Context-based anomaly detection in critical infrastructures: a study in distributed systems


Bibliographic Details
Main Author: McEvoy, Thomas Richard
Published: University of London, 2013
Online Access: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.603445
Description
Summary: The modernization of critical infrastructure exposes a large attack surface in a set of systems, key to the sustainability of civilization, at a time when targeted malicious attacks are growing in sophistication, especially with regard to stealth techniques, which are particularly difficult to uncover in distributed systems due to the multiple possible orderings of state. We argue that by making use of a set of known relationships (which we label a context) between states in disparate parts of a distributed system, together with suitable concurrent (or near-concurrent) observation and comparison mechanisms, we can provide the means to detect such anomalies and locate their source as a precursor to managing outcomes. As a necessary prerequisite to our research, we establish an adversary capability model which allows us to make explicit statements about the feasible actions and subsequent impacts of an adversary and to demonstrate the validity of any detective methods. We focus primarily on integrity attacks. The first technique we present is a security protocol, using traceback techniques, which allows us to locate processes which manipulate message content between an operator and a control unit. The second technique allows us to model algebraically possible sequences of host system states which may be indicative of malicious activity and to detect these using a multi-threaded observation mechanism. The third technique provides a process engineering model of a basic non-linear process in a biochemical plant (pasteurization in a brewery) which shows how the provision of even minimal additional sensor information, outside of standard telemetry requirements, can be used to determine a failure in supervisory control due to malicious action. This last technique represents an improvement over previous approaches, which focused on linear or linearized systems. All three techniques pave the way for more sophisticated approaches to real-time detection and management of attacks.

Thanks go to my supervisor, Stephen Wolthusen, for his encouragement and counsel, and to my examiners, Keith Mayes and Emiliano Cassalichio, for their comments and questions. I am also grateful to the anonymous reviewers of the papers submitted for publication as part of the work for this dissertation for their comments, advice and corrections, and to Diageo PLC for access to data on their beer pasteurization process. Finally, I would like to thank my wife and family for their patience and support over the past seven years.