TY - JOUR
T1 - Checking is Believing
T2 - Event-Aware Program Anomaly Detection in Cyber-Physical Systems
AU - Cheng, Long
AU - Tian, Ke
AU - Yao, Danfeng Daphne
AU - Sha, Lui
AU - Beyah, Raheem A.
N1 - Funding Information:
This work has been supported by the Office of Naval Research under Grant ONR-N00014-17-1-2498, National Science Foundation under Grant OAC-1541105, and Security and Software Engineering Research Center (S2ERC), a NSF sponsored multi-university Industry/University Cooperative Research Center (I/UCRC).
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2021/3/1
Y1 - 2021/3/1
N2 - Securing cyber-physical systems (CPS) against malicious attacks is of paramount importance because these attacks may cause irreparable damages to physical systems. Recent studies have revealed that control programs running on CPS devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, due to the lack of runtime execution semantics checking. In this work, we propose Orpheus, a new security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We first present a general method for reasoning cyber-physical execution semantics of a control program (i.e., causal dependencies between the physical context/event and program control flows), including the event identification and dependence analysis. As an instantiation of Orpheus, we then present a new program behavior model, i.e., the event-Aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of CPS control programs and incorporates event checking in anomaly detection. It detects data-oriented exploits if a specific physical event is missing along with the corresponding event dependent state transition. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state transition integrity checking, and 0.063s$\sim$ ∼ 0.211s for the cyber-physical contextual consistency checking.
AB - Securing cyber-physical systems (CPS) against malicious attacks is of paramount importance because these attacks may cause irreparable damages to physical systems. Recent studies have revealed that control programs running on CPS devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, due to the lack of runtime execution semantics checking. In this work, we propose Orpheus, a new security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We first present a general method for reasoning cyber-physical execution semantics of a control program (i.e., causal dependencies between the physical context/event and program control flows), including the event identification and dependence analysis. As an instantiation of Orpheus, we then present a new program behavior model, i.e., the event-Aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of CPS control programs and incorporates event checking in anomaly detection. It detects data-oriented exploits if a specific physical event is missing along with the corresponding event dependent state transition. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state transition integrity checking, and 0.063s$\sim$ ∼ 0.211s for the cyber-physical contextual consistency checking.
KW - Cyber-physical systems
KW - cyber-physical execution semantics
KW - data-oriented attacks
KW - program anomaly detection
UR - http://www.scopus.com/inward/record.url?scp=85102770270&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85102770270&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2906161
DO - 10.1109/TDSC.2019.2906161
M3 - Article
AN - SCOPUS:85102770270
SN - 1545-5971
VL - 18
SP - 825
EP - 842
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 2
M1 - 8669815
ER -