Abstract
Smart grid deployment initiatives have been witnessed in recent years. Smart grids provide bidirectional communication between meters and head-end systems through Advanced Metering Infrastructure (AMI). Recent studies highlight the threats targeting AMI. Despite the need for Intrusion Detection Systems (IDSs) tailored to smart grids, very limited progress has been made in this area. Unlike traditional networks, smart grids have their own unique challenges, such as devices with limited computational power and potentially high deployment cost, that restrict the deployment options for intrusion detectors. We show that smart grids exhibit deterministic and predictable behavior that can be accurately modeled to detect intrusions. However, that same predictability can be leveraged by attackers to launch evasion attacks. To this end, in this article, we present a robust mutation-based intrusion detection system that makes the behavior unpredictable for the attacker while keeping it deterministic for the system. We model AMI behavior using event logs collected at smart collectors, which in turn can be verified against invariant specifications generated from the AMI behavior and a mutable configuration. Event logs are modeled using a fourth-order Markov chain and specifications are written in Linear Temporal Logic (LTL). To counter evasion and mimicry attacks, we propose a configuration randomization module. The approach provides robustness against evasion and mimicry attacks; however, we discuss how it can still be evaded to a certain extent. We validate our approach on a real-world dataset of thousands of meters collected at the AMI of a leading utility provider.
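The abstract says collector event logs are modeled with a fourth-order Markov chain and checked for deviations. The following is an added example, not code from the paper or its authors: it learns a fourth-order chain from a constructed, repeating collector polling cycle, then scores new event sequences and reports every transition the model never observed. The event names (`TIME_SYNC`, `READ_REQ`, `READ_RESP`, `REPORT_UPLOAD`, `REMOTE_DISCONNECT`), the cycle itself and the "unseen transition" alarm rule are assumptions made for illustration; the paper's LTL invariants and configuration randomization module are not reproduced here.

```python
"""Fourth-order Markov model of AMI collector event logs (added example)."""
from collections import Counter, defaultdict
import math

ORDER = 4  # fourth-order chain, the order the abstract reports using


def train_markov(events, order=ORDER):
    """Count, for every context of `order` consecutive events, which event follows it."""
    model = defaultdict(Counter)
    for i in range(order, len(events)):
        model[tuple(events[i - order:i])][events[i]] += 1
    return model


def score_sequence(model, events, order=ORDER, floor=1e-6):
    """Return (log-likelihood, violations) for `events` under `model`.

    A violation is a (position, context, event) triple whose transition never
    occurred in training. Such transitions get probability `floor` so the score
    stays finite; the violations list is what a detector would raise.
    """
    logp = 0.0
    violations = []
    for i in range(order, len(events)):
        context = tuple(events[i - order:i])
        successors = model.get(context)
        if successors is None or successors[events[i]] == 0:
            violations.append((i, context, events[i]))
            p = floor
        else:
            p = successors[events[i]] / sum(successors.values())
        logp += math.log(p)
    return logp, violations


# Constructed training data (an assumption, not the paper's dataset): a
# hypothetical collector that time-syncs, polls four meters, then uploads.
CYCLE = ["TIME_SYNC"] + ["READ_REQ", "READ_RESP"] * 4 + ["REPORT_UPLOAD"]
TRAIN_LOG = CYCLE * 50
MODEL = train_markov(TRAIN_LOG)


def detect(events, model=MODEL, order=ORDER):
    """List the unseen transitions in `events`; an empty list means consistent."""
    return score_sequence(model, events, order)[1]


# Constructed test sequences.
NORMAL = CYCLE * 3
# A disconnect command injected mid-poll: its context was never observed.
ANOMALOUS = CYCLE + ["TIME_SYNC", "READ_REQ", "REMOTE_DISCONNECT", "READ_RESP"] + CYCLE
# One extra read pair per cycle: a fourth-order context cannot count reads,
# so this deviation is NOT flagged by the chain alone.
EXTRA_READ = ["TIME_SYNC"] + ["READ_REQ", "READ_RESP"] * 5 + ["REPORT_UPLOAD"]

if __name__ == "__main__":
    for name, seq in [("normal", NORMAL), ("anomalous", ANOMALOUS), ("extra_read", EXTRA_READ)]:
        logp, bad = score_sequence(MODEL, seq)
        print(f"{name}: log-likelihood={logp:.2f}, unseen transitions={len(bad)}")
```

The `EXTRA_READ` case is the point worth dwelling on: because the model only conditions on the previous four events, it cannot tell four read pairs from five, so a sequence that preserves local transition structure passes unflagged. That is why a per-collector invariant (a count or ordering constraint of the kind an LTL specification expresses) is needed alongside the chain, and why the abstract treats the model's predictability as something an adversary can mimic.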