Robust model predictive control of resilient cyber-physical systems: security and resource-awareness

Sun, Qi

20 September 2021

Cyber-physical systems (CPS), integrating advanced computation, communication, and control technologies with the physical process, are widely applied in industry applications such as smart production and manufacturing systems, robotic and automotive control systems, and smart grids. Due to possible exposure to unreliable networks and complex physical environments, CPSs may simultaneously face multiple cyber and physical issues including cyber threats (e.g., malicious cyber attacks) and resource constraints (e.g., limited networking resources and physical constraints). As one of the essential topics in designing efficient CPSs, the controller design for CPSs, aiming to achieve secure and resource-aware control objectives under such cyber and physical issues, is very significant yet challenging. Emphasizing optimality and system constraint handling, model predictive control (MPC) is one of the most widely used control paradigms, notably famous for its successful applications in chemical process industry. However, the conventional MPC methods are not specifically tailored to tackle cyber threats and resource constraints, thus the corresponding theory and tools to design the secure and resource-aware controller are lacking and need to be developed. This dissertation focuses on developing MPC-based methodologies to address the i) secure control problem and ii) resource-aware control problem for CPSs subject to cyber threats and resource constraints. In the resource-aware control problem of CPSs, the nonlinear system with additive disturbance is considered. By using an integral-type event-triggered mechanism and an improved robustness constraint, we propose an integral-type event-triggered MPC so that smaller sampling frequency and robustness to the additive disturbance can be obtained. The sufficient conditions for guaranteeing the recursive feasibility and the closed-loop stability are established. For the secure control problem of CPSs, two aspects are considered. Firstly, to achieve the secure control objective, we design a secure dual-mode MPC framework, including a modified initial feasible set and a new positively invariant set, for constrained linear systems subject to Denial-of-Service (DoS) attacks. The exponential stability of the closed-loop system is guaranteed under several conditions. Secondly, to deal with cyber threats and take advantage of the cloud-edge computing technology, we propose a model predictive control as a secure service (MPCaaSS) framework, consisting of a double-layer controller architecture and a secure data transmission protocol, for constrained linear systems in the presence of both cyber threats and external disturbances. The rigorous recursive feasibility and robust stability conditions are established. To simultaneously address the secure and resource-aware control problems, an event-triggered robust nonlinear MPC framework is proposed, where a new robustness constraint is introduced to deal with additive disturbances, and a packet transmission strategy is designed to tackle DoS attacks. Then, an event-triggered mechanism, which accommodates DoS attacks occurring in the communication network, is proposed to reduce the communication cost for resource-constrained CPSs. The recursive feasibility and the closed-loop stability in the sense of input-to-state practical stable (ISpS) are guaranteed under the established sufficient conditions. / Graduate

Cyber-physical systems

model predictive control

security

resource-awareness

Meta-Adaptation Strategies for Adaptation in Cyber-Physical Systems / Meta-Adaptation Strategies for Adaptation in Cyber-Physical Systems

Huječek, Adam

January 2016

When designing a complex Cyber-Physical System it is often impossible to foresee all potential situations in advance and prepare corresponding tactics to adapt to the changes in dynamic environment. This greatly hurts the system's resilience and dependability. All kinds of trouble can rise from situations that lie beyond the expected "envelope of adaptability" from malfunction of one component to failure of the whole system. Self-adaptation approaches are typically limited in choosing a tactic from a fixed set of tactics. Meta-adaptation strategies extend the limits of system's inherent adaptation by creating new tactics at runtime. This thesis elaborates and provides implementations of selected meta-adaptation strategies for IRM-SA in jDEECo as well as their evaluation in a scenario based on a firefighter coordination case study. Powered by TCPDF (www.tcpdf.org)

SIMON: A Domain-Agnostic Framework for Secure Design and Validation of Cyber Physical Systems

Yanambaka Venkata, Rohith

12 1900

Cyber physical systems (CPS) are an integration of computational and physical processes, where the cyber components monitor and control physical processes. Cyber-attacks largely target the cyber components with the intention of disrupting the functionality of the components in the physical domain. This dissertation explores the role of semantic inference in understanding such attacks and building resilient CPS systems. To that end, we present SIMON, an ontological design and verification framework that captures the intricate relationship(s) between cyber and physical components in CPS by leveraging several standard ontologies and extending the NIST CPS framework for the purpose of eliciting trustworthy requirements, assigning responsibilities and roles to CPS functionalities, and validating that the trustworthy requirements are met by the designed system. We demonstrate the capabilities of SIMON using two case studies – a vehicle to infrastructure (V2I) safety application and an additive manufacturing (AM) printer. In addition, we also present a taxonomy to capture threat feeds specific to the AM domain.

CPS

Cyber Physical Systems

Security

Additive manufacturing security

threat feeds

CYBERSECURITY IN THE PUR-1 NUCLEAR REACTOR

Styliani Pantopoulou (11189106)

27 July 2021

Nuclear systems heavily depend on Instrumentation and Control (I&C) entities for their protection, monitoring and control processes, all of which play an important role for their safety and security. The obsolescence of analog I&C systems, along with the increased costs for their maintenance, has rendered the adoption of digital control systems inevitable. Digitization offers numerous advantages to systems, ranging from precision in measurements to reduction in equipment and costs. However, it also comes with a number of challenges, most of which are related to increased failure risk, either from human or control systems error, and vulnerability to attacks, which can be a major threat to non-proliferation. These characteristics point to the category of Cyber Physical Systems (CPSs), namely collections of computational components that receive physical inputs from sensors, and are connected to feedback loops in order to adapt to new circumstances. The ever growing use of CPSs may increase the risk for cyber attacks, that threaten a system’s integrity and security. Plenty of research has been conducted on this topic. The focus of this work is to implement an architecture that can protect the system under review, namely Purdue University Reactor Number One (PUR-1), from these types of attacks. The reactor is physically modelled, through the use of point kinetics equations and reactivity calculations. Controllers existing in the plant are modelled and tuned for the purpose of controlling the reactor’s power. Mitigation of the cyber attacks is later examined through fault tolerance. One of the main ways to achieve fault tolerance in systems of this type is through redundant components, the so-called replicas. Replicas are later used in a process of voting, in order to detect failures. According to the Byzantine Fault Tolerance (BFT) protocol, which is the most popular protocol for this purpose, a maximum number of t faults can be tolerated by the system, when there are in total 3t+1 replicas in the system architecture. Redundancy, however, is not capable to keep a system safe by itself under all circumstances. For this purpose, software diversity is explored. According to this, software in the controllers gets diversified into distinct variants. Different software variants execute instructions, and other variants are expected to execute other actions. In the case where some tampered inputs crash (or deactivate) one of the variants, other variants take control and the system is tolerant against failures. Lastly, CPS inertia is exploited along with rollback recovery methods for the rebooting of the system after a failure. The actual algorithm for the system studied in this work uses three redundant controllers and performs as follows; the error term from the subtraction of the output from the setpoint is fed as input to the first two controllers, as well as to the delay queue connected to the third controller. The outputs of the first two controllers are compared, and then there are two cases of operation. In the case of a good message in the input, the variants in the controllers do not crash, thus the signal from the top two controllers reaches the plant. In the case of a bad message, at least one of the two controllers crashes, because at least one of the code variants fails due to the diversity. This automatically triggers the comparator, which sends a signal so that the output of the isolated controller is used and propagates towards the plant. After implementing a Graphical User Interface (GUI), which acts as a simulator and visualizes the system’s state, it is shown that PUR-1 is able to overcome bad messages regarding scram or control rod positions, when the protection architecture is activated. More specifically, when a bad message for scram is sent, the reactor manages to not drop its power level and continues to adjust the rod positions in order to achieve a specific power setpoint. Moreover, in the case of a bad message for the control rod positions, which means that the system is running open loop and thus is uncontrolled, the reactor manages to recover the rod positions and power level after some seconds. Conversely, when the protection system is deactivated, it is shown that bad messages regarding scram or rod positions are able to affect the reactor's state. In the case of the scram bad message, the reactor power drops immediately, while in the case of the rod position bad message, the power level changes uncontrollably.

Nuclear Engineering

Cybersecurity

PUR-1

cyber physical systems

Cooperative Autonomous Resilient Defense Platform for Cyber-Physical Systems

Azab, Mohamed Mahmoud Mahmoud

28 February 2013

Cyber-Physical Systems (CPS) entail the tight integration of and coordination between computational and physical resources. These systems are increasingly becoming vital to modernizing the national critical infrastructure systems ranging from healthcare, to transportation and energy, to homeland security and national defense. Advances in CPS technology are needed to help improve their current capabilities as well as their adaptability, autonomicity, efficiency, reliability, safety and usability.  Due to the proliferation of increasingly sophisticated cyber threats with exponentially destructive effects, CPS defense systems must systematically evolve their detection, understanding, attribution, and mitigation capabilities. Unfortunately most of the current CPS defense systems fall short to adequately provision defense services while maintaining operational continuity and stability of the targeted CPS applications in presence of advanced persistent attacks. Most of these defense systems use un-coordinated combinations of disparate tools to provision defense services for the cyber and physical components. Such isolation and lack of awareness of and cooperation between defense tools may lead to massive resource waste due to unnecessary redundancy, and potential conflicts that can be utilized by a resourceful attacker to penetrate the system.   Recent research argued against the suitability of the current security solutions to CPS environments. We assert the need for new defense platforms that effectively and efficiently manage dynamic defense missions and toolsets in real-time with the following goals: 1) Achieve asymmetric advantage to CPS defenders, prohibitively increasing the cost for attackers; 2) Ensure resilient operations in presence of persistent and evolving attacks and failures; and 3) Facilitate defense alliances, effectively and efficiently diffusing defense intelligence and operations transcending organizational boundaries. Our proposed solution comprehensively addresses the aforementioned goals offering an evolutionary CPS defense system. The presented CPS defense platform, termed CyPhyCARD (Cooperative Autonomous Resilient Defenses for Cyber-Physical systems) presents a unified defense platform to monitor, manage, and control the heterogeneous composition of CPS components. CyPhyCARD relies on three interrelated pillars to construct its defense platform. CyPhyCARD comprehensively integrates these pillars, therefore building a large scale, intrinsically resilient, self- and situation-aware, cooperative, and autonomous defense cloud-like platform that provisions adequate, prompt, and pervasive defense services for large-scale, heterogeneously-composed CPS. The CyPhyCARD pillars are: 1) Autonomous management platform (CyberX) for CyPhyCARD's foundation. CyberX enables application elasticity and autonomic adaptation to changes by runtime diversity employment, enhances the application resilience against attacks and failures by multimodal recovery mechanism, and enables unified application execution on heterogeneously composed platforms by a smart employment of a fine-grained environment-virtualization technology. 2) Diversity management system (ChameleonSoft) built on CyberX. ChameleonSoft encrypts software execution behavior by smart employment of runtime diversity across multiple dimensions to include time, space, and platform heterogeneity inducing a trace-resistant moving-target defense that works on securing CyPhyCARD platform against software attacks. 3) Evolutionary Sensory system (EvoSense) built on CyberX. EvoSense realizes pervasive, intrinsically-resilient, situation-aware sense and response system to seamlessly effect biological-immune-system like defense. EvoSense acts as a middle layer between the defense service provider(s) and the Target of Defense (ToD) creating a uniform defense interface that hides ToD's scale and heterogeneity concerns from defense-provisioning management. CyPhyCARD is evaluated both qualitatively and quantitatively. The efficacy of the presented approach is assessed qualitatively, through a complex synthetic CPS attack scenario. In addition to the presented scenario, we devised multiple prototype packages for the presented pillars to assess their applicability in real execution environment and applications. Further, the efficacy and the efficiency of the presented approach is comprehensively assessed quantitatively by a set of custom-made simulation packages simulating each CyPhyCARD pillar for performance and security evaluation.  The evaluation illustrated the success of CyPhyCARD and its constructing pillars to efficiently and effectively achieve its design objective with reasonable overhead. / Ph. D.

Cyber Physical Systems

Security

Resilience

Cloud Computing

Autonomic Management

Securing Modern Cyberspace Using A Multi-Faceted Approach

Li, Yu

06 June 2019

No description available.

Computer Engineering

Security

cyber-physical systems

web server

social networks

Human-Interactions with Robotic Cyber-Physical Systems (CPS) for Facilitating Construction Progress Monitoring

Halder, Srijeet

23 August 2023

Progress monitoring in construction involves a set of inspection tasks with repetitive in-person observations on the site. The current manual inspection process is time-consuming, inefficient, inconsistent, and has many safety risks to project inspectors. Cyber-Physical Systems (CPS) are networks of integrated physical and cyber components, such as robots, sensors, actuators, cloud computing, artificial intelligence, and the building itself. Introducing CPS for construction progress monitoring can reduce risks involved in the process, improve efficiency, and enable remote progress monitoring. A robotic CPS uses a robot as the core component of the CPS. But human interaction with technology plays an important role in the successful implementation of any technology. This research studied the human-centered design of a CPS from a human-computer interaction perspective for facilitating construction progress monitoring that puts the needs and abilities of humans at the center of the development process. User experience and interactions play an important role in human-centered design. This study first develops a CPS framework to autonomously collect visual data and facilitate remote construction progress monitoring. The two types of interactions occur between the human and the CPS – the human provides input for the CPS to collect data referred to as mission planning, and CPS provides visual data to enable the human to perform progress analysis. The interaction may occur through different modalities, such as visual, tactile, auditory, and immersive. The goal of this research is to understand the role of human interactions with CPS for construction progress monitoring. The study answers five research questions – a) What robotic CPS framework can be applied in construction progress monitoring? b) To what extent is the proposed CPS framework acceptable as an alternative to traditional construction progress monitoring? c) How can natural interaction modalities like hand gestures and voice commands be used as human-CPS interaction modalities for the proposed CPS? d) How does the human interaction modality between the proposed CPS and its user affect the usability of the proposed CPS? e) How does the human interaction modality between CPS and its user affect the performance of the proposed CPS?. To answer the research questions, a mixed-method-based methodology is used in this study. First, a systematic literature review is performed on the use of robots in inspection and monitoring of the built environment. Second, a CPS framework for remote progress monitoring is developed and evaluated in lab conditions. Third, a set of industry experts experienced with construction progress monitoring are interviewed to measure their acceptance of the developed CPS and to collect feedback for the evaluation of the CPS. Fourth, two methodologies are developed to use hand gesture and voice command recognition for human-CPS interaction in progress monitoring. Fifth, the usability and performance of the CPS are measured for identified interaction modalities through a human subject study. The human subjects are also interviewed post-experiment to identify the challenges they faced in their interactions with the CPS. The study makes the following contributions to the body of knowledge – a) key research areas and gaps were identified for robots in inspection and monitoring of the built environment, b) a fundamental framework for a robotic CPS was developed to automate reality capture and visualization using quadruped robots to facilitate remote construction progress monitoring, c) factors affecting the acceptance of the proposed robotic CPS for construction progress monitoring were identified by interviewing construction experts, d) two methodologies for using hand gestures and voice commands were developed for human-CPS interaction in construction progress monitoring, e) the effect of human interaction modalities on the usability and performance of the proposed CPS was assessed in construction progress monitoring through user studies, f) factors affecting the usability and performance of the proposed CPS with different interaction modalities were identified by conducting semi-structured interviews with users. / Doctor of Philosophy / Progress monitoring in construction involves inspecting and observing the construction site in person. The current manual inspection process is slow, inefficient, inconsistent, and risky for inspectors. Cyber-Physical Systems (CPS) are networks that integrate physical and digital components like robots, sensors, cloud computing, and artificial intelligence. Implementing CPS in construction progress monitoring can reduce risks, improve efficiency, and enable remote monitoring. A robotic CPS uses a robot as its core component. However, acceptance of the technology by people in the industry is crucial for successful implementation. Past literature has suggested human-centered design of technology for better acceptance of the technology. This research focuses on the human-centered design of a robotic CPS for construction progress monitoring, by focusing on the role of human-CPS interactions. User experience and interactions are important in human-centered design. The study develops a CPS framework that autonomously collects visual data and facilitates remote progress monitoring. The interactions between humans and CPS involve the human providing input for data collection (called mission planning) and the CPS providing visual data for progress analysis. The research aims to understand the role of human interactions with CPS in construction progress monitoring and answers five research questions. To answer these questions, a mixed-methods methodology is used. The CPS framework is developed and evaluated in lab conditions, industry experts are interviewed for their acceptance and feedback, methodologies are developed to recognize hand gestures and voice commands for human-CPS interaction, and usability and performance of the CPS are measured through human subject studies. Key contributions are made in this research in terms of identification of the application domains of CPS in inspection and monitoring of buildings and infrastructure, a CPS framework for remote progress monitoring, identification of the factors affecting acceptance of CPS in construction progress monitoring, development of methodologies to use hand gestures and voice commands for interactions with CPS, assessment of the effect of interaction modalities on the user experience with the CPS.

robots

construction progress monitoring

human-computer interaction

cyber-physical systems

A Makerspace Cyber Physical System for Convergence Research

Moiz S Rasheed (17611824)

12 December 2023

<p dir="ltr">We are in the midst of the fourth industrial revolution, and manufacturers are looking<br>to digitally transform their processes in order to leverage new technologies such as adap-<br>tive automation, virtual reality and digital twin driven simulation. A key aspect of this<br>revolution compared to previous is the increased availability of data and accessibility of<br>machines throughout the production process enabled by cyber-physical systems (CPS) and<br>IoT. However, the integration of many devices is challenging, requiring significant capital<br>and expertise. This can limit smaller players from benefiting from technological gains as<br>well as stymie research, particularly advanced human-computer-interaction (HCI) investiga-<br>tions which are becoming increasingly relevant.<br>Thus in this thesis we develop a framework for CPS creation and communication that<br>is amenable to the needs of HCI and convergence research. We develop several middleware<br>components to bridge the communication gap of many common fabrication machines and<br>other devices. The middleware translates device specific protocols into a shared language to<br>alleviate the user interface (UI) programs of this responsibility and promote reuse. Addi-<br>tionally, we develop an extension to the glTF model format to leverage this shared protocol<br>to enable the UI to load and interact with an arbitrary number of devices in an intuitive<br>manner at runtime. Finally, we discuss several applications to demonstrate the system’s<br>utility for research.</p>

Human-computer interaction

Makerspaces

industrial IoT

Cyber-Physical Systems (CPSs)

Security and Privacy for Internet of Things: Authentication and Blockchain

Sharaf Dabbagh, Yaman

21 May 2020

Reaping the benefits of the Internet of Things (IoT) system is contingent upon developing IoT-specific security and privacy solutions. Conventional security and authentication solutions often fail to meet IoT requirements due to the computationally limited and portable nature of IoT objects. Privacy in IoT is a major issue especially in the light of current attacks on Facebook and Uber. Research efforts in both the academic and the industrial fields have been focused on providing security and privacy solutions that are specific to IoT systems. These solutions include systems to manage keys, systems to handle routing protocols, systems that handle data transmission, access control for devices, and authentication of devices. One of these solutions is Blockchain, a trust-less peer-to-peer network of devices with an immutable data storage that does not require a trusted party to maintain and validate data entries in it. This emerging technology solves the problem of centralization in systems and has the potential to end the corporations control over our personal information. This unique characteristic makes blockchain an excellent candidate to handle data communication and storage between IoT devices without the need of oracle nodes to monitor and validate each data transaction. The peer-to-peer network of IoT devices validates data entries before being added to the blockchain database. However, accurate authentication of each IoT device using simple methods is another challenging problem. In this dissertation, a complete novel system is proposed to authenticate, verify, and secure devices in IoT systems. The proposed system consists of a blockchain framework to collect, monitor, and analyze data in IoT systems. The blockchain based system exploits a method, called Sharding, in which devices are grouped into smaller subsets to provide a scalable system. In addition to solving the scalability problem in blockchain, the proposed system is secured against the 51% attack in which a malicious node tries to gain control over the majority of devices in a single shard in order to disrupt the validation process of data entries. The proposed system dynamically changes the assignment of devices to shards to significantly decrease the possibility of performing 51% attacks. The second part of the novel system presented in this work handles IoT device authentication. The authentication framework uses device-specific information, called fingerprints, along with a transfer learning tool to authenticate objects in the IoT. The framework tracks the effect of changes in the physical environment on fingerprints and uses unique IoT environmental effects features to detect both cyber and cyber-physical emulation attacks. The proposed environmental effects estimation framework showed an improvement in the detection rate of attackers without increasing the false positives rate. The proposed framework is also shown to be able to detect cyber-physical attackers that are capable of replicating the fingerprints of target objects which conventional methods are unable to detect. In addition, a transfer learning approach is proposed to allow the use of objects with different types and features in the environmental effects estimation process. The transfer learning approach was also implemented in cognitive radio networks to prevent primary users emulation attacks that exist in these networks. Lastly, this dissertation investigated the challenge of preserving privacy of data stored in the proposed blockchain-IoT system. The approach presented continuously analyzes the data collected anonymously from IoT devices to insure that a malicious entity will not be able to use these anonymous datasets to uniquely identify individual users. The dissertation led to the following key results. First, the proposed blockchain based framework that uses sharding was able to provide a decentralized, scalable, and secured platform to handle data exchange between IoT devices. The security of the system against 51% attacks was simulated and showed significant improvements compared to typical blockchain implementations. Second, the authentication framework of IoT devices is shown to yield to a 40% improvement in the detection of cyber emulation attacks and is able to detect cyber-physical emulation attacks that conventional methods cannot detect. The key results also show that the proposed framework improves the authentication accuracy while the transfer learning approach yields up to 70% additional performance gains. Third, the transfer learning approach to combine knowledge about features from multiple device types was also implemented in cognitive radio networks and showed performance gains with an average of 3.4% for only 10% relevant information between the past knowledge and the current environment signals. / Doctor of Philosophy / The Internet of things (IoT) system is anticipated to reach billions of devices by the year 2020. With this massive increase in the number of devices, conventional security and authentication solutions will face many challenges from computational limits to privacy and security challenges. Research on solving the challenges of IoT systems is focused on providing lightweight solutions to be implemented on these low energy IoT devices. However these solutions are often prone to different types of attacks. The goal of this dissertation is to present a complete custom solution to secure IoT devices and systems. The system presented to solve IoT challenges consists of three main components. The first component focuses on solving scalability and centralization challenges that current IoT systems suffer from. To accomplish this a combination of distributed system, called blocchain, and a method to increase scalability, called Sharding, were used to provide both scalability and decentralization while maintaining high levels of security. The second component of the proposed solution consists of a novel framework to authenticate the identity of each IoT device. To provide an authentication solution that is both simple and effective, the framework proposed used a combination of features that are easy to collect, called fingerprints. These features were used to model the environment surrounding each IoT device to validate its identity. The solution uses a method called transfer learning to allow the framework to run on different types of devices. The proposed frameworks were able to provide a solution that is scalable, simple, and secured to handle data exchange between IoT devices. The simulation presented showed significant improvements compared to typical blockchain implementations. In addition, the frameworks proposed were able to detect attackers that have the resources to replicate all the device specific features. The proposed authentication framework is the first framework to be able to detect such an advanced attacker. The transfer learning tool added to the authentication framework showed performance gains of up to 70%.

Blockchain

Internet of things (IoT)

Cyber-Physical Systems

Authentication

Program Anomaly Detection Against Data-Oriented Attacks

Cheng, Long

29 August 2018

Memory-corruption vulnerability is one of the most common attack vectors used to compromise computer systems. Such vulnerabilities could lead to serious security problems and would remain an unsolved problem for a long time. Existing memory corruption attacks can be broadly classified into two categories: i) control-flow attacks and ii) data-oriented attacks. Though data-oriented attacks are known for a long time, the threats have not been adequately addressed due to the fact that most previous defense mechanisms focus on preventing control-flow exploits. As launching a control-flow attack becomes increasingly difficult due to many deployed defenses against control-flow hijacking, data-oriented attacks are considered an appealing attack technique for system compromise, including the emerging embedded control systems. To counter data-oriented attacks, mitigation techniques such as memory safety enforcement and data randomization can be applied in different stages over the course of an attack. However, attacks are still possible because currently deployed defenses can be bypassed. This dissertation explores the possibility of defeating data-oriented attacks through external monitoring using program anomaly detection techniques. I start with a systematization of current knowledge about exploitation techniques of data-oriented attacks and the applicable defense mechanisms. Then, I address three research problems in program anomaly detection against data-oriented attacks. First, I address the problem of securing control programs in Cyber-Physical Systems (CPS) against data-oriented attacks. I describe a new security methodology that leverages the event-driven nature in characterizing CPS control program behaviors. By enforcing runtime cyber-physical execution semantics, our method detects data-oriented exploits when physical events are inconsistent with the runtime program behaviors. Second, I present a statistical program behavior modeling framework for frequency anomaly detection, where frequency anomaly is the direct consequence of many non-control-data attacks. Specifically, I describe two statistical program behavior models, sFSA and sCFT, at different granularities. Our method combines the local and long-range models to improve the robustness against data-oriented attacks and significantly increase the difficulties that an attack bypasses the anomaly detection system. Third, I focus on defending against data-oriented programming (DOP) attacks using Intel Processor Trace (PT). DOP is a recently proposed advanced technique to construct expressive non-control data exploits. I first demystify the DOP exploitation technique and show its complexity and rich expressiveness. Then, I design and implement the DeDOP anomaly detection system, and demonstrate its detection capability against the real-world ProFTPd DOP attack. / Ph. D. / Memory-corruption vulnerability is one of the most common attack vectors used to compromise computer systems. Such vulnerabilities could lead to serious security problems and would remain an unsolved problem for a long time. This is because low-level memory-unsafe languages (e.g., C/C++) are still in use today for interoperability and speed performance purposes, and remain common sources of security vulnerabilities. Existing memory corruption attacks can be broadly classified into two categories: i) control-flow attacks that corrupt control data (e.g., return address or code pointer) in the memory space to divert the program’s control-flow; and ii) data-oriented attacks that target at manipulating non-control data to alter a program’s benign behaviors without violating its control-flow integrity. Though data-oriented attacks are known for a long time, the threats have not been adequately addressed due to the fact that most previous defense mechanisms focus on preventing control-flow exploits. As launching a control-flow attack becomes increasingly difficult due to many deployed defenses against control-flow hijacking, data-oriented attacks are considered an appealing attack technique for system compromise, including the emerging embedded control systems. To counter data-oriented attacks, mitigation techniques such as memory safety enforcement and data randomization can be applied in different stages over the course of an attack. However, attacks are still possible because currently deployed defenses can be bypassed. This dissertation explores the possibility of defeating data-oriented attacks through external monitoring using program anomaly detection techniques. I start with a systematization of current knowledge about exploitation techniques of data-oriented attacks and the applicable defense mechanisms. Then, I address three research problems in program anomaly detection against data-oriented attacks. First, I address the problem of securing control programs in Cyber-Physical Systems (CPS) against data-oriented attacks. The key idea is to detect subtle data-oriented exploits in CPS when physical events are inconsistent with the runtime program behaviors. Second, I present a statistical program behavior modeling framework for frequency anomaly detection, where frequency anomaly is often consequences of many non-control-data attacks. Our method combines the local and long-range models to improve the robustness against data-oriented attacks and significantly increase the difficulties that an attack bypasses the anomaly detection system. Third, I focus on defending against data-oriented programming (DOP) attacks using Intel Processor Trace (PT). I design and implement the DEDOP anomaly detection system, and demonstrate its detection capability against the real-world DOP attack.

Program Anomaly Detection

Data-Oriented Attacks

Cyber-Physical Systems