TWC: Option: Medium: Collaborative: Semantic Security Monitoring for Industrial Control Systems

TWC：选项：中：协作：工业控制系统的语义安全监控

• 批准号: 1314973
• 负责人: Robin Sommer
• 金额: $ 69.94万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-09-01 至 2018-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1314973&HistoricalAwards=false
• 关键词: TWC; Option; Medium; Collaborative; Semantic

Industrial control systems differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without however exhibiting any obvious protocol-level red flags. In one thrust, we conduct a measurement-centric study of ICS network activity, aimed at developing a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time. In a second thrust, we develop domain-specific behavior models that abstract from low-level protocol activity to their semantic meaning according to the current state of the processes under control. Our goal is to integrate these models into operationally viable, real-time network monitoring that reports unexpected deviations as indicators of attacks or malfunction. A separate "Transition to Practice" phase advances our research results into deployment-ready technology by integrating it into the open-source Bro network monitor. Overall, our work will improve security and safety of today's critical infrastructure by providing effective, unobtrusive security monitoring tailored to their specific semantics. In addition, we tie a number of educational activities to the research and involve students at all levels.

工业控制系统与标准的通用计算环境有很大的不同，它们面临着截然不同的安全挑战。除了物理上的“气隙”，我们的关键基础设施已经变得容易受到广泛的潜在攻击者的攻击。在这个项目中，我们开发了新的网络监控方法，可以检测复杂的语义攻击：将进程驱动到不安全状态的恶意操作，但不会显示任何明显的协议级危险信号。一方面，我们对ICS网络活动进行了以测量为中心的研究，旨在根据参与者、工作负载、依赖关系和状态随时间的变化深入理解操作语义。在第二个推力中，我们开发了特定于领域的行为模型，根据受控过程的当前状态，将底层协议活动抽象为其语义。我们的目标是将这些模型集成到操作可行的实时网络监控中，以报告意外偏差作为攻击或故障的指标。通过将我们的研究成果集成到开源的Bro网络监控器中，一个单独的“过渡到实践”阶段将我们的研究成果推进到可部署的技术中。总体而言，我们的工作将通过提供根据其特定语义量身定做的有效、不引人注目的安全监控来提高当今关键基础设施的安全性和安全性。此外，我们将一些教育活动与研究联系在一起，并让所有级别的学生参与。