Assistente AI
Trascrizione
00:03:696Alessandro Brighente: Hey? Hello, okay. So
00:17:170Alessandro Brighente: they will see some of these attacks we might have in industrial control systems, and how we can detect them. Right? So the idea is again, you have these devices which can
00:33:220Alessandro Brighente: collect information about the process, thanks to their sensors. Right
00:38:402Alessandro Brighente: then, we have the controller. They're doing stuff right? It's the usual thing that we've seen up to now. So the question is,
00:45:00Alessandro Brighente: our controllers. Really, that stupid right? So can we provide them? We would ever input that we that we like. And then they're just going to accept it. And
00:55:40Alessandro Brighente: and the work based on that.
00:58:160Alessandro Brighente: And
00:59:872Alessandro Brighente: assuming that they are not that stupid. So how do we actually detect if you are attacking these the sensors. Right? So let's suppose that we are compromising a sensor. You can imagine that a sensor has not that many capabilities right. So we cannot actually encrypt the sensor readings so the the values of the sensor is recording
01:22:80Alessandro Brighente: and providing to the the controllers right? So how can we indeed verify that the measurements that the the sensor is reporting makes sense with respect to
01:33:660Alessandro Brighente: to what the process is doing? Right? So these are the the questions that we will try to answer to.
01:44:20Alessandro Brighente: Okay. So.
01:48:230Alessandro Brighente: as we already mentioned, the the the main distinction between it systems and the sub-physical system, particularly these industrial control system is the fact that we are dealing with the physical work. Right? So let's
02:03:100Alessandro Brighente: think about the it right? So we are talking about it, and we want to perform anomaly detection on the network. We can add no counter package. Right? Count the inter delay between packets we can account for the size of the packets. That's all different characteristics from the network that we can look at.
02:20:227Alessandro Brighente: In order to detect the presence of anomalies. Right in here we have something slightly different. Right? We again, we're talking about sensors reading from it, for instance, we are providing some values to the the sensor that is measuring the temperature right? So at this point we have the value comes from the register of the sensor.
02:40:990Alessandro Brighente: And what can we do with that? So we have some
02:45:230Alessandro Brighente: some similarities, you see. Right? So, for instance, we can account for how much is the variation of the temperature that we are looking at. How does it change in time? How often does the sensor report such measurements? So we have some similarities. But the idea, what we are actually measuring is fundamentally different. In some physical system we are looking at the how the physics of the process is
03:11:380Alessandro Brighente: is behaving.
03:14:530Alessandro Brighente: how do we account for what sensors are more important than other? If you want right? So this is this is ready to risk assessment. Right? So risk assessment is something that
03:29:440Alessandro Brighente: that you have in
03:31:270Alessandro Brighente: in many different scenarios right in here. We're talking about server physical system. But if you were talking about a software supply chain, you would do exactly the same right? You want to assess the risk meaning. How likely is an attack to happen, and how bad would it be if that attack? Of course. Right, if the attack is successful?
03:52:399Alessandro Brighente: And why do you do this assessment? Well, because, some of the threat factors that you might identify might be worse than than others.
04:01:650Alessandro Brighente: Okay. And maybe you want to prioritize the resources that you have in terms of security. Right? You want to protect part of the system more than another, or sooner than another based on the resources you have based on these risk assessment.
04:16:760Alessandro Brighente: Good. So this is something that we can do also in our cyber physical system in particular.
04:24:560Alessandro Brighente: when we talk about risk assessment in industrial control system, the question might be, which sensor is more likely to be attacked
04:31:490Alessandro Brighente: right. So which sensor is more exposed. How likely is an attacker to successfully being able to access the sensor really and provide fake values?
04:42:850Alessandro Brighente: And how bad would it be
04:46:50Alessandro Brighente: if the attackers proves the values of that precise sensor? Right? So if we have a a sensor that is measuring or monitoring the the pressure inside the tank. Well, that that one is important, right? Because if the pressure is too high, then Tank might slow. So that's bad. So we can assign
05:10:240Alessandro Brighente: these risks value to these different sensors.
05:13:740Alessandro Brighente: and that's more or less how you would do that on a theoretical basis.
05:20:410Alessandro Brighente: Right. So
05:22:962Alessandro Brighente: The 1st one that you observe is a well known metric is the average loss, right? So the the expected value of the loss.
05:29:510Alessandro Brighente: How do we compute the expected values of loss? Right? So we have. For instance, our sensors right? The the index of the the sensors may be I.
05:39:600Alessandro Brighente: And for each of them we associate a loss value. So how bad is the attack if it happens, and a likelihood value the probability that the attacker is successful in there.
05:54:430Alessandro Brighente: And so in that way, you're computing the the average loss
06:00:314Alessandro Brighente: you could also compute the the variance on the losses. Right? So you have this lip integration here, which is simply the the variance.
06:10:935Alessandro Brighente: But then the problem is, how do we compute this value. Right? So again, there's no standard that tells you how to do this. It depends on your
06:22:620Alessandro Brighente: situation, on your industrial control system. So you may want to assign values here. Actually, you can decide your your scale and how these values are going to change. But these will get very important, right? So
06:44:340Alessandro Brighente: now, how how can we move on from here? Right? So now, we
06:53:865Alessandro Brighente: we want to understand how badly the
06:57:550Alessandro Brighente: and that would be to specific century.
07:01:440Alessandro Brighente: How can we do that? Well, we can model our industrial control system right? So that's something that we definitely have industrial system. Someone designed it at a certain point. So we can build a model of the industrial control system. Right, it has a control model. It might be more or less complicated. Then, at this point, you know exactly the process, or you have a a machine that emulates the process of the industrial control system is
07:28:490Alessandro Brighente: It's
07:30:30Alessandro Brighente: performing is doing right. And you can see how bad it is for the process to receive certain fake inputs.
07:38:800Alessandro Brighente: Right? So, for instance, we can start from a situation where the probability of a successful attack may occur for all the sensors right? So the the probability of the attacker to be successful on a certain sensor is the same, for all the sensors
07:55:240Alessandro Brighente: say uniform one divided by the the number of sensors. And and then you want to
08:03:200Alessandro Brighente: to understand the loss, right? So what we are doing here is trying to understand the the value of the loss. Right? So how can we see whether a specific attack is really that bad or not? For our industrial control system.
08:17:350Alessandro Brighente: Good. So
08:19:540Alessandro Brighente: here we have the model of our system. Right? So let's assume that we have P sensors
08:25:76Alessandro Brighente: where at time K, we have a specific, this vector here, which are the measurements coming from the from all of the sensor.
08:33:260Alessandro Brighente: Right? So y, 1 is the 1st sensor, Y 2 sensor, and so on, so forth.
08:40:929Alessandro Brighente: So we know the sensors that we have in our industrial control system. Right? It's something that we control.
08:47:480Alessandro Brighente: and we know that each of this sensor has a certain dynamic range. Actually, if you remember, when we were looking at the tasks towards the lighters. We said that the sensor have a specific range in which they actually work. Right? So we have the region where we have no response. Then we have a linear region, then we have the saturation region.
09:05:700Alessandro Brighente: So within the linear region we have values that are actually useful for our industrial system, right? And this is exactly what you have in here, the dynamic range. Let's define the dynamic range as all the possible values that we get and output from the sensors reading, and we can define that for each of our sensors. So for the
09:27:601Alessandro Brighente: either sensor, we have a here we have a minimum value and a maximum value. So all the values that are within this range are deemed as valid by the central system, because it knows that this is how the the sensor actually works.
09:44:610Alessandro Brighente: And let's make our assumption even stricter for the target. Right? Let's assume that we are protecting these sensors. Right? We we protect the the packets that get from a certain point to another
10:00:450Alessandro Brighente: by some cryptographic team.
10:03:910Alessandro Brighente: Good. And so this thing in here. This Y. Tilde K. Is the received measurement by the controller at time. K, right? So it's not the measurement that we get from the sensor is the value that the Controller received right? Anything could happen in the
10:22:320Alessandro Brighente: in the transit of this information.
10:24:540Alessandro Brighente: right? So in the best situation ever.
10:29:180Alessandro Brighente: these 2 vectors are exactly the same right? The readings sensus readings are those that gets to the the controller, and then we act based on that. But if we have a noise, if we have an attacker, if anything occurs, these 2 vectors might not be the same right. Y might not be equal to Y Tilde. And that's a problem, because our industrial system acts based on some values that are not
10:55:480Alessandro Brighente: those gathered from the sensory
11:01:990Alessandro Brighente: good. So
11:04:760Alessandro Brighente: we can define. Some rules in the in the system, in the controller. Right? So we want to, maintain a certain operational goal.
11:17:390Alessandro Brighente: Right? So it means that the values that we'll see from each sensor should lie within their operational range within this capital YI.
11:28:190Alessandro Brighente: And if the attacker reports something that is out of this operational range for each sensor. Then we delete as an attack, right? So we see that there's a value that is weird, that it's not supposed to be like that. For the specific sense, right? So this is something that can be simply, very simply detected by fault, tolerant control algorithms.
11:49:770Alessandro Brighente: Right? So again, if I receive a value that it's not within the operational range for that sensor, I can safely say, Okay, discard that right whatever. I don't care whether it comes from an attacker whether it's some point, some malfunctioning of the sensor itself. I would just not use it, because it's not possible that the sensor provides me that value.
12:08:530Alessandro Brighente: Good. So here we do not the the attack duration right? So the attacker is not there since forever whatever. But it works in a specific time range.
12:20:280Alessandro Brighente: So here we have the the starting point of the the timing somewhere. The attacker kicks in ks a start, and then we have a ke, which is the last time when the attacker applies a known or spoof value for a specific sensor.
12:39:50Alessandro Brighente: Good. So how can we model the attacker? Right? So here's a simple model of the attack we have. The Y Tilde is exactly equal to YI for each time, instance, and for all the sensors, if the time instance is not within the the attack duration, and if, instead, we are within the attack duration, we say that the attacker is successful and spoofs some of the values from the
13:08:740Alessandro Brighente: of the sensors or the the readings of the sensors.
13:17:860Alessandro Brighente: Good. So let's start with the 2 very simple attacks. Right? So the 1st one is integrity attack.
13:23:700Alessandro Brighente: So it means that the attacker is reporting some values on behalf of these sensors which are not correct right? They are not the actual values of the sensor measure, but they may be some arbitrary non-zero value, and in order to be stealthy, such arbitrary non-zero value should lie within the operation of danger of each sensor. Right. We said before that if that's not the case, you can easily identify that something
13:48:690Alessandro Brighente: is going on, and we can neglect those. Then. So the attacker is smart enough to know about the operational ranges
13:56:120Alessandro Brighente: of these at sensors, and
14:01:70Alessandro Brighente: the second task of attacks is denial of service attack. Right? So the the the attacker blocks the communication
14:08:938Alessandro Brighente: and avoids reporting some sensor values back to the to the controller. Right? So the controller notices, there's some 0 value for that sensor rating at a specific time.
14:22:50Alessandro Brighente: So there's it's like a lack of measurement. So how do we deal with that? Well, it depends on the controller and how it is implemented. Right? So sometimes the controller what it does is to use the less valid receive the information
14:42:70Alessandro Brighente: right? So it just reuses that for a certain amount of time in the hope that the process did not change that much during that time. Or it would just use some predictive model, right? So the
14:57:627Alessandro Brighente: the common field that, for instance, that we've seen for for Jones. Right? That's an option. We don't know where the where the process is going, but we can design a model that tells us ideally where the process should be going in the successive time instance and use the those values.
15:16:480Alessandro Brighente: Okay? So we have these find some operational ranges of the
15:26:760Alessandro Brighente: of these values in order to be able in this time. So options might be. Since these readings.
15:38:360Alessandro Brighente: So now we have the assumption that these values are encrypted, which is rather strong with respect to the products that we have in industrial system. That's not the case, because usually all the communication are based on mobile Tcp, and these are not encrypted. So you can either collect
15:58:800Alessandro Brighente: metro traffic and see about these these readings understand the operational range. Maybe you don't know the exact operational range, but you see, which values are more likely to happen the alternative is that, many of the sensors that we use in these applications are
16:13:760Alessandro Brighente: standard that we say I mean, we know more or less which are the sensors that we use in certain situations. And so you can guess. Okay, very likely the industrial system is going to use these kind of sensors, and we know the operation of these sensors. Right? So, for instance, to give you the example on on the drones drones have these these devices they use to check the altitude.
16:40:384Alessandro Brighente: despite the fact that many of them come from different vendors, their operational range is more or less the same, so the frequency that they use the the signals that they send them more or less they're the same. So, although we don't know exactly the model we know how it's supposed to work. We can.
16:58:450Alessandro Brighente: You can see the and assign some values that we want to score
17:05:700Alessandro Brighente: cool. So now, what are the
17:12:339Alessandro Brighente: effects of these attacks? Right? So we have very simple attacks at this point. We just say that we have spoofing. And we have random non 0 values for certain sensibilities. And then a service where we have 0 values, or a certain sensor
17:29:00Alessandro Brighente: so in order to validate these attacks and see how classical industrial systems behave. We use this thing in here, which is called the tennis Eastman process control system. Right? So this is a classical industrial control system.
17:51:70Alessandro Brighente: I would say, simulator, right? So you have these chemical process which is controlled by rather simple controllers. Right? So we have many implementations of this
18:01:936Alessandro Brighente: and it's used for from benchmarking. So if we want to to try out new attacks, or we can test them on these model. There are many papers that the design a
18:15:940Alessandro Brighente: intrusion detection system or nomine detection system based on the values that we get from these Tennessee Eastman process. And so it's
18:26:520Alessandro Brighente: say, kind of a knowledge in the in the community. How does these system look like so? On the right, you have the graphical representation of the process.
18:39:240Alessandro Brighente: Right? So the process what it's doing is an irreversible reaction, right? Chemical process. So you have a tanker in here. And so you have a couple of bugs you have. These 4 controllers in here, and you have certain amount of sensors. Right? So the sensors are measuring different different components that that related with the final product.
19:08:510Alessandro Brighente: right? So we want to understand how much is the pressure in in the tanker. How much of a certain reactant we are adding to to the tank in order to to get the product right? So this is the the kind of reaction that we are using.
19:24:431Alessandro Brighente: What we care about is the fact that we indeed have 4 controllers. We have bots, which are the things that we actually control from a physical point of view, and they are opening and closing bots in order to to add the a certain reactant, right? So open the box to remove some of the steam that we have in the in the right
19:49:496Alessandro Brighente: and the controllers are actually working on these on designs. Right? So we did the Controller outputs that we have in here. So for instance, from
19:59:900Alessandro Brighente: 3 controller. We are working on the bulb in F 2. With the 1st controller, we are working on the bulb in f 1, and so on so forth.
20:08:660Alessandro Brighente: Okay, so if we are launching attacks against these control process, right? So what what we're doing for our the attacks that we just described.
20:19:950Alessandro Brighente: We are working on the sensor readings in here. Right? So you see that this sensor is providing inputs to the look to controller. So if we are spoofing or causing another service to to sensor Wi-fi.
20:33:130Alessandro Brighente: it means that the that we are providing fake values to the loop controller, too.
20:41:670Alessandro Brighente: If you are swooping balance for sensor y, 7, then for your controller 3, and so on. So forth. Right? So this is where we are
20:50:540Alessandro Brighente: acting. Basically, it's like the attacker is here. The customer is here, for the attacker is here.
20:57:990Alessandro Brighente: So in in the slides you have a description of the different components, and how? They work.
21:07:890Alessandro Brighente: And so, yeah, just
21:13:770Alessandro Brighente: simple description of the notation that you that you have in the figure. So when we talk about the effort, it's about the the flow of a certain component.
21:23:150Alessandro Brighente: Alright. So we want to measure the the flows, because based on the flow, we can design our control model. Right? So again, we want to have a an error function.
21:35:730Alessandro Brighente: And we want to control that right? So our our controller outputs that are acting on the bus actually deal with the the production of these
21:50:50Alessandro Brighente: this process?
21:51:940Alessandro Brighente: Good. So in terms of safety, right? So how is how can we define our system to be so one of the things that we have is to maintain the pressure of the reactor below a certain limit.
22:08:840Alessandro Brighente: Right? So if the pressure gets above a certain threshold value. Then we need to shut down the system, because otherwise it might explode right? So that's something that the Controller is dealing with. Right? So among them.
22:23:260Alessandro Brighente: You see, among the the outfits that we have in here this loop controller here is providing instructions to this volume, which is indeed the one that is written in the first.st And so it's removing part of the the content from from the tank right?
22:41:740Alessandro Brighente: And that's related with the depression.
22:45:610Alessandro Brighente: So here you have a
22:48:00Alessandro Brighente: how you minimize the operating costs. And what is the the function of the 1st solution here. So this is a linear combination of the outputs that you have from there
23:04:240Alessandro Brighente: from the different sensor reading.
23:07:260Alessandro Brighente: Right? So
23:08:861Alessandro Brighente: again, I'm sensitive reading are related to. To how much of a certain product is there
23:16:490Alessandro Brighente: at a certain time? It's at certain location in our industrial system.
23:23:410Alessandro Brighente: Good. So here's the description of the the control signals, right? And that's something that we you already discussed. Yeah.
23:35:360Alessandro Brighente: okay, so here's the description of how this system is is set right. So we have the state production. You have certain production data. You have a certain pressure that you expect, and fraction of the the product a in the in the purge, right? So here is what the attacker may want to do
23:56:910Alessandro Brighente: right. So we know that we have a certain pressure in in the tank that should be maintained when the when the system is in a stable State, which is, is 2,700 Kilo Pascal.
24:10:520Alessandro Brighente: And
24:12:640Alessandro Brighente: these might be our limit for the operational range of the pressure right? The threshold value that we said before that if the system gets above the threshold value, the tank might explode.
24:27:670Alessandro Brighente: Good. So let's assume that the attacker has access to a single sensor in time. Let's proof the value of just one sensor. The aim of the attacker is to bring the pressure inside the tank above this limiting here right without being actually detected. Right? So how do we provide fake values to the, to the controller? Such that
24:52:430Alessandro Brighente: it doesn't realize that visa is happening. And then we bring this this system to unstable state.
24:59:260Alessandro Brighente: Right? So this is very important in the sense that the you see what might be the
25:06:950Alessandro Brighente: the objective of an attacker. In this sense, right? So we know that the system is in a stable state or in a safe state as long as certain conditions are met, so the the goal of the attacker is to bring the system to an unstable state, because that means that you might break some of the safety conditions of the system.
25:36:650Alessandro Brighente: No.
25:37:920Alessandro Brighente: How do attach to this to this process look like?
25:44:910Alessandro Brighente: So what if one we look at the at the control process, and how it behaves right if you let it run
25:52:19Alessandro Brighente: the most effective attacks are what we call as Max and mean attacks. Right? So it it means that
26:00:230Alessandro Brighente: if we know the operational ranges of all the sensors, the best thing that we can do
26:07:537Alessandro Brighente: is to use either the minimum value or the maximum value for that sensor.
26:16:290Alessandro Brighente: Right? So that's exactly the attacker signal here. So this is good. It works it makes the attacker non detectable. But then based on the sensor. That we are spoofing. This might or might not, bring our industrial system to an unsafe state.
26:36:200Alessandro Brighente: Okay? So here, for instance, let's let's focus on y 7.
26:45:717Alessandro Brighente: So here,
26:52:180Alessandro Brighente: okay, so what we're doing here is just pull from the the sensor value from y. 7. And let's say that the the attack ranges between 0 and 30
27:05:440Alessandro Brighente: and what happens in here. If we report the maximum value, for instance, it means that the controller believes that a large amount of the component A is in is in the tank
27:18:805Alessandro Brighente: and
27:20:750Alessandro Brighente: the Controller, of course, tries to to react to this right? It thinks that that is the case. So after the attack, it will try to compensate for what we think that they think that happened during that contact period.
27:36:170Alessandro Brighente: Alright, so
27:39:430Alessandro Brighente: these might be what the what should serve right? So here is we find where? We measure the pressure
27:49:610Alessandro Brighente: inside. Okay.
27:51:150Alessandro Brighente: right? So this is the correct value and the the actual value that you serve from in the central system. And this is that the value is the attackers right? So what happened in here is that for a certain amount of of time we had the the original value then in here from times 10 to 30 in terms of hours
28:14:941Alessandro Brighente: we report always the maximum value for that
28:20:607Alessandro Brighente: that component right for the amount of that component we purchased.
28:24:890Alessandro Brighente: And here you see how the the pressure reacts. Right? So that's how the the system is trying to
28:33:995Alessandro Brighente: the the system to unsafe state the sequences here that the pressure is increasing and increasing, and it gets closer to the, to the critical pressure. So this attack is working. But it's not bringing the system to unsafe state. And then what happens in here is that when the attack finishes
28:55:302Alessandro Brighente: you see that there is a compensation mechanism here from the from the controller, right? So it told that the visa was the amount of the component a up to this point. And then, after this point on it thinks that the component decreased suddenly. So we'll try to
29:12:440Alessandro Brighente: bring it back up some of it. And the reaction here in terms of pressure. You see, the pressure gets decreased a lot, right? So in a very short time, you are actually decreasing a lot, the the pressure within
29:27:900Alessandro Brighente: within the tech. But again, this is close to an unsafe state, but it's not actually the
29:35:920Alessandro Brighente: the actual, unsafe state. So you see that one of the the problems we hear is that it takes a really a huge amount of time for the talk to.
29:47:450Alessandro Brighente: or something ideally. You see that in here
29:51:927Alessandro Brighente: you have these increase of pressure. So maybe if the attack lasts even longer than that, we could reach the the critical pressure value. But compromising a system and running it for 20 h might be a lot of time. Right?
30:12:770Alessandro Brighente: So since we have a very slow dynamics in the system. If we had human operators in there controlling their human machine, the basis right? And the monitors with single sign it might be 20 h might be sufficient for human operators to realize that something wrong is is happening. Right? So it's not a very effective attack in this sense
30:36:00Alessandro Brighente: that so here you have the eternity, right? So here we instead spoofing the value for y 5.
30:45:790Alessandro Brighente: So this is the the pressure that we report.
30:52:80Alessandro Brighente: And this is the the sensor rating. So that's how actually these this looks like when we're looking at the at the real system. And so that's
31:04:340Alessandro Brighente: how the real pressure is changing. So you see that you try to compensate a lot for what is happening. But again, we do not reach the the critical state.
31:13:870Alessandro Brighente: So in both of these cases we are using either the Max attack or the main attack right in the previous
31:20:220Alessandro Brighente: in the previous figure, we saw that we are reporting the maximum value for y 7 in here. Instead, we are reporting the the minimum value. Okay? So these attacks are working. But
31:34:990Alessandro Brighente: yeah, we can better than that. Right? We can try to reach the safety critical pressure.
31:46:130Alessandro Brighente: Good. So instead of relying to to human operators to to notice that something weird is going on at the sensor level. How can we? How can we detect the attacks to these sensor greetings? Right? So, although these take sneak amount of time for the system to to be in a single state with this maximum mean attacks, still, we won't be able to to detect them.
32:12:20Alessandro Brighente: Good. So one of the possible formulations that we might use is a normally based intrusion detection system.
32:22:320Alessandro Brighente: So what we monitoring here?
32:24:726Alessandro Brighente: Is a physical process, right? The idea of anomaly detection. Normally based intrusion, detection. It's not novel percent in the sense of industrial system, right? It's something that we have also in wireless network. As I mentioned before, the the difference in here is that we are not
32:44:160Alessandro Brighente: checking the size of the package. For instance, what we are checking is the coherence of the the physical process. Right? So we have. We monitor the physical process and see whether there's a a certain anomaly in the physics
32:58:640Alessandro Brighente: of the system.
33:01:300Alessandro Brighente: Good. So we know how the the physics of the process should change, because we have a model with that in order to have control of that, it means at a certain point, we need to design the the controller. But then the problem is.
33:17:147Alessandro Brighente: how do we want to model anomalies? How do we? Do we want to create signatures for for certain behaviors? Right? We do. We want to have them.
33:30:210Alessandro Brighente: So we need to design our
33:35:650Alessandro Brighente: our only detection system.
33:39:900Alessandro Brighente: And the other problem is let's say that you are using some components that that you buy. Right? So let's say that we want to design our model. We want to have a full model, our industrial control system, because if we have the full model, we know exactly how the physics should should take us to behave to certain inputs and outputs. And that would be great. But then the problem is,
34:02:314Alessandro Brighente: not necessarily. You are always able to derive the model of your full system, because maybe you bought some of these devices from some of your controls from 3rd parties
34:13:190Alessandro Brighente: and sometimes you have identification packages which help, you understand in the Controller. These 3rd party vendors implemented, but sometimes you do not have them.
34:26:909Alessandro Brighente: So how how do we approximate our system? Right? So what can we actually do?
34:36:600Alessandro Brighente: So the most common systems that we have. Also industrial systems are these
34:44:300Alessandro Brighente: linear control equation that you're saying here which should be very familiar for you because Finland also for platoons.
34:51:500Alessandro Brighente: Alright, so in here. What we have is the behavior of x times k plus one is any combination of the values that you have K, times, k
35:04:647Alessandro Brighente: plus the these controller inputs that we give to the process.
35:12:890Alessandro Brighente: Good. So also, in this case, we assume that our process is is monitored by a set of these sensors right? And the sensor ratings that we have is a model like this right? So we say that the sensor ratings are a linear combination of these values and x in here that model. How the the system behaves
35:38:890Alessandro Brighente: good. So again, this is the output measures, I think, exactly what we've seen before.
35:44:900Alessandro Brighente: which is what we need.
35:48:40Alessandro Brighente: what we model. Right? So what we predict being the the the observations at time. P. For all our sensor set again, which is not the actual value of the sensors. But it's the values that we that we modeled we predict from
36:04:700Alessandro Brighente: from our control equations.
36:08:200Alessandro Brighente: Good. So
36:09:600Alessandro Brighente: how do we perform our detection? Well, we can use some theoretical frameworks. Right? So here you have sequential detection theory which is basically a methodology that you can use to detect anomalies that leverages the time correlation between the values that you serve.
36:33:520Alessandro Brighente: Okay? So you have a detection time you choose when you want to perform this detection time, and ideally, what you would like is the detection time to be as close as possible to the event that you want to detect right, because if that is the case, you are able to respond as soon as possible to potential anomalies, inclusions, or whatever wrong is happening in your system.
36:59:620Alessandro Brighente: So
37:01:650Alessandro Brighente: the problems that we are solving in the sense of the kind of problems that we're having. They're called the optimal stopping problems. Right? When do we? We want to perform the detection. And when do we want to stop our system? Because we detected and
37:19:490Alessandro Brighente: okay, so we have 2 different formulations for these optimal solving problem. So we have sequential detection, which is sequential hypothesis testing right? So you have 2 hypothesis, one, the attack is going on the other one. The system is well, and there's nothing we should do. To change this behavior
37:39:640Alessandro Brighente: and you do it sequentially while you collect your observation. And the second one is because detection, right? So you want as soon as possible to detect certain changes in the behavior of your process right? And as soon as these change occurs, you want to
37:56:873Alessandro Brighente: to detect them. So here you have a reference to this type of problems. Right? If you want to see the
38:04:110Alessandro Brighente: the foundation on how these where this came from. You can take a look at this newspaper in here. And now we look at how they how they look like in in our scenario. But after the break.
38:33:160Alessandro Brighente: okay, let's start with this optima stopping problems which you don't see.
38:54:345Alessandro Brighente: It tells us that the break was too long.
39:18:920Alessandro Brighente: Hey? Optimist solving problems?
39:21:900Alessandro Brighente: Good. So what do we have. We have a a time series. Right? So our time series is z, 1 z 2 blah blah.
39:30:870Alessandro Brighente: right? And this is what we observe, we want to extract some information out of these series. What is our goal in the ultimate shopping problem?
39:40:898Alessandro Brighente: The definition is that we need to determine the minimum number and of samples to observe before making our decision right? So we are observing the the the measurements that we get from the sensors. And
39:55:80Alessandro Brighente: we want to decide whether something wrong is going on or not.
39:59:710Alessandro Brighente: Right by yourself in the minimum number of samples, right as low as possible.
40:05:580Alessandro Brighente: So we have 3 hypotheses. The 1st one we denoted as H. 0,
40:12:510Alessandro Brighente: right H. 0 is the number behavior. So it means that there is a no attack or the other report is h 1, right? There's a an attack we just denote them is H. 0 is one traditional visits.
40:26:170Alessandro Brighente: How we do that, how we denote the hypothesis.
40:31:620Alessandro Brighente: So we have this strategy here. Sequential detect detection strategies.
40:39:10Alessandro Brighente: Right? So what is the assumption here that we have a time series that originated either from the known attack situation or the attack hypothesis. Right? It's either these 2 hypothesis, and we want to decide that
40:55:925Alessandro Brighente: on that which a policy with him as product in the minimum amount of time
41:03:551Alessandro Brighente: we change detection instead. What we say is that the sequence originated from the legitimate system. Right? There's nothing wrong with them. And and at a certain point it changed to to the other version. Right? At a certain point the the attacker is in and changes the value that would serve. And we want to detect this change
41:26:120Alessandro Brighente: as soon as possible, right as soon as it happens. Ideally.
41:32:190Alessandro Brighente: Okay. So
41:35:300Alessandro Brighente: I mean, the the 2 strategies are fundamentally different. Right? So in the 1st one we observe them series, it's either one or the other, and we want to select which one that is in the change detection. Instead, we have a change, right? We have the legitimate situation, then the attack situation, and we want to detect right. So, of course, the way in which we design them are, fundamentally different.
42:02:470Alessandro Brighente: So
42:04:580Alessandro Brighente: let's start with the with the sequential detection. So what we do is define the porcel and probability.
42:12:180Alessandro Brighente: So, for Salama is detecting an attack
42:16:490Alessandro Brighente: when there's no attack, right? So we observe our time series, and we deem it as coming from the attacker, whereas it is not.
42:26:302Alessandro Brighente: The second probability that we define is the misdection probability, which is the probability that we do not. So the attack is, you know, there's something wrong with with our system. But we did it as a legitimate right? So we do not.
42:39:800Alessandro Brighente: Ideally, we want to minimize these probabilities right? We don't want to detect attacks when they're not, and we don't want to miss some of the tax.
42:53:180Alessandro Brighente: although this is ideal. What?
42:58:518Alessandro Brighente: What we what we actually have in our system usually is that we need to fix these 2 probabilities. So we we have targets for these probabilities. So we fix the the false alarm and the detection probabilities. And for these targets we want to minimize the number of packets that that we need in order to make a decision between the fault. Right?
43:22:740Alessandro Brighente: Good. So how do we? How do we solve this problem?
43:27:870Alessandro Brighente: So we have an algorithm which is called sequential probability ratio test, right? It's spirit spirit
43:36:764Alessandro Brighente: which is also referred to as threshold on the work. And traditionally this is something that the security papers has been used for the tech port scans worms about nets, right? Something that is more related to traditional
43:52:43Alessandro Brighente: it systems. Right? So this has a long story, right in terms of being used for for detecting attacks. And now we want to use something similar in our setting, which is the industrial control system and the spoofing of the sensor values.
44:12:330Alessandro Brighente: How does this problem look like. Besides the fact that, as usual, marketing was scrambled around the slides.
44:22:560Alessandro Brighente: Okay, so now, we have our observation. Right? Zk, is our observation. And let's say that under hypothesis, Hj, is under H. 0 or h 1 we have a certain probability distribution for which this value occur. Right? So pj, is the probability of serving zk, under hypothesis. Hj.
44:49:540Alessandro Brighente: is this fair, just definition?
44:54:120Alessandro Brighente: Okay, good.
44:56:720Alessandro Brighente: So how can we design our algorithm? So this is what you what you have in here.
45:04:200Alessandro Brighente: Right? So we define these as K values in here, and we update them in time. Right? So K, again is our time index, and we say that S and K plus one is given by the logarithm of the ratio of the probability of serving that value under certain policies.
45:25:680Alessandro Brighente: plus what we observed at the previous time. Instant visa
45:32:120Alessandro Brighente: is what is called the the log likelihood ratio. Right? So again.
45:37:176Alessandro Brighente: In here. What we have is the probability of observing the values. Okay, when we have a positive h 1, right? It comes from from the
45:48:570Alessandro Brighente: how will we define it?
45:50:280Alessandro Brighente: Each one is under the attack. Right?
45:53:460Alessandro Brighente: This is the probability of serving Zk under attack, and this is the probability of serving zk the same value in a situation where we have no attack
46:03:230Alessandro Brighente: right? And then in here we have n, which is the number of packets that we use in order to take our decision, and we want to find the infinite of N such that as N is not within this range in here.
46:20:530Alessandro Brighente: Right? So how what is this range? And how does it help us? Detecting whether we have an attack or not so. We design our decision rule in here. Right? So the N. Tells us that we are under hypothesis h. 1. If Sn is greater or equal than the upper value in here. U,
46:41:690Alessandro Brighente: and he said, we have H. 0. If S. Of N is less or equal than L, which is the lower bound
46:49:550Alessandro Brighente: right? So these 2 upper and lower bounds are given by our decided
46:56:13Alessandro Brighente: probability of false alarms at this detection. Right? So if we say that A is our desired probability of post alarm and B is our design probability of post detection. This is how we can show we can we can design our
47:10:570Alessandro Brighente: boundaries for our decisions.
47:15:530Alessandro Brighente: Why, with him?
47:19:380Alessandro Brighente: No. Why do we care about the long life include ratio? So this deals with a whole theoretical
47:29:721Alessandro Brighente: framework is related to decision theory.
47:33:500Alessandro Brighente: Right? So in particular, what you observe
47:38:630Alessandro Brighente: is that this provides you the
47:43:530Alessandro Brighente: the the best tester you could possibly have. If you design an optimization problem and you check how you can take the best decision possible based on your observation.
47:53:410Alessandro Brighente: You can do no better than that, right? So ideally what we are doing here. These will be the detection framework that you would use for a single observation. Right?
48:07:289Alessandro Brighente: we. Okay. So it means that I have my observation. Just one instance, just one. I
48:14:240Alessandro Brighente: assume that they estimated at a certain point the probability of serving a certain value under the 2 hypothesis. I take the log likelihood ratio this ratio in here, and I compare it with the threshold value. Okay, which is given by again my target probability of a Salami's detection.
48:31:170Alessandro Brighente: And if this ratio is higher than the threshold, I will decide for hypothesis. One. If this ratio is lower than the threshold, we decide for hypothesis. G. 0. And again, there's no way you can do better than this. Okay.
48:45:820Alessandro Brighente: Now, what we're doing here is leveraging the fact that these represents the possible the best possible decision making process for you and updating that in time. Right? So I'm accounting for how these changes over time. You see that they start from sk, that the time 0 is 0 and 0 don't know anything about meeting series, and then I cumulatively sum all of these log likelihood ratios in time
49:15:800Alessandro Brighente: up to the point where I can take this decision. Right? So if you see that why this works right? So I decide for a positive h 1. If Sn is higher than a pressure, it means that historically, the probability t. 1 is higher, the probability it's it's 0, right? So it's more likely that I'm serving. If it says and decided for X 0. It means that the sum of over my n observation is lower.
49:45:700Alessandro Brighente: then an edit. So it means that these are things in here
49:50:110Alessandro Brighente: one. It was higher than you want. Historically, hopefully, it helps me making a decision.
50:06:550Alessandro Brighente: Good. So this is how we can.
50:12:900Alessandro Brighente: So our
50:18:517Alessandro Brighente: so again, this is the 1st approach, right? We are observing the whole time series right and ideally, we want to minimize the number of packets that we use number of observations that we use for for taking our decision here. Instead, we have the change. Detection problem with that, we said, is, is different, right? We know that the change occurred, and we want to realize that as soon as possible. So, given our observation, we want to minimize the time that occurs between the actual change and the moment in which we we realize that such change, of course.
50:48:220Alessandro Brighente: Alright, so we have. Also here. An algorithm, right? It's the cumulative sum which is very similar to the the spirit algorithm that we've seen. Just
51:19:940Alessandro Brighente: because we are using these this function here, what the function is doing. So if we apply that to to a value, a, this function means that it's a good way, if a is greater equal than 0, and it's 0. Otherwise, right? So it's
51:37:380Alessandro Brighente: either the value or 0. And now the stopping time is given by these. This function here is the infim, such that over n. Such that s. Over n. Again, the sum of our likelihood ratio is greater or equal than Tau.
51:53:660Alessandro Brighente: Okay, so now, this, this Tau is the point in time when the change occurred. Right? So that's the point where we realize that something weird is happening. And why should that be the case? Why do we have a formulation like this? Well, again.
52:10:190Alessandro Brighente: you see, how this submission of log likelihood ratio works. Right? So if the probability, p. 1 is greater than P. 0, then our values will be
52:22:66Alessandro Brighente: will be accumulated, accumulate at a certain point there will be higher than a certain value, because it means that our process deviated from what it should look like if you said, P. 0 is
52:38:450Alessandro Brighente: usually higher than they want.
52:41:340Alessandro Brighente: Then you see that? It's not possible for this value to to increase again and again. So what we notice is that besides these positive functioning here
52:53:922Alessandro Brighente: the the custom algorithm, cumulative algorithm is exactly the straight algorithm where we set the L equal to 0 and the upper bound equal to to Tau.
53:04:270Alessandro Brighente: Right? So in this style, again, is a function of our detection. Right? So we we set these values and based on that. We we get the our threshold.
53:20:770Alessandro Brighente: Good. So
53:22:580Alessandro Brighente: all of this is nice from a theoretical point of view. Right? So now, the problem is, how can we compute these these probabilities? The problem is, how do we know the probability of serving a certain value under our hypothesis, right? Maybe we know that for for the situations where we don't have enough time.
53:42:900Alessandro Brighente: how we do, we know the probability for having a certain value under attack.
53:53:740Alessandro Brighente: Good. So if we assume a fixed probability distribution for for our attacker.
54:03:640Alessandro Brighente: somehow, it's not the representative of what the attacker might be doing right. So the attacker might generate random values according to different distributions in time. So no good
54:15:861Alessandro Brighente: so what we do is use ideas from nonparametric statistics. Right? So we do not assume a classical parametric distribution. So a Gaussian distribution with a given mean bias, and it's not something that we do instead.
54:34:770Alessandro Brighente: We we do something different.
54:40:760Alessandro Brighente: Good. So what we can do
54:45:122Alessandro Brighente: so we we need to impose some constraints on our way on our model right? So for sure, we need to make certain design choices, and one of them is to assume that we can compute the expected value of a random process. Right? So this expected value
55:04:389Alessandro Brighente: in the process of IK which generates the sequence lower case at Ik under positive H. 0. And then we can say that the expected value of these
55:18:330Alessandro Brighente: is smaller than 0, whereas these values under positive one is greater than 0. Okay, we make this assumption. We say, if we observe the sequence in the 2 hypotheses. This is how their mean value will behave
55:37:540Alessandro Brighente: so we would like this condition to be true right to hold true in in our model, in what we we use in order to perform our detection. And through this we define this value here, right? So that the ik, which is given by the difference between the value that we observe at the Controller and our predicted values through our model to take the
56:06:620Alessandro Brighente: the distance to house of these values minus a value Bi.
56:14:330Alessandro Brighente: right? So this value behind should be a small positive constant
56:18:830Alessandro Brighente: that satisfies this condition here. Right? So it's something like a bias. And so this is the the bias terms that help us ensuring our conditional truth right? So this expected value should be computed in this way and such that it's lower than 0 under hypothesis 0, right? So when we
56:41:150Alessandro Brighente: will serve our system
56:44:640Alessandro Brighente: good. So how do we we select these value Bi. Well, in this case, we can run experiments. We we can run experiments to to estimate probabilities over what we can actually observe, right? So this is something that happens in our industrial control system, we can run experiment. We can collect data on how these experiments look like.
57:07:350Alessandro Brighente: and how this value look like. And although you do not see them in figure because they've been cut for whatever reason these are the sensor reading that we have from our tensessment control process. Right? So this will should be y 4 y, 5 and y 7, right? So all of them have certain behaviors. Right? They they report some values during the the core control process. And this is what the distribution of their value look like.
57:37:240Alessandro Brighente: right? So we get these these values. And
57:43:60Alessandro Brighente: given that, we have our model, we can compute the this difference in here and the difference between the values actually reported by the sensors and the values estimated by our control process. Right? Without the attack. This is the actual process, and we get the that value in there.
58:02:540Alessandro Brighente: Right? So if we get these values in here, right, we have their distributions, we can compute their expected value. We can set a value for behind right at this point is, kind of straightforward to get the the information that we need from from our model
58:18:670Alessandro Brighente: good. So we we estimate the bi that works under the condition, right, the the legitimate condition when there's not that but given that, it satisfies the requirement that we impose before in here.
58:35:577Alessandro Brighente: This is also going to satisfy visa requirement in here because of the way we change the our observation process that the I is not just a sensory training that we have. But these these
58:49:180Alessandro Brighente: this guy in here accounting for the biaser good, so
59:06:10Alessandro Brighente: not much. I'm not going to do this today.
59:09:50Alessandro Brighente: See you on Friday.
59:17:00Alessandro Brighente: Let me know.