Mustafa Amir Faisal
University of Texas at Dallas
Publication
Featured research published by Mustafa Amir Faisal.
computer and communications security | 2016
David I. Urbina; Jairo Giraldo; Alvaro A. Cárdenas; Nils Ole Tippenhauer; Junia Valente; Mustafa Amir Faisal; Justin Ruths; Richard Candell
While attacks on information systems have for most practical purposes binary outcomes (information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum in damages. Attackers that want to remain undetected can attempt to hide their manipulation of the system by following closely the expected behavior of the system, while injecting just enough false information at each time step to achieve their goals. In this work, we study if attack-detection can limit the impact of such stealthy attacks. We start with a comprehensive review of related work on attack detection schemes in the security and control systems community. We then show that many of those works use detection schemes that are not limiting the impact of stealthy attacks. We propose a new metric to measure the impact of stealthy attacks and how they relate to our selection on an upper bound on false alarms. We finally show that the impact of such attacks can be mitigated in several cases by the proper combination and configuration of detection schemes. We demonstrate the effectiveness of our algorithms through simulations and experiments using real ICS testbeds and real ICS systems.
pacific asia workshop on intelligence and security informatics | 2012
Mustafa Amir Faisal; Zeyar Aung; John R. Williams; Abel Sanchez
Advanced metering infrastructure (AMI) is an imperative component of the smart grid, as it is responsible for collecting, measuring, and analyzing energy usage data, and transmitting these data to the data concentrator and then to a central system on the utility side. Therefore, the security of AMI is one of the most demanding issues in the smart grid implementation. In this paper, we propose an intrusion detection system (IDS) architecture for AMI which will act as a complement to other security measures. This IDS architecture consists of three local IDSs placed in smart meters, data concentrators, and the central system (AMI headend). To detect anomalies, we use a data stream mining approach on the public KDD CUP 1999 data set to analyze the requirements of the three components in AMI. Our results and analysis show that the stream data mining technique has promising potential for solving security issues in AMI.
international conference on mining intelligence and knowledge exploration | 2013
Kasun S. Perera; Bijay Neupane; Mustafa Amir Faisal; Zeyar Aung; Wei Lee Woon
By diverting funds away from legitimate partners (a.k.a publishers), click fraud represents a serious drain on advertising budgets and can seriously harm the viability of the internet advertising market. As such, fraud detection algorithms which can identify fraudulent behavior based on user click patterns are extremely valuable. Based on the BuzzCity dataset, we propose a novel approach for click fraud detection which is based on a set of new features derived from existing attributes. The proposed model is evaluated in terms of the resulting precision, recall and the area under the ROC curve. A final ensemble model based on 6 different learning algorithms proved to be stable with respect to all 3 performance indicators. Our final model shows improved results on training, validation and test datasets, thus demonstrating its generalizability to different datasets.
communications and networking symposium | 2016
Mustafa Amir Faisal; Alvaro A. Cárdenas; Avishai Wool
DFAs (Deterministic Finite Automata) and DTMCs (Discrete Time Markov Chains) have been proposed for modeling Modbus/TCP for intrusion detection in SCADA (Supervisory Control and Data Acquisition) systems. While these models can be used to learn the behavior of the system, they require the designer to know the appropriate amount of training data for building the model, to retrain models when the configuration changes, and to generate understandable alert messages. In this paper, we propose to complement these learned models with specification-based approaches. To build a robust model, we need to consider configuration-level specifications in addition to the protocol specification. As Modbus/TCP is a simple protocol with a handful of function code(s) or commands for each communication channel, designing a specification-based approach is suitable for monitoring this communication. We compare the DFA and DTMC approaches on two datasets and illustrate how to use our inferred specification to complement these models.
ACM Computing Surveys | 2018
Jairo Giraldo; David I. Urbina; Alvaro A. Cárdenas; Junia Valente; Mustafa Amir Faisal; Justin Ruths; Nils Ole Tippenhauer; Richard Candell
Monitoring the “physics” of cyber-physical systems to detect attacks is a growing area of research. In its basic form, a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements to identify potentially false control commands or false sensor readings. In this article, we review previous work on physics-based anomaly detection based on a unified taxonomy that allows us to identify limitations and unexplored challenges and to propose new solutions.
international conference on smart grid communications | 2015
Mustafa Amir Faisal; Alvaro A. Cárdenas; Daisuke Mashima
We study the feasibility of linking two disjoint smart meter datasets for the purpose of re-identification. In particular, we present empirical results on how the quantity of electricity consumption data and the quality of data (sampling granularity) affect the re-identification accuracy, using commercial & industrial (C&I) and residential energy usage datasets. We use publicly available C&I and residential electricity consumption traces to evaluate the performance of different algorithms and different feature spaces. Our goal is to provide empirical evidence to guide the discussion of how electric utilities, public utility commissions, and regulators should define policies for collecting and handling electricity consumption data.
Cyber-Physical Systems | 2017
Mustafa Amir Faisal; Alvaro A. Cárdenas
In this paper, we study the role of analytics for electricity consumption in smart grids and their possible applications like detecting fraud. Using data-sets of industrial as well as residential consumers, we show how incomplete clustering can help to reduce the search space for these applications. We provide a framework for iterative incomplete clustering and illustrate results in our data-sets. We find that incomplete clustering via correlation coefficients can identify a variety of different households and industries with unique characteristics that are missed with other clustering approaches.
international conference on neural information processing | 2014
Mustafa Amir Faisal; Zeyar Aung; Wei Lee Woon; Davor Svetinovic
Active learning is used in situations where the amount of unlabeled data is abundant but it is costly to manually label the data. So, depending on our available budget, from all unlabeled instances we are to select only a subset of them to ask the oracle for manual labeling. Thus, the query strategy, i.e., how relevant instances are selected to be sent to the oracle, plays an important role in active learning. Though active learning is a very established research area, only a few research works have been done on it in the context of stream data mining. Active learning for stream data is more challenging than for static data because the repetition of queries is not feasible as revisiting the data is almost impossible. In this paper, we propose two augmented query strategies for active learning in stream data mining, namely, Margin Sampling with Variable Uncertainty (MSVU) and Entropy Sampling with Uncertainty using Randomization (ESUR). These two strategies are derived and improved from the existing methods of Variable Uncertainty (VU) and Uncertainty using Randomization (UR) respectively. We evaluate the effectiveness of our proposed MSVU and ESUR strategies by comparing them against the original VU and UR on 6 different datasets using two base classifiers: Leveraging Bagging (LB) and Single Classifier Drift (SCD). Experimental results show that our proposed strategies offer promising outcomes for various datasets and detecting concept drift in the data.
IEEE Systems Journal | 2015
Mustafa Amir Faisal; Zeyar Aung; John R. Williams; Abel Sanchez
Journal of Machine Learning Research | 2014
Richard Jayadi Oentaryo; Ee-Peng Lim; Michael Finegold; David Lo; Feida Zhu; Clifton Phua; Eng-Yeow Cheu; Ghim-Eng Yap; Kelvin Sim; Minh Nhut Nguyen; Kasun S. Perera; Bijay Neupane; Mustafa Amir Faisal; Zeyar Aung; Wei Lee Woon; Wei Chen; Dhaval Patel; Daniel Berrar