Visible to the public Biblio

Found 107 results

Jiani Li, Xenofon Koutsoukos.  Submitted.  Resilient Distributed Diffusion in Networks with Adversaries. IEEE Transactions on Signal and Information Processing over Networks. Under review..
Saqib Hasan, Abhishek Dubey, Gabor Karsai, Xenofon Koutsoukos.  Submitted.  A Game-Theoretic Approach for Power Systems Defense Against Dynamic Cyber-Attacks. International Journal of Electric Power and Energy Systems. Under review..
Ákos Lédeczi, MiklÓs MarÓti, Hamid Zare, Bernard Yett, Nicole Hutchins, Brian Broll, Peter Volgyesi, Michael B. Smith, Timothy Darrah, Mary Metelko et al..  2019.  Teaching Cybersecurity with Networked Robots. 50th ACM Technical Symposium on Computer Science Education . :885-891.

The paper presents RoboScape, a collaborative, networked robotics environment that makes key ideas in computer science accessible to groups of learners in informal learning spaces and K-12 classrooms. RoboScape is built on top of NetsBlox, an open-source, networked, visual programming environment based on Snap! that is specifically designed to introduce students to distributed computation and computer networking. RoboScape provides a twist on the state of the art of robotics learning platforms. First, a user's program controlling the robot runs in the browser and not on the robot. There is no need to download the program to the robot and hence, development and debugging become much easier. Second, the wireless communication between a student's program and the robot can be overheard by the programs of the other students. This makes cybersecurity an immediate need that students realize and can work to address. We have designed and delivered a cybersecurity summer camp to 24 students in grades between 7 and 12. The paper summarizes the technology behind RoboScape, the hands-on curriculum of the camp and the lessons learned.

Goncalo Martins, Anirban Bhattacharjee, Abhishek Dubey, Xenofon Koutsoukos.  2014.  Performance evaluation of an authentication mechanism in time-triggered networked control systems. 7th International Symposium on Resilient Control Systems (ISRCS). :1-6.

An important challenge in networked control systems is to ensure the confidentiality and integrity of the message in order to secure the communication and prevent attackers or intruders from compromising the system. However, security mechanisms may jeopardize the temporal behavior of the network data communication because of the computation and communication overhead. In this paper, we study the effect of adding Hash Based Message Authentication (HMAC) to a time-triggered networked control system. Time Triggered Architectures (TTAs) provide a deterministic and predictable timing behavior that is used to ensure safety, reliability and fault tolerance properties. The paper analyzes the computation and communication overhead of adding HMAC and the impact on the performance of the time-triggered network. Experimental validation and performance evaluation results using a TTEthernet network are also presented.

Bradley Potteiger, William Emfinger, Himanshu Neema, Xenofon Koutsoukos, CheeYee Tang, Keith Stouffer.  2017.  Evaluating the effects of cyber-attacks on cyber physical systems using a hardware-in-the-loop simulation testbed. Resilience Week (RWS). :177-183.

Cyber-Physical Systems (CPS) consist of embedded computers with sensing and actuation capability, and are integrated into and tightly coupled with a physical system. Because the physical and cyber components of the system are tightly coupled, cyber-security is important for ensuring the system functions properly and safely. However, the effects of a cyberattack on the whole system may be difficult to determine, analyze, and therefore detect and mitigate. This work presents a model based software development framework integrated with a hardware-in-the-loop (HIL) testbed for rapidly deploying CPS attack experiments. The framework provides the ability to emulate low level attacks and obtain platform specific performance measurements that are difficult to obtain in a traditional simulation environment. The framework improves the cybersecurity design process which can become more informed and customized to the production environment of a CPS. The developed framework is illustrated with a case study of a railway transportation system.

Abhishek Dubey, Gabor Karsai, William Otte.  2014.  A resilient and secure software platform and architecture for distributed spacecraft. 9085

A distributed spacecraft is a cluster of independent satellite modules flying in formation that communicate via ad-hoc wireless networks. This system in space is a cloud platform that facilitates sharing sensors and other computing and communication resources across multiple applications, potentially developed and maintained by different organizations. Effectively, such architecture can realize the functions of monolithic satellites at a reduced cost and with improved adaptivity and robustness. Openness of these architectures pose special challenges because the distributed software platform has to support applications from different security domains and organizations, and where information flows have to be carefully managed and compartmentalized. If the platform is used as a robust shared resource its management, configuration, and resilience becomes a challenge in itself. We have designed and prototyped a distributed software platform for such architectures. The core element of the platform is a new operating system whose services were designed to restrict access to the network and the file system, and to enforce resource management constraints for all non-privileged processes Mixed-criticality applications operating at different security labels are deployed and controlled by a privileged management process that is also pre-configuring all information flows. This paper describes the design and objective of this layer.

Subhav Pradhan, William Otte, Abhishek Dubey, Csanad Szabo, Aniruddha Gokhale, Gabor Karsai.  2014.  Towards a Self-adaptive Deployment and Configuration Infrastructure for Cyber-Physical Systems.

Multi-module Cyber-Physical Systems (CPSs), such as satellite clusters, swarms of Unmanned Aerial Vehicles (UAV), and fleets of Unmanned Underwater Vehicles (UUV) are examples of managed distributed real-time systems where mission-critical applications, such as sensor fusion or coordinated flight control, are hosted. These systems are dynamic and reconfigurable, and provide a “CPS cluster-as-a-service” for mission-specific scientific applications that can benefit from the elasticity of the cluster membership and heterogeneity of the cluster members. Distributed and remote nature of these systems often necessitates the use of Deployment and Configuration (D&C) services to manage lifecycle of software applications. Fluctuating resources, volatile cluster membership and changing environmental conditions require resilience. However, due to the dynamic nature of the system, human intervention is often infeasible. This necessitates a self-adaptive D&C infrastructure that supports autonomous resilience. Such an infrastructure must have the ability to adapt existing applications on the fly in order to provide application resilience and must itself be able to adapt to account for changes in the system as well as tolerate failures.

This paper describes the design and architectural considerations to realize a self-adaptive, D&C infrastructure for CPSs. Previous efforts in this area have resulted in D&C infrastructures that support application adaptation via dynamic re-deployment and re-configuration mechanisms. Our work, presented in this paper, improves upon these past efforts by implementing a self- adaptive D&C infrastructure which itself is resilient. The paper concludes with experimental results that demonstrate the autonomous resilience capabilities of our new D&C infrastructure.

Gabor Karsai, Daniel Balasubramanian, Abhishek Dubey, William Otte.  2014.  Distributed and Managed: Research Challenges and Opportunities of the Next Generation Cyber-Physical Systems. 17th IEEE Symposium on Object/Component/Service-oriented Real-time Distributed Computing.

Cyber-physical systems increasingly rely on distributed computing platforms where sensing, computing, actuation, and communication resources are shared by a multitude of applications. Such `cyber-physical cloud computing platforms' present novel challenges because the system is built from mobile embedded devices, is inherently distributed, and typically suffers from highly fluctuating connectivity among the modules. Architecting software for these systems raises many challenges not present in traditional cloud computing. Effective management of constrained resources and application isolation without adversely affecting performance are necessary. Autonomous fault management and real-time performance requirements must be met in a verifiable manner. It is also both critical and challenging to support multiple end-users whose diverse software applications have changing demands for computational and communication resources, while operating on different levels and in separate domains of security.

The solution presented in this paper is based on a layered architecture consisting of a novel operating system, a middleware layer, and component-structured applications. The component model facilitates the construction of software applications from modular and reusable components that are deployed in the distributed system and interact only through well-defined mechanisms. The complexity of creating applications and performing system integration is mitigated through the use of a domain-specific model-driven development process that relies on a domain-specific modeling language and its accompanying graphical modeling tools, software generators for synthesizing infrastructure code, and the extensive use of model-based analysis for verification and validation.

Saqib Hasan, Amin Ghafouri, Abhishek Dubey, Gabor Karsai, Xenofon Koutsoukos.  2018.  Vulnerability analysis of power systems based on cyber-attack and defense models. 2018 IEEE Power Energy Society Innovative Smart Grid Technologies Conference (ISGT). :1-5.

Reliable operation of power systems is a primary challenge for the system operators. With the advancement in technology and grid automation, power systems are becoming more vulnerable to cyber-attacks. The main goal of adversaries is to take advantage of these vulnerabilities and destabilize the system. This paper describes a game-theoretic approach to attacker / defender modeling in power systems. In our models, the attacker can strategically identify the subset of substations that maximize damage when compromised. However, the defender can identify the critical subset of substations to protect in order to minimize the damage when an attacker launches a cyber-attack. The algorithms for these models are applied to the standard IEEE-14, 39, and 57 bus examples to identify the critical set of substations given an attacker and a defender budget.

Saqib Hasan, Amin Ghafouri, Abhishek Dubey, Gabor Karsai, Xenofon Koutsoukos.  2017.  Heuristics-Based Approach for Identifying Critical N - k Contingencies in Power Systems. 2017 Resilience Week (RWS).

Reliable operation of electrical power systems in the presence of multiple critical N − k contingencies is an important challenge for the system operators. Identifying all the possible N − k critical contingencies to design effective mitigation strategies is computationally infeasible due to the combinatorial explosion of the search space. This paper describes two heuristic algorithms based on the iterative pruning of the candidate contingency set to effectively and efficiently identify all the critical N − k contingencies resulting in system failure. These algorithms are applied to the standard IEEE-14 bus system, IEEE-39 bus system, and IEEE-57 bus system to identify multiple critical N − k contingencies. The algorithms are able to capture all the possible critical N − k contingencies (where 1 ≤ k ≤ 9) without missing any dangerous contingency.

Goncalo Martins, Sajal Bhatia, Xenofon Koutsoukos, Keith Stouffer, CheeYee Tang, Richard Candell.  2015.  Towards a Systematic Threat Modeling Approach for Cyber-physical Systems. 3rd International Symposium on Resilient Cyber Systems. 2015

Cyber-Physical Systems (CPS) are systems with seamless integration of physical, computational and networking components. These systems can potentially have an impact on the physical components, hence it is critical to safeguard them against a wide range of attacks. In this paper, it is argued that an effective approach to achieve this goal is to systematically identify the potential threats at the design phase of building such systems, commonly achieved via threat modeling. In this context, a tool to perform systematic analysis of threat modeling for CPS is proposed. A real-world wireless railway temperature monitoring system is used as a case study to validate the proposed approach. The threats identified in the system are subsequently mitigated using National Institute of Standards and Technology (NIST) standards.

Mark Yampolskiy, Peter Horvath, Xenofon Koutsoukos, Yuan Xue, Janos Sztipanovits.  2015.  A language for describing attacks on cyber-physical systems. International Journal of Critical Infrastructure Protection. 8:40-52.

The security of cyber-physical systems is of paramount importance because of their pervasiveness in the critical infrastructure. Protecting cyber-physical systems greatly depends on a deep understanding of the possible attacks and their properties. The prerequisite for quantitative and qualitative analyses of attacks is a knowledge base containing attack descriptions. The structure of the attack descriptions is the indispensable foundation of the knowledge base.

This paper introduces the Cyber-Physical Attack Description Language (CP-ADL), which lays a cornerstone for the structured description of attacks on cyber-physical systems. The core of the language is a taxonomy of attacks on cyber-physical systems. The taxonomy specifies the semantically distinct aspects of attacks on cyber-physical systems that should be described. CP-ADL extends the taxonomy with the means to describe relationships between semantically distinct aspects, despite the complex relationships that exist for attacks on cyber-physical systems. The language is capable of expressing relationships between attack descriptions, including the links between attack steps and the folding of attack details.

Aron Laszka, Waseem Abbas, Yevgeniy Vorobeychik, Xenofon Koutsoukos.  2018.  Synergistic Security for the Industrial Internet of Things: Integrating Redundancy, Diversity, and Hardening. IEEE International Conference on Industrial Internet (ICII). :153-158.

As the Industrial Internet of Things (IIot) becomes more prevalent in critical application domains, ensuring security and resilience in the face of cyber-attacks is becoming an issue of paramount importance. Cyber-attacks against critical infrastructures, for example, against smart water-distribution and transportation systems, pose serious threats to public health and safety. Owing to the severity of these threats, a variety of security techniques are available. However, no single technique can address the whole spectrum of cyber-attacks that may be launched by a determined and resourceful attacker. In light of this, we consider a multi-pronged approach for designing secure and resilient IIoT systems, which integrates redundancy, diversity, and hardening techniques. We introduce a framework for quantifying cyber-security risks and optimizing IIoT design by determining security investments in redundancy, diversity, and hardening. To demonstrate the applicability of our framework, we present a case study in water-distribution systems. Our numerical evaluation shows that integrating redundancy, diversity, and hardening can lead to reduced security risk at the same cost.

Xenofon Koutsoukos, Gabor Karsai, Aron Laszka, Himanshu Neema, Bradley Potteiger, Peter Volgyesi, Yevgeniy Vorobeychik, Janos Sztipanovits.  2018.  SURE: A Modeling and Simulation Integration Platform for Evaluation of Secure and Resilient Cyber–Physical Systems. Proceedings of the IEEE. 106:93-112.

The exponential growth of information and communication technologies have caused a profound shift in the way humans engineer systems leading to the emergence of closed-loop systems involving strong integration and coordination of physical and cyber components, often referred to as cyber-physical systems (CPSs). Because of these disruptive changes, physical systems can now be attacked through cyberspace and cyberspace can be attacked through physical means. The paper considers security and resilience as system properties emerging from the intersection of system dynamics and the computing architecture. A modeling and simulation integration platform for experimentation and evaluation of resilient CPSs is presented using smart transportation systems as the application domain. Evaluation of resilience is based on attacker-defender games using simulations of sufficient fidelity. The platform integrates 1) realistic models of cyber and physical components and their interactions; 2) cyber attack models that focus on the impact of attacks to CPS behavior and operation; and 3) operational scenarios that can be used for evaluation of cybersecurity risks. Three case studies are presented to demonstrate the advantages of the platform: 1) vulnerability analysis of transportation networks to traffic signal tampering; 2) resilient sensor selection for forecasting traffic flow; and 3) resilient traffic signal control in the presence of denial-of-service attacks.

Amin Ghafouri, Aron Laszka, Xenofon Koutsoukos.  2018.  Application-Aware Anomaly Detection of Sensor Measurements in Cyber-Physical Systems. Sensors. 18:2448.

Detection errors such as false alarms and undetected faults are inevitable in any practical anomaly detection system. These errors can create potentially significant problems in the underlying application. In particular, false alarms can result in performing unnecessary recovery actions while missed detections can result in failing to perform recovery which can lead to severe consequences. In this paper, we present an approach for application-aware anomaly detection (AAAD). Our approach takes an existing anomaly detector and configures it to minimize the impact of detection errors. The configuration of the detectors is chosen so that application performance in the presence of detection errors is as close as possible to the performance that could have been obtained if there were no detection errors. We evaluate our result using a case study of real-time control of traffic signals, and show that the approach outperforms significantly several baseline detectors.

Jiani Li, Xenofon Koutsoukos.  2018.  Resilient Distributed Diffusion for Multi-task Estimation. 14th International Conference on Distributed Computing in Sensor Systems (DCOSS). :93-102.

Distributed diffusion is a powerful algorithm for multi-task state estimation which enables networked agents to interact with neighbors to process input data and diffuse infor- mation across the network. Compared to a centralized approach, diffusion offers multiple advantages that include robustness to node and link failures. In this paper, we consider distributed diffusion for multi-task estimation where networked agents must estimate distinct but correlated states of interest by processing streaming data. By exploiting the adaptive weights used for diffusing information, we develop attack models that drive normal agents to converge to states selected by the attacker. The attack models can be used for both stationary and non- stationary state estimation. In addition, we develop a resilient distributed diffusion algorithm under the assumption that the number of compromised nodes in the neighborhood of each normal node is bounded by F and we show that resilience may be obtained at the cost of performance degradation. Finally, we evaluate the proposed attack models and resilient distributed diffusion algorithm using stationary and non-stationary multi- target localization.

Waseem Abbas, Aron Laszka, Xenofon Koutsoukos.  2018.  Improving Network Connectivity and Robustness Using Trusted Nodes With Application to Resilient Consensus. IEEE Transactions on Control of Network Systems. 5:2036-2048.

To observe and control a networked system, especially in failure-prone circumstances, it is imperative that the underlying network structure be robust against node or link failures. A common approach for increasing network robustness is redundancy: deploying additional nodes and establishing new links between nodes, which could be prohibitively expensive. This paper addresses the problem of improving structural robustness of networks without adding extra links. The main idea is to ensure that a small subset of nodes, referred to as the trusted nodes, remains intact and functions correctly at all times. We extend two fundamental metrics of structural robustness with the notion of trusted nodes, network connectivity, and r-robustness, and then show that by controlling the number and location of trusted nodes, any desired connectivity and robustness can be achieved without adding extra links. We study the complexity of finding trusted nodes and construction of robust networks with trusted nodes. Finally, we present a resilient consensus algorithm with trusted nodes and show that, unlike existing algorithms, resilient consensus is possible in sparse networks containing few trusted nodes.

Waseem Abbas, Yevgeniy Vorobeychik, Xenofon Koutsoukos.  2014.  Resilient consensus protocol in the presence of trusted nodes. 7th International Symposium on Resilient Control Systems (ISRCS). :1-7.

In this paper, we propose a scheme for a resilient distributed consensus problem through a set of trusted nodes within the network. Currently, algorithms that solve resilient consensus problem demand networks to have high connectivity to overrule the effects of adversaries, or require nodes to have access to some non-local information. In our scheme, we incorporate the notion of trusted nodes to guarantee distributed consensus despite any number of adversarial attacks, even in sparse networks. A subset of nodes, which are more secured against the attacks, constitute a set of trusted nodes. It is shown that the network becomes resilient against any number of attacks whenever the set of trusted nodes form a connected dominating set within the network. We also study a relationship between trusted nodes and the network robustness. Simulations are presented to illustrate and compare our scheme with the existing ones.

Mark Yampolskiy, Yevgeniy Vorobeychik, Xenofon Koutsoukos, Peter Horvath, Heath LeBlanc, Janos Sztipanovits.  2014.  Resilient Distributed Consensus for Tree Topology. 3rd ACM International Conference on High Confidence Networked Systems (HiCoNS 2014).

Distributed consensus protocols are an important class of distributed algorithms. Recently, an Adversarial Resilient Consensus Protocol (ARC-P) has been proposed which is capable to achieve consensus despite false information pro- vided by a limited number of malicious nodes. In order to withstand false information, this algorithm requires a mesh- like topology, so that multiple alternative information flow paths exist. However, these assumptions are not always valid. For instance, in Smart Grid, an emerging distributed CPS, the node connectivity is expected to resemble the scale free network topology. Especially closer to the end customer, in home and building area networks, the connectivity graph resembles a tree structure.

In this paper, we propose a Range-based Adversary Re- silient Consensus Protocol (R.ARC-P). Three aspects dis- tinguish R.ARC-P from its predecessor: This protocol op- erates on the tree topology, it distinguishes between trust- worthiness of nodes in the immediate neighborhood, and it uses a valid value range in order to reduce the number of nodes considered as outliers. R.ARC-P is capable of reach- ing global consensus among all genuine nodes in the tree if assumptions about maximal number of malicious nodes in the neighborhood hold. In the case that this assumption is wrong, it is still possible to reach Strong Partial Consensus, i.e., consensus between leafs of at least two different parents.

Emeka Eyisi, Xenofon Koutsoukos.  2014.  Energy-Based Attack Detection in Networked Control Systems. 3rd ACM International Conference on High Confidence Networked Systems (HiCoNS 2014).

The increased prevalence of attacks on Cyber-Physical Systems (CPS) as well as the safety-critical nature of these systems, has resulted in increased concerns regarding the security of CPS. In an effort towards the security of CPS, we consider the detection of attacks based on the fundamental notion of a system’s energy. We propose a discrete-time Energy-Based Attack Detection mech- anism for networked cyber-physical systems that are dissipative or passive in nature. We present analytical results to show that the de- tection mechanism is effective in detecting a class of attack models in networked control systems (NCS). Finally, using simulations we illustrate the effectiveness of the proposed approach in detecting attacks.

Amin Ghafouri, Xenofon Koutsoukos, Yevgeniy Vorobeychik.  2018.  Adversarial Regression for Detecting Attacks in Cyber-Physical Systems. Twenty-Seventh International Joint Conference on Artificial Intelligence.

Attacks in cyber-physical systems (CPS) which manipulate sensor readings can cause enormous physical damage if undetected. Detection of attacks on sensors is crucial to mitigate this issue. We study supervised regression as a means to detect anoma- lous sensor readings, where each sensor’s measure- ment is predicted as a function of other sensors. We show that several common learning approaches in this context are still vulnerable to stealthy at- tacks, which carefully modify readings of compro- mised sensors to cause desired damage while re- maining undetected. Next, we model the interac- tion between the CPS defender and attacker as a Stackelberg game in which the defender chooses detection thresholds, while the attacker deploys a stealthy attack in response. We present a heuris- tic algorithm for finding an approximately optimal threshold for the defender in this game, and show that it increases system resilience to attacks without significantly increasing the false alarm rate.

Amin Ghafouri, Xenofon Koutsoukos, Yevgeniy Vorobeychik, Waseem Abbas, Aron Laszka.  2019.  A game-theoretic approach for selecting optimal time-dependent thresholds for anomaly detection. International Foundation for Autonomous Agents and Multi-Agent Systems Journal. 33

Adversaries may cause significant damage to smart infrastructure using malicious attacks. To detect and mitigate these attacks before they can cause physical damage, operators can deploy anomaly detection systems (ADS), which can alarm operators to suspicious activities. However, detection thresholds of ADS need to be configured properly, as an oversensitive detector raises a prohibitively large number of false alarms, while an undersensitive detector may miss actual attacks. This is an especially challenging problem in dynamical environments, where the impact of attacks may significantly vary over time. Using a game-theoretic approach, we formulate the problem of computing optimal detection thresholds which minimize both the number of false alarms and the probability of missing actual attacks as a two-player Stackelberg security game. We provide an efficient dynamic programming-based algorithm for solving the game, thereby finding optimal detection thresholds. We analyze the performance of the proposed algorithm and show that its running time scales polynomially as the length of the time horizon of interest increases. In addition, we study the problem of finding optimal thresholds in the presence of both random faults and attacks. Finally, we evaluate our result using a case study of contamination attacks in water networks, and show that our optimal thresholds significantly outperform fixed thresholds that do not consider that the environment is dynamical.

Hamidreza Tavafoghi, Demos Teneketzis.  2014.  Optimal Contract Design for Energy Procurement. 52nd IEEE Annual Allerton Conference on Communication, Control, and Computing.
We consider a mechanism design problem for strategic agents with multi-dimensional private information and uncertainty in their utility/cost functions. We show that the optimal mechanism is a menu of contracts that can be implemented as a nonlinear pricing scheme. We illustrate the result by considering an optimal energy procurement mechanism from a strategic seller with conventional (deterministic) and renewable (random) plants. We address the problem of risk-sharing and ex post voluntary participation (commitment) under uncertainty.