Composite Intrusion Detection in Process Control Networks

An intrusion detection ensemble, i.e. a set of diverse intrusion detection algorithms employed as a group, has been shown to outperform each one those diverse algorithms employed individually. Moving along this line, we have devised an intrusion detection ensemble that inspects network packets that flow across the process control network of a digitally controlled physical system such as a power plant. Such process control specific intrusion detection ensemble is comprised of a statistical anomaly intrusion detection algorithm called the Estimation-Inspection (EI) algorithm, a physical process aware specification-based approach, a theory of deception for intrusion detection that we call mirage theory, and an alert fusion technique in the form of a Bayesian theory of confirmation. In this research we leverage evolutions of the content of specific locations in the random access memory (RAM) of control systems into means of characterizing the normalcy or abnormality of network traffic. The EI algorithm uses estimation methods from applied statistics and probability theory to estimate normal evolutions of RAM content. The physical process aware specification-based approach defines normal evolutions of RAM content via specifications developed manually through expert knowledge. Mirage theory consistently introduces deceptive evolutions of RAM content, and hence employs communicating finite state machines to detect any deviations caused by malicious network packets. The alert fusion technique also leverages evolutions of RAM content to estimate the degrees to which network traffic normalcy and abnormality hypotheses are confirmed on evidence. In this dissertation we provide a detailed discussion of these intrusion detection algorithms along with a detailed discussion of the alert fusion technique. We also discuss an empirical testing of the proposed intrusion detection ensemble in a small testbed comprised of Linux PC-based control systems that resemble the process