dc.contributor.advisor: Cardenas, Alvaro A
dc.creator: Urbina Fuentes, David Ignacio
dc.date.accessioned: 2017-01-24T16:07:33Z
dc.date.available: 2017-01-24T16:07:33Z
dc.date.created: 2016-12
dc.date.issued: 2016-12
dc.date.submitted: December 2016
dc.identifier.uri: http://hdl.handle.net/10735.1/5218
dc.description.abstract: In the past couple of years we have seen an emerging field of research focusing on using the intrinsic physical properties of an Industrial Control System process for anomaly detection; however, these efforts have been mostly disconnected, finding little common ground with each other to create a foundation from which other researchers can build improvements. In this dissertation, we review previous work based on a unified taxonomy that allows us to identify limitations, unexplored challenges, and new solutions. In particular, we propose a new adversary model and a way to compare previous work with a new evaluation metric based on the trade-off between false alarms and the negative impact of undetected attacks, which defines the worst-case adversary model for detection mechanisms based on models of the physical world. We use the metric to compare design choices for detecting anomalies, and design choices for modeling the "physics" of the system. We also show the advantages and disadvantages of three experimental scenarios to test the performance of attacks and defenses: real-world network data captured from a large-scale operational facility, a fully functional testbed that can be used operationally for water treatment, a simulation of a chemical process, and a simulation of frequency control in the power grid. We also discuss practical attacks applied to a room-sized water treatment testbed. We implement scenarios in which the attacker manipulates or replaces sensor data as reported from the field devices to the control components. As a result, the attacker can change the system state vector as perceived by the controls, which will cause incorrect control decisions and potentially catastrophic failures. We discuss practical challenges in setting up Man-in-the-Middle attacks on the Field Communications Network of Industrial Control Systems, and how the attacker can overcome them.
Finally, we analyze the problem of security monitor placement in industrial control networks, and show that there are locations from which low-level attacks can be detected. Based on our analysis, we design a novel low-level security monitor that is able to directly observe the Field Communications Networks.
dc.format.mimetype: application/pdf
dc.language.iso: en
dc.rights: Copyright ©2016 is held by the author. Digital access to this material is made possible by the Eugene McDermott Library. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
dc.subject: Anomaly detection (Computer security)
dc.subject: Intrusion detection systems (Computer security)
dc.subject: Computer networks--Security measures
dc.subject: Control systems
dc.title: Deep Packet Inspection for Physics-Based Anomaly Detection in Industrial Control Systems
dc.type: Dissertation
dc.date.updated: 2017-01-24T16:07:33Z
dc.type.material: text
thesis.degree.grantor: University of Texas at Dallas
thesis.degree.department: Software Engineering
thesis.degree.level: Doctoral
thesis.degree.name: PHD
dc.creator.orcid: 0000-0001-6616-7119