skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Attention:

The NSF Public Access Repository (PAR) system and access will be unavailable from 11:00 PM ET on Thursday, April 16 until 2:00 AM ET on Friday, April 17 due to maintenance. We apologize for the inconvenience.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Power-Grid Controller Anomaly Detection with Enhanced Temporal Deep Learning
Controllers of security-critical cyber-physical systems, like the power grid, are a very important class of computer systems. Attacks against the control code of a power-grid system, especially zero-day attacks, can be catastrophic. Earlier detection of the anomalies can prevent further damage. However, detecting zero-day attacks is extremely challenging because they have no known code and have unknown behavior. Furthermore, if data collected from the controller is transferred to a server through networks for analysis and detection of anomalous behavior, this creates a very large attack surface and also delays detection. In order to address this problem, we propose Reconstruction Error Distribution (RED) of Hardware Performance Counters (HPCs), and a data-driven defense system based on it. Specifically, we first train a temporal deep learning model, using only normal HPC readings from legitimate processes that run daily in these power-grid systems, to model the normal behavior of the power-grid controller. Then, we run this model using real-time data from commonly available HPCs. We use the proposed RED to enhance the temporal deep learning detection of anomalous behavior, by estimating distribution deviations from the normal behavior with an effective statistical test. Experimental results on a real power-grid controller show that we can detect anomalous behavior with high accuracy (>99.9%), nearly zero false positives and short (<360ms) latency.  more » « less
Award ID(s):
1814190
PAR ID:
10207983
Author(s) / Creator(s):
; ; ; ;
Date Published:
Journal Name:
18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom)
Page Range / eLocation ID:
160 to 167
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. (, arXiv Computer Science Cryptography and Security)
    In cloud computing, it is desirable if suspicious activities can be detected by automatic anomaly detection systems. Although anomaly detection has been investigated in the past, it remains unsolved in cloud computing. Challenges are: characterizing the normal behavior of a cloud server, distinguishing between benign and malicious anomalies (attacks), and preventing alert fatigue due to false alarms. We propose CloudShield, a practical and generalizable real-time anomaly and attack detection system for cloud computing. Cloudshield uses a general, pretrained deep learning model with different cloud workloads, to predict the normal behavior and provide real-time and continuous detection by examining the model reconstruction error distributions. Once an anomaly is detected, to reduce alert fatigue, CloudShield automatically distinguishes between benign programs, known attacks, and zero-day attacks, by examining the prediction error distributions. We evaluate the proposed CloudShield on representative cloud benchmarks. Our evaluation shows that CloudShield, using model pretraining, can apply to a wide scope of cloud workloads. Especially, we observe that CloudShield can detect the recently proposed speculative execution attacks, e.g., Spectre and Meltdown attacks, in milliseconds. Furthermore, we show that CloudShield accurately differentiates and prioritizes known attacks, and potential zero-day attacks, from benign programs. Thus, it significantly reduces false alarms by up to 99.0%. 
    more » « less
  2. ; ; (, IEEE Open Journal of the Communications Society)
    SATCOM is crucial for tactical networks, particularly submarines with sporadic communi- cation requirements. Emerging SATCOM technologies, such as low-earth-orbit (LEO) satellite networks, provide lower latency, greater data reliability, and higher throughput than long-distance geostationary (GEO) satellites. Software-defined networking (SDN) has been introduced to SATCOM networks due to its ability to enhance management while strengthening network control and security. In our previous work, we proposed a SD-LEO constellation for naval submarine communication networks, as well as an extreme gradient boosting (XGBoost) machine-learning (ML) approach for classifying denial-of-service attacks against the constellation. Nevertheless, zero-day attacks have the potential to cause major damage to the SATCOM network, particularly the controller architecture, due to the scarcity of data for training and testing ML models due to their novelty. This study tackles this challenge by employing a predictive queuing analysis of the SD-SATCOM controller design to rapidly generate ML training data for zero- day attack detection. In addition, we redesign our singular controller architecture to a decentralized controller architecture to eliminate singular points of failure. To our knowledge, no prior research has investigated using queuing analysis to predict SD-SATCOM controller architecture network performance for ML training to prevent zero-day attacks. Our queuing analysis accelerates the training of ML models and enhances data adaptability, enabling network operators to defend against zero-day attacks without precollected data. We utilized the CatBoost algorithm to train a multi-output regression model to predict network performance statistics. Our method successfully identified and classified normal, non-attack samples and zero-day cyberattacks with over 94% accuracy, precision, recall, and f1-scores. 
    more » « less
  3. ; ; (, IEEE)
    Cyber-attacks on microgrid systems, especially data manipulation attacks such as replay attack and Denial-of-Service (DoS), causes communication delay and unstable responses. Even though control strategies such as Consensus Control (CC) are able to coordinate electric current and voltage flow, they are at risk of malicious attacks. Communication delay leads to undetected changes in line current, and voltage leads to incorrect responses from the consensus controller, which overloads the microgrid in milliseconds. To address these challenges, this paper presents an Observer System (OS) based Dynamic Watermark (DW) detection model that detects delay-induced cyber-attacks during steady states and load fluctuations. We have developed a Grid-Specific Dynamic Watermarking (GSDW) signal that enhances real-time detection capabilities, resulting in a real-time non-zero residual showing cyber attack dynamics in the proposed observer system. Our detailed case study demonstrates real-time attack detection and prevention, ensuring the stability and integrity of Microgrid (MG) systems under challenging cyber threat conditions. Comprehensive simulations and validation demonstrate the practicality and efficacy of our approach in mitigating risks posed by delay-induced cyber attacks in MG systems. 
    more » « less
  4. ; ; (, 2024 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS))
    Zero-day vulnerabilities pose a significant challenge to robot cyber-physical systems (CPS). Attackers can exploit software vulnerabilities in widely-used robotics software, such as the Robot Operating System (ROS), to manipulate robot behavior, compromising both safety and operational effectiveness. The hidden nature of these vulnerabilities requires strong defense mechanisms to guarantee the safety and dependability of robotic systems. In this paper, we introduce ROBOCOP, a cyber-physical attack detection framework designed to protect robots from zero-day threats. ROBOCOP leverages static software features in the pre-execution analysis along with runtime state monitoring to identify attack patterns and deviations that signal attacks, thus ensuring the robot’s operational integrity. We evaluated ROBOCOP on the F1-tenth autonomous car platform. It achieves a 93% detection accuracy against a variety of zero-day attacks targeting sensors, actuators, and controller logic. Importantly, in on-robot deployments, it identifies attacks in less than 7 seconds with a 12% computational overhead. 
    more » « less
  5. ; ; ; ; ; ; (, IOS Press)
    Detection of cyber-attacks in power systems is crucial for rapid corrective actions like isolation, disinfection and asset restoration. For real-time deployment, detection methods must not only be accurate and computationally efficient, but also interpretable for further action. While physics models can reliably detect cyber-attacks, diagnosing where and how assets were attacked is computationally demanding. To supplement detection models, we propose Physics-Assisted Statistics for Anomaly Localization (PASAL), a domain-informed data-driven method that directly identifies anomalous devices. PASAL leverages domain knowledge of the grid topology and incorporates correlation and variance statistics to model inter-sensor causal relationships. Consequently, PASAL offers inherent interpretability and computational efficiency. Our study demonstrates that PASAL swiftly localizes data integrity attacks with minimal false positives and has the potential to identify the type of attack. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Text Encoded Conversion
  • XML
  • Save / Share this Record
  • Send to Email