Optimal Configuration of Intrusion Detection Systems for Cyber-Physical Systems
In recent years, we have seen a number of successful cyber-attacks against high-profile targets, which have demonstrated that resourceful and determined attackers can penetrate even highly secure systems. In light of these attacks, it becomes apparent that defenders of cyber-physical systems (CPS) cannot focus solely on preventing attackers from penetrating their systems. Instead, they must also prepare to promptly detect and mitigate security breaches, thereby limiting the impact of successful attacks. Since attackers often aim to keep security compromises covert in order to attain higher impact over a longer period of time, the detection of stealthy attacks is of key importance. To detect such attacks, defenders may deploy intrusion detection systems (IDS), which monitor computer systems and networks for suspicious activity.
In our work, we address three fundamental challenges in intrusion detection systems for CPS.
- First, we consider CPS consisting of resource-bounded devices, such as battery-powered devices, which cannot run an IDS continuously. For such systems, defenders must schedule when each device runs its IDS. Since attackers may exploit a schedule by launching their attack when certain devices are not running IDS, finding an optimal schedule is an important and challenging problem. To solve this problem, we presented efficient heuristic algorithms. We evaluated these algorithms using a real-world water-distribution network, and demonstrated that they perform exceptionally well in practice.
- Second, we consider the problem of configuring IDS for CPS. For any practical IDS, configuring detection sensitivity is a key issue: too high a sensitivity will result in a large number of false alarms, while too low a sensitivity may leave actual attacks undetected. The configuration problem is especially challenging when IDS are deployed on multiple computer systems that control the same physical processes, since the optimal configuration of each IDS depends on the configurations of the other IDS. To solve this problem, we proposed a simulated-annealing-based metaheuristic, which can configure multiple IDS simultaneously. We evaluated our algorithm using a real-world water-distribution network, and found that it performs substantially better than the best-possible individual configurations.
- Third, we consider time-variant physical processes, where the potential damage caused by a security breach changes over time. In these systems, the optimal configuration of an IDS must also change over time. To find a time-variant configuration, we devised an optimal polynomial-time algorithm based on dynamic programming, which we evaluated using real-world data. We found that the time-variant configuration found by our algorithm significantly outperforms the best-possible time-invariant configuration.
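To make the third point concrete, the following added example (not the authors' algorithm or data) illustrates the time-variant versus time-invariant comparison with a small dynamic program. It assumes a simplified cost model: each IDS configuration has a per-period false-alarm cost and a detection probability, an undetected attack in period t costs the potential damage of that period, and changing configuration between consecutive periods incurs a switching cost; the damage profile and configurations are constructed values.

```python
"""Time-variant IDS configuration via dynamic programming (illustrative model)."""
from typing import Dict, List, Tuple

# Assumed model (not from the paper): (false_alarm_cost, detection_probability)
Config = Tuple[float, float]

# Constructed sample data: damage is low except during two sensitive periods.
DAMAGE = [1.0, 1.0, 10.0, 10.0, 1.0, 1.0]
CONFIGS: Dict[str, Config] = {"low": (0.1, 0.5), "high": (1.0, 0.95)}
SWITCH_COST = 0.2


def period_cost(cfg: Config, damage: float) -> float:
    """Expected cost of running cfg for one period: false alarms + missed damage."""
    fa_cost, p_detect = cfg
    return fa_cost + (1.0 - p_detect) * damage


def best_time_invariant(configs: Dict[str, Config], damage: List[float]) -> Tuple[float, str]:
    """Best single configuration kept for the whole horizon."""
    totals = {name: sum(period_cost(c, d) for d in damage) for name, c in configs.items()}
    name = min(totals, key=totals.get)
    return totals[name], name


def best_time_variant(configs: Dict[str, Config], damage: List[float],
                      switch_cost: float) -> Tuple[float, List[str]]:
    """Optimal per-period schedule of configurations, including switching costs."""
    names = list(configs)
    # best[s]: minimal cost of periods 0..t when period t uses configuration s
    best = {s: period_cost(configs[s], damage[0]) for s in names}
    back = []  # back[t-1][s]: configuration chosen at period t-1 if period t uses s
    for t in range(1, len(damage)):
        new_best, prev = {}, {}
        for s in names:
            cand = {p: best[p] + (switch_cost if p != s else 0.0) for p in names}
            prev[s] = min(cand, key=cand.get)
            new_best[s] = cand[prev[s]] + period_cost(configs[s], damage[t])
        best, back = new_best, back + [prev]
    last = min(best, key=best.get)
    schedule = [last]
    for prev in reversed(back):  # walk the predecessor links back to period 0
        schedule.append(prev[schedule[-1]])
    schedule.reverse()
    return best[last], schedule


if __name__ == "__main__":
    print("time-invariant:", best_time_invariant(CONFIGS, DAMAGE))
    print("time-variant:  ", best_time_variant(CONFIGS, DAMAGE, SWITCH_COST))
```

With the constructed data, the best fixed configuration ("high") costs 7.2, while the time-variant schedule raises sensitivity only during the high-damage periods and costs 5.8 including two switches.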