Abstract

In the analysis of coordinated network attacks on the electric power cyber-physical system (CPS), it is difficult to restore the complete attack path, and the intent of the attack cannot be identified automatically. A method is therefore proposed for extracting patterns of coordinated network attacks on the electric power CPS based on temporal-topological correlation. First, the attack events are aggregated according to the alarm log of the cyber space, and a temporal-causal Bayesian network-based cyber attack recognition algorithm is proposed to parse out the cyber attack sequences of the same attacker. Then, according to the characteristic curves of different attack measurement data in physical space, a combined physical attack event criteria algorithm is designed to distinguish the types of physical attack events. Finally, physical attack events and cyber attack sequences are matched via temporal-topological correlation, frequent patterns of attack sequences are extracted, and hidden multi-step attack patterns are found from scattered grid measurement data and from alarm log information. The effectiveness and efficiency of the proposed method are verified on the testbed at Mississippi State University.
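The three stages the abstract describes (per-attacker aggregation of cyber alarms, matching of physical events to cyber sequences by time window and topology, and frequent-pattern extraction) can be illustrated with a small worked example. The code below is an added illustration and is not the paper's algorithm: it replaces the temporal-causal Bayesian network with a simple inter-alarm time gap, and the alarm lines, physical events, host-to-component topology map and thresholds are all constructed for the example.

```python
"""Illustrative temporal-topological correlation of cyber alarms with
physical events, followed by frequent-pattern extraction.

Added example, not the paper's method. The alarm log, physical events,
topology map, gap and window thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed alarm log: (timestamp, attacker source, target host, alarm type)
ALARMS = [
    ("2024-01-01 10:00:05", "10.0.0.9", "hmi-1", "port_scan"),
    ("2024-01-01 10:02:10", "10.0.0.9", "hmi-1", "brute_force_login"),
    ("2024-01-01 10:04:30", "10.0.0.9", "rtu-3", "unauthorized_write"),
    ("2024-01-01 10:20:00", "10.0.0.7", "hmi-2", "port_scan"),
    ("2024-01-01 10:21:15", "10.0.0.7", "rtu-5", "unauthorized_write"),
    ("2024-01-01 11:00:00", "10.0.0.9", "hmi-1", "port_scan"),  # isolated, no physical effect
]

# Constructed physical events derived from measurement data: (timestamp, component, type)
PHYSICAL = [
    ("2024-01-01 10:05:02", "breaker-3", "breaker_trip"),
    ("2024-01-01 10:21:40", "breaker-5", "breaker_trip"),
]

# Constructed topology: physical components each cyber host can act on
TOPOLOGY = {"rtu-3": {"breaker-3"}, "rtu-5": {"breaker-5"}, "hmi-1": set(), "hmi-2": set()}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def group_by_attacker(alarms, gap=timedelta(minutes=10)):
    """Stage 1 (simplified): aggregate alarms into per-attacker sequences,
    starting a new sequence when two alarms from the same source are
    separated by more than `gap`."""
    by_src = defaultdict(list)
    for ts, src, dst, kind in sorted(alarms):
        by_src[src].append((parse(ts), dst, kind))
    sequences = []
    for src, events in by_src.items():
        current = [events[0]]
        for ev in events[1:]:
            if ev[0] - current[-1][0] > gap:
                sequences.append((src, current))
                current = []
            current.append(ev)
        sequences.append((src, current))
    return sequences


def match_physical(sequences, physical, topology, window=timedelta(minutes=5)):
    """Stage 3a: a physical event is attributed to a cyber sequence when some
    step of that sequence targeted a host that can reach the affected
    component (topological link) and the event follows the step within
    `window` (temporal link). Returns (attacker, full attack path)."""
    matches = []
    for pts, comp, ptype in physical:
        pt = parse(pts)
        for src, seq in sequences:
            for t, dst, kind in seq:
                if t <= pt <= t + window and comp in topology.get(dst, set()):
                    matches.append((src, [k for _, _, k in seq] + [ptype]))
                    break
    return matches


def frequent_patterns(matches, min_support=2, min_len=2):
    """Stage 3b: count contiguous sub-sequences of the matched attack paths
    and keep those that recur in at least `min_support` paths."""
    counts = Counter()
    for _, path in matches:
        seen = set()
        for n in range(min_len, len(path) + 1):
            for i in range(len(path) - n + 1):
                seen.add(tuple(path[i:i + n]))
        counts.update(seen)
    return {p: c for p, c in counts.items() if c >= min_support}


def extract_attack_patterns(alarms=ALARMS, physical=PHYSICAL, topology=TOPOLOGY):
    """Run the three stages end to end over the constructed data."""
    return frequent_patterns(match_physical(group_by_attacker(alarms), physical, topology))


if __name__ == "__main__":
    for src, path in match_physical(group_by_attacker(ALARMS), PHYSICAL, TOPOLOGY):
        print(src, " -> ".join(path))
    print(extract_attack_patterns())
```

On the constructed data the isolated 11:00 scan is split off into its own sequence and never matched to a physical event, both breaker trips are attributed to the `unauthorized_write` step that reached the corresponding RTU, and the only pattern that recurs across both restored paths is `unauthorized_write -> breaker_trip`, which is the kind of cyber-to-physical step the method aims to surface from otherwise scattered logs and measurements.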

Highlights

  • The ‘‘Ukrainian Blackout’’ in 2015, a landmark event in history in which a cyber attack was made on a power grid, fully confirms that a cyber attack could cripple essential public systems

  • This paper proposes a new method for the automatic mining of attack patterns from measurement data and information alarm logs, based on the characteristics of coordinated network attacks that occur in physical space and cyber space and on the temporal and topological correlation between each attack step

  • The proposed method can restore the complete attack path of the attacker and identify the key cyber and physical components that are vulnerable in the electric power cyber-physical system (CPS) network


Summary

Introduction

The ‘‘Ukrainian Blackout’’ in 2015, a landmark event in history in which a cyber attack was made on a power grid, fully confirms that a cyber attack could cripple essential public systems. The SANS ICS information security organization has clearly stated that the cause of the incident was a coordinated network attack [1]. Traditional information security technology does not consider the intrusion process of the physical system, and it is difficult to effectively identify potential physical attack behavior [4]. Because cyber and physical attacks are combined, the existing protection methods, such as intrusion detection systems (IDS), firewalls, and abnormal data detection, lack effective correlation capabilities and cannot identify multi-step coordinated network attacks [5]. There is an urgent need to study how to extract hidden multi-step attack patterns that reveal the complete process of intrusion behavior by integrating physical grid operation information with cyber system alarm information.

