Intrusion detection for resource-constrained embedded control systems in the power grid

International Journal of Critical Infrastructure Protection

Volumn 5, Issue 2, 2012, Pages 74-83

  Reeves, Jason ^a   Ramaswamy, Ashwin ^a   Locasto, Michael ^b   Bratus, Sergey ^a   Smith, Sean ^a  

^a Dartmouth Department of Computer Science_Dartmouth College   (United States)

^b UNIVERSITY OF CALGARY   (Canada)

Author keywords

Embedded control systems; Intrusion detection; Power grid

Indexed keywords

CONTROL-FLOW; CONVENTIONAL APPROACH; EMBEDDED CONTROL SYSTEMS; EMBEDDED DEVICE; HOST-BASED INTRUSION DETECTION; HYPERVISOR; PERFORMANCE IMPACT; POWER GRIDS; RESOURCE RESTRICTIONS; RESOURCE-CONSTRAINED; ROOTKITS; TIMING REQUIREMENTS; TRACING FRAMEWORK;

ELECTRIC POWER DISTRIBUTION; EMBEDDED SYSTEMS; SCADA SYSTEMS;

INTRUSION DETECTION;

EID: 84863206416     PISSN: 18745482     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ijcip.2012.02.002     Document Type: Article

References (57)

1. Transmission and Distribution World, About 212 million smart electric meters in 2014, says ABI Research, February 3, 2010. http://tdworld.com/smart_grid_automation/abi-research-smart-meters-0210.
2. N. Falliere, L. O'Murchu, E. Chien, W32.Stuxnet dossier, symantec, mountain view, California, 2011. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
3. Fidler D. Was Stuxnet an act of war? decoding a cyberattack. IEEE Security and Privacy 2011, 9(4):56-59.
4. X. Jiang, X. Wang, D. Xu, Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction, in: Proceedings of the Fourteenth ACM Conference on Computer and Communications Security, 2007, pp. 128-138.
5. L. Litty, H. Lagar-Cavilla, D. Lie, Hypervisor support for identifying covertly executing binaries, in: Proceedings of the Seventeenth USENIX Security Symposium, 2008, pp. 243-258.
6. B. Payne, M. Carbone, M. Sharif, W. Lee, Lares: an architecture for secure active monitoring using virtualization, in: Proceedings of the IEEE Symposium on Security and Privacy, pp. 233-247, 2008.
7. N. Petroni, M. Hicks, Automated detection of persistent kernel control flow attacks, in: Proceedings of the Fourteenth ACM Conference on Computer and Communications Security, 2007, pp. 103-115.
8. R. Riley, X. Jiang, D. Xu, Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing, in: Proceedings of the Eleventh International Symposium on Recent Advances in Intrusion Detection, 2008, pp. 1-20.
9. Z. Wang, X. Jiang, W. Cui, P. Ning, Countering kernel rootkits with lightweight hook protection, in: Proceedings of the Sixteenth ACM Conference on Computer and Communications Security, 2009, pp. 545-554.
10. Institute of Electrical and Electronics Engineers, IEEE 1646-2004 standard: communication delivery time performance requirements for electric power substation automation, Piscataway, New Jersey, 2004.
11. M. LeMay, C. Gunter, Cumulative attestation kernels for embedded systems, in: Proceedings of the Fourteenth European Symposium on Research in Computer Security, 2009, pp. 655-670.
12. S. Bratus, M. Locasto, A. Ramaswamy, S. Smith, VM-based security overkill: a lament for applied systems security research, in: Proceedings of the New Security Paradigms Workshop, 2010, pp. 51-60.
13. PaX Team, Homepage. http://pax.grsecurity.net.
14. Openwall, Linux kernel patch from the Openwall Project. http://www.openwall.com/linux.
15. A. Ramaswamy, Autoscopy: detecting pattern-searching rootkits via control flow tracing, Master's Thesis, Department of Computer Science, Dartmouth College, Hanover, New Hampshire, 2009.
16. J. Reeves, Autoscopy Jr.: intrusion detection for embedded control systems, Master's Thesis, Department of Computer Science, Dartmouth College, Hanover, New Hampshire, 2011.
17. J. Keniston, P. Panchamukhi, M. Hiramatsu, Kernel probes (Kprobes), The Linux Kernel Archives. http://www.kernel.org/doc/Documentation/kprobes.txt.
18. A. Mavinakayanahalli, P. Panchamukhi, J. Keniston, A. Keshavamurthy, M. Hiramatsu, Probing the guts of Kprobes, in: Proceedings of the Linux Symposium, vol. 2, 2006, pp.109-124.
19. Motorola Solutions, ACE3600 specifications sheet, Schaumburg, Illinois, 2009. http://www.motorola.com/web/Business/Products/SCADA%20Products/ACE3600/%5FDocuments/Static%20Files/ACE3600%20Specifications%20Sheet.pdf?pLibItem%3D1.
20. Schweitzer Engineering Laboratories, SEL-3354 embedded automation computing platform data sheet, Pullman, Washington, 2011. http://www.selinc.com/WorkArea/DownloadAsset.aspx?id%3D6196.
21. A. Wright, Secure network architecture for power grid control systems, Presented at the TCIPG Summer School on Cyber Security for Smart Energy Systems, 2011.
22. Schweitzer Engineering Laboratories, Home, Pullman, Washington. http://www.selinc.com.
23. R. Anderson, S. Fuloria, Security economics and critical national infrastructure, in: Proceedings of the Eighth Workshop on the Economics of Information Security, 2009.
24. Mitre Corporation, CVE-2008-0923, Common vulnerabilities and exposures, Bedford, Massachusetts, 2008. http://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2008-0923.
25. R. Wojtczuk, Subverting the Xen hypervisor, Presented at Black Hat USA, 2008. http://www.invisiblethingslab.com/resources/bh08/part1.pdf.
26. S. Forrest, S. Hofmeyr, A. Somayaji, T. Longstaff, A sense of self for Unix processes, in: Proceedings of the IEEE Symposium on Security and Privacy, 1996, pp. 120-128.
27. B. Cantrill, M. Shapiro, A. Leventhal, Dynamic instrumentation of production systems, in: Proceedings of the USENIX Annual Technical Conference, 2004, pp. 15-28.
28. M. Hiramatsu, Overhead evaluation about Kprobe and Djprobe (direct jump probe) 2005. http://lkst.sourceforge.net/docs/probes-eval-report.pdf.
29. M. Hiramatsu, S. Oshima, Djprobe-Kernel probing with the smallest overhead, in: Proceedings of the Linux Symposium, vol. 1, 2007, pp. 189-200.
30. B. Spengler, Detection, prevention and containment: a study of grsecurity, Presented at the Libre Software Meeting, 2002.
31. Wikibooks, Grsecurity/Overview. http://en.wikibooks.org/wiki/Grsecurity/Overview.
32. PaX Team, PaX-address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt.
33. PaX Team, PaX-non-executable pages design and implementation. http://pax.grsecurity.net/docs/noexec.txt.
34. PaX Team, PaX-paging based non-executable pages. http://pax.grsecurity.net/docs/pageexec.txt.
35. T. Mittner, Exploiting grsecurity/PaX with Dan Rosenberg and Jon Oberheide, May 18, 2011. http://resources.infosecinstitute.com/exploiting-gresecuritypax.
36. pragmatic/THC, (Nearly) complete Linux loadable kernel modules, 1999. http://dl.packetstormsecurity.net/docs/hack/LKM_HACKING.html.
37. phrack.org, Phrack, No. 50., April 9, 2007. http://www.phrack.org/issues.html?issue%3D50.
38. C. Kolbitsch, P. Comparetti, C. Kruegel, E. Kirda, X. Zhou, X. Wang, Effective and efficient malware detection at the end host, in: Proceedings of the Eighteenth USENIX Security Symposium, 2009, pp. 351-366.
39. B. Hicks, S. Rueda, T. Jaeger, P. McDaniel, From trusted to secure: building and executing applications that enforce system security, in: Proceedings of the USENIX Annual Technical Conference, 2007.
40. V. Prasad, W. Cohen, F. Eigler, M. Hunt, J. Keniston, B. Chen, Locating system problems using dynamic instrumentation, in: Proceedings of the Linux Symposium, 2005, pp. 49-64.
41. B. Lee, S. Moon, Y. Lee, Application-specific packet capturing using kernel probes, in: Proceedings of the Eleventh IFIP/IEEE International Conference on Symposium on Integrated Network Management, 2009, pp. 303-306.
42. D. Singh, W. Kaiser, The atom LEAP platform for energy-efficient embedded computing, Technical Report, Center for Embedded Network Sensing, University of California at Los Angeles, Los Angeles, California, 2010.
43. Reeves J., Ramaswamy A., Locasto M., Bratus S., Smith S. Lightweight intrusion detection for resource-constrained embedded control systems. Critical Infrastructure Protection V 2011, 31-46. Springer, Heidelberg, Germany. J. Butts, S. Shenoi (Eds.).
44. M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti, Control flow integrity, in: Proceedings of the 12th ACM Conference on Computer and Communications Security, 2005, pp. 340-353.
45. SourceForge.net, Linux Test Project. http://ltp.sourceforge.net.
46. J. Rutkowski, Execution path analysis: finding kernel based rootkits, Phrack, No. 59, 2002. http://www.phrack.com/issues.html?issue%3D59%26id%3D10.
47. V. Thampi, udis86 Disassembler Library for ×86 and ×86-64, 2009. http://udis86.sf.net.
48. Corbet J., Rubini A., Kroah-Hartman G. Linux Device Drivers 2005, O'Reilly Media, Sebastopol, California.
49. Intel Corporation, Intel 64 and IA-32 architectures software developer's manual: instruction set reference, A-M, vol. 2A, Santa Clara, California, 2011.
50. FuSyS, KSTAT--kernel security therapy anti-trolls (2.4.x version) v1.1-2. http://www.s0ftpj.org/en/tools.html.
51. J. Levine, J. Grizzard, H. Owen, A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table, in: Proceedings of the Second IEEE International Information Assurance Workshop, 2004, pp. 107-125.
52. T. Miller, Detecting loadable kernel modules (LKM). http://www.s0ftpj.org/docs/lkm.htm.
53. Bovet D., Cesati M. Understanding the Linux Kernel 2006, O'Reilly Media, Sebastopol, California.
54. Standard Performance Evaluation Corporation, SPEC CPU2000 benchmark suite, Gainesville, Florida, 2007. http://www.spec.org/cpu2000.
55. L. McVoy, C. Staelin, lmbench: portable tools for performance analysis, in: Proceedings of the USENIX Annual Technical Conference, 1996.
56. Open Source Security, grsecurity. http://grsecurity.net.
57. S. Rostedt, Ftrace-Function Tracer, The Linux Kernel Archives. http://www.kernel.org/doc/Documentation/trace/ftrace.txt.