Behavior Rule Specification-based Intrusion Detection for Safety Critical Medical Cyber Physical Systems
Abstract:
We propose and analyze a behavior-rule specification-based technique for
intrusion detection of medical devices embedded in a medical cyber physical
system (MCPS) in which the patient’s safety is of the utmost importance. We
propose a methodology to transform behavior rules to a state machine, so that a
device that is being monitored for its behavior can easily be checked against
the transformed state machine for deviation from its behavior specification.
Using vital sign monitor medical devices as an example, we demonstrate that our
intrusion detection technique can effectively trade false positives off for a
high detection probability to cope with more sophisticated and hidden attackers
to support ultra safe and secure MCPS applications. Moreover, through a
comparative analysis, we demonstrate that our behavior-rule specification based
IDS technique outperforms two existing anomaly-based techniques for detecting
abnormal patient behaviors in pervasive healthcare applications.
Algorithm:
IDS techniques:
We demonstrate that our behavior-rule specification based IDS technique
outperforms two existing anomaly-based techniques for detecting abnormal
patient behaviors in pervasive healthcare applications.
Anomaly-based techniques using statistical analysis come in two forms: one
studies user sessions (to detect live intruders), and the other studies the
runtime behavior of programs (to detect malicious code). We propose
semi-supervised anomaly-based IDS targeted for assisted living environments.
Their design is behavior-based and audits series of events which they call
episodes. The authors’ events are 3-tuples comprising sensor ID, start time and
duration.
Key points:
1. live intruders
2. runtime behavior
3. living environments
Existing System:
Existing work only considered specification-based state machines for intrusion
detection of misbehaving patterns in communication protocols. Earlier
approaches also did not avoid trust-based techniques, and so incurred delay
from trust aggregation and propagation that keeps them from reacting promptly
to malicious behaviors in safety critical MCPSs.
Proposed System:
We propose a methodology to transform behavior rules to a state machine, so
that a device that is being monitored for its behavior can easily be checked
against the transformed state machine for deviation from its behavior
specification. We also investigate the impact of attacker behaviors on the
effectiveness of MCPS intrusion detection. We demonstrate that our
specification based IDS technique can effectively trade higher false positives
off for lower false negatives to cope with more sophisticated and hidden
attackers. We show results for a range of configurations to illustrate this
trade. Because the key motivation in MCPS is safety, our solution is deployed
in a configuration yielding a high detection rate without compromising the
false positive probability. Our approach is monitoring-based, relying on the
use of peer devices to monitor and measure the compliance degree of a trustee
device connected to the monitoring node by the CPS network. The rules comparing
monitor and trustee physiology (blood pressure, oxygen saturation, pulse,
respiration and temperature) exceed the protection possible by considering
devices in isolation.
System architecture

Modules:
The system is proposed to have the following modules along with functional requirements.
- Threat Model
- Attacker Archetypes
- Behavior Rules
- Intrusion detection system
1. Threat Model
We focus on defeating inside
attackers that violate the integrity of the MCPS with the objective to disable
the MCPS functionality. Our design is also effective against attacks such as
subtle manipulations that change medical doses slightly to cause long term harm
to patients or medical or billing record exfiltrations which violate privacy.
There are two distinct stages in an attack: before a node is compromised and
after a node is compromised. Before a node is compromised, the adversary
focuses on the tactical goal of achieving a foothold on the target system.
2. Attacker Archetypes
We differentiate three attacker archetypes: reckless, random and opportunistic.
A reckless attacker performs attacks whenever it has a chance, to impair the
MCPS functionality as soon as possible. A random attacker, on the other hand,
performs attacks only randomly to avoid detection. It is thus insidious and
hidden with the objective to cripple the MCPS functionality. We model the
attacker behavior by a random attack probability pa. When pa = 1 the attacker
is a reckless adversary. Random attacks are typically implemented with on-off
attacks in real-world scenarios, so pa is not a random variable drawn from the
uniform distribution U(0, 1) but rather a probability that a malicious node is
performing attacks at any time with this on-off attack behavior. An
opportunistic attacker is the third archetype. An opportunistic attacker
exploits ambient noise modeled by perr (probability of mis-monitoring) to
perform attacks.
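The effect of pa and perr on detection can be worked through numerically. The following is an added example, not code from the paper or this page: it assumes independent observations (a binomial model chosen here for simplicity), a hypothetical minimum-compliance threshold, and covers only the reckless and random archetypes.

```python
from math import comb

def p_observed_bad(pa: float, perr: float) -> float:
    """Probability that one observation of a node lands in an unsafe state.
    An attack (probability pa) is seen unless mis-monitored; good behavior
    (probability 1 - pa) is flagged only when mis-monitored (perr)."""
    return pa * (1 - perr) + (1 - pa) * perr

def p_flagged(p_bad: float, n: int, min_compliance: float) -> float:
    """P(compliance degree over n observations < min_compliance).
    Assumption: observations are independent, so the count is binomial."""
    total = 0.0
    for bad in range(n + 1):
        if (n - bad) / n < min_compliance:
            total += comb(n, bad) * p_bad**bad * (1 - p_bad)**(n - bad)
    return total

def false_positive(perr: float, n: int, min_compliance: float) -> float:
    """A well-behaved node (pa = 0) is flagged only through mis-monitoring."""
    return p_flagged(p_observed_bad(0.0, perr), n, min_compliance)

def false_negative(pa: float, perr: float, n: int, min_compliance: float) -> float:
    """A malicious node attacking with probability pa escapes detection."""
    return 1.0 - p_flagged(p_observed_bad(pa, perr), n, min_compliance)

def sweep(pa: float, perr: float, n: int, thresholds):
    """(threshold, false negative, false positive) for each threshold."""
    return [(ct, false_negative(pa, perr, n, ct), false_positive(perr, n, ct))
            for ct in thresholds]

if __name__ == "__main__":
    # Constructed parameters: random attacker pa = 0.2, perr = 0.05, n = 20.
    for ct, fn, fp in sweep(0.2, 0.05, 20, (0.80, 0.90, 0.95)):
        print(f"min compliance {ct:.2f}: FN={fn:.3f} FP={fp:.3f}")
```

Raising the threshold lowers the false negative probability for the hidden (low pa) attacker at the cost of more false positives, which is the trade described for the proposed system.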
3. Behavior Rules
Behavior rules for a device are specified during the design and testing phase
of an MCPS. Our intrusion detection protocol takes a set of behavior rules for
a device as input and detects if a device’s behavior deviates from the expected
behavior specified by the set of behavior rules. Since the intrusion detection
activity is performed in the background, it allows behavior rules to be changed
if incomplete or imprecise specifications are discovered during the operational
phase without disrupting the MCPS operation. Our IDS design for the reference
MCPS model relies on the use of lightweight specification-based behavior rules
for each sensor or actuator medical device.
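A sketch of how behavior rules for a vital sign monitor can be turned into a state machine and checked by a peer monitor, as described here and under Proposed System. This is an added example, not the paper's rule set or code: the tolerances, the 0.9 threshold and all names are hypothetical.

```python
from dataclasses import dataclass

VITALS = ("systolic_bp", "spo2", "pulse", "respiration", "temperature")
# Hypothetical tolerances: largest monitor/trustee disagreement a rule accepts.
TOLERANCE = {"systolic_bp": 10.0, "spo2": 3.0, "pulse": 8.0,
             "respiration": 4.0, "temperature": 0.5}

@dataclass(frozen=True)
class Reading:
    systolic_bp: float
    spo2: float
    pulse: float
    respiration: float
    temperature: float

def state_of(monitor: Reading, trustee: Reading) -> tuple:
    """Map one observation to a state: one boolean per behavior rule
    (True = rule violated). The all-False state is the only safe state."""
    return tuple(abs(getattr(monitor, v) - getattr(trustee, v)) > TOLERANCE[v]
                 for v in VITALS)

def violated_rules(state: tuple) -> list:
    return [v for v, bad in zip(VITALS, state) if bad]

def compliance_degree(observations) -> float:
    """Fraction of observations in which the trustee was in the safe state."""
    safe = sum(not any(state_of(m, t)) for m, t in observations)
    return safe / len(observations)

def is_compromised(observations, min_compliance: float = 0.9) -> bool:
    """Flag the trustee when its compliance degree falls below the threshold."""
    return compliance_degree(observations) < min_compliance

# Constructed sample: the peer monitor's own readings paired with the trustee's.
PEER = Reading(120, 98, 72, 16, 36.8)
OBSERVATIONS = [
    (PEER, Reading(122, 97, 74, 16, 36.9)),
    (PEER, Reading(118, 98, 70, 15, 36.7)),
    (PEER, Reading(121, 85, 73, 16, 36.8)),   # oxygen saturation disagrees
    (PEER, Reading(150, 98, 72, 16, 36.8)),   # blood pressure disagrees
]

if __name__ == "__main__":
    for m, t in OBSERVATIONS:
        print(violated_rules(state_of(m, t)) or "safe")
    print("compliance:", compliance_degree(OBSERVATIONS),
          "compromised:", is_compromised(OBSERVATIONS))
```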
4. Intrusion detection system
Intrusion detection system (IDS) design for cyber physical systems (CPSs) has
attracted considerable attention because of the dire consequence of CPS
failure. In this paper, we consider specification rather than signature-based
detection to deal with unknown attacker patterns. We consider specification
rather than anomaly based techniques to avoid using resource constrained
sensors or actuators in an MCPS for profiling anomaly patterns (e.g., through
learning) and to avoid high false positives. We consider specification rather
than trust based techniques to avoid delay due to trust aggregation and
propagation to promptly react to malicious behaviors in safety critical MCPSs.
Software Requirements:
Technologies: ASP.NET and C#.NET
Database: MS-SQL Server 2005/2008
IDE: Visual Studio 2008
Hardware Requirements:
Processor: Pentium IV
RAM: 1GB