AU2020102142A4 - Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system

Info

Publication number
AU2020102142A4
Authority
AU
Australia
Prior art keywords
cyber
data
attack
network
cybersecurity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU2020102142A
Inventor
Biswaranjan Acharya
Korhan Cengiz
Arjun Choudhary
Souvik Ganguli
Vishal Kumar Goar
Nirav Karelia
Shivlal Mewada
Babita Panda
Arjyadhara Pradhan
Achyuth Sarkar
Aditi Sharma
Yudhvir Singh
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Goar Vishal Kumar Dr
Sarkar Achyuth Dr
Singh Yudhvir Dr
Cengiz Korhan Dr
Original Assignee
Goar Vishal Kumar Dr
Sarkar Achyuth Dr
Singh Yudhvir Dr
Cengiz Korhan Dr
Application filed by Goar Vishal Kumar Dr, Sarkar Achyuth Dr, Singh Yudhvir Dr, Cengiz Korhan Dr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/18 Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/01 Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Computational Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Mathematical Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Operations Research (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computational Linguistics (AREA)
  • Algebra (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Cybersecurity for industry has gained importance in recent years due to the rapid increase of attacks against cyber-physical systems. Recent efforts in industrial control system (ICS) cybersecurity are based on firewalls, unidirectional security gateways (data diodes), and intrusion prevention methods, which are not adequate for the rapid growth of cyber threats from attackers. A cyber-attack detection system is needed to improve cybersecurity for industry. The detection system uses network traffic data, host system data, and some process parameters. It provides multilayer protection that gives protectors time to act before problems occur in the physical system. A real-time dataset from the industrial control system may be used for the proposed detection method. Various forms of attack need to be carried out to recognize the significance of cyber-attacks and to produce data for the identification models. Different classification models based on network data and host device data are proposed to provide the second line of cyber-attack detection when the intrusion-prevention layer fails. In the suggested detection method, a regression model is used to improve the early attack detection framework. The Industrial Control System (ICS) security approach uses network data, device data, and process data for a multilayer cyber-attack identification system.

Description

Field of Invention:
The field of the invention is techniques for multilayer protection against attackers in industrial cyber-physical systems. A detection system is significant for enhancing the cybersecurity of an industrial control system. The proposed solution uses network, server, and process data for a data-driven multilayer cyber-attack identification framework.
Background of the invention:
In 2010, Iranian nuclear centrifuges were attacked by Stuxnet, which caused severe equipment damage. A USB drive carried the malware, which used several vulnerabilities to inject malicious code into the Siemens PLC (Programmable Logic Controller) and drive the centrifuges through their natural frequencies and at much higher rates than expected. At the same time, the malware faked sensor responses to mask the attack from the operators. This early attack shows the security problems and the risk of cyber attacks on high-value industrial control systems. In 2015, the Ukrainian power grid was attacked by the Black Energy malware. Triconex controllers were affected by the HatMan malware, which modified memory by adding an extra program. A report released in March 2018 stated that around 40 percent of industries in energy organizations protected by Kaspersky Lab solutions were affected by malware once in the second half of 2017. In 2017, still more industries were targeted by cyber-attacks, and it was suggested that cyber-attacks will increase further as vulnerabilities are identified. A US natural gas pipeline company reported that its electronic communication system with customers was shut down for a number of days because of a cyber attack.
Although the cyber event was not shown to have caused data leakage, it indicated that the industry is vulnerable to cyber-attacks. The cybersecurity methods developed for commercial information technology are not adequate and cannot be adopted directly by industry, because industrial control systems differ in having local control systems and actuators. Industrial security objectives are prioritized in the order availability, integrity, and confidentiality, whereas standard IT prioritizes confidentiality, integrity, and availability. The two security preferences are therefore in reverse order. Because of the close coupling with the physical process, industrial cyber-attacks can lead to failure and destruction in the environment. Industry demands the highest level of security, combining intrusion prevention with intrusion identification. If motivated attackers are given sufficient resources and time, a cyber-attack can be substantial even where intrusion prevention systems are otherwise successful. Cybersecurity analysis that uses process data is minimal. Using the Least Square and Geometric methods, Gawande, Bhattacharjee, and Roy established monitoring for cyber-attack detection based on nuclear power plant (NPP) process data. Li and Huang developed a cyber-attack detection model using the complex key component on the process data.
Objects of the invention:
• The proposed model develops a multilayer protection-based detection system for industrial control systems.
• The proposed structure uses machine learning algorithms for a data-driven intrusion detection system.
• The detection system is essential to improve the cybersecurity of the industrial control system.
• The proposed system uses network, host, and process data for a multilayer data-driven cyber-attack detection system.
• Using network and host data, machine learning algorithms such as k-nearest neighbor, decision tree, bootstrap aggregation, and random forest are used to distinguish between regular activity and cyber-attack activity.
• For physical process data, the regression model is used to detect the attacks that are not detected from network and system data.
Summary of the invention:
Nowadays, most industries are adopting cyber-physical systems due to the increase in cyber-attacks. Cyber-physical systems (CPS) consist of physical assets and computing capabilities connected by information transfer. An ICS is a particular category of cyber-physical system that involves the cyber aspects, including the SCADA (supervisory control and data acquisition) system, and the physical process systems or facilities of the industry. The digitalization and development of cyber-physical systems has spread widely with the use of sensors, network devices, and data acquisition systems. Industries deploy highly valued safety systems, but these are not sufficient. Security requirements need to develop gradually to include resilience, the capacity to recover quickly from cyber-attacks, and situational awareness of cyber intrusions. Big data analytics can also be used to extract information from large datasets in order to detect threats, support safety measures for the cyber-physical system, and make timely decisions. A cyber-attack has several stages, such as reconnaissance (investigation), Denial of Service (DoS), MITM (man in the middle), EoP (elevation of privilege), and data tampering. During the reconnaissance phase, attackers first gather information about the target system to find out the network topology, software versions, attack vectors, and central points for bypassing firewalls and intrusion prevention systems; after the attack is complete, they remove the evidence, for example by deleting or manipulating system logs. A Denial of Service (DoS) attack against an industrial control system may aim to disrupt communication between the master and slaves of the SCADA system, causing the SCADA master to lose control of local control systems and actuators.
To access low-level hardware on the device and to read and write protected machine data, an elevation of privilege is needed. It can be accomplished using zero-day attacks or known bugs in the operating system and applications. Commands and sensor data may be captured using a MITM attack. At the same time, data manipulation and false data injection can alter sensor data in transit to mislead monitoring devices and operators while the attack develops. Data manipulation can modify the SCADA master's commands so that the actuator functions incorrectly, and can change the input data to exploit the control. It can also substitute data in the data historian and change the running log and associated monitoring data in order to obscure the specifics of the attack and deceive the protector in the post-attack review. The intrusion detection system identifies unauthorized access to the machine. There are three forms of intrusion detection: 1. signature-based, 2. anomaly-based, and 3. hybrid. A signature-based intrusion detection system uses recorded activity to identify known attacks. This class performs well in terms of false alarm rate for documented attacks. Still, it will not catch zero-day attacks, because their behavior has not been exposed to the intrusion detection system. An anomaly-based detection framework models normal behavior using data mining techniques or machine learning algorithms and flags deviations from regular activity as anomalies or possible threats. This method of detection is adapted to each system's usual behavior, can detect unexpected attacks, and makes it hard for attackers to understand how the intrusion detection system functions, which makes it difficult for them to launch undetectable attacks. This form produces more false positives. The hybrid detection method is a combination of signature-based and anomaly-based identification. The innovative approach is the data-driven hybrid intrusion detection system, which enhances industrial safety and the protector's situational awareness. Methods for cybersecurity analysis have been established using data mining and machine learning algorithms that are successful in cyber-attack detection, such as SVM, Neural Network, Random Forest, Naive Bayes, clustering, decision tree, and genetic algorithms. Intrusion detection frameworks are divided into network-based and host-based solutions. A network-based detection system monitors the traffic inside the network, and a host-based detection system monitors the actions of a particular host device.
A deep packet inspection-based ID checks the commands and warns if harmful commands such as stop or close are present. A state-based ID identifies the safe and critical states of the system and detects a cyber attack by comparison with a database of critical states. If the network-based intrusion detection system does not identify the intruder when the intruder gains access to the device, and the host-based intrusion detection system does not identify the intrusion once the intruder is in the machine, the intruder can carry out data tampering. Network and host data-based approaches are inadequate given the exponential growth in cyber-attacks. Unsupervised models incorporate process data to provide monitoring without relying on comprehensive information, and give protectors time to take measures against physical harm that cannot be recovered from once the attack takes effect.
Detailed Description of the Invention:
Figure 1 shows the layout of the cyber-attack identification system together with its security concept. The first layer of defense is the intrusion prevention layer, which comprises the firewalls, unidirectional access gateways (data diodes), and gateways that are commonly deployed across most industries. Even so, attackers can bypass this line of defense. The second security layer incorporates data-driven cyber-attack monitoring based on network traffic data and device data, and comprises the classification models denoted M1 and the big data analytics models denoted M2. The classification models are based on supervised learning techniques, which detect attacks whose behavior is similar to that of known attacks. The unsupervised big data analytics models provide additional assurance for detecting intrusion. If the attack causes behavior that deviates from usual activity, M1 and M2 can identify the attacker as early as possible. If the second layer fails to identify the malicious operations, the last security line tracks the process data and uses specific mathematical models, denoted M3, to identify a cyber-attack from the irregular activity. The multilayer detection process aims to strengthen the overall intrusion detection method. In M1, standard classification methods on network traffic data and host machine data are studied. In M3, the regression model is applied to physical process data. The models developed in M2 are big data analytics models. The features for the data-driven intrusion detection system must be identified. Data preprocessing eliminates features with a large proportion of not-a-number (NaN) values and features with nearly constant values, since they cannot express useful information. It also excludes features that are not linked to cyber activity and threats.
Features specific to memory, program processes, and network activity can contribute knowledge for attack identification and are chosen for the final dataset. If the device is under attack, the sample is labeled 1; if the device is in a good state, it is labeled 0, which means no cyber-attack is present. To train the classifiers and assess the results, the data collection is split into training data and test data. KNN is a basic method that classifies an item by majority vote of its neighbors: the object is assigned to the most common class among its k nearest neighbors. The decision tree is a tree-like structure containing branches and nodes. Each internal node represents the evaluation of an attribute, and each branch represents an outcome of that test. After all attributes have been weighed, the leaf node gives the classification decision. Bagging is used to reduce decision tree variance by averaging votes when predicting a class. This approach generates m subsets from the original data, with n samples in each subset. The random forest is likewise made up of decision trees built on randomly selected subsets. It generates the prediction from all the subtrees, and its trees are less correlated than in bagging because only a subset of the predictors is considered at each tree split. The outcome of the prediction is determined by plurality vote or weighted vote. A single decision tree splits by selecting a single attribute, while the random forest selects among several attributes at each split point. The data is processed using multiple classification methods. The data is split into training data and test data. The classification models are trained using the training data, and the test data is used to evaluate every model. The accuracy of each model is derived by comparing the predicted class with the actual class. The regression model is an unsupervised, experience-based algorithm. Based on the difference between the input vector and each memory vector, the prediction is determined as the weighted average of the memory vectors. The query vector is the observation under evaluation, and the memory vectors are past observations of error-free activity stored in memory. The kernel method is used to compute the weights. In this case, the actual process data is examined, because the intruder can cause a destructive change in the device.
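The M3 process-data layer described above, as an added example that is not code from the patent: a query observation is compared with a kernel-weighted average of attack-free memory vectors, and a large residual marks an inconsistency between sensors. The Gaussian kernel, the standardization, the leave-one-out threshold, the signal names and all sample values are assumptions constructed for illustration.

```python
import math

# Constructed, attack-free "memory" of a hypothetical pumping loop:
# (flow m3/h, pressure bar, temperature degC) at operating points 40..60.
MEMORY = [(float(f), 0.08 * f, 30.0 + 0.6 * f) for f in range(40, 61, 2)]
SIGNALS = ("flow", "pressure", "temperature")
BANDWIDTH = 0.5   # assumed kernel width, in standardized units
MARGIN = 1.5      # assumed safety factor on the calibrated threshold


def fit_scaler(memory):
    """Per-signal mean and standard deviation, so no signal dominates distance."""
    cols = list(zip(*memory))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds


def scale(vec, scaler):
    means, stds = scaler
    return [(v - m) / s for v, m, s in zip(vec, means, stds)]


def predict(query, memory, scaler, bandwidth=BANDWIDTH):
    """Expected observation: kernel-weighted average of the memory vectors."""
    q = scale(query, scaler)
    d2 = [sum((a - b) ** 2 for a, b in zip(q, scale(m, scaler))) for m in memory]
    # Shift by the smallest distance before exponentiating: the nearest memory
    # vector always gets weight 1, so a far-off query cannot underflow every
    # weight to zero and cause a division by zero.
    d2_min = min(d2)
    w = [math.exp(-(d - d2_min) / (2 * bandwidth ** 2)) for d in d2]
    total = sum(w)
    return tuple(sum(wi * m[j] for wi, m in zip(w, memory)) / total
                 for j in range(len(query)))


def residual(query, memory, scaler):
    """Standardized residual per signal (observed minus expected)."""
    expected = predict(query, memory, scaler)
    return [a - b for a, b in zip(scale(query, scaler), scale(expected, scaler))]


def score(query, memory, scaler):
    """Length of the residual vector; large means the sensors disagree."""
    return math.sqrt(sum(r * r for r in residual(query, memory, scaler)))


def calibrate_threshold(memory, scaler, margin=MARGIN):
    """Leave-one-out scores on attack-free data bound the normal residual."""
    loo = [score(m, memory[:i] + memory[i + 1:], scaler)
           for i, m in enumerate(memory)]
    return margin * max(loo)


def check(query, memory=MEMORY):
    """Return (is_anomalous, score, most_deviating_signal)."""
    scaler = fit_scaler(memory)
    threshold = calibrate_threshold(memory, scaler)
    res = residual(query, memory, scaler)
    s = math.sqrt(sum(r * r for r in res))
    worst = SIGNALS[max(range(len(res)), key=lambda j: abs(res[j]))]
    return s > threshold, s, worst


if __name__ == "__main__":
    samples = {  # constructed observations
        "normal operation": (51.0, 4.08, 60.6),
        "flow reading frozen at 50": (50.0, 4.80, 66.0),
        "far outside memory": (500.0, 40.0, 300.0),
    }
    for name, obs in samples.items():
        print(name, check(obs))
```

The frozen-flow sample passes any per-signal range check, because each value is individually normal; only the relationship between the signals gives it away, which is why the residual points at the flow sensor.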

Claims (6)

We claim,
1. A cyber attack detection system uses the concept of protection to improve the industrial control system cybersecurity.
2. The Multilayer intrusion detection system will enhance the overall cyber-security with the hybrid method (combination of signature-based and anomaly-based) analysis of the network data, host data, and process data.
3. The key goal is to incorporate network traffic data, host device data, and process data into a single structure and include several levels of cyber detection.
4. The framework also involves monitored and unregulated models of network and device data after firewall failure and uncontrolled process data models in the industries as the last cyber-attack security section, respectively.
5. Algorithms such as k-nearest neighbor, the decision tree, bootstrap aggregation, and the random forest are used to distinguish regular operations by utilizing network and host data.
6. The regression model is used for predicting attacks without correlation of network and device data through physical process data.
Drawings
Figure 1: Multi-Layer Cyber Attack Detection System
AU2020102142A 2020-09-04 2020-09-04 Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system Ceased AU2020102142A4 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2020102142A AU2020102142A4 (en) 2020-09-04 2020-09-04 Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2020102142A AU2020102142A4 (en) 2020-09-04 2020-09-04 Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system

Publications (1)

Publication Number Publication Date
AU2020102142A4 true AU2020102142A4 (en) 2020-10-15

Family

ID=72750354

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2020102142A Ceased AU2020102142A4 (en) 2020-09-04 2020-09-04 Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system

Country Status (1)

Country Link
AU (1) AU2020102142A4 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491860A (en) * 2020-11-20 2021-03-12 国家工业信息安全发展研究中心 Industrial control network-oriented collaborative intrusion detection method
CN113505826A (en) * 2021-07-08 2021-10-15 西安电子科技大学 Network flow abnormity detection method based on joint feature selection
CN113552443A (en) * 2021-06-08 2021-10-26 广西大学 Hybrid connection high-voltage line fault identification method based on alternating current-direct current pulse and random forest
CN114237180A (en) * 2021-12-17 2022-03-25 内蒙古工业大学 Industrial control system attack detection method and device
CN114745188A (en) * 2022-04-20 2022-07-12 医诺智能科技(广州)有限公司 Intelligent security situation sensing method and terminal for medical Internet of things platform
CN115473672A (en) * 2022-08-03 2022-12-13 广西电网有限责任公司电力科学研究院 Leak-proof hole detection method based on online interactive WEB dynamic defense

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491860A (en) * 2020-11-20 2021-03-12 国家工业信息安全发展研究中心 Industrial control network-oriented collaborative intrusion detection method
CN113552443A (en) * 2021-06-08 2021-10-26 广西大学 Hybrid connection high-voltage line fault identification method based on alternating current-direct current pulse and random forest
CN113505826A (en) * 2021-07-08 2021-10-15 西安电子科技大学 Network flow abnormity detection method based on joint feature selection
CN113505826B (en) * 2021-07-08 2024-04-19 西安电子科技大学 Network flow anomaly detection method based on joint feature selection
CN114237180A (en) * 2021-12-17 2022-03-25 内蒙古工业大学 Industrial control system attack detection method and device
CN114237180B (en) * 2021-12-17 2023-10-13 内蒙古工业大学 Industrial control system attack detection method and device
CN114745188A (en) * 2022-04-20 2022-07-12 医诺智能科技(广州)有限公司 Intelligent security situation sensing method and terminal for medical Internet of things platform
CN114745188B (en) * 2022-04-20 2024-05-28 医诺智能科技(广州)有限公司 Intelligent sensing method and terminal for security situation of medical internet of things platform
CN115473672A (en) * 2022-08-03 2022-12-13 广西电网有限责任公司电力科学研究院 Leak-proof hole detection method based on online interactive WEB dynamic defense
CN115473672B (en) * 2022-08-03 2024-03-29 广西电网有限责任公司电力科学研究院 Leak-proof detection method based on online interactive WEB dynamic defense

Similar Documents

Publication Publication Date Title
AU2020102142A4 (en) Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system
Khraisat et al. Survey of intrusion detection systems: techniques, datasets and challenges
Feng et al. Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks
Gumaei et al. A robust cyberattack detection approach using optimal features of SCADA power systems in smart grids
Gaikwad et al. Intrusion detection system using bagging ensemble method of machine learning
US9369484B1 (en) Dynamic security hardening of security critical functions
CN115996146B (en) Numerical control system security situation sensing and analyzing system, method, equipment and terminal
Repalle et al. Intrusion detection system using ai and machine learning algorithm
CN116781430B (en) Network information security system and method for gas pipe network
Osareh et al. Intrusion detection in computer networks based on machine learning algorithms
Amrollahi et al. Enhancing network security via machine learning: opportunities and challenges
US20230291755A1 (en) Enterprise cybersecurity ai platform
Nadiammai et al. A comprehensive analysis and study in intrusion detection system using data mining techniques
Muneer et al. Cyber security event detection using machine learning technique
Oreyomi et al. Challenges and opportunities of autonomous cyber defence (ACyD) against cyber attacks
Bhandari et al. AINIS: An Intelligent Network Intrusion System.
Ishaque et al. Intrusion detection system using binary and multiclass deep neural network classification
Prasad et al. HIDSC2: Host-based intrusion detection system in cloud computing
Yeshwanth et al. Adoption and Assessment of Machine Learning Algorithms in Security Operations Centre for Critical Infrastructure
Prajapati et al. Network intrusion detection using machine learning
Rani et al. Analysis of machine learning and deep learning intrusion detection system in Internet of Things network
Molcer et al. Machine learning based network intrusion detection system for internet of things cybersecurity
Wang et al. Cyber Threat Analysis and Trustworthy Artificial Intelligence
Mofidi et al. L-IDS: A Multi-Layered Approach to Ransomware Detection in IoT
Tangi et al. A Survey: Importance of ANN based NIDS in Detection of DoS Attacks

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry