TWC: Option: Medium: Collaborative: Semantic Security Monitoring for Industrial Control Systems

TWC：选项：中：协作：工业控制系统的语义安全监控

• 批准号: 1314973
• 负责人: Robin Sommer
• 金额: $ 69.94万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-09-01 至 2018-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1314973&HistoricalAwards=false
• 关键词: TWC; Option; Medium; Collaborative; Semantic

Industrial control systems differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without however exhibiting any obvious protocol-level red flags. In one thrust, we conduct a measurement-centric study of ICS network activity, aimed at developing a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time. In a second thrust, we develop domain-specific behavior models that abstract from low-level protocol activity to their semantic meaning according to the current state of the processes under control. Our goal is to integrate these models into operationally viable, real-time network monitoring that reports unexpected deviations as indicators of attacks or malfunction. A separate "Transition to Practice" phase advances our research results into deployment-ready technology by integrating it into the open-source Bro network monitor. Overall, our work will improve security and safety of today's critical infrastructure by providing effective, unobtrusive security monitoring tailored to their specific semantics. In addition, we tie a number of educational activities to the research and involve students at all levels.

工业控制系统与标准的通用计算环境有很大不同，它们面临着截然不同的安全挑战。由于现在物理“气隙”已成为例外，我们的关键基础设施变得容易受到各种潜在攻击者的攻击。在这个项目中，我们开发了新颖的网络监控方法，可以检测复杂的语义攻击：使进程进入不安全状态的恶意行为，但不会表现出任何明显的协议级危险信号。我们的一个目标是对 ICS 网络活动进行一项以测量为中心的研究，旨在深入了解参与者、工作负载、依赖关系和状态随时间变化的操作语义。第二个重点是，我们开发特定领域的行为模型，根据受控进程的当前状态，从低级协议活动抽象为其语义。我们的目标是将这些模型集成到可操作的实时网络监控中，将意外偏差报告为攻击或故障的指标。一个单独的“过渡到实践”阶段通过将我们的研究成果集成到开源 Bro 网络监视器中，将其推进为可部署的技术。总的来说，我们的工作将通过提供针对特定语义定制的有效、不引人注目的安全监控来提高当今关键基础设施的安全性。此外，我们将许多教育活动与研究联系起来，并让各个级别的学生参与其中。