Securing IoT-based Cyber-Physical Human Systems against Collaborative Attacks

Sathish A.P Kumar, Coastal Carolina University, Conway, SC, USA
Bharat Bhargava and Ganapathy Mani, Purdue University, West Lafayette, IN, USA
Raimundo Macêdo, Federal University of Bahia, Ondina, Salvador, Bahia, Brazil

IEEE ICIOT Securing IoT-based Cyber-Physical Human Systems ... · • Anomaly detection by means of data mining from uncategorized sensor data and ordered DRI table data • Clustering-layout


Introduction and Background

• CPHS is the integration of cyber, physical, and human elements.
• Internet of Things is used as a methodology to deploy CPH Systems.
• Due to its unpredictability, human behavior is difficult to model.
• Dynamic human involvement in the context of collaborative attacks needs further research
  – Multiple adversaries collude, interleave, and attack
    • Results in sophisticated CPS attacks
    • System behaves in byzantine manner
• Securing such a system is tougher


Motivation and Rationale

• CPH Systems in ICU
  – Risk of life threatening situations
• Stressful and unfriendly environments
  – Possibilities of attacks are high
  – Effective and immediate intervention is needed to reduce the risk
• Intrusion tolerance, prevention, and detection should work in coordinated and integrated fashion
• Research is needed to study human interactions in various roles in CPHS
  – Requires proper modeling and tools


Security Framework for IoT Based CPHS Environment

[Figure: block diagram of the framework; labels in the figure: A, B, C, D, E. Blocks:]
• IoT Based CPHS environment: f(x1(t), x2(t), … xn(t), v1(t), v2(t), … vn(t), h1(t), h2(t), … hn(t), m1(t), m2(t), … mn(t), k(t), u(t))
• Threat Modeling in IoT Based CPHS environment
• Co-ordinated Intrusion Detection of Malicious Collaborating Entities in CPHS, TI(t)
• Adaptive Coordinated Intrusion Response
• Co-ordinated Intrusion Prevention
• Autonomic Intrusion Tolerance Using Byzantine Fault Tolerant Replication


Security Framework for IoT Based CPHS Environment (Cont.)

• The proposed framework uses a feedback control scheme.
• Analogous to a human biological model, where an attack is detected by measuring the body parameters.
• Various parameters of CPHS components are monitored to detect an attack.
• Our philosophy is that by identifying the parameters and monitoring the change rapidly in a given time frame, the appropriate threat can be identified and a corrective action can be taken.


IoT-based CPHS environment

• Notation of IoT based CPHS environment
  – Attack sensitive parameters (xn(t))
    • Examples: Packet Drop, Queue Length, Energy Consumption
  – Non attack sensitive parameters (vn(t))
    • Examples: Patient Demographic Details, Vehicle Location
  – Attack parameters (k(t))
    • Examples: DoS, Command Injection, ARP Spoofing
  – Control parameter (u(t))
    • Examples: IDM, Fault tolerance
  – Human behaviour parameters (h(t))
    • Examples: Login Patterns, Password Changes, Access details


Threat Modeling in CPHS - Threat Index (TI)

– Metric used to detect if a CPHS node is under attack or not.
– TI quantifies the threat of node in CPHS.
– Computed using fuzzy logic based on significant parameters.


TI Evaluation Example

[Figure: three fuzzy membership plots, each with µ(x) from 0 to 1 on the Y axis and the regions NS, US and VS]
• Number of packets drop, PD: X-axis ticks 0, 119, 163, 208
• Queue length, QL: X-axis ticks 0, 656, 908, 1157
• Energy Consumption, EC (Joules): X-axis ticks 0, 1.33, 1.66, 1.99

• NS is normal state, US is uncertain state and VS is vulnerable state
• Parameters: x1 is packet drop, x2 is queue length and x3 is energy consumption
• μj(xi) is the grade of membership of parameter xi for fuzzy rule j.


TI Evaluation Example (Cont.)

• For the parameters identified to detect threat
  – Normal state, Uncertain state and Vulnerable state thresholds are identified
• X axis indicates the values of the parameters
• Y axis indicates the fuzzy membership functions
  – For e.g., if the packet drop is less than 119, membership function of NS is 1 and the MF for US and VS are 0
  – If the PD is greater than 208, MF of VS is 1 and the MF for US and NS are 0
  – If the PD is exactly 163, MF of US is 1 and the MF for VS and NS are 0


TI Evaluation Example (Cont.)

• k = number of states = 3 [NS, US, VS]
• i is number of parameters = 3 [PD, QL, EC]
• m is no of rules = k^i = 3^3 = 27
• Rule output [yj] can take any value from 1 to 10
• For each rule j, the rule strength [wj] and rule output [yj] are identified
  – Rule strength is the minimum MF value [μj(xi)] among all parameters i for rule j
  – For e.g., for rule 7 if μ7(x1) is 1, μ7(x2) is 0.5 and μ7(x3) is 0.25
    • Min(μ7(xi)) is 0.25
  – Assuming rule output for rule 7 [y7] is 7,
  – then w7y7 is 7*0.25 = 1.75


TI Evaluation Example (Cont.)

• For all m rules
  – rule strength [wj] and rule output [yj] are calculated
• TI is then calculated as

$$TI = \frac{\sum_{j=1}^{m} w_j y_j}{\sum_{j=1}^{m} w_j}$$

• For example if only one rule has wj to be 0.25, whose output yj is 7 and the rest of wj are 0
  – TI will be 1.75/0.25 = 7


Detecting Collaborative Attacks

• Detection of multiple human entities using two key mechanisms,
  – Data Routing Information (DRI) Table
  – Cross Checking
• DRI table will have information about device identities, network connection information, and log of interactions of entities.
• Cross checking is nothing but a mechanism where inside entities check each other and DRI table to identify malicious entities.


Detecting Collaborative Attacks

• Anomaly detection by means of data mining from uncategorized sensor data and ordered DRI table data
• Clustering-layout approach to CPH Systems where a Central Monitor (CM) can validate new entities in the system and cross check in regular time intervals.
  – CPH system entities will be grouped in clusters
  – Each cluster with CM and backup CMs
  – Beacon the compromised entities’ identities to other entities in CPH Systems


Detecting Collaborative Attacks

• Deceptive Security Loopholes: in this approach, CPH System will appear to be vulnerable to lure attackers.
• Each attempt’s information and type of attack will be classified and stored.
  – Create a knowledge repository
    • Underlying system and its vulnerabilities
    • Defendable attacks
    • Novel attacks
    • Attack sources
  – Collaborative attackers can be identified with cross checking the knowledge repositories.


Why Intrusion Tolerance is required in CPH Systems?

• Detection is NOT always possible or timely feasible.
  – Novel Attacks
  – Security loopholes
  – Insiders’ collaborative attacks
• Recovering from intrusion detection is time critical.
  – Critical process may not recover
  – Affect distributed processing
  – Redundancy from replicas
  – Self-healing is costly


Coordinated Intrusion Prevention Using Cryptographic Primitives

• Design Hash function based defense mechanism
  – Generate CPHS entity behavioral proofs
  – Contain information from data traffic and forwarding paths
• Measure and evaluate impact on parameters
  – Throughput of application
  – Resources depletion
  – Detection and mitigation capability
  – Extent of system unavailability


Co-ordinated Intrusion Detection of Malicious Collaborating Entities in CPHS

• Threat Index TI for IoT node is calculated
  – Using attack sensitive parameters and machine learning
• Indicates vulnerability of the CPHS
• TI can be computed over period of time and compared with benchmark
• Data collected from simulation environment with and without attacks is used for training
• If computed TI(t) is greater than vulnerable state threshold reference TI’, the node is identified to be under threat


Co-ordinated Intrusion Detection of Malicious Collaborating Entities in CPHS - Example

• N1 is node under attack
• Thresholds of parameters [PD, QL, EC] are identified to construct fuzzy MF
• Based on the parameters [PD, QL, EC] observed at N1
  – Fuzzy rules are generated
  – TI is calculated
  – If value of TI is 7, it indicates node is under threat
• TI < 4 is no threat, TI > 6 is threat, TI between 4 and 6 is vulnerable


Adaptive Coordinated Intrusion Response

• Develop and apply autonomic/self-adaptive techniques to implement adaptive coordinated response in CPHS
• If a node is under threat, neighboring nodes are subjected to response and protection algorithm
  – To identify intruder and isolate intruder from CPHS


Adaptive Coordinated Intrusion Response Example

• For the parameters observed for neighboring node for a node under attack
  – If the parameters with normal values are greater than abnormal and uncertain values
    • The node is flagged normal and accordingly certain action plan is taken
  – Else if the parameters with abnormal values are greater than normal and uncertain values
    • The node is flagged malicious and accordingly certain action plan is taken
  – Else if the parameters with uncertain values are greater than normal and abnormal values
    • The node is flagged uncertain and accordingly certain action plan is taken


Autonomic Intrusion Tolerance Using Byzantine Fault-tolerant Replication


Autonomic Intrusion Tolerance Using Byzantine Fault-tolerant Replication (cont.)

• n-t replicas to replace up to t compromised systems
• Intelligent adversary requires combination of replica diversity, voting and cryptographic schemes
• Dynamic and complex nature of CPHS requires self-manageable behaviour
• Feedback loop for sensing and adapting to current conditions


Our Ongoing Work on Byzantine Replication

• BFT protocol that implements a series of performance optimization mechanisms: request batching, replica rejuvenation, etc.
• Need right configuration of the system to achieve: size and timeout for batching, checkpoint period, rejuvenation period, primary backup failure detection timeout, etc.


Our Ongoing Work on Byzantine Replication (cont.)

• Developed a self-manageable version of BFT to optimize the relation throughput/delivery time.
• It is online adaptive because the objective “optimizing delay/throughput” is not modified at runtime.

[Figure: Self-manageable PBFT, showing a Controller and PBFT with the labels “BFT parameters” and “client activity, protocol/system performance”]


Autonomic BFT: One step ahead

• BFT adaptation policies should be dynamically defined by Coordinated Intrusion Response.
• Distinct action plans will trigger distinct adaptation policies or operation modes for BFT. For example,
  – Action Plan 3 may require BFT to optimize throughput to handle a possible DoS attack, even at the expense of delaying service responses.
  – Or Action 4 may require BFT to immediately checkpoint state to deal with a possible shutdown.


Threat Modeling With Human Entities

• Nearly 95% of all the security incidents are caused by human errors [Report: 2014 IBM’s Cyber Security Intelligence Index].
• Human entities add uncertainty to CPH Systems.
  – Intentional (malicious) errors
  – Malicious collaborative attacks
  – Unintentional (common mistakes) errors
  – Identity compromise
  – Privacy breach


Modeling Attacks Using Causal Relationships

• Human errors (intentional or unintentional) are considered as events (en).
  – One or more can occur at the same time
  – They sequentially follow other event(s)
    • e1 → e2 → e3 e4
• Events can be (a) individual attacks or (b) collaborative attacks
• The causal model: a state of an individual attack caused by a sequence of intentional human errors represents a finite period of individual attack execution.


Type of collaboration

• We identify two distinct events called “positive” and “negative” collaboration.
• Positive collaboration happens when two independent attacks collaborate to increase the number and effects of the resultant damage events.
• One attack interfering with another attack and nullifying its effect is known as negative collaboration.


Modeling Attacks Using Causal Relationships (cont.)

• We employ causal graph to map the attack patterns through human errors.
• A causal graph G = <V, E> for a set of causal rules of an attack is a labeled digraph with
  – vertices V = {e | events}
  – edges E = {<p, q> | ∃
    • a causal relationship c
    • local operation L
    • predicate B
    such that <p, c, q, L, B> is a causal model}.


Advantages of Causal Model

• By identifying all attack events we can produce a Causal Attack Graph (CAG): it can model attacks that are sequential as well as concurrent.
• The pre-conditions and post-conditions that attacks satisfy change dynamically; the causal model can capture the change that the state-of-art attack graph reduction techniques cannot.
• The causal model can help us in modelling large scale networks.


Advantages of Causal Model (cont.)

• The causal model can describe timing of attacks.
  – Attacks may need to be operating within a specific time interval and traditional attack graph analysis did not consider it.
• The causal model can represent unsuccessful attacks.
  – Some attempted attacks are never successful and cannot be modeled by traditional attack graphs


Contributions

• Holistic framework to mitigate security issues in CPHS environment
• Guidelines for developing adaptive defense mechanisms for malicious collaborative attacks in CPHS.
• Leads to improved understanding and dealing with collaborative attacks and coordinated defense through
  – Faulty human component
  – Byzantine fault tolerance,
  – Identity management (IDM)
• Autonomic, self-adaptive techniques to prevent, detect and counter those CPHS attacks.


Conclusion

• Discussed security issues in IoT based CPS
• Human participation in CPHS deepens those security issues
• Proposed holistic security framework for IoT based CPHS
• Threat modeling involving human elements in CPHS
• Proposed research questions and directions for the CPHS security


Questions


Appendix


TI Evaluation Example (Contd.)

$$TI = \frac{\sum_{j=1}^{m} w_j y_j}{\sum_{j=1}^{m} w_j}$$

Here m is the number of fuzzy rules, j ∈ {1, 2, …, m}, and m = k^n where n is the number of input metrics and k the number of fuzzy membership functions.

Here, wj = min(μj(xi)) where μj(xi) indicate MF of significant parameters of that rule.

Weight yj → NS, US and VS TI threshold values denoting the particular rule output.

For PD = 174, QL = 843 and EC = 1.8 Joules:

m is no of rules = k^n = 3^3 = 27

$$TI = \frac{\sum_{j=1}^{m} w_j y_j}{\sum_{j=1}^{m} w_j} = 11.5/2.5 = 4.6$$


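TI Evaluation Example (Contd.)

For PD = 174, QL = 843 and EC = 1.8 Joules

| Rule number (j) | μj(PD) | μj(QL) | μj(EC) | Rule strength wj = min(μj(PD), μj(QL), μj(EC)) | Output yj | wj·yj |
|---|---|---|---|---|---|---|
| 1 | 0 | 0.25 | 0 | 0 | 1 | 0 |
| 2 | 0 | 0.25 | 0.4 | 0 | 1 | 0 |
| 3 | 0 | 0.25 | 0.6 | 0 | 1 | 0 |
| 4 | 0 | 0.75 | 0 | 0 | 1 | 0 |
| 5 | 0 | 0.75 | 0.4 | 0 | 4 | 0 |
| 6 | 0 | 0.75 | 0.6 | 0 | 4 | 0 |
| 7 | 0 | 0 | 0 | 0 | 1 | 0 |
| 8 | 0 | 0 | 0.4 | 0 | 4 | 0 |
| 9 | 0 | 0 | 0.6 | 0 | 7 | 0 |
| 10 | 0.75 | 0.25 | 0 | 0 | 1 | 0 |
| 11 | 0.75 | 0.25 | 0.4 | 0.25 | 4 | 1 |
| 12 | 0.75 | 0.25 | 0.6 | 0.25 | 4 | 1 |
| 13 | 0.75 | 0.75 | 0 | 0 | 4 | 0 |
| 14 | 0.75 | 0.75 | 0.4 | 0.4 | 4 | 1.6 |
| 15 | 0.75 | 0.75 | 0.6 | 0.6 | 4 | 2.4 |
| 16 | 0.75 | 0 | 0 | 0 | 4 | 0 |
| 17 | 0.75 | 0 | 0.4 | 0 | 4 | 0 |
| 18 | 0.75 | 0 | 0.6 | 0 | 7 | 0 |
| 19 | 0.25 | 0.25 | 0 | 0 | 1 | 0 |
| 20 | 0.25 | 0.25 | 0.4 | 0.25 | 4 | 1 |
| 21 | 0.25 | 0.25 | 0.6 | 0.25 | 7 | 1.75 |
| 22 | 0.25 | 0.75 | 0 | 0 | 4 | 0 |
| 23 | 0.25 | 0.75 | 0.4 | 0.25 | 4 | 1 |
| 24 | 0.25 | 0.75 | 0.6 | 0.25 | 7 | 1.75 |
| 25 | 0.25 | 0 | 0 | 0 | 7 | 0 |
| 26 | 0.25 | 0 | 0.4 | 0 | 7 | 0 |
| 27 | 0.25 | 0 | 0.6 | 0 | 7 | 0 |

m is no of rules = k^n = 3^3 = 27

Here, j ∈ {1, 2, …, m}, n is the number of input metrics and k the number of membership functions for each metric.

$$TI = \frac{\sum_{j=1}^{m} w_j y_j}{\sum_{j=1}^{m} w_j} = 11.5/2.5 = 4.6$$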


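Co-ordinated Intrusion Detection of Malicious Collaborating Entities in CPHS - Example

[Figure: nodes N1, M0,1, M2,1, M3,1, M4,1 and M5,1]

| Parameter | UCLvs | UCLus | M0,1 to N1 | M2,1 to N1 | M3,1 to N1 | M4,1 to N1 | M5,1 to N1 | Average |
|---|---|---|---|---|---|---|---|---|
| PD | 208.63 | 119.1 | 155 / US | 2000 / VS | 20 / NS | 20 / NS | 20 / NS | 443 |
| QL | 1157.72 | 656.0 | 120 / NS | 12000 / VS | 120 / NS | 120 / NS | 120 / NS | 2496 |
| EC | 1.9941 | 1.34 | 1.3 / NS | 3.92 / VS | 2.33 / VS | 2.36 / VS | 2.61 / VS | 2.51 |

| Rule number (j) | μj(PD) | μj(QL) | μj(EC) | Rule strength wj = min(μj(PD), μj(QL), μj(EC)) | Output yj | wj·yj |
|---|---|---|---|---|---|---|
| 1 | 0 | 0 | 0 | 0 | 1 | 0 |
| 2 | 0 | 0 | 1 | 0 | 1 | 0 |
| 3 | 0 | 0 | 0 | 0 | 4 | 0 |
| 4 | 0 | 0 | 1 | 0 | 4 | 0 |
| 5 | 0 | 1 | 0 | 0 | 1 | 0 |
| 6 | 0 | 1 | 0 | 0 | 4 | 0 |
| 7 | 0 | 1 | 1 | 0 | 7 | 0 |
| 8 | 1 | 0 | 0 | 0 | 1 | 0 |
| 9 | 1 | 0 | 0 | 0 | 4 | 0 |
| 10 | 1 | 0 | 1 | 0 | 7 | 0 |
| 11 | 1 | 1 | 0 | 0 | 7 | 0 |
| 12 | 1 | 1 | 1 | 1 | 7 | 7 |

$$TI = \frac{\sum_{j=1}^{m} w_j y_j}{\sum_{j=1}^{m} w_j} = 7/1 = 7$$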
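The TI evaluation from the slides (membership grades, rule strength wj = min, weighted average over the k^n rules), covering both the PD=174/QL=843/EC=1.8 appendix case and the N1 case, as runnable Python. This is an added example, not the authors' code: the linear ramps between the plotted breakpoints and the majority-vote rule base (which matches every yj in the 27-row table) are assumptions, and all function and constant names are hypothetical.

```python
from itertools import product

STATES = ("NS", "US", "VS")  # normal, uncertain, vulnerable
# Breakpoints from the slides' plots: NS=1 at/below, US=1 at, VS=1 at/above.
BREAKPOINTS = {
    "PD": (119, 163, 208),     # packets dropped
    "QL": (656, 908, 1157),    # queue length
    "EC": (1.33, 1.66, 1.99),  # energy consumption, joules
}

def membership(x, lo, mid, hi):
    """Return (NS, US, VS) grades of one reading. The slides fix only the
    anchor points; the straight-line ramps between them are an assumption."""
    if x <= lo:
        return (1.0, 0.0, 0.0)
    if x >= hi:
        return (0.0, 0.0, 1.0)
    if x <= mid:
        us = (x - lo) / (mid - lo)
        return (1.0 - us, us, 0.0)
    vs = (x - mid) / (hi - mid)
    return (0.0, 1.0 - vs, vs)

def rule_output(states):
    """Consequent y_j of a rule. Assumed rule base: majority vote, which
    matches every y_j in the 27-row table (2+ VS -> 7, 2+ NS -> 1, else 4)."""
    if states.count("VS") >= 2:
        return 7
    if states.count("NS") >= 2:
        return 1
    return 4

def threat_index(grades):
    """TI = sum(w_j * y_j) / sum(w_j) over all k^n rules.
    grades holds one (NS, US, VS) tuple per parameter; the rule strength
    w_j is the smallest grade among the rule's antecedents."""
    num = den = 0.0
    for combo in product(range(len(STATES)), repeat=len(grades)):
        w = min(g[s] for g, s in zip(grades, combo))
        num += w * rule_output([STATES[s] for s in combo])
        den += w
    if den == 0:
        raise ValueError("no rule fired: every rule strength is zero")
    return num / den

def classify(ti):
    """Slide thresholds: TI < 4 no threat, TI > 6 threat, else vulnerable."""
    if ti < 4:
        return "no threat"
    return "threat" if ti > 6 else "vulnerable"

def node_threat(readings):
    """Raw readings {"PD": .., "QL": .., "EC": ..} -> (TI, label)."""
    grades = [membership(readings[p], *BREAKPOINTS[p]) for p in BREAKPOINTS]
    ti = threat_index(grades)
    return ti, classify(ti)

# Grades as tabulated on the appendix slide for PD=174, QL=843, EC=1.8.
APPENDIX_GRADES = [(0.0, 0.75, 0.25), (0.25, 0.75, 0.0), (0.0, 0.4, 0.6)]
# Averages observed at N1 on the final slide.
N1_AVERAGES = {"PD": 443, "QL": 2496, "EC": 2.51}

if __name__ == "__main__":
    print(round(threat_index(APPENDIX_GRADES), 2))  # 4.6
    print(node_threat(N1_AVERAGES))                 # (7.0, 'threat')
```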