ARTINALI++: Multi-dimensional Specification Mining for Complex Cyber-Physical System Security

Abstract

Cyber-Physical Systems (CPSes) have been investigated as a key area of research since they are the core of Internet of Things. CPSs integrate computing and communication with control and monitoring of entities in the physical world. Due to the tight coupling of cyber and physical domains, and to the possible catastrophic consequences of the malicious attacks on critical infrastructures, security is one of the key concerns. However, the exponential growth of IoT has led to deployment of CPSes without support for enforcing important security properties. Specification-based Intrusion Detection Systems (IDS) have been shown to be effective for securing these systems. Mining the specifications of CPSes by experts is a cumbersome and error-prone task. Therefore, it is essential to dynamically monitor the CPS to learn its common behaviors and formulate specifications for detecting malicious bugs and security attacks. Existing solutions for specification mining only combine data and events, but not time. However, time is a semantic property in CPS systems, and hence incorporating time in addition to data and events, is essential for obtaining high accuracy.This paper proposes ARTINALI++, which dynamically mines specifications in CPS systems with arbitrary size and complexity. ARTINALI++ captures the security properties by incorporating time as a substantial property of the system, and generate a multi-dimensional model for the general CPS systems. Moreover, it enhances the model through discovering invariants that represent the physical motions and distinct operational modes in complex CPS systems. We build Intrusion Detection Systems based on ARTINALI++ for three CPSes with various levels of complexity including smart meter, smart artificial pancreas and unmanned aerial vehicle, and measure their detection accuracy. We find that the ARTINALI++ significantly reduces the ratio of false positives and false negatives by 23.45% and 73.6% on average, respectively, over other dynamic specification mining tools on the three CPS platforms.