CPS Device-Class Identification via Behavioral Fingerprinting: From Theory to Practice
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2021-01-29, DOI: 10.1109/tifs.2021.3054968
Leonardo Babun, Hidayet Aksu, A. Selcuk Uluagac

Cyber-Physical Systems (CPS) utilize different devices to collect sensitive data, communicate with other systems, and monitor essential processes in critical infrastructure applications. However, in the ecosystem of CPS, unauthorized or spoofed devices may endanger or compromise the performance and security of the critical infrastructure. The unauthorized and spoofed devices may include tampered pieces of software or hardware components that can negatively impact CPS operations or collect vital CPS metrics from the network. Such devices can be outsider or insider threats trying to impersonate other real CPS devices via spoofing their legitimate identifications to gain access to systems, steal information, or spread malware. Device fingerprinting techniques are promising approaches to identify unauthorized or illegitimate devices. However, current fingerprinting solutions are not suitable as they disrupt critical real-time operations in CPS due to the nature of their extensive data analysis or too much overhead on the devices’ computational resources. To address these concerns, in this work, we propose STOP-AND-FRISK (S&F), a novel fingerprinting framework to identify CPS device classes and complement traditional security mechanisms in CPS. S&F is based on a secure challenge/response mechanism that analyzes the behavior of the CPS devices at both the hardware and OS/kernel levels. Specifically, the proposed novel mechanism combines system and function call tracing techniques, signal processing, and hardware performance analysis to create specific device-class signatures. Then, the signatures are correlated against known behavioral ground-truth to identify the device types. To test the efficacy of S&F extensively, we implemented a realistic testbed that included different classes of CPS devices with a variety of computing resources, architectures, and configurations. Our experimental results reveal an excellent rate on the CPS device-class identification. Finally, extensive performance analysis demonstrates that the use of S&F yields minimal overhead on the CPS devices’ computing resources.

Updated: 2021-02-23