decision process, as well as the expert knowledge gathered by passively observing power system operators while they receive IDS alerts in real time and carry out responsive and maintenance actions. After the passive learning phase, EliMet actively queries system operators only regarding the system states whose security measures have not been accurately refined during the learning phase. Consequently, EliMet stores the calculated security measure value for each state, which can be used later by automated response solutions to respond to attackers when power system operators are not present. Furthermore, EliMet makes use of the calculated security measure values for cyber-physical contingency analysis to inform the operators of the next immediate potential adversarial actions so that they can protect the power network by planning ahead or monitoring the critical points more closely.
In particular, during the online phase, EliMet employs a game-theoretic state-based model of the system, called competitive Markov decision process, and dynamically updates the current system state estimate according to alerts triggered by intrusion detection systems. Given the current system state, the passive observation module employs an inverse reinforcement learning algorithm to calculate security measure values by observing the operators' responsive behavior. The responsive behavior is formulated as a sequence of (state, action) pairs such as (<A, B, C>, Restore B), where the operator decides to restore host B once systems A, B, and C are identified to be compromised. Since the passive learning interval may not be sufficient to accurately refine the security measures, as some system states may rarely happen in practice, the active querying module asks the operators what actions they would take if the system were in particular states. For instance, EliMet asks for the operator's best response out of the possible response set {Restore A, Restore B, Restore C} (according to the CMDP model) if the system were in state <A, B, C>. An information-theoretic approach is used to minimize the number of questions by iteratively asking questions that lead to the maximum expected information gain. Consequently, the active querying module produces refined security measure values that are used later for predictive situational awareness, i.e., cyber-physical contingency analysis, or automated intrusion response purposes.
2. State estimation

Reciprocal interaction between the adversary and the power system operator or automated response engine in EliMet is modeled as a game on a state-based model of the power grid, i.e., a competitive Markov decision process (CMDP), in which each player tries to maximize his or her own benefit. Formally, a discrete CMDP $G$ is defined as a tuple $(S, A, Sec(\cdot), P, \gamma)$, where $S$ is the security state space, assumed to be an arbitrary non-empty set endowed with the discrete topology. $A$ is the set of actions, which itself is partitioned into response actions and adversarial actions depending on the player. For every $s \in S$, $A(s) \subseteq A$ is the set of admissible actions at state $s$. The measurable function $Sec : S \to [0,1]$ is the security measure calculated for each state, and $P$ is the transition probability function; that is, if the present state of the system is $s \in S$ and an action $a \in A(s)$ is taken, resulting in a state transition to state $s'$ with probability $P(s'|s,a)$, an immediate reward $Sec(s')$, i.e., the security measure value of the state $s'$, is obtained by the player taking the action. $\gamma$ is the discount factor and is normalized, i.e., $0 < \gamma < 1$.
Before the security measure refinement, at each time instant, EliMet needs to determine the system's current security state based on the triggered IDS alerts. However, the exact system state is usually not completely observable due to IDS inaccuracies, i.e., false positive and negative rates. To address the partial observability problem, we define the notion of the system's belief state $b \in B$, which formally is a probability distribution over all states $s \in S$ in the state space of the system. Therefore, at each time instant, instead of the exact current state, EliMet estimates the system's belief state $b'$ based on the previous belief state $b$ and the current observations (IDS alerts) $O$:

$$b'_{b,O}(s') = \sum_{s \in S} \Big\{ b(s) \cdot \sum_{a_a \in A(b)} \big[ P(s'|s,a_a) \cdot P(a_a|O) \big] \Big\}, \qquad (1)$$

where $b(s)$ denotes the probability of the system being at state $s$ given that the current belief state is $b$. $A(b)$ is the set of admissible actions in states with nonzero probabilities according to $b$, i.e., $A(b) = \bigcup_{s \in S : b(s) \neq 0} A(s)$. Furthermore,

$$P(a_a|O) = \mathbb{1}_{o_{a_a} \in O} \cdot \big[ 1 - P(\neg a_a \,|\, o_{a_a}) \big] + \mathbb{1}_{o_{a_a} \notin O} \cdot \big[ P(a_a \,|\, \neg o_{a_a}) \big] \qquad (2)$$

is the probability that the attacker performed action $a_a$ given the current observations. $\mathbb{1}$ is the indicator function, and $o_{a_a}$ is the IDS alert reporting occurrence of the incident (adversarial action) $a_a$. $P(\neg a_a \,|\, o_{a_a})$ and $P(a_a \,|\, \neg o_{a_a})$ denote the false positive and false negative rates, respectively, which depend on the intrusion detection system by which the corresponding alerts are triggered. Here, we assume the false positive and negative rates for intrusion detection systems are given (see footnote 1); otherwise they are both set to 0 by default. Similarly, the system's belief state is updated once a response action $a_r \in A$ is taken; however, the update equation is simpler in that case as the selected action is known.
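The belief update of Equations (1) and (2) on a small constructed model, as an added example that is not part of the paper: the two hosts, the IDS rates and the deterministic transitions are assumptions, and the silent "wait" action and the final renormalisation are additions made here so that Equation (1) yields a probability distribution.

```python
"""Belief-state tracking of Section 2 on a constructed toy CMDP (added example, not the
paper's code). States are sets of compromised hosts; an adversarial action compromises one
more host; the IDS raises alert o_a for action a with known false positive/negative rates."""
from itertools import combinations

HOSTS = ("A", "B")
STATES = [frozenset(c) for k in range(len(HOSTS) + 1) for c in combinations(HOSTS, k)]

# Constructed IDS characteristics per alertable adversarial action:
#   FP = P(not a | o_a): the alert fired although a did not happen
#   FN = P(a | not o_a): a happened but no alert fired
IDS_RATES = {("compromise", "A"): (0.10, 0.20), ("compromise", "B"): (0.05, 0.30)}
WAIT = ("wait", None)


def adversarial_actions(s):
    """A(s) for the adversary: compromise a host that is still clean, or do nothing this step."""
    return [("compromise", h) for h in HOSTS if h not in s] + [WAIT]


def transition(s, a):
    """P(s'|s,a) as a dict; the toy model is deterministic (an attempted compromise succeeds)."""
    kind, host = a
    if kind == "compromise":
        return {s | {host}: 1.0}
    if kind == "restore":
        return {s - {host}: 1.0}
    return {s: 1.0}  # wait


def p_action_given_obs(a, observed, admissible):
    """Equation (2) for alertable actions: 1_{o_a in O}*(1 - FP) + 1_{o_a not in O}*FN.
    For the silent 'wait' action (assumption of this toy model) use the probability that none
    of the alertable actions admissible in the same state took place."""
    if a == WAIT:
        prod = 1.0
        for other in admissible:
            if other != WAIT:
                prod *= 1.0 - p_action_given_obs(other, observed, admissible)
        return prod
    fp, fn = IDS_RATES[a]
    return (1.0 - fp) if a in observed else fn


def belief_update_alerts(belief, observed):
    """Equation (1): b'(s') = sum_s b(s) * sum_a P(s'|s,a) * P(a|O), with O given as the set of
    actions whose alerts fired. P(s'|s,a) is zero for actions not admissible in s, so the inner
    sum runs over A(s). The weights of Equation (2) are not a distribution over actions, so
    the result is renormalised to keep b' a probability distribution."""
    new = {s: 0.0 for s in STATES}
    for s, mass in belief.items():
        if mass == 0.0:
            continue
        admissible = adversarial_actions(s)
        for a in admissible:
            w = p_action_given_obs(a, observed, admissible)
            for s_next, p in transition(s, a).items():
                new[s_next] += mass * p * w
    total = sum(new.values())
    return {s: v / total for s, v in new.items()}


def belief_update_response(belief, a_r):
    """Known-action update (Equation (5) of Section 3): no P(a|O) weighting is needed."""
    new = {s: 0.0 for s in STATES}
    for s, mass in belief.items():
        for s_next, p in transition(s, a_r).items():
            new[s_next] += mass * p
    return new


def most_likely_state(belief):
    return max(belief, key=belief.get)


if __name__ == "__main__":
    b0 = {s: (1.0 if not s else 0.0) for s in STATES}       # clean network, no attack
    b1 = belief_update_alerts(b0, {("compromise", "A")})    # IDS alert: A compromised
    b2 = belief_update_alerts(b1, set())                     # next interval: no alerts
    b3 = belief_update_response(b2, ("restore", "A"))        # operator restores A
    for name, b in (("b1", b1), ("b2", b2), ("b3", b3)):
        print(name, {"".join(sorted(s)) or "<>": round(v, 3) for s, v in b.items()})
```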
3. Optimal response selection

In this section, we explain how EliMet models the response action selection procedure by the operator. EliMet then uses this model to infer the security measure values on which the operator's response strategies are implicitly based.

In particular, EliMet solves the power grid's CMDP model to find the optimal action which maximizes the expected accumulative long-run reward measure received after a sequence of response and adversarial actions (see footnote 2). Using the infinite-horizon discounted cost technique (Kaelbling et al., 1995), EliMet gives more weight to nearer future rewards by recursively adding up the immediate reward, i.e., the security measure value $Sec(\cdot)$, and the discounted expected game value from then on.

To formulate, EliMet computes the optimal policy $\pi^*(\cdot)$ that associates with any belief state $b \in B$ an optimal response action $\pi^*(b)$. EliMet formulates the response action selection procedure as a game-theoretic maximin problem. In particular, every policy $\pi$ is assigned a value function $V^\pi$ that associates every belief state $b \in B$ with an expected global reward $V^\pi(b)$ obtained by applying $\pi$ in $b$. Bellman's optimality equation (Equation (3)) characterizes the unique optimal value function $V^*$, from which an optimal policy $\pi^*$ can be easily derived:

$$V^*(b) = \max_{a_r \in A(b)} J(V^*, b, a_r), \qquad (3)$$

where $J$ denotes the value function given that a specific response action is taken:

$$J(V^*, b, a) = r\big(b'_{b,a}\big) + \sqrt{\gamma} \cdot \min_{a_a \in A(b'_{b,a})} \Big[ r\big(b''_{b',a_a}\big) + \sqrt{\gamma} \cdot V^*\big(b''_{b',a_a}\big) \Big], \qquad (4)$$

in which $b'_{b,a}$ denotes the updated next belief state if the current state is $b$ and action $a$ is taken:

$$b'_{b,a}(s') = \sum_{s \in S} \big[ P(s'|s,a) \cdot b(s) \big], \qquad (5)$$

and the $r$ function computes security measure values for belief states using the security levels of individual states:

$$r(b) = \sum_{s \in S} \big[ b(s) \cdot Sec(s) \big]. \qquad (6)$$

Briefly, to calculate $V^*$ numerically, EliMet uses the value iteration algorithm (Bellman, 1957) that applies dynamic programming iterative updates to gradually improve on the value until it converges to the $\epsilon$-optimal value function (Bellman, 1957), i.e., $|V_t(b) - V_{t-1}(b)| < \epsilon$. Through improvement of the value, the policy is implicitly improved as well. Once the partially observable decision process is formulated and the $\epsilon$-optimal value function is calculated, EliMet determines the optimal response strategy $\pi^*$ at any given belief state using:

$$\pi^*(b) = \arg\max_{a_r \in A(b)} J(V^*, b, a_r). \qquad (7)$$

In the rest of this section, we discuss how EliMet makes use of the operator's responsive behavior at a subset of states to calculate the security measure values. The ultimate goal is to make sure that the automatically calculated optimal policy $\pi^*$ (using the calculated values and the optimal response action selection algorithm discussed above) matches the response strategies taken by the expert operator.

1 EliMet can take qualitative values, e.g., {low, medium, high}, which are later translated into crisp values, i.e., {0.25, 0.5, 0.75}.
2 As discussed in Section 4, EliMet can model operators with different expertise levels who may not always select optimal response strategies.
4. Passive observation

Computation of a security measure function that explains the operator's response policy is essentially an inverse control problem in which $Sec(\cdot)$ is desired given $\pi^*$. In particular, EliMet employs a game-theoretic inverse reinforcement learning algorithm to consider the operator's policy as evidence, and consequently update the a priori security measure values $Sec_i(\cdot)$. The a priori values can either be assigned initial arbitrary values, e.g., 0, or, to accelerate the convergence, be calculated using generic (possibly inaccurate) security assessment algorithms (e.g., Wang et al., 2008a). EliMet will refine the a priori values iteratively such that they match the expert knowledge about the system as closely as possible.

Similar to Ramachandran and Amir (2007), uncertainty of the prior security measure knowledge is modeled using the Laplace density function:

$$P(Sec(s) = r) = \frac{1}{2\sigma} \, e^{-\frac{|r - Sec_i(s)|}{2\sigma}}, \qquad \forall s \in S, \qquad (8)$$

where $P(Sec(s) = r)$ denotes the probability that the security measure value for the state $s$ is equal to $r$. As a distribution parameter, $\sigma$ denotes the predefined uncertainty level.

Formally, EliMet takes the operator's noisy response policy during an attack scenario as well as the above a priori knowledge to derive the posterior distribution of the system security measure. In particular, an attack scenario $T$ is represented as a sequence of (state, action) pairs $T = [(s_1, a_1), (s_2, a_2), \dots, (s_n, a_n)]$ that denotes the system states and the operator's corresponding responses.

Due to the Markov property of the CMDP, determination of response actions, at each time instant, depends only on the present state. Therefore,

$$P(T|Sec) = P((s_1,a_1)|Sec) \cdot P((s_2,a_2)|Sec) \cdots P((s_n,a_n)|Sec), \qquad (9)$$

where $P((s_i,a_i)|Sec)$ denotes the probability that $a_i$ is selected as the optimal policy at state $s_i$ given the security measure function $Sec$. It is important to highlight that the optimal policy value is always unique; however, the above probability distribution encodes the noise in the optimal policy samples due to the operator's expertise level.

The optimal policy $\pi^*$ maximizes the $J$ function in Equation (7). Therefore, the larger $J$ is, the more likely it is that the operator would take action $\pi^*(s)$ at state $s$. Additionally, this likelihood increases as we get more confident in the operator's expertise level, i.e., that he or she can respond appropriately (Ramachandran and Amir, 2007):

$$P((s,a)|Sec) = \frac{e^{\sigma \cdot J(V,s,a)}}{\sum_{a' \in A} e^{\sigma \cdot J(V,s,a')}}, \qquad (10)$$

where $\sigma$ is a non-negative constant which represents the operator's expertise level. EliMet calculates the security measure's posterior distribution using the following equation:

$$P(Sec|T) = \frac{P(T|Sec) \cdot P(Sec)}{P(T)} = \frac{1}{Z} \, e^{\sigma \cdot \sum_{1 \le i \le n} J(V, s_i, a_i)}, \qquad (11)$$

which applies Bayes' theorem. $Z$ denotes the normalizing constant, and $n$ is the length of the attack scenario $T$.

It can be proved that if the security measures are set to the mean of the above posterior distribution, the expected value of the squared error loss function $\big\| Sec - \widehat{Sec} \big\|^2$ is minimized (Berger, 1993). $Sec$ and $\widehat{Sec}$ denote the actual and estimated security measures, respectively. For many practical cases, the security measure's posterior distribution is complex, and hence analytical derivation of its mean value is hard. EliMet makes use of a sampling algorithm to estimate its value; samples from the distribution are generated, and the sample mean is returned as the estimate of the true mean.
In particular, we introduce an extended version of the PolicyWalk algorithm (Ramachandran and Amir, 2007), which is essentially a Markov chain Monte Carlo (MCMC) technique. The algorithm generates a Metropolis-Hastings Markov chain (Chib and Greenberg, 1995) on the intersection points of a grid of length $\Delta$ in the security measure region $(0,1]^{|S|}$ (denoted $(0,1]^{|S|}/\Delta$). Although PolicyWalk is proved to produce correct estimates, its main drawback in practice is the slow convergence to an equilibrium distribution. To accelerate the convergence, EliMet concurrently generates several sample paths in parallel, and finally aggregates the results. As the paths are independent, they can be initiated separately on individual cores of a multi-core platform.

[Algorithm 1 - Posterior distribution evaluation. (Pseudocode figure; its lines are not recoverable from the extracted text.)]

$$H(s) = -\frac{1}{|A(s)| \cdot |Samples|} \sum_{sec \in Samples} \delta\big(p, P(a|s, sec)\big) \cdot z, \qquad (12)$$

where

$$z = \log \left( \frac{\sum_{sec \in Samples} \delta\big(p, P(a|s, sec)\big)}{|Samples|} \right). \qquad (13)$$

Algorithm 1 shows the pseudocode of the algorithm that EliMet implements to estimate the security measure's posterior distribution. The main inputs (Line 1) are the CMDP model, the evidence likelihood $P(T|Sec)$ (Equation (9)), the prior security measure $P(Sec)$ (Equation (8)), the Markov chain step size $\Delta$, the number of cores $m$, and a timeout threshold for the algorithm. Initially $m$ random measure functions are generated from $(0,1]^{|S|}/\Delta$, and the corresponding optimal policies are calculated (Lines 2-3). A neighbor in $(0,1]^{|S|}/\Delta$ is chosen randomly for each security measure function (core) concurrently, and the corresponding $J_\Delta$ functions are computed (Lines 5-7). Using the new security measures, EliMet computes the optimal policy for the CMDP (Line 8) and updates the old functions and policies with probability $\alpha$ (Lines 9-11). In particular, $\alpha$ (Chib and Greenberg, 1995) is a function of the likelihood ratio $P(\widehat{Sec})/P(Sec)$ and the ratio of the proposal density $P_{\hat{\pi}}(T|\widehat{Sec}) / P_{\pi}(T|Sec)$. Finally, the subroutine estimates and returns the security measure posterior distribution (Lines 15-16). $\delta$ denotes the Kronecker delta function.
Consequently, the passive observation results in a refined security measure function. The good point is that the more common system states and incidents are encountered during the passive observation, and hence their security measures are accurately refined. Therefore, if the refined measures are later used in automated intrusion response solutions, the response policies would be selected correctly for common system security states.

However, the accuracy level of the measures for the whole state space is strongly dependent upon the observation phase. In particular, the longer the observation phase is and the more states are encountered, the more accurate the refined security measure function will be. Additionally, the operator's expertise level could have a positive or negative impact on the refinement procedure results.
5. Active querying

Although EliMet also estimates the security measures for rarely encountered system states indirectly, sufficient information may not be gained during the passive observation phase for some of the states. Therefore, EliMet makes use of an active learning algorithm to select the states with the highest uncertainty in order, and explicitly query the operator for the action.

In particular, EliMet determines the order of the selected states based on two criteria. First, as in generic artificial intelligence settings (Lopes et al., 2009), the less EliMet knows about a particular state, the more chance that state has to be selected. Second, in addition to the amount of expected information gain, the probability that the system enters a particular state also affects its chance of being selected. As a case in point, given the CMDP's initial state $s_0 = \langle\rangle$, in which there is no ongoing attack and which is usually the most common system state, accurate security measure estimation of its immediate neighbors is more important than that of the states reaching which requires a large number of state transitions.

For every state selection iteration, EliMet uses the calculated posterior distribution $P(Sec|T)$ as well as the inter-state distance values to choose the most informative and important state. The problem with directly using $P(Sec|T)$ is that it denotes the distribution over the security measure functions, and not individual states (Algorithm 1, Line 15). To resolve the issue, we define the $\mu$ density function as follows (Lopes et al., 2009):

$$\mu_{s,a}(p) \triangleq P\big( P((s,a)) = p \,\big|\, T \big), \qquad (14)$$

which characterizes the distribution of the policy (Equation (10)) given the attack scenario for individual state-action pairs. The $\mu$ function can be calculated using the samples generated during the passive observation phase:

$$\mu_{s,a}(p) = \frac{1}{|Samples|} \sum_{sec \in Samples} \delta\big(p, P((s,a)|sec)\big). \qquad (15)$$

EliMet uses the $\mu$ function to distinguish states with the highest policy uncertainties. To quantify the policy uncertainty of individual states, EliMet measures the Shannon entropy associated with the $\mu$ function:

$$H(\mu_{s,a}) = -\int_0^1 \mu_{s,a}(p) \log\big(\mu_{s,a}(p)\big)\, dp. \qquad (16)$$

Hence, the mean entropy for each individual system state

$$H(s) = \frac{1}{|A(s)|} \sum_{a} H(\mu_{s,a}) \qquad (17)$$

is calculated using Equation (12), which is derived by a few simple replacements. Consequently, EliMet selects the best state choice:

$$s^* = \arg\max_{s \in S} \frac{H(s)}{\log d(s_0, s)}, \qquad (18)$$

and queries the operator about the correct action $a^*$ in that particular state. As shown, the optimization takes into account the amount of entropy (uncertainty) on the policy, and the distance between the state and the initial state $s_0$. Given the correct action, EliMet updates the posterior distribution $P(Sec|T, (s^*, a^*))$ and continues the iterative state selection procedure by choosing the next most suitable state.

It is noteworthy that EliMet can take proper response actions to protect the system against even unknown attacks, i.e., attacks that had not been encountered during the security metric elicitation phase (passive observation and active querying steps). This is because of the way EliMet calculates the security metric values: intuitively, the response engine learns where the secure system states are concentrated within the generated system CMDP model according to the response actions taken by the operator. Consequently, when the learned security model is used as an intrusion response system, once the system enters a known or unknown security state, EliMet takes the response actions that drive the system towards the secure system states where there is no compromised privilege domain left in the network.
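The state-selection loop of Equations (15)-(18) run over a hand-constructed set of posterior policy samples, as an added example that is not the paper's code; the distance function $d(s_0, s)$ and the $\log(1 + d)$ denominator are assumptions stated in the code, and it also shows how the operator's answer conditions the sample set for the next iteration.

```python
"""Added example (not the paper's code): the entropy-driven active querying of Section 5,
Equations (15)-(18), run over constructed posterior samples. Each sample is one policy
P((s,a)|sec) as produced by Section 4's sampler; four are written out by hand here.
Assumptions made here: d(s0, s) is the number of compromised hosts in s, and the
denominator of Equation (18) is log(1 + d) so that neighbours of s0 (d = 1) do not divide by zero."""
import math

RA, RB, RC = ("restore", "A"), ("restore", "B"), ("restore", "C")
A, B, AB, ABC = frozenset("A"), frozenset("B"), frozenset("AB"), frozenset("ABC")

# Constructed posterior samples: state -> {response action: P((s,a)|sec)}.
# All samples agree on <A> and <B>; <A,B> and <A,B,C> are where they disagree.
SAMPLES = [
    {A: {RA: 1.0}, B: {RB: 1.0}, AB: {RA: 0.7, RB: 0.3}, ABC: {RA: 0.6, RB: 0.2, RC: 0.2}},
    {A: {RA: 1.0}, B: {RB: 1.0}, AB: {RA: 0.3, RB: 0.7}, ABC: {RA: 0.2, RB: 0.6, RC: 0.2}},
    {A: {RA: 1.0}, B: {RB: 1.0}, AB: {RA: 0.7, RB: 0.3}, ABC: {RA: 0.2, RB: 0.2, RC: 0.6}},
    {A: {RA: 1.0}, B: {RB: 1.0}, AB: {RA: 0.7, RB: 0.3}, ABC: {RA: 0.2, RB: 0.2, RC: 0.6}},
]
UNIFORM = [1.0] * len(SAMPLES)   # equal weights, as they come out of the sampler
DELTA = 0.05                     # grid step used to compare probability values in delta(p, .)


def mu(samples, weights, s, a):
    """Equation (15): weighted frequency of each (grid-quantised) probability level p of (s, a)."""
    total = sum(weights)
    hist = {}
    for sample, w in zip(samples, weights):
        level = round(sample[s].get(a, 0.0) / DELTA)
        hist[level] = hist.get(level, 0.0) + w / total
    return hist


def entropy(dist):
    """Equation (16) in discrete form: -sum_p mu(p) log mu(p)."""
    return -sum(p * math.log(p) for p in dist.values() if p > 0.0)


def state_entropy(samples, weights, s):
    """Equation (17): mean policy entropy over the response actions admissible in s."""
    actions = set().union(*(sample[s] for sample in samples))
    return sum(entropy(mu(samples, weights, s, a)) for a in actions) / len(actions)


def distance(s):
    """Assumed d(s0, s): compromises needed to reach s from the clean state s0 = <>."""
    return len(s)


def score(samples, weights, s):
    """The objective of Equation (18) with the log(1 + d) assumption."""
    return state_entropy(samples, weights, s) / math.log(1 + distance(s))


def select_query_state(samples, weights):
    """Equation (18): the state whose policy is most uncertain, discounted by its distance from s0."""
    return max(samples[0], key=lambda s: score(samples, weights, s))


def incorporate_answer(samples, weights, s, a):
    """Condition on the operator's answer a* at s*: P(Sec | T, (s*, a*)) is obtained by
    reweighting each sample with the probability it assigned to the reported action."""
    new = [w * sample[s].get(a, 0.0) for sample, w in zip(samples, weights)]
    total = sum(new)
    return [w / total for w in new]


if __name__ == "__main__":
    weights = UNIFORM
    for round_no in range(2):
        s_star = select_query_state(SAMPLES, weights)
        print(f"query {round_no + 1}: ask about <{','.join(sorted(s_star))}>",
              f"(H = {state_entropy(SAMPLES, weights, s_star):.3f})")
        answer = RA if s_star == AB else RC      # constructed operator replies
        weights = incorporate_answer(SAMPLES, weights, s_star, answer)
```

With uniform weights the raw entropy is highest at <A,B,C>, but the distance term makes <A,B> the first query; after the operator's answer there, the next query moves to <A,B,C>.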
6. Cyber-physical contingency analysis

Contingency analysis is one of the most fundamental predictive situational awareness tools for monitoring the power grid infrastructures. Once the state estimator program determines the system's current state estimate based on the IDS alerts, the estimate is used to run a series of "what if" scenarios referred to as contingency analysis. Briefly, contingency analysis allows operators to know the state of the system in the event of a contingency (Grainger and Stevenson, 1994). In this section, we present how the estimated security measure values can be used by EliMet for cyber-physical contingency analysis in the smart grid.

To perform the smart grid contingency analysis using the CMDP model, EliMet acts as the attacker using the estimated security measure values. Formally, EliMet picks the optimal adversarial actions given the current belief state of the system

$$V_a^*(b) = \min_{a_a \in A(b)} J_a\big(V_a^*, b, a_a\big), \qquad (19)$$

where $J_a$ denotes the value function given that a specific adversarial action is taken

$$J_a\big(V_a^*, b, a\big) = r\big(b'_{b,a}\big) + \sqrt{\gamma} \cdot \max_{a_r \in A(b'_{b,a})} \Big[ r\big(b''_{b',a_r}\big) + \sqrt{\gamma} \cdot V_a\big(b''_{b',a_r}\big) \Big]. \qquad (20)$$

Given the adversarial optimal value function $V_a^*$, let us define the $Q_a$ function to be

$$Q_a(s, a_a) = J_a\big(V_a^*, s, a_a\big), \qquad a_a \in A_a(s), \qquad (21)$$

which represents the cost that the adversary should pay by taking $a_a$ as the first next immediate action, with the rest of the game played by both players selecting optimal adversarial and response actions (Equations (3) and (19)). Consequently, given the power grid's current security belief state $b$, EliMet ranks the most critical system-wide cyber-physical contingencies, i.e., adversarial actions $(a_a^1, a_a^2, \dots, a_a^{|A_a(s)|})$, that the security administrators should plan for the most, by ranking the $Q_a(s, \cdot)$ function values such that

$$Q_a\big(s, a_a^1\big) \le Q_a\big(s, a_a^2\big) \le \dots \le Q_a\big(s, a_a^{|A_a(s)|}\big). \qquad (22)$$

The above-mentioned contingency analysis algorithm, however, assumes that the current system security state is exactly determined. To take into account the IDS inaccuracies, EliMet calculates the expected adversarial cost function values as follows, given the current belief state estimate $b$

$$Q_a(b, a_a) = \sum_{s \in S \,|\, a_a \in A_a(s)} \big[ b(s) \cdot J_a\big(V_a^*, b, a_a\big) \big], \qquad (23)$$

and calculates the ranked contingency list as discussed above.

As EliMet focuses on contingencies originating from malicious cyber attacks, the initial contingencies will all be remote cyber-side vulnerability exploitations. This is because physical devices are almost never directly accessible from a remote machine, unless the attacker has already penetrated deep into the control network. EliMet takes into consideration possible physical contingencies once states with the required set of privileges (compromised host systems) for physical consequences have been reached by the adversaries.

The proposed solution can be employed dynamically during the smart grid's operational mode to provide the security officers with predictive situational awareness capabilities. In particular, they can monitor how future actions by attackers could impact the smart grid globally given the current system state estimate (Section 2). EliMet enables the officers to decide which critical components should be monitored more closely in order to detect potential exploitations of cyber vulnerabilities or adversarial actions with physical impact.
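Sections 3, 4 and 6 all solve the same competitive MDP, so one added example (not the paper's MATLAB/C++ implementation) covers them: the maximin value iteration of Equations (3)-(7), the likelihood and posterior of Equations (9)-(11) evaluated over a coarse candidate grid rather than a PolicyWalk chain, and the contingency ranking of Equations (19)-(23). The two-host model, its Sec values, the scenario T, gamma and sigma = 5 are constructed assumptions.

```python
"""Added example, not the paper's MATLAB/C++ code: maximin value iteration (Section 3),
Bayesian inference of Sec(.) from observed responses (Section 4) and adversarial contingency
ranking (Section 6) on one constructed toy CMDP. Hosts, Sec values, gamma and the candidate
grid are assumptions made here; transitions are deterministic to keep the model small."""
import math
from itertools import combinations, product

HOSTS = ("A", "B")
STATES = [frozenset(c) for k in range(len(HOSTS) + 1) for c in combinations(HOSTS, k)]
SQ = math.sqrt(0.9)  # gamma = 0.9; each player's half-move is discounted by sqrt(gamma)
WAIT = ("wait", None)

def adv_actions(s):   # A_a(s): compromise a still-clean host, or wait
    return [("compromise", h) for h in HOSTS if h not in s] + [WAIT]

def resp_actions(s):  # A_r(s): restore a compromised host, or wait
    return [("restore", h) for h in sorted(s)] + [WAIT]

def step(s, a):       # deterministic P(s'|s,a)
    kind, h = a
    return s | {h} if kind == "compromise" else (s - {h} if kind == "restore" else s)

def J(V, sec, s, a_r):
    """Equation (4) on exact states: reward after the response, then the adversary's best reply."""
    s1 = step(s, a_r)
    return sec[s1] + SQ * min(sec[step(s1, a)] + SQ * V[step(s1, a)] for a in adv_actions(s1))

def J_a(V_a, sec, s, a_a):
    """Equation (20): the adversary's mirror image (it minimises, the operator replies)."""
    s1 = step(s, a_a)
    return sec[s1] + SQ * max(sec[step(s1, a)] + SQ * V_a[step(s1, a)] for a in resp_actions(s1))

def value_iteration(sec, eps=1e-9):
    """Equations (3) and (19): iterate both Bellman operators to their eps-optimal fixed points."""
    V, V_a = {s: 0.0 for s in STATES}, {s: 0.0 for s in STATES}
    while True:
        nV = {s: max(J(V, sec, s, a) for a in resp_actions(s)) for s in STATES}
        nV_a = {s: min(J_a(V_a, sec, s, a) for a in adv_actions(s)) for s in STATES}
        change = max(abs(nV[s] - V[s]) + abs(nV_a[s] - V_a[s]) for s in STATES)
        V, V_a = nV, nV_a
        if change < eps:
            return V, V_a

def optimal_policy(V, sec):  # Equation (7)
    return {s: max(resp_actions(s), key=lambda a: J(V, sec, s, a)) for s in STATES}

def log_likelihood(sec, scenario, sigma):
    """Equations (9)-(10): sum over observed (s_i, a_i) of log softmax_sigma(J(V*, s_i, .))[a_i]."""
    V, _ = value_iteration(sec)
    total = 0.0
    for s, a in scenario:
        js = {x: J(V, sec, s, x) for x in resp_actions(s)}
        m = max(js.values())
        total += sigma * (js[a] - m) - math.log(sum(math.exp(sigma * (v - m)) for v in js.values()))
    return total

def posterior(candidates, scenario, sigma):
    """Equation (11) over a finite candidate set with a uniform prior; returns the weights
    P(Sec|T) and the posterior mean, the squared-error-optimal estimate used in Section 4."""
    logw = [log_likelihood(sec, scenario, sigma) for sec in candidates]
    m = max(logw)
    w = [math.exp(x - m) for x in logw]
    weights = [x / sum(w) for x in w]
    mean = {s: sum(wi * sec[s] for wi, sec in zip(weights, candidates)) for s in STATES}
    return weights, mean

def candidate_grid(delta):
    """The grid (0,1]^{|S|}/Delta that PolicyWalk moves on, with Sec(clean network) pinned to 1."""
    levels = [k * delta for k in range(1, int(round(1 / delta)) + 1)]
    compromised = [s for s in STATES if s]
    return [{**dict(zip(compromised, values)), frozenset(): 1.0}
            for values in product(levels, repeat=len(compromised))]

def rank_contingencies(V_a, sec, belief):
    """Equations (22)-(23): Q_a(b, a_a) = sum_s b(s) J_a(V_a*, s, a_a); the action that is
    cheapest for the adversary (hence most critical for the defender) comes first."""
    q = {}
    for s, mass in belief.items():
        for a in adv_actions(s):
            if a != WAIT and mass > 0:
                q[a] = q.get(a, 0.0) + mass * J_a(V_a, sec, s, a)
    return sorted(q.items(), key=lambda kv: kv[1])

# Constructed "operator's" measures (host B is the critical one) and a constructed scenario T.
TRUE_SEC = {frozenset(): 1.0, frozenset("A"): 0.75, frozenset("B"): 0.25, frozenset("AB"): 0.25}
SCENARIO = [(frozenset("AB"), ("restore", "B")), (frozenset("A"), ("restore", "A")),
            (frozenset("B"), ("restore", "B")), (frozenset("AB"), ("restore", "B"))]

if __name__ == "__main__":
    V, V_a = value_iteration(TRUE_SEC)
    print("pi*:", optimal_policy(V, TRUE_SEC))
    _, mean = posterior(candidate_grid(0.25), SCENARIO, sigma=5.0)
    print("posterior mean Sec:", {"".join(sorted(s)) or "<>": round(v, 2) for s, v in mean.items()})
    print("contingencies from <>:", rank_contingencies(V_a, TRUE_SEC, {frozenset(): 1.0}))
```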
7. Evaluations

We designed a set of experiments to empirically answer the following questions: How accurately do the passive observation and active learning phases in EliMet estimate the security measure values? How efficiently does EliMet improve the confidence level of the refined measure values (how many questions does EliMet need to ask the operator)? How much does using EliMet improve the ultimate response strategies of automated response systems? And finally, how efficiently does EliMet provide predictive situational awareness through its cyber-physical contingency analysis capability? We start by describing the experimentation setup, and then proceed to examine these five questions.

For our case study evaluations, a unified XML format was used to describe the power network topology and global access control policies. During the offline phase, EliMet used the NetAPT tool (Nicol et al., 2008) to perform a comprehensive security analysis of the access policy rules and to produce the network connectivity matrix according to the control network topology input. The matrix was later translated into a CMDP model. The CMDP model generation is implemented in C/C++, and the inverse reinforcement learning and decision making solutions are implemented in MATLAB (we have partially used the source code provided by the authors of Ramachandran and Amir (2007) and Lopes et al. (2009)).

We evaluated EliMet on a simulated power grid infrastructure that consisted of two control networks controlling and monitoring the IEEE 24-bus reliability test system (R. T. S. T. F. of the Application of Probability Methods Subcommittee, Nov. 1979). The control network models had identical network topologies and access control policies, and were built based on the topology of a real power control network which is kept anonymous due to a non-disclosure agreement. In our experiments, given the power network topology and the access policy rules, i.e., 103 Cisco PIX firewall rules, EliMet efficiently constructed the network connectivity matrix and generated the corresponding CMDP model.
7.1. How accurate is the metric elicitation in EliMet?
It is considered crucial for EliMet to accurately refine the initial
measure values to make sure the final refined values truly
reflect the network-specific expert knowledge about any
particular power control network. We evaluated the accuracy
of the end result of the presented security measure refine-
ment algorithms by running them on our case study control
network (Fig. 1).
7.1.1. Security measure refinement (metric elicitation)
Fig. 2 shows the refined security measure values for individual states of the case study CMDP model. In particular, for evaluation purposes, we implemented an operator simulator, using the algorithm discussed in Section 3, that takes the CMDP model as well as security measure values as input and calculates optimal response actions for individual states. Then, knowing the case study power control network, we intuitively assigned each state a security measure value. Those values were used by the operator simulator and are denoted by “Operator's Security Measures” in Fig. 2. Consequently, we evaluated EliMet by having the operator simulator send EliMet the chosen optimal actions. To clarify, EliMet did not know the assigned security measures, and instead estimated them using the optimal actions reported by the operator simulator. We also implemented the proposed active learning algorithms that EliMet used to further refine the security measures. Fig. 3 shows a sample EliMet-operator interaction scenario during the active querying phase (the responses could be extended to include more complicated actions).
Fig. 1 – Automatically generated competitive Markov decision process for the case study power control networks.
7.1.2. Uncertainty reduction (improvement of the confidence about the estimated measure values)
A trivial alternative querying technique to EliMet's entropy minimization-based algorithm (Section 5) would be to select queries randomly according to a uniform distribution and ask the operator for the optimal policies. We evaluated how the presented active learning algorithm maximizes the information gain by asking the operator the most informative questions. Fig. 4 shows how active optimization and inquiry of informative questions accelerates the security measure refinement process compared to the situation in which questions are picked and asked randomly. The vertical axis represents the policy uncertainty (Section 5) after every single query. Estimation of the posterior security measure distribution was done using 200 samples, and each query took 7.2 s on average to be processed. The illustrated results were averaged over 10 independent runs.
7.2. Automated response improvement by using EliMet
One of EliMet's main use cases is to calculate and refine the state-based security measure values for automated intrusion response solutions in such a way that the automatically selected response strategies match those of the operators closely. We implemented the automated intrusion response system presented in Section 3.
Fig. 2 – Incremental security measure refinements for the case study CMDP's state space (plot of security measure values over states 1–61; series: Operator's Security Measures, Refined Security Measures).
7.2.1. Response policy refinement (ultimate response capability improvement)
One of the main factors affecting the accuracy of the security measure estimates after the passive observation phase was how long the operator's behavior is observed. Fig. 5 shows the rate at which security measure values converge to their true values, i.e. the values used by the operator simulator. More specifically, the vertical axis denotes the 2-norm difference between the calculated policies $P((s,a) \mid Sec)$ and the operator's policy. The policies were represented as matrices with $|S| \times |A_r|$ dimensions ($|A_r|$ denotes the number of possible response actions). The reported scalar difference values (vertical axis) were calculated over all the states. Fig. 5 reports the results for two different observed attack scenarios: 1) random attacks, in which the operator encounters a random sequence of states in the CMDP graph; and 2) concentrated attacks that mostly follow real-world attack patterns, where the operator is faced mostly with the few states around the initial system state. The figure also compares those two attack scenarios with a situation where states are picked using the active learning algorithm. As shown in the figure, random attack scenarios and active querying led to the minimum and maximum security measure convergence rate, respectively.
Fig. 3 – A sample EliMet-operator interaction scenario.
7.2.2. Comparison: operator vs. engine
Finally, we evaluated how closely the operator's responsive behavior and the automatically selected response strategies, using the security measure values, match before and after the security measure values are refined. Fig. 6 shows the average optimal policy values $V(s)\ \forall s \in S$ calculated using security measure estimates 1) after the initial security assessment and 2) once the values are refined, and compares them to the operator's policy. The security measure refinement procedure used 200 randomly selected reward samples in total (Section 4) and took 15.2 s to complete.
7.3. Performance analysis
host computers, EliMet analyzed the inputs and generated the CMDP model within 24 ms. The vulnerability factor of 2 is often very pessimistic given the extremely strict firewall configurations and protection solutions in real-world power control networks; however, our intention in this experiment was to evaluate, under such pessimistic assumptions, how the increasing network size affects the size of the CMDP model. For such cases, EliMet generated the corresponding CMDP graph within 400 ms for networks with 37 nodes.
7.3.1. Semi-real-time intrusion response
To be practical, the intrusion response solution needs to decide upon response actions quickly to minimize the overall damage cost due to the attack. Fig. 7 shows the decision making time requirement for CMDPs of different sizes. As illustrated, value functions are solved for and optimal response actions are decided upon within 2 s for fairly large CMDPs.
Fig. 4 – Gradual uncertainty reduction.
7.4. Cyber-physical contingency analysis
We implemented the proposed cyber-physical contingency
analysis solution on our power grid case study. Our imple-
mentations take each state si in theCMDPmodel and calculates
the Qa function values for all individual adversarial actions
admissible from that state aa˛AaðsiÞ. Table 1 shows the results
of thecontingencyanalysis. Eachentry in the table corresponds
to different contingencies that can occur from a particular
CMDP state. As discussed in Section 6, the contingencies are
ranked based on their accumulative global impact in the future
on the whole power grid. In particular, the destination states
(i.e., the resulting states if the contingencies take place by the
adversaries successfully) are listed in the table.
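As an added illustration (not the paper's implementation) of the two evaluation quantities used above, the policy 2-norm of Section 7.2.1 and the per-state contingency ranking by Q_a of Section 7.4, the following Python builds a small constructed CMDP, solves the defender/adversary game with plain alternating-move value iteration as a stand-in for the paper's solver (Sections 3 and 6, not reproduced here), and lists destination states per state as Table 1 does. All states, security measure values, response actions, costs and the discount factor are constructed assumptions.

```python
"""Toy competitive-MDP analysis in the spirit of EliMet's evaluation.

Added illustrative example, not the paper's code. A small constructed CMDP
is solved by alternating-move value iteration (a stand-in for the solver
of Sections 3 and 6 of the paper); adversarial contingencies are ranked per
state by their Q_a value as in Table 1, and two response policies are
compared by the Frobenius 2-norm of their |S| x |A_r| one-hot matrices.
"""
from math import sqrt

GAMMA = 0.9  # assumed discount factor

# Adversary moves: state -> destination states reachable by one attack step.
# Constructed toy model; the labels are not the paper's CMDP states.
ATTACK = {
    "s0": ["s1", "s2"],
    "s1": ["s3"],
    "s2": ["s3", "s4"],
    "s3": ["s4"],
    "s4": ["s4"],  # fully compromised state; the adversary can hold it
}
# Security measure per state in [0, 1]; the damage of a visit is 1 - SEC[s].
SEC = {"s0": 0.9, "s1": 0.7, "s2": 0.6, "s3": 0.3, "s4": 0.05}
# Response actions A_r: name -> (cost, state reached after the response).
RESPONSES = {
    "none": (0.0, {s: s for s in ATTACK}),
    "block": (0.1, {"s0": "s0", "s1": "s0", "s2": "s0", "s3": "s1", "s4": "s3"}),
    "restore": (0.3, {s: "s0" for s in ATTACK}),
}


def q_adv(dest, u_def, gamma=GAMMA):
    """Adversary's Q value of moving into `dest`: immediate damage plus the
    discounted value of the game once the defender responds there."""
    return (1.0 - SEC[dest]) + gamma * u_def[dest]


def solve_game(gamma=GAMMA, iters=1000, tol=1e-10):
    """Alternating-move value iteration (zero-sum game on damage).
    u_adv[s]: damage the adversary can force from s on its move;
    u_def[s]: remaining damage after the defender's best response at s."""
    u_adv = {s: 0.0 for s in ATTACK}
    u_def = {s: 0.0 for s in ATTACK}
    for _ in range(iters):
        new_adv = {s: max(q_adv(d, u_def, gamma) for d in ATTACK[s]) for s in ATTACK}
        new_def = {
            s: min(cost + gamma * new_adv[nxt[s]] for cost, nxt in RESPONSES.values())
            for s in ATTACK
        }
        delta = max(abs(new_adv[s] - u_adv[s]) + abs(new_def[s] - u_def[s]) for s in ATTACK)
        u_adv, u_def = new_adv, new_def
        if delta < tol:
            break
    return u_adv, u_def


def best_responses(u_adv, gamma=GAMMA):
    """Deterministic defender policy: the cheapest response in every state."""
    return {
        s: min(RESPONSES, key=lambda r: RESPONSES[r][0] + gamma * u_adv[RESPONSES[r][1][s]])
        for s in ATTACK
    }


def rank_contingencies(u_def):
    """Table 1 style output: per state, destinations ordered by Q_a, worst first."""
    return {s: sorted(ATTACK[s], key=lambda d: -q_adv(d, u_def)) for s in ATTACK}


def policy_distance(pol_a, pol_b):
    """Frobenius 2-norm between two deterministic policies encoded as
    one-hot |S| x |A_r| matrices (assumed reading of the paper's 2-norm)."""
    total = 0.0
    for s in ATTACK:
        for r in RESPONSES:
            total += (float(pol_a[s] == r) - float(pol_b[s] == r)) ** 2
    return sqrt(total)


if __name__ == "__main__":
    adv, dfn = solve_game()
    for state, dests in rank_contingencies(dfn).items():
        print(state, "->", ", ".join(dests))
    print("defender policy:", best_responses(adv))
```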
8. Related work
Intrusion detection alert-based system security metrics and
evaluation techniques for critical assets fall into two cate-
gories. First, manual solutions, such as FLIPS (Ke et al., 2005)
and SoSMART (Musman and Flesher, 2000), in which an IDS
alert scoring value is hard-coded on each detection rule; the
(alert, score) mappings are stored in a lookup table to be used
later to prioritize alerts. Other static approaches include TRI-
NETR (Yu et al., 2005), M-Correlator (Porras et al., 2002), FuzMet
(Alsubhi et al., 2008), and causal analysis (Lee and Qin, 2005).
These techniques use manually filled knowledge bases of
system configuration and target importance to associate a
context with each alert and to provide situational awareness
accordingly. The advantages of the static techniques are their
simplicity and their rapidity. However, they suffer from a lack
of flexibility, mainly because they completely ignore the sys-
tem configuration as well as scalability, since it is infeasible to
predict all the alert combinations from IDSes in a large-scale
network.
[Plot: Uncertainty (vertical axis) vs. Queries (horizontal axis); series: Random States (queries), Active Query]
Fig. 5 – Gradual policy improvement.
[Plot: Optimal Policy Value (vertical axis) vs. States (horizontal axis); series: Initial Security Assessment, Refined, Operator]
Fig. 6 – Optimal policy value comparison.
Table 1 – The contingency analysis results for individual power grid security states (state → ranked destination states).
s0 → s1, s60, s54
s1 → s59, s0, s2
s2 → s3, s56, s48, s54, s28, s44
s3 → s20, s21, s4
s4 → s9, s15, s18, s5
s5 → s4, s7, s6
s6 → s15, s8, s5
s7 → s9, s8
s8 → s10, s7
s9 → s10, s13, s7
s10 → s9, s11, s8
s11 → s13, s12
s12 → s11, s14
s13 → s11, s14
s14 → s13, s12
s15 → s4, s10, s16, s6
s16 → s11, s18, s17
s17 → s16
s18 → s13, s16, s19
s19 → s18, s17, s14
s20 → s3, s22, s15
s21 → s22, s9
s22 → s21, s24, s10, s23
s23 → s22
s24 → s25, s11
s25 → s24, s26, s13
s26 → s25, s27
s27 → s24, s26, s12
s28 → s4, s33, s39, s42, s29
s29 → s28, s31, s30
s30 → s39, s32, s29
s31 → s33, s32
s32 → s34, s31
s33 → s34, s9, s37, s31
s34 → s33, s10, s35, s32
s35 → s11, s37, s36
s36 → s35, s12, s38
s37 → s35, s13, s38
s38 → s37, s36, s14
s39 → s28, s34, s15, s40, s30
s40 → s16, s35, s42, s41
s41 → s40
s42 → s37, s40, s18, s43
s43 → s42, s41, s19, s38
s44 → s2, s46, s45
s45 → s54, s47, s44
s46 → s48, s47
s47 → s49, s46
s48 → s21, s51, s33, s49, s46
s49 → s50, s22, s34, s48, s47
s50 → s51
s51 → s50, s25, s52, s37
s52 → s51, s53
s53 → s50, s27, s52, s36
s54 → s20, s49, s2, s39, s55, s45
s55 → s56, s57, s50, s40, s58
s56 → s51, s55
s57 → s16
s58 → s55
s59 → s60, s48
s60 → s59, s49
Second, there are automated methods, which are mostly based on attack tree analyses. The main idea is to capture potential system vulnerabilities, and then extract all possible attack paths. The generated graph can be used to compute security metrics (Kotenko and Stepashkin, 2006; Wang et al., 2007, 2008b), to qualitatively assess the security strength of a network (Pamula et al., 2006; Wang et al., 2006), to identify the most critical assets in the organization (Sawilla and Ou, 2008), or for security visualization (Noel et al., 2005). In particular, Noel and Jajodia (2008) use an approach called Topological Vulnerability Analysis (TVA) (Jajodia et al., 2005; Jajodia and Noel, 2008) to match the network configuration with attack simulation in order to optimize IDS sensor placement and to prioritize IDS alerts. The main issue with automated techniques is that they often make generic assumptions about network configurations and how critical individual assets are, and furthermore, they are rarely customized specifically for the networks in which they are deployed. Consequently, the calculated security measure values could possibly be inaccurate, marking insecure states as secure or vice versa.
In addition to the above-mentioned low system-level (microscopic viewpoint) solutions that investigate the security of each individual critical asset, several high-level critical infrastructure protection solutions have also been proposed. These solutions concentrate on security analysis of the critical infrastructures from a macroscopic viewpoint, e.g., the dependence among various networked critical assets. De Porcellinis et al. (2009) propose a hybrid technique to analyze inter-asset dependencies, such as physical, cyber, geographical and logical interdependencies, in critical infrastructures. The proposed solution uses reductionistic techniques to model critical infrastructures as sets of elementary elements that are interconnected to achieve a unique objective collaboratively. Oliva et al. (2010) present an input–output inter-dependency model to analyze energy grid infrastructures. The input–output model formulates resource exchanges among sub-systems mathematically, where parameters are later estimated using real data sets and expert knowledge. Theoharidou et al. (2010, 2011) propose a holistic criticality assessment methodology that aims to integrate existing security plans and risk assessments performed in isolated sub-systems. The authors achieve the above-mentioned objective through a three-layer hierarchical security assessment, i.e., operator, sector and national layers. Utne et al. (2011) present an inter-asset dependency assessment technique to perform a cross-sector vulnerability analysis in critical infrastructures by accomplishing two analysis steps: 1) hazardous event identification; and 2) detailed analysis of dependencies among the identified events. Zio and Sansavini (2011) analyze cascading failures and propagation of faults in distributed systems that occur due to functional and logical interdependencies among the network components. The authors introduce the average cascade size concept to measure the degree of coupling/inter-dependence within a given distributed system topology. Kotzanikolaou et al. (2013) address the lack of past effective solutions in the area of multi-order dependencies, i.e., assessing the cumulative effects of a single incident on infrastructures that are connected indirectly. The proposed technique utilizes first-order dependency graphs to assess the effect of a disruption on consequent infrastructures, and hence to identify and prevent security threats of very high impact from a macroscopic view. EliMet provides a security metric elicitation framework that can be integrated with the above-mentioned macroscopic solutions to take into account the inter-sector dependencies while learning security measures and predicting attackers' next potential steps. In particular, response actions in EliMet could be either micro-level, e.g., deleting a virus file on a computer, or macro-level, e.g., shedding a large neighborhood load to restore the power grid's normal operation. In other words, EliMet can be used to learn security measure values at different interconnection levels such as the host system level, substation level or transmission level.
Fig. 7 – Time requirements for automated intrusion response (plot of time in msec vs. CMDP size in #states).
9. Conclusions and future work
In this paper, we presented EliMet, a semi-automated security metric elicitation algorithm for power control networks that combines information from different sources, and consequently estimates the security level of individual system states. EliMet makes use of the expert knowledge by passively observing the operator's responsive behavior, and in the meanwhile minimizes the explicit human involvement by actively asking the operator the most informative clarification questions. As shown in our experiments, such security measure values can be used for real-time situational awareness or automated intrusion response purposes. Results on the case study power control networks show that EliMet accurately estimates security measure values that significantly improve the quality of the automated situational awareness and intrusion response capabilities.
Following the promising experimental results, we are currently investigating two potential future work extensions to EliMet. First, we are working on a real-world deployment of EliMet on a small-scale power grid control network testbed. The main challenge that we face in practice is dynamic reconfiguration of the underlying system, which EliMet should get notified about, because the system models that EliMet generates and makes use of depend heavily on the underlying system configuration. Additionally, we need to investigate how the dynamical evolution of the system topology affects the security metric elicitation in EliMet, as security measures for different system models may differ; however, the difference margins need to be evaluated in practice. Second, we are looking at using the algorithms introduced in EliMet to quantify adversarial decision making. In particular, would it be possible to observe an attacker's action sequence during the initial stages of an attack, create his or her attack behavioral model, and predict the next adversarial steps? We are considering using the introduced security elicitation algorithms to create the attacker's behavioral model, i.e., the security measure values that he or she uses to make decisions on how to penetrate the control network assets.
References
Alsubhi K, Al-Shaer E, Boutaba R. Alert prioritization in intrusion detection systems. In: IEEE network operations and management symposium (NOMS) 2008. p. 33–40.
Bearavolu R, Lakkaraju K, Yurcik W, Raje H. A visualization tool for situational awareness of tactical and strategic security events on large and complex computer networks. In: Proceedings of the 2003 IEEE conference on military communications – vol. II, ser. MILCOM'03. Washington, DC, USA: IEEE Computer Society; 2003. p. 850–5.
Bellman R. Dynamic programming. Princeton University Press; 1957, republished 2003.
Berger JO. Statistical decision theory and Bayesian analysis. New York: Springer; 1993.
Chib S, Greenberg E. Understanding the Metropolis-Hastings algorithm. The American Statistician 1995;49(4):327–35 [Online]. Available: http://dx.doi.org/10.2307/2684568.
De Porcellinis S, Oliva G, Panzieri S, Setola R. A holistic-reductionistic approach for modeling interdependencies. In: Critical infrastructure protection III. Springer; 2009. p. 215–27.
Electricity grid in U.S. penetrated by spies. Available online at http://online.wsj.com/article/SB123914805204099085.html; 2009.
Falliere N, Murchu LO, Chien E. W32.Stuxnet Dossier. Symantec Security Response; Oct. 2010. Tech. Rep.
Grainger JJ, Stevenson WD. Power system analysis. McGraw Hill; 1994.
Jajodia S, Noel S. Topological vulnerability analysis: a powerful new approach for network attack prevention, detection, and response. In: Indian Statistical Institute monograph series; 2008.
Jajodia S, Noel S, O'Berry B. Topological analysis of network attack vulnerability. In: Managing cyber threats 2005. p. 247–66.
Kaelbling L, Littman M, Cassandra A. Partially observable Markov decision processes for artificial intelligence. In: Proceedings of the German conference on artificial intelligence: advances in artificial intelligence, vol. 981; 1995. p. 1–17.
Ke ML, Wang K, Keromytis AD, Stolfo SJ. FLIPS: hybrid adaptive intrusion prevention. In: Proceedings of the symposium on recent advances in intrusion detection (RAID) 2005. p. 82–101.
Kotenko I, Stepashkin M. Attack graph based evaluation of network security. In: Comm. and multimedia security 2006. p. 216–27.
Kotzanikolaou P, Theoharidou M, Gritzalis D. Assessing n-order dependencies between critical infrastructures. International Journal of Critical Infrastructures 2013;9(1):93–110.
Lee W, Qin X. Statistical causality analysis of infosec alert data. In: Managing cyber threats 2005. p. 101–27.
Lopes M, Melo F, Montesano L. Active learning for reward estimation in inverse reinforcement learning. In: Proceedings of the European conference on machine learning and knowledge discovery in databases: part II, ser. ECML PKDD'09. Berlin, Heidelberg: Springer-Verlag; 2009. p. 31–46 [Online]. Available: http://dx.doi.org/10.1007/978-3-642-04174-7_3.
McIntyre A, Becker B, Halbgewachs R. Security metrics for process control systems; 2007. Sandia Report.
Musman S, Flesher P. System or security managers adaptive response tool. In: Proceedings of the DARPA information survivability conference and exposition, vol. 2; 2000. p. 56–68.
Nicol DM, Sanders WH, Singh S, Seri M. Usable global network access policy for process control systems. IEEE Security and Privacy 2008;6:30–6.
Noel S, Jajodia S. Optimal IDS sensor placement and alert prioritization using attack graphs. Journal of Network and Systems Management September 2008;16:259–75 [Online]. Available: http://dl.acm.org/citation.cfm?id=1459115.1459116.
Noel S, Jacobs M, Kalapa P, Jajodia S. Multiple coordinated views for network attack graphs. In: IEEE workshop on visualization for computer security (VizSEC) 2005. p. 99–106.
Oliva G, Panzieri S, Setola R. Agent-based input–output interdependency model. International Journal of Critical Infrastructure Protection 2010;3(2):76–82.
Pamula J, Jajodia S, Ammann P, Swarup V. A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the ACM workshop on quality of protection 2006. p. 38.
Porras P, Fong M, Valdes A. A mission-impact-based approach to INFOSEC alarm correlation. In: Proceedings of the symposium on recent advances in intrusion detection 2002. p. 95–114.
R. T. S. T. F. of the Application of Probability Methods Subcommittee. IEEE reliability test system. IEEE Transactions on Power Apparatus and Systems Nov. 1979;PAS-98(6):2047–54.
Ramachandran D, Amir E. Bayesian inverse reinforcement learning. In: Proceedings of the 20th international joint conference on artificial intelligence, ser. IJCAI'07. San Francisco, CA, USA: Morgan Kaufmann Publishers Inc.; 2007. p. 2586–91 [Online]. Available: http://dl.acm.org/citation.cfm?id=1625275.1625692.
Ranum MJ, Landfield K, Stolarchuk MT, Sienkiewicz M, Lambeth A, Wall E. Implementing a generalized tool for network monitoring. In: Proceedings of the USENIX conference on systems administration 1997. p. 1–8.
Sawilla R, Ou X. Identifying critical attack assets in dependency attack graphs. In: Computer security – ESORICS 2008. p. 18–34.
Stouffer K, Falco J, Kent K. Guide to supervisory control and data acquisition and industrial control systems security. In: SPIN 2006.
Theoharidou M, Kotzanikolaou P, Gritzalis D. A multi-layer criticality assessment methodology based on interdependencies. Computers & Security 2010;29(6):643–58.
Theoharidou M, Kotzanikolaou P, Gritzalis D. Risk assessment methodology for interdependent critical infrastructures. International Journal of Risk Assessment and Management 2011;15(2):128–48.
Utne IB, Hokstad P, Vatn J. A method for risk modeling of interdependencies in critical infrastructures. Reliability Engineering & System Safety 2011;96(6):671–8.
Wang L, Noel S, Jajodia S. Minimum-cost network hardening using attack graphs. Computer Communications 2006;29(18):3812–24.
Wang L, Singhal A, Jajodia S. Measuring the overall security of network configurations using attack graphs. In: Proceedings of the 21st annual IFIP WG 11.3 working conference on data and applications security. Springer-Verlag; 2007. p. 98–112.
Wang L, Islam T, Long T, Singhal A, Jajodia S. An attack graph-based probabilistic security metric. In: Atluri V, editor. Data and applications security XXII, ser. Lecture notes in computer science, vol. 5094. Berlin/Heidelberg: Springer; 2008a. p. 283–96 [Online]. Available: http://dx.doi.org/10.1007/978-3-540-70567-3_22.
Wang L, Islam T, Long T, Singhal A, Jajodia S. An attack graph-based probabilistic security metric. In: Data and applications security XXII 2008b. p. 283–96.
Yu J, Ramana Reddy Y, Selliah S, Reddy S, Bharadwaj V, Kankanahalli S. TRINETR: an architecture for collaborative intrusion detection and knowledge-based alert evaluation. Advanced Engineering Informatics 2005;19(2):93–101.
Zio E, Sansavini G. Modeling interdependent network systems for identifying cascade-safe operating margins. IEEE Transactions on Reliability 2011;60(1):94–101.
Zonouz S, Houmansadr A, Haghani P. EliMet: security metric elicitation in power grid critical infrastructures by observing system administrators' responsive behavior. In: IEEE/IFIP international conference on dependable systems and networks 2012. p. 1–12.
Saman Zonouz is an Assistant Professor in the Electrical and Computer Engineering Department at the University of Miami. He received his Ph.D. in Computer Science from the University of Illinois at Urbana-Champaign in 2011. He has worked on intrusion response and recovery, information flow-based security metrics for power-grid critical infrastructures and online digital forensics analysis. His research interests include: computer security and survivable systems, control/game theory, intrusion response and recovery systems, and trustworthy power-grid critical infrastructures.
Parisa Haghani received her Ph.D. in Computer Science from the Distributed Information Systems Laboratory under the supervision of Professor Karl Aberer at EPFL, Lausanne, Switzerland. Her research interests include cyber security, cryptography, and efficient processing of ranked queries in peer-to-peer networks. She received her M.Sc. in Computer Engineering from Sharif University of Technology. She later got another M.Sc. degree in Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign.