On Survivability of Mobile Cyber Physical Systems with Intrusion Detection
Transcript of On Survivability of Mobile Cyber Physical Systems with Intrusion Detection
Presented by: Ting Hua
Authors: Robert Mitchell, Ing-Ray Chen
Outline
• Introduction
• System Model / Reference Configuration
• Theoretical Analysis
• Numerical Data
• Simulation
• Conclusion
Introduction
• Problem
  – address the survivability issue of a mobile cyber physical system (MCPS)
• Key issue
  – best balance between energy conservation and intrusion tolerance
• Highlight of the scheme
  – dynamic voting-based intrusion detection
Node Model
(Figure: a node consists of computing, sensing, communicating and energy components)
System Model
• Ranging
  – transmit a CDMA waveform to neighbors
  – receive the waveform from neighbors
  – transform the received waveform into a distance
• Sensing
  – sensing data
  – analyzing sensed data
• Intrusion detection
  – choose m intrusion detectors
  – vote
• Node capture
• Bad data injection
  – attack from inside
  – false vote
Attack Model
• Security Failure: Byzantine fault model
  – One-third or more of the nodes are compromised, then the system fails.
• Energy Exhaustion
• Our goal: maximizing the lifetime until energy exhaustion
(Figure: attack leading to system failure)
Per-node Security Fault
• Per-node false negative
  – a single intrusion detector misidentifies a bad node as a good node.
• Per-node false positive
  – a single intrusion detector misidentifies a good node as a bad node.
System-wide Security Fault
• System-wide false negative
  – a pool of intrusion detectors reaches an incorrect majority decision that a bad node is good.
• System-wide false positive
  – a pool of intrusion detectors reaches an incorrect majority decision that a good node is bad.
Combined intrusion detection
• Per-host intrusion detection
  – event sequence matching: determines a sequence of locations of a neighbor node
• System intrusion detection
  – Select m voters
    • a coordinator is selected randomly among the neighbors
    • the coordinator then selects m voters randomly (including itself)
  – Voting
    • majority
    • dynamic: m and the detection interval depend on the percentage of bad nodes
• Per-node false alarm probabilities: p_fn, p_fp
• System-wide false alarm probabilities: P_fn, P_fp
SPN model for MCPS
• Nodes: places to hold tokens.
  – Ng: the number of good nodes.
  – Nb: the number of bad nodes undetected.
  – Ne: the number of nodes evicted.
  – Energy: a binary variable.
    • 1: energy available.
    • 0: energy exhausted.
• Events: transitions.
  – TCP: good nodes being compromised.
  – TFP: a good node being falsely identified as compromised.
  – TIDS: a bad node being correctly detected as compromised.
  – TENERGY: energy exhaustion.
Voting-based intrusion detection
Underlying semi-Markov model of the SPN model
• Initial state: 128 sensor-carried mobile nodes
• TCP: good nodes may become compromised because of insider attacks
  – per-node compromising rate λ
  – aggregate rate
• TIDS: a bad node is detected as compromised
  – (Ng, Nb-1, Ne+1, energy)
• TFP: a good node is detected as compromised
  – (Ng-1, Nb, Ne+1, energy)
• TENERGY: system energy is exhausted after N × TIDS intervals
  – the energy exhaustion event can occur in any state in which energy is still available
False Alarm Probability
(Formula terms from the slide; the expressions themselves were not captured)
• selecting a majority of bad nodes
• selecting a majority of good nodes
• K of the good nodes make a false negative decision
• choose a minority of bad nodes from the set of all bad nodes
• choose a majority of bad nodes from the set of all bad nodes
• choose a minority of good nodes from the set of all good nodes
Dynamic voting-based intrusion detection in response to changing environments
• dynamically adjust the transition rates to TIDS and TFP
Survivability Assessment
• Mean time to failure (MTTF)
  – Failure
    • energy is exhausted: energy = 0
    • big bad node population: one-third or more of the nodes are bad
  – How to calculate?
    • the accumulated "reward" of the underlying semi-Markov reward model
    • Reward: a reward rate of 1 in every state in which the system is still operating and 0 in the failure states, so that the accumulated reward until absorption is the MTTF
Numerical Data
• Objective
  – optimal values of TIDS and m to maximize MTTF
• N: maximum number of intrusion detection cycles before energy exhaustion
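The false-alarm terms on the False Alarm Probability slide (a majority or minority of bad voters among the m chosen, K good voters erring) and the MTTF as accumulated reward of the (Ng, Nb, Ne, energy) state model can both be worked through in code. The Python below is an added example, not the authors' or the paper's code. Everything beyond the slides is an assumption, also labelled in the docstring: compromised voters always cast the wrong vote, the m voters are drawn uniformly from the live nodes other than the target, every node is audited once per TIDS interval (so the aggregate TIDS rate is Nb(1-P_fn)/TIDS and the TFP rate is Ng·P_fp/TIDS), energy exhaustion is exponential with mean N×TIDS, and Byzantine failure means one-third or more of the non-evicted nodes are bad. Because every transition lowers 2·Ng+Nb, the chain is acyclic and MTTF follows from a memoised recursion over states instead of a linear solve; P_fn and P_fp are recomputed in every state, which is the "dynamic" rate adjustment the slides describe. The function and parameter names are this example's own.

```python
"""
Added example (not the authors' code): system-wide false-alarm probabilities of
majority voting and MTTF of the (Ng, Nb, Ne, energy) state model.

Assumptions beyond the slides:
- a compromised voter always casts the wrong vote; a good voter errs
  independently with the per-node probabilities p_fn / p_fp;
- the m voters are drawn uniformly without replacement from all live nodes
  other than the target node being audited;
- every node is audited once per interval T_IDS, so the aggregate TIDS rate is
  Nb*(1-P_fn)/T_IDS and the TFP rate is Ng*P_fp/T_IDS;
- energy exhaustion (TENERGY) is exponential with mean N*T_IDS, so the model
  is a CTMC whose transitions only lower 2*Ng+Nb (no cycles);
- Byzantine failure when 3*Nb >= Ng+Nb (evicted nodes excluded).
"""
from functools import lru_cache
from math import comb


def _wrong_majority(good_voters: int, bad_voters: int, p_err: float) -> float:
    """P(wrong verdict): bad voters vote wrong, each good voter errs with p_err."""
    m = good_voters + bad_voters
    need = m // 2 + 1 - bad_voters  # wrong votes still required from good voters
    return sum(comb(good_voters, k) * p_err ** k * (1 - p_err) ** (good_voters - k)
               for k in range(max(need, 0), good_voters + 1))


def _pooled_wrong_majority(good: int, bad: int, m: int, p_err: float) -> float:
    """Average _wrong_majority over the hypergeometric mix of m voters."""
    pool = good + bad
    if pool == 0:
        return 0.0
    m = min(m, pool)  # cannot draw more voters than nodes available
    total = 0.0
    for j in range(m + 1):  # j = number of bad voters among the m
        p_j = comb(bad, j) * comb(good, m - j) / comb(pool, m)
        if p_j:
            total += p_j * _wrong_majority(m - j, j, p_err)
    return total


def system_false_alarm(ng: int, nb: int, m: int, p_fn: float, p_fp: float):
    """Return (P_fn, P_fp); the voter pool excludes the target node itself."""
    P_fn = _pooled_wrong_majority(ng, nb - 1, m, p_fn) if nb > 0 else 0.0
    P_fp = _pooled_wrong_majority(ng - 1, nb, m, p_fp) if ng > 0 else 0.0
    return P_fn, P_fp


def mttf(ng: int, nb: int, lam: float, t_ids: float, n_cycles: int,
         m: int, p_fn: float, p_fp: float) -> float:
    """Mean time to failure from state (ng, nb) with energy still available."""
    rate_energy = 1.0 / (n_cycles * t_ids)  # TENERGY, assumed exponential

    @lru_cache(maxsize=None)
    def t(g: int, b: int) -> float:
        if 3 * b >= g + b:  # Byzantine failure; also covers "all nodes evicted"
            return 0.0
        P_fn, P_fp = system_false_alarm(g, b, m, p_fn, p_fp)  # rates adapt per state
        moves = []
        if g and lam:
            moves.append((g * lam, (g - 1, b + 1)))              # TCP
        if b:
            moves.append((b * (1 - P_fn) / t_ids, (g, b - 1)))   # TIDS
        if g and P_fp:
            moves.append((g * P_fp / t_ids, (g - 1, b)))         # TFP
        q = rate_energy + sum(r for r, _ in moves)               # total exit rate
        # mean holding time 1/q plus the expected remaining time after the jump
        return (1.0 + sum(r * t(*nxt) for r, nxt in moves)) / q

    return t(ng, nb)


def best_t_ids(candidates, **kw) -> float:
    """Pick the detection interval that maximises MTTF over a grid of candidates."""
    return max(candidates, key=lambda t_ids: mttf(t_ids=t_ids, **kw))


if __name__ == "__main__":
    # Constructed parameters: 128 nodes as on the slides, other values illustrative
    params = dict(ng=128, nb=0, lam=1 / 4000, n_cycles=200, m=3, p_fn=0.05, p_fp=0.05)
    print("P_fn, P_fp at (Ng=120, Nb=8):", system_false_alarm(120, 8, 3, 0.05, 0.05))
    for t_ids in (2.0, 5.0, 10.0, 20.0):
        print(f"T_IDS={t_ids:5.1f}  MTTF={mttf(t_ids=t_ids, **params):10.2f}")
    print("best T_IDS:", best_t_ids((2.0, 5.0, 10.0, 20.0), **params))
```

Running the script prints the state-dependent false-alarm probabilities and sweeps a grid of TIDS values for the fixed m, which is the shape of the numerical study on these slides (optimal TIDS and m for a given λ); changing m and λ in params reproduces the trade-offs discussed in the results section. With λ = 0 and p_fp = 0 the only remaining transition is energy exhaustion, so mttf returns exactly N×TIDS, a useful sanity check.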
System Model
• Ranging
  – transmit a CDMA waveform to neighbors
  – receive the waveform from neighbors
  – transform the received waveform into a distance
• Sensing
  – sensing data (navigation and multipath mitigation data)
  – analyzing sensed data
• Intrusion detection
  – choose m intrusion detectors
  – vote
Numerical Data
(Parameter descriptions from the table; symbols and values were not captured)
• energy spent for ranging, sensing, and intrusion detection in a TIDS interval per node
• node population in MCPS
• neighbors
• repeated α times for determining a sequence of locations
• energy spent in choosing m intrusion detectors to evaluate a target node
• energy spent in m intrusion detectors to vote
• TIDS
  – Too small
    • performs ranging, sensing and intrusion detection too frequently
    • quickly exhausts energy
  – Increases
    • saves more energy and lifetime increases
  – Too large
    • intrusion detection runs less frequently and fails to catch bad nodes often enough
    • Byzantine failure: 1/3 or more bad nodes out of the total population
Results-Theoretical
• m: number of intrusion detectors
  – General trend
    • m decreases, optimal TIDS value
    • less intrusion detection, higher invocation frequency to prevent security failures
  – m = 5
    • too many: energy exhaustion failure
    • too few: security failure
Results-Theoretical
• Compromising rate λ increases
  – MTTF decreases
    • a higher λ causes more compromised nodes
  – Optimal TIDS decreases
    • with more compromised nodes, intrusion detection must run more frequently to maximize MTTF
Results-Theoretical
• MTTF
  – Low
    • lower m benefits MTTF
  – High
    • higher m benefits MTTF
• Simulation Tool
  – SMPL
• Schedules events
  – node capture
  – intrusion detection audits
  – energy exhaustion
• A simulation run ends:
  – security failure
  – energy exhausted
  – all nodes have been evicted
• MTTF
  – grand mean out of a large number of MTTF samples
  – batch means analysis to satisfy the 95% confidence level and 10% accuracy requirements
  – the grand mean falls within 10% of the true mean with 95% confidence
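The stopping rule behind the last bullets (batch means, 95% confidence, grand mean within 10% of the true mean) is short enough to write out. The Python below is an added example, not the authors' SMPL code: it splits one run of MTTF samples into ten consecutive batches, treats the batch means as independent observations, and accepts the run once the half-width of the 95% Student-t interval (t_{0.975,9} = 2.262, the standard table value) is at most 10% of the grand mean. The sample values and the gamma-distributed stand-in for a simulator are constructed for illustration; the function names are this example's own.

```python
"""
Added example (not the authors' code): batch-means stopping rule for the
simulation's MTTF estimate. Ten batches are used so that a single Student-t
critical value applies; the samples in __main__ are constructed.
"""
from math import sqrt
from statistics import mean, stdev

N_BATCHES = 10
T_CRIT_95_DF9 = 2.262   # t_{0.975, 9}: two-sided 95% interval for 10 batch means
REL_ACCURACY = 0.10     # the 10% accuracy requirement from the slide


def batch_means(samples, rel_accuracy=REL_ACCURACY):
    """Return (grand_mean, half_width, accepted) for one run of MTTF samples.

    The run is cut into N_BATCHES consecutive batches (a remainder is dropped).
    Batch means are far less correlated than raw samples, which is why they are
    used as the observations behind the confidence interval.
    """
    size = len(samples) // N_BATCHES
    if size < 2:
        raise ValueError("too few samples for %d batches" % N_BATCHES)
    means = [mean(samples[i * size:(i + 1) * size]) for i in range(N_BATCHES)]
    grand = mean(means)
    half_width = T_CRIT_95_DF9 * stdev(means) / sqrt(N_BATCHES)
    accepted = half_width <= rel_accuracy * grand
    return grand, half_width, accepted


def collect_until_precise(draw, start=100, step=100, max_samples=10_000):
    """Draw MTTF samples (draw() -> one value) until the accuracy rule is met.

    Returns (grand_mean, half_width, accepted, samples_used); accepted is False
    only if max_samples was reached first.
    """
    samples = [draw() for _ in range(start)]
    while True:
        grand, half_width, accepted = batch_means(samples)
        if accepted or len(samples) >= max_samples:
            return grand, half_width, accepted, len(samples)
        samples.extend(draw() for _ in range(step))


if __name__ == "__main__":
    import random
    rng = random.Random(7)
    # Constructed stand-in for a simulator: skewed lifetimes with a long right tail,
    # the shape the slides report for the MTTF distribution
    print(collect_until_precise(lambda: rng.gammavariate(2.0, 400.0)))
```

The same rule can wrap any simulator that returns one MTTF value per run; keeping the batch count fixed avoids needing a t-table lookup, and the relative (not absolute) accuracy test is what makes the rule independent of the time units chosen.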
Results-Simulation
(Figure: simulation results compared with analytical results)
• Matches well
  – one peak with a similar peak value
  – a left/positive skew
  – a pronounced right tail
Conclusion
• System failure definition
  – energy exhaustion
  – security failure
• Optimal design settings for voting-based intrusion detection
  – Input:
    • per-node false alarm probabilities
    • per-node compromise rate λ
  – Output:
    • best number of detectors (m)
    • best intrusion detection interval (TIDS)