75 results for DDOS ATTACKS


Relevance: 10.00%

Abstract:

Increased complexity and interconnectivity of Supervisory Control and Data Acquisition (SCADA) systems in Smart Grids potentially means greater susceptibility to malicious attackers. SCADA systems with legacy communication infrastructure have inherent cyber-security vulnerabilities as these systems were originally designed with little consideration of cyber threats. In order to improve cyber-security of SCADA networks, this paper presents a rule-based Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method, which includes signature-based and model-based approaches tailored for SCADA systems. The proposed signature-based rules can accurately detect several known suspicious or malicious attacks. In addition, model-based detection is proposed as a complementary method to detect unknown attacks. Finally, proposed intrusion detection approaches for SCADA networks are implemented and verified using a rule-based method.

Relevance: 10.00%

Abstract:

Synchrophasor systems will play a crucial role in next generation Smart Grid monitoring, protection and control. However, these systems also introduce a multitude of potential vulnerabilities from malicious and inadvertent attacks, which may render erroneous operation or severe damage. This paper proposes a Synchrophasor Specific Intrusion Detection System (SSIDS) for malicious cyber attack and unintended misuse. The SSIDS comprises a heterogeneous whitelist and behavior-based approach to detect known attack types and unknown and so-called ‘zero-day’ vulnerabilities and attacks. The paper describes reconnaissance, Man-in-the-Middle (MITM) and Denial-of-Service (DoS) attack types executed against a practical synchrophasor system which are used to validate the real-time effectiveness of the proposed SSIDS cyber detection method.

Relevance: 10.00%

Abstract:

Increased complexity and interconnectivity of Supervisory Control and Data Acquisition (SCADA) systems in Smart Grids potentially means greater susceptibility to malicious attackers. SCADA systems with legacy communication infrastructure have inherent cyber-security vulnerabilities as these systems were originally designed with little consideration of cyber threats. In order to improve cyber-security of SCADA networks, this paper presents a rule-based Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method, which includes signature-based and model-based approaches tailored for SCADA systems. The proposed signature-based rules can accurately detect several known suspicious or malicious attacks. In addition, model-based detection is proposed as a complementary method to detect unknown attacks. Finally, proposed intrusion detection approaches for SCADA networks are implemented and verified via Snort rules.

Relevance: 10.00%

Abstract:

The increased interconnectivity and complexity of supervisory control and data acquisition (SCADA) systems in power system networks has exposed the systems to a multitude of potential vulnerabilities. In this paper, we present a novel approach for a next-generation SCADA-specific intrusion detection system (IDS). The proposed system analyzes multiple attributes in order to provide a comprehensive solution that is able to mitigate varied cyber-attack threats. The multiattribute IDS comprises a heterogeneous white list and behavior-based concept in order to make SCADA cybersystems more secure. This paper also proposes a multilayer cyber-security framework based on IDS for protecting SCADA cybersecurity in smart grids without compromising the availability of normal data. In addition, this paper presents a SCADA-specific cybersecurity testbed to investigate simulated attacks, which has been used in this paper to validate the proposed approach.

Relevance: 10.00%

Abstract:

We consider the problem of self-healing in networks that are reconfigurable in the sense that they can change their topology during an attack. Our goal is to maintain connectivity in these networks, even in the presence of repeated adversarial node deletion, by carefully adding edges after each attack. We present a new algorithm, DASH, that provably ensures that: 1) the network stays connected even if an adversary deletes up to all nodes in the network; and 2) no node ever increases its degree by more than 2 log n, where n is the number of nodes initially in the network. DASH is fully distributed; adds new edges only among neighbors of deleted nodes; and has average latency and bandwidth costs that are at most logarithmic in n. DASH has these properties irrespective of the topology of the initial network, and is thus orthogonal and complementary to traditional topology-based approaches to defending against attack. We also prove lower-bounds showing that DASH is asymptotically optimal in terms of minimizing maximum degree increase over multiple attacks. Finally, we present empirical results on power-law graphs that show that DASH performs well in practice, and that it significantly outperforms naive algorithms in reducing maximum degree increase.

Relevance: 10.00%

Abstract:

In this short paper, we present an integrated approach to detecting and mitigating cyber-attacks to modern interconnected industrial control systems. One of the primary goals of this approach is that it is cost effective, and thus whenever possible it builds on open-source security technologies and open standards, which are complemented with novel security solutions that address the specific challenges of securing critical infrastructures.

Relevance: 10.00%

Abstract:

This paper argues that biometric verification evaluations can obscure vulnerabilities that increase the chances that an attacker could be falsely accepted. This can occur because existing evaluations implicitly assume that an imposter claiming a false identity would claim a random identity rather than consciously selecting a target to impersonate. This paper shows how an attacker can select a target with a similar biometric signature in order to increase their chances of false acceptance. It demonstrates this effect using a publicly available iris recognition algorithm. The evaluation shows that the system can be vulnerable to attackers targeting subjects who are enrolled with a smaller section of iris due to occlusion. The evaluation shows how the traditional DET curve analysis conceals this vulnerability. As a result, traditional analysis underestimates the importance of an existing score normalisation method for addressing occlusion. The paper concludes by evaluating how the targeted false acceptance rate increases with the number of available targets. Consistent with a previous investigation of targeted face verification performance, the experiment shows that the false acceptance rate can be modelled using the traditional FAR measure with an additional term that is proportional to the logarithm of the number of available targets.

Relevance: 10.00%

Abstract:

When applying biometric algorithms to forensic verification, false acceptance and false rejection can mean a failure to identify a criminal, or worse, lead to the prosecution of individuals for crimes they did not commit. It is therefore critical that biometric evaluations be performed as accurately as possible to determine their legitimacy as a forensic tool. This paper argues that, for forensic verification scenarios, traditional performance measures are insufficiently accurate. This inaccuracy occurs because existing verification evaluations implicitly assume that an imposter claiming a false identity would claim a random identity rather than consciously selecting a target to impersonate. In addition to describing this new vulnerability, the paper describes a novel Targeted FAR metric that combines the traditional False Acceptance Rate (FAR) measure with a term that indicates how performance degrades with the number of potential targets. The paper includes an evaluation of the effects of targeted impersonation on an existing academic face verification system. This evaluation reveals that even with a relatively small number of targets false acceptance rates can increase significantly, making the analysed biometric systems unreliable.

Relevance: 10.00%

Abstract:

The next-generation smart grid will rely highly on telecommunications infrastructure for data transfer between various systems. Anywhere we have data transfer in a system is a potential security threat. When we consider the possibility of smart grid data being at the heart of our critical systems infrastructure it is imperative that we do all we can to ensure the confidentiality, availability and integrity of the data. A discussion on security itself is outside the scope of this paper, but if we assume the network to be as secure as possible we must consider what we can do to detect when that security fails, or when the attacks come from the inside of the network. One way to do this is to set up a hacker-trap, or honeypot. A honeypot is a device or service on a network which appears legitimate, but is in fact a trap set up to catch breach attempts. This paper identifies the different types of honeypot and describes where each may be used. The authors have set up a test honeypot system which has been live for some time. The test system has been set up to emulate a device on a utility network. The system has had many hits, which are described in detail by the authors. Finally, the authors discuss how larger-scale systems in utilities may benefit from honeypot placement.

Relevance: 10.00%

Abstract:

While virtualisation can provide many benefits to a network's infrastructure, securing the virtualised environment is a big challenge. The security of a fully virtualised solution is dependent on the security of each of its underlying components, such as the hypervisor, guest operating systems and storage.

This paper presents a single security service running on the hypervisor that could potentially work to provide security service to all virtual machines running on the system. This paper presents a hypervisor hosted framework which performs specialised security tasks for all underlying virtual machines to protect against any malicious attacks by passively analysing the network traffic of VMs. This framework has been implemented using Xen Server and has been evaluated by detecting a Zeus Server setup and infected clients, distributed over a number of virtual machines. This framework is capable of detecting and identifying all infected VMs with no false positive or false negative detection.

Relevance: 10.00%

Abstract:

Ischaemic strokes evoke blood-brain barrier (BBB) disruption and oedema formation through a series of mechanisms involving Rho-kinase activation. Using an animal model of human focal cerebral ischaemia, this study assessed and confirmed the therapeutic potential of Rho-kinase inhibition during the acute phase of stroke by displaying significantly improved functional outcome and reduced cerebral lesion and oedema volumes in fasudil- versus vehicle-treated animals. Analyses of ipsilateral and contralateral brain samples obtained from mice treated with vehicle or fasudil at the onset of reperfusion plus 4 h post-ischaemia or 4 h post-ischaemia alone revealed these benefits to be independent of changes in the activity and expressions of oxidative stress- and tight junction-related parameters. However, closer scrutiny of the same parameters in brain microvascular endothelial cells subjected to oxygen-glucose deprivation ± reperfusion revealed marked increases in prooxidant NADPH oxidase enzyme activity, superoxide anion release and in expressions of antioxidant enzyme catalase and tight junction protein claudin-5. Cotreatment of cells with Y-27632 prevented all of these changes and protected in vitro barrier integrity and function. These findings suggest that inhibition of Rho-kinase after acute ischaemic attacks improves cerebral integrity and function through regulation of endothelial cell oxidative stress and reorganization of intercellular junctions. Inhibition of Rho-kinase (ROCK) activity in a mouse model of human ischaemic stroke significantly improved functional outcome while reducing cerebral lesion and oedema volumes compared to vehicle-treated counterparts. Studies conducted with brain microvascular endothelial cells exposed to OGD ± R in the presence of Y-27632 revealed restoration of intercellular junctions and suppression of prooxidant NADPH oxidase activity as important factors in ROCK inhibition-mediated BBB protection.

Relevance: 10.00%

Abstract:

This paper presents a new perceptual watermarking model for Discrete Shearlet transform (DST). DST provides the optimal representation [10] of the image features based on multi-resolution and multi-directional analysis. This property can be exploited for watermark embedding to achieve the watermarking imperceptibility by introducing the human visual system using Chou’s model. In this model, a spatial JND profile is adapted to fit the sub-band structure. The combination of DST and the Just-Noticeable Distortion (JND) profile improves the levels of robustness against certain attacks while minimizing the distortion, by assigning a visibility threshold of distortion to each DST sub-band coefficient in the case of grey scale image watermarking.

Relevance: 10.00%

Abstract:

Threat prevention with limited security resources is a challenging problem. An optimal strategy is to effectively predict attackers' targets (or goals) based on current available information, and use such predictions to prevent (or disrupt) their planned attacks. In this paper, we propose a game-theoretic framework to address this challenge which encompasses the following three elements. First, we design a method to analyze an attacker's types in order to determine the most plausible type of an attacker. Second, we propose an approach to predict possible targets of an attack and the course of actions that the attackers may take even when the attackers' types are ambiguous. Third, a game-theoretic based strategy is developed to determine the best protection actions for defenders (security resources).

Relevance: 10.00%

Abstract:

The key attributes of a smarter power grid include: pervasive interconnection of smart devices; extensive data generation and collection; and rapid reaction to events across a widely dispersed physical infrastructure. Modern telecommunications technologies are being deployed across power systems to support these monitoring and control capabilities. To enable interoperability, several new communications protocols and standards have been developed over the past 10 to 20 years. These continue to be refined, even as new systems are rolled out.

This new hyper-connected communications infrastructure provides an environment rich in sub-systems and physical devices that are attractive to cyber-attackers. Indeed, as smarter grid operations become dependent on interconnectivity, the communications network itself becomes a target. Consequently, we examine cyber-attacks that specifically target communications, particularly state-of-the-art standards and protocols. We further explore approaches and technologies that aim to protect critical communications networks against intrusions, and to monitor for, and detect, intrusions that infiltrate Smart Grid systems.

Relevance: 10.00%

Abstract:

A new niche of densely populated, unprotected networks is becoming more prevalent in public areas such as shopping malls, defined here as independent open-access networks, which have attributes that make attack detection more challenging than in typical enterprise networks. To address these challenges, new detection systems which do not rely on knowledge of internal device state are investigated here. This paper shows that this lack of state information requires an additional metric (the exchange timeout window) for detection of WLAN Denial of Service Probe Flood attacks. Variability in this metric has a significant influence on the ability of a detection system to reliably detect the presence of attacks. A parameter selection method is proposed which is shown to provide reliability and repeatability in attack detection in WLANs. Results obtained from ongoing live trials are presented that demonstrate the importance of accurately estimating probe request and probe response timeouts in future Independent Intrusion Detection Systems.