NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems

Chuadhry Mujeeb Ahmed; Martin  Ochoa; Jianying   Zhou; Rizwan  Qadeer; C.G. Murguia Rendon; Justin Ruths

doi:10.1145/3196494.3196532

NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems

Chuadhry Mujeeb Ahmed, Martin Ochoa, Jianying Zhou, Rizwan Qadeer, C.G. Murguia Rendon, Justin Ruths

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

64 Citations (Scopus)

Abstract

An attack detection scheme is proposed to detect data integrity attacks on sensors in Cyber-Physical Systems (CPSs). A combined fingerprint for sensor and process noise is created during the normal operation of the system. Under sensor spoofing attack, noise pattern deviates from the fingerprinted pattern enabling the proposed scheme to detect attacks. To extract the noise (difference between expected and observed value) a representative model of the system is derived. A Kalman filter is used for the purpose of state estimation. By subtracting the state estimates from the real system states, a residual vector is obtained. It is shown that in steady state the residual vector is a function of process and sensor noise. A set of time domain and frequency domain features is extracted from the residual vector. Feature set is provided to a machine learning algorithm to identify the sensor and process. Experiments are performed on two testbeds, a real-world water treatment (SWaT) facility and a water distribution (WADI) testbed. A class of zero-alarm attacks, designed for statistical detectors on SWaT are detected by the proposed scheme. It is shown that a multitude of sensors can be uniquely identified with accuracy higher than 90% based on the noise fingerprint.

Original language	English
Title of host publication	ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
Place of Publication	New York
Publisher	Association for Computing Machinery, Inc.
Pages	483–497
Number of pages	15
ISBN (Electronic)	9781450355766
DOIs	https://doi.org/10.1145/3196494.3196532
Publication status	Published - 29 May 2018
Externally published	Yes
Event	ASIACCS '18: Asia Conference on Computer and Communications Security - Songdo, Korea, Republic of Duration: 4 Jun 2018 → 8 Jun 2018

Conference

Conference	ASIACCS '18: Asia Conference on Computer and Communications Security
Country/Territory	Korea, Republic of
City	Songdo
Period	4/06/18 → 8/06/18

Keywords

Actuators
CPS/ICS Security
Cyber Physical Systems
Device Fingerprinting
Physical Attacks
Security
Sensors

Access to Document

10.1145/3196494.3196532

Cite this

Ahmed, C. M., Ochoa, M., Zhou, J., Qadeer, R., Murguia Rendon, C. G., & Ruths, J. (2018). NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems. In ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security (pp. 483–497). Association for Computing Machinery, Inc.. https://doi.org/10.1145/3196494.3196532

@inproceedings{d41484a3767b44cda1cbf223a5d15a57,

title = "NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems",

abstract = "An attack detection scheme is proposed to detect data integrity attacks on sensors in Cyber-Physical Systems (CPSs). A combined fingerprint for sensor and process noise is created during the normal operation of the system. Under sensor spoofing attack, noise pattern deviates from the fingerprinted pattern enabling the proposed scheme to detect attacks. To extract the noise (difference between expected and observed value) a representative model of the system is derived. A Kalman filter is used for the purpose of state estimation. By subtracting the state estimates from the real system states, a residual vector is obtained. It is shown that in steady state the residual vector is a function of process and sensor noise. A set of time domain and frequency domain features is extracted from the residual vector. Feature set is provided to a machine learning algorithm to identify the sensor and process. Experiments are performed on two testbeds, a real-world water treatment (SWaT) facility and a water distribution (WADI) testbed. A class of zero-alarm attacks, designed for statistical detectors on SWaT are detected by the proposed scheme. It is shown that a multitude of sensors can be uniquely identified with accuracy higher than 90% based on the noise fingerprint.",

keywords = "Actuators, CPS/ICS Security, Cyber Physical Systems, Device Fingerprinting, Physical Attacks, Security, Sensors",

author = "Ahmed, {Chuadhry Mujeeb} and Martin Ochoa and Jianying Zhou and Rizwan Qadeer and {Murguia Rendon}, C.G. and Justin Ruths",

year = "2018",

month = may,

day = "29",

doi = "10.1145/3196494.3196532",

language = "English",

pages = "483–497",

booktitle = "ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc.",

address = "United States",

note = "ASIACCS '18: Asia Conference on Computer and Communications Security ; Conference date: 04-06-2018 Through 08-06-2018",

}

Ahmed, CM, Ochoa, M, Zhou, J, Qadeer, R, Murguia Rendon, CG & Ruths, J 2018, NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems. in ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc., New York, pp. 483–497, ASIACCS '18: Asia Conference on Computer and Communications Security, Songdo, Korea, Republic of, 4/06/18. https://doi.org/10.1145/3196494.3196532

NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems. / Ahmed, Chuadhry Mujeeb; Ochoa, Martin ; Zhou, Jianying et al.
ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. New York: Association for Computing Machinery, Inc., 2018. p. 483–497.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - NoisePrint

T2 - ASIACCS '18: Asia Conference on Computer and Communications Security

AU - Ahmed, Chuadhry Mujeeb

AU - Ochoa, Martin

AU - Zhou, Jianying

AU - Qadeer, Rizwan

AU - Murguia Rendon, C.G.

AU - Ruths, Justin

PY - 2018/5/29

Y1 - 2018/5/29

N2 - An attack detection scheme is proposed to detect data integrity attacks on sensors in Cyber-Physical Systems (CPSs). A combined fingerprint for sensor and process noise is created during the normal operation of the system. Under sensor spoofing attack, noise pattern deviates from the fingerprinted pattern enabling the proposed scheme to detect attacks. To extract the noise (difference between expected and observed value) a representative model of the system is derived. A Kalman filter is used for the purpose of state estimation. By subtracting the state estimates from the real system states, a residual vector is obtained. It is shown that in steady state the residual vector is a function of process and sensor noise. A set of time domain and frequency domain features is extracted from the residual vector. Feature set is provided to a machine learning algorithm to identify the sensor and process. Experiments are performed on two testbeds, a real-world water treatment (SWaT) facility and a water distribution (WADI) testbed. A class of zero-alarm attacks, designed for statistical detectors on SWaT are detected by the proposed scheme. It is shown that a multitude of sensors can be uniquely identified with accuracy higher than 90% based on the noise fingerprint.

AB - An attack detection scheme is proposed to detect data integrity attacks on sensors in Cyber-Physical Systems (CPSs). A combined fingerprint for sensor and process noise is created during the normal operation of the system. Under sensor spoofing attack, noise pattern deviates from the fingerprinted pattern enabling the proposed scheme to detect attacks. To extract the noise (difference between expected and observed value) a representative model of the system is derived. A Kalman filter is used for the purpose of state estimation. By subtracting the state estimates from the real system states, a residual vector is obtained. It is shown that in steady state the residual vector is a function of process and sensor noise. A set of time domain and frequency domain features is extracted from the residual vector. Feature set is provided to a machine learning algorithm to identify the sensor and process. Experiments are performed on two testbeds, a real-world water treatment (SWaT) facility and a water distribution (WADI) testbed. A class of zero-alarm attacks, designed for statistical detectors on SWaT are detected by the proposed scheme. It is shown that a multitude of sensors can be uniquely identified with accuracy higher than 90% based on the noise fingerprint.

KW - Actuators

KW - CPS/ICS Security

KW - Cyber Physical Systems

KW - Device Fingerprinting

KW - Physical Attacks

KW - Security

KW - Sensors

UR - http://www.scopus.com/inward/record.url?scp=85049213203&partnerID=8YFLogxK

U2 - 10.1145/3196494.3196532

DO - 10.1145/3196494.3196532

M3 - Conference contribution

SP - 483

EP - 497

BT - ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc.

CY - New York

Y2 - 4 June 2018 through 8 June 2018

ER -

NoisePrint: attack detection using sensor and process noise fingerprint in cyber physical systems

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this