S Lab

[Sibin Mohan]

Systems Security Research Group at GWU and University of Illinois


Anomaly detection is a problem prevalent in multiple engineering disciplines. Anomalies are contextual and application-specific by nature. In our research we apply anomaly detection techniques to the following areas:

  1. SecureCore: Behavior-based Intrusion Detection in Single-Node Real-Time Systems
  2. Multivariate Anomaly Detection in Real-Time Systems
  3. Characterizing Normal Behavior in Drone Swarms and other Distributed Real-Time Systems

Behavior-based Intrusion Detection in Single-Node Real-Time Systems

Team Members

Collaborators

Overview

Cyber-Physical Systems (CPSs) have distinct cyber and physical components that must work cohesively with each other to ensure correct operation. Examples include automobiles, power plants, avionics systems, home automation systems, etc. Traditionally, such systems were isolated from external access and used proprietary components and protocols, and hence were considered invulnerable to cyber attacks. The recent Stuxnet worm and other similar attacks have shown that even such systems are not immune to compromise. A failure to protect these systems could result in significant harm to humans, the environment or even critical infrastructure.

On the other hand, many cyber-physical systems have real-time constraints, i.e., they must function correctly within predetermined time scales. Systems with such real-time properties are predictable by design: designers work hard to ensure that the execution behavior of such systems (e.g., execution time, memory usage, control flow, system properties, etc.) is analyzed and controlled in great detail so as to guarantee predictable behavior.

This project aims to use this very predictability of real-time CPS to detect intrusions as soon as they occur and take evasive action. This will then be combined with the development of an architectural framework to:

  1. detect intrusions and
  2. guarantee that the underlying physical system does not come to harm.

The development of analysis techniques and intrusion-detection architectures will inherently make such systems more secure and hence, safer. It will bring us one step closer to understanding how to integrate two seemingly diverse yet important fields, CPS and security, while gaining a better understanding of both areas.

The ideas that will be developed as part of this project have the potential for significant impact on a diverse set of domains. Apart from the research community, government agencies and industry could also gain significantly from results produced as part of this research. It will make many critical aspects of modern day life such as aircraft, vehicles, critical infrastructures (power grid, water treatment plants, etc.) much safer.

Publications

  1. S3A: Secure System Simplex Architecture for Safety-Critical Supervisory Control Systems by S. Mohan, S. Bak, E. Betti, H. Yun, L. Sha and M. Caccamo published in the 2nd ACM Conference on High Confidence Networked Systems (HiCoNS), Philadelphia, Pennsylvania in April 2013.
  2. SecureCore: A Multicore Architecture for Intrusion Detection in Real-Time Control Systems by M. K. Yoon, L. Sha and S. Mohan published in the IEEE Conference on Real-Time and Embedded Technology and Applications Symposium (RTAS), Philadelphia, Pennsylvania in April 2013.
  3. On-chip control flow integrity check for real time embedded systems by F. A. T. Abad, J. V. D. Woude, Y. Lu, S. Bak, M. Caccamo, L. Sha, R. Mancuso and S. Mohan in the 1st IEEE International Conference on Cyber-Physical Systems, Networks, and Applications (CPSNA), 2013.
  4. Intrusion detection for real-time embedded applications using system call frequency distribution by M.-K. Yoon, S. Mohan, J. Choi and L. Sha submitted to the IEEE Real-Time Systems Symposium, 2014.
  5. Memory heat map: Learning memory behavior for anomaly detection in real-time systems by M.-K. Yoon, S. Mohan, J. Choi and L. Sha submitted to the IEEE Real-Time Systems Symposium, 2014.

Multivariate Anomaly Detection in SecureCore

Team Members

Collaborators

Sanmi Koyejo, UIUC

Overview

SecureCore provides a platform on which an anomaly detector runs and monitors the real-time system in real time. It also allows the detector to obtain any signal needed for anomaly detection. Therefore, the focus of this project is to create a novel anomaly detection model that considers all useful signals in the system. The model aims to capture anomalies that look normal when each signal is examined individually but stand out when all signals are considered together.
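As an added illustration of that last point (a constructed example, not the group's SecureCore detector): two signals, per-period execution time and system-call count, are profiled from a clean run; a sample that stays inside each signal's observed range but breaks the learned correlation between them passes the per-signal check and is caught only by the joint (Mahalanobis distance) check. The task name, sample values and the threshold of 3 are assumptions made for the example.

```python
import math
from statistics import mean

# Constructed training profile for one periodic control task: per-period
# (execution_time_us, syscall_count) pairs recorded during a clean run.
# Execution time grows with the number of system calls, so the two signals
# are strongly correlated (about 0.98) in normal operation.
NORMAL_RUN = [
    (410, 12), (422, 13), (398, 11), (435, 14), (447, 15), (405, 12),
    (418, 13), (452, 15), (390, 11), (428, 14), (440, 14), (401, 12),
]

def fit_profile(samples):
    """Learn per-signal ranges plus mean and 2x2 covariance from clean samples."""
    xs = [s[0] for s in samples]
    ys = [s[1] for s in samples]
    mx, my = mean(xs), mean(ys)
    n = len(samples) - 1  # unbiased sample covariance
    sxx = sum((x - mx) ** 2 for x in xs) / n
    syy = sum((y - my) ** 2 for y in ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in samples) / n
    return {"mean": (mx, my), "cov": (sxx, sxy, syy),
            "ranges": ((min(xs), max(xs)), (min(ys), max(ys)))}

def univariate_alarm(profile, sample):
    """Per-signal check: fires only if some signal leaves its observed range."""
    return any(not (lo <= v <= hi) for v, (lo, hi) in zip(sample, profile["ranges"]))

def mahalanobis(profile, sample):
    """Joint check: distance from the profile mean, scaled by the covariance."""
    mx, my = profile["mean"]
    sxx, sxy, syy = profile["cov"]
    dx, dy = sample[0] - mx, sample[1] - my
    det = sxx * syy - sxy * sxy
    # (dx, dy) * inverse covariance * (dx, dy)^T, written out for the 2x2 case
    d2 = (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det
    return math.sqrt(d2)

def classify(profile, sample, threshold=3.0):
    """'range' if a single signal is off, 'joint' if only the combination is."""
    if univariate_alarm(profile, sample):
        return "range"
    if mahalanobis(profile, sample) > threshold:
        return "joint"
    return "normal"

PROFILE = fit_profile(NORMAL_RUN)
# (395, 15): each value is inside its range, yet a high syscall count paired
# with a short execution time contradicts the learned correlation -> 'joint'
```

A sample such as (480, 17) is flagged by the range check alone, so a deployed detector should fire on either check; the two are complementary rather than interchangeable.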

Publications

  1. The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection by Man-Ki Yoon, Mihai Christodorescu, Lui Sha, Sibin Mohan published in SYSTOR 2016: 1:1-1:12
  2. Learning Execution Contexts from System Call Distribution for Anomaly Detection in Smart Embedded System by Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Mihai Christodorescu, Lui Sha published in IoTDI 2017: 191-196

Funding

National Science Foundation (NSF)


Characterizing Normal Behavior in Drone Swarms and other Distributed Real-Time Systems

Team Members

Overview

Detecting anomalies in sensors in Cyber-Physical Systems (CPS) is a deterrent to sensor spoofing attacks, a common attack vector against CPS. The goal of this project is to devise schemes to detect anomalies in sensor values, using techniques from control theory and machine learning to model the behavior of a UAV. Developing this model requires hardware and software methods to annotate sensor values in a UAV, building up to a model of trust for the platform.

We aim to scale this up to a distributed setting with multiple UAVs, all connected via a common interface such as a wireless mesh network.

Funding

The Boeing Company