Phase-space detection of cyber events

Jarilyn M. Hernández, Aaron Ferber, Stacy Prowell, Lee Hively

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

Energy Delivery Systems (EDS) are a network of processes that produce, transfer and distribute energy. EDS are increasingly dependent on networked computing assets, as are many Industrial Control Systems. Consequently, cyber-attacks pose a real and pertinent threat, as evidenced by Stuxnet, Shamoon and Dragonfly. Hence, there is a critical need for novel methods to detect, prevent, and mitigate the effects of such attacks. To detect cyber-attacks in EDS, we developed a framework for gathering and analyzing timing data that involves establishing a baseline execution profile and then capturing the effect of perturbations in the state from injecting various malware. The data analysis was based on nonlinear dynamics and graph theory to improve detection of anomalous events in cyber applications. The goal was the extraction of changing dynamics or anomalous activity in the underlying computer system. Takens' theorem in nonlinear dynamics allows reconstruction of topologically invariant, time-delay-embedding states from the computer data in a sufficiently high-dimensional space. The resultant dynamical states were nodes, and the state-to-state transitions were links in a mathematical graph. Alternatively, sequential tabulation of executing instructions provides the nodes with corresponding instruction-to-instruction links. Graph theorems guarantee graph-invariant measures to quantify the dynamical changes in the running applications. Results showed a successful detection of cyber events.
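The abstract describes the pipeline only in outline. The following is an added example, not code from the paper or its authors: a constructed, synthetic timing series is quantized into symbols, time-delay embedded into states (each state is a window of `dim` samples spaced `delay` apart), and the states become nodes of a directed graph whose links are the observed state-to-state transitions. Relabeling-invariant counts (nodes, links, transitions) and the set of links never produced by the baseline are then compared between a baseline run and a run with a burst of slow samples injected. The bin count, embedding parameters, the "novel links" score and the Jaccard distance are this example's choices, not values or measures taken from the paper.

```python
# Added example (not the paper's code): phase-space transition graph of a timing series.
from collections import Counter


def symbolize(series, n_symbols, lo, hi):
    """Map each sample to an integer bin in [0, n_symbols).
    Bin edges come from the baseline (lo, hi); out-of-range values are clamped so a
    perturbed run is scored against the same state alphabet as the baseline."""
    width = (hi - lo) / n_symbols
    out = []
    for x in series:
        if width == 0:
            out.append(0)
            continue
        b = int((x - lo) / width)
        out.append(max(0, min(n_symbols - 1, b)))
    return out


def embed(symbols, dim, delay):
    """Time-delay embedding: state_i = (s_i, s_{i+delay}, ..., s_{i+(dim-1)*delay})."""
    span = (dim - 1) * delay
    return [tuple(symbols[i + k * delay] for k in range(dim))
            for i in range(len(symbols) - span)]


def transition_graph(states):
    """Directed graph as {node: Counter(successor -> transition count)}."""
    graph = {s: Counter() for s in states}
    for a, b in zip(states, states[1:]):
        graph[a][b] += 1
    return graph


def links(graph):
    """Set of (source, target) links present in the graph."""
    return {(a, b) for a, succ in graph.items() for b in succ}


def graph_measures(graph):
    """Summary counts that do not depend on how nodes are labelled."""
    n_nodes = len(graph)
    n_links = len(links(graph))
    n_transitions = sum(sum(c.values()) for c in graph.values())
    return {"nodes": n_nodes, "links": n_links, "transitions": n_transitions,
            "mean_out_degree": n_links / n_nodes if n_nodes else 0.0}


def novel_links(baseline_graph, test_graph):
    """Transitions seen in the test run that the baseline never produced."""
    return links(test_graph) - links(baseline_graph)


def jaccard_distance(g1, g2):
    """1 - |L1 ∩ L2| / |L1 ∪ L2| over the two link sets (0 = identical graphs)."""
    l1, l2 = links(g1), links(g2)
    union = l1 | l2
    return (1.0 - len(l1 & l2) / len(union)) if union else 0.0


def build(series, lo, hi, n_symbols=4, dim=2, delay=1):
    return transition_graph(embed(symbolize(series, n_symbols, lo, hi), dim, delay))


# Constructed sample input: a periodic timing pattern (baseline) and the same
# pattern with a burst of slow samples injected in the middle (perturbed).
BASELINE = [10, 12, 11, 13] * 10
PERTURBED = [10, 12, 11, 13] * 5 + [13, 13, 13, 13] + [10, 12, 11, 13] * 5


def compare(baseline=BASELINE, test=PERTURBED):
    """Build both graphs with bins fixed by the baseline and report the differences."""
    lo, hi = min(baseline), max(baseline)
    g_base = build(baseline, lo, hi)
    g_test = build(test, lo, hi)
    return {
        "baseline": graph_measures(g_base),
        "test": graph_measures(g_test),
        "novel_links": sorted(novel_links(g_base, g_test)),
        "distance": jaccard_distance(g_base, g_test),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

With these inputs the baseline graph is a 4-node cycle (4 links), while the perturbed run adds a fifth state and three links that the baseline never produced; in a deployment those novel links, or a rising link-set distance, are the signal a detector would alert on. Note that the bin edges are fixed from the baseline on purpose: recomputing them per run would silently re-map the state alphabet and hide exactly the drift being looked for.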

Original language: English
Title of host publication: Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450333450
DOIs
State: Published - Apr 7 2015
Event: 10th Annual Cyber and Information Security Research Conference, CISRC 2015 - Oak Ridge, United States
Duration: Apr 6 2015 - Apr 8 2015

Publication series

Name: ACM International Conference Proceeding Series
Volume: 06-08-April-2015

Conference

Conference: 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Country/Territory: United States
City: Oak Ridge
Period: 04/6/15 - 04/8/15

Funding

This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

Keywords

  • Cyber anomaly detection
  • Cyber-attacks
  • Energy Delivery Systems
  • Graph theory
  • Malware
  • Phase-space analysis
  • Rootkits
