Abstract
Malware crafted to attack cyber-physical systems such as the electrical power grid has a physics-centric nucleus. Cyber-physical system malware understands physics and uses that knowledge to guide how it initiates physical damage on a compromised industrial computer. We develop a physics-driven page fault handler in the seL4 microkernel that, in addition to reducing the page fault rate, differentiates active physics in main memory from passive physics in the backing store. We aid the identification of active physics with a CPU scheduler that tracks the evolution of active physics over time. We exploit the concept of active physics to develop deception customized to attack the physics-centric nucleus of malware. We evaluated this research against a variety of malware samples and techniques, including numerous samples from publicly available repositories as well as custom-made academic code, and present our findings in the article. The reference physics data pertain to an electrical substation, with particular focus on a power transformer and related industrial-computer algorithms.
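To make the abstract's central idea concrete, the following is an added illustrative simulation; it is not the paper's seL4 code and does not reproduce the authors' design. It assumes a toy memory model in which pages carrying physics state (for example transformer measurements) are tagged at allocation, a scheduler tick counter ages those tags, and the fault handler treats a physics page as "active" if a physics task referenced it within a recent window of ticks and "passive" otherwise. Eviction prefers non-physics pages, then passive physics, and only then active physics, which is what keeps the fault rate below plain LRU on the constructed workload. The deception component is not modelled.

```python
# Added illustrative simulation (not the paper's seL4 code): a page fault handler
# that tags pages holding physics state and uses scheduler ticks to distinguish
# "active" physics (recently referenced) from "passive" physics (stale).
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Page:
    number: int
    physics: bool        # assumed tag: page holds physics state (e.g. transformer data)
    last_tick: int = 0   # scheduler tick of the most recent reference


class PhysicsAwareMemory:
    """Toy main memory plus backing store with a physics-driven replacement policy."""

    def __init__(self, frames, active_window):
        self.frames = frames                # resident page capacity
        self.active_window = active_window  # ticks after which physics becomes passive
        self.resident = OrderedDict()       # page number -> Page, oldest reference first
        self.backing = {}                   # evicted pages, page number -> Page
        self.tick = 0
        self.faults = 0

    def schedule_tick(self):
        """The CPU scheduler advances the clock used to age physics pages."""
        self.tick += 1

    def is_active(self, page):
        return page.physics and self.tick - page.last_tick <= self.active_window

    def active_physics(self):
        """Physics pages currently resident and recently referenced."""
        return sorted(p.number for p in self.resident.values() if self.is_active(p))

    def passive_physics(self):
        """Physics pages (resident or in the backing store) not referenced recently."""
        pages = list(self.resident.values()) + list(self.backing.values())
        return sorted(p.number for p in pages if p.physics and not self.is_active(p))

    def touch(self, number, physics=False):
        """Reference a page; on a miss, fault it in, evicting if memory is full."""
        if number in self.resident:
            page = self.resident.pop(number)
        else:
            self.faults += 1
            page = self.backing.pop(number, None) or Page(number, physics)
            if len(self.resident) >= self.frames:
                self.evict()
        page.physics = page.physics or physics
        page.last_tick = self.tick
        self.resident[number] = page   # re-insert at the most-recently-used end

    def evict(self):
        """Victim order: non-physics pages, then passive physics, active physics last."""
        victims = [p for p in self.resident.values() if not p.physics]
        if not victims:
            victims = [p for p in self.resident.values() if not self.is_active(p)]
        if not victims:
            victims = list(self.resident.values())
        victim = victims[0]  # least recently used within the chosen class
        self.backing[victim.number] = self.resident.pop(victim.number)
        return victim.number


class LRUMemory(PhysicsAwareMemory):
    """Baseline: plain LRU that ignores physics tags."""

    def evict(self):
        number, page = self.resident.popitem(last=False)
        self.backing[number] = page
        return number


def constructed_trace(ticks=4):
    """Constructed workload: a physics task re-reads transformer state pages 1 and 2
    every tick, page 3 is a stale measurement read only at tick 0, and a logging
    task streams through two fresh non-physics pages (10, 11, 12, ...) per tick."""
    trace, next_log = [], 10
    for t in range(ticks):
        if t == 0:
            trace.append((3, True))
        trace += [(1, True), (2, True)]
        trace += [(next_log, False), (next_log + 1, False)]
        next_log += 2
        trace.append(None)  # scheduler tick boundary
    return trace


def run(mem, trace):
    """Replay a trace against a memory model and return the page fault count."""
    for step in trace:
        if step is None:
            mem.schedule_tick()
        else:
            mem.touch(*step)
    return mem.faults


def compare(frames=3, active_window=2):
    """Return (physics-aware faults, plain-LRU faults) on the constructed trace."""
    pa = PhysicsAwareMemory(frames, active_window)
    lru = LRUMemory(frames, active_window)
    return run(pa, constructed_trace()), run(lru, constructed_trace())


if __name__ == "__main__":
    mem = PhysicsAwareMemory(frames=3, active_window=2)
    run(mem, constructed_trace())
    print("faults physics-aware vs LRU:", compare())        # (11, 17)
    print("active physics pages:", mem.active_physics())    # [1, 2]
    print("passive physics pages:", mem.passive_physics())  # [3]
```

On the constructed trace the physics-aware handler takes 11 faults against 17 for plain LRU, because LRU repeatedly evicts the two hot physics pages in favour of one-shot log pages, while the physics-aware policy sacrifices log pages first. After the run the stale measurement page 3 is classified as passive physics and the two hot pages as active physics, which is the distinction the abstract describes the handler making between main memory and the backing store.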
Physics-Driven Page Fault Handling for Customized Deception against CPS Malware