A Game-Theoretic Intrusion Response and Recovery Engine

Activity Leads: 
Industry Collaborators: 

Schweitzer Engineering Laboratories, Inc.

Research Summary: 

The severity and number of intrusions on computer networks, including networks in electric grids and other critical infrastructures, are rapidly increasing. Preserving the availability and integrity of networked computing systems in the face of those fast-spreading intrusions requires advances not only in detection algorithms, but also in intrusion tolerance and automated response techniques. In this project, we developed an intrusion-tolerant system design that can adaptively react against malicious attacks in real time, given knowledge about the network's topology (determined offline) and alerts and measurements from system-level sensors (gathered online).

The objectives were: to develop reactive responses against adversarial attacks that use knowledge about the power grid's current security state and its security requirements; to build a Response and Recovery Engine (RRE) as a distributed system that actively monitors systems and devises reactive and proactive responses; to use theoretical methods to find optimal response deployment; to adapt RRE to handle the scale of a large Advanced Metering Infrastructure (AMI); to model the smart grid as a cyber-physical system in order to study the cyber-physical interactions in detection and response; to implement a response and recovery system capable of effectively interfacing with a human operator; and to verify the safety of certain responses with respect to system invariants.

In pursuit of those goals, we used the cyber-physical topology language (CPTL) to describe the system; RRE agents use CPTL when computing optimal responses and fusing sensory data. We developed monitoring fusion algorithms that can detect high-level attack steps using diverse data sources. We adapted several languages to express the responses in our response taxonomy; RRE agents use our response language to map high-level actions into low-level actions. We also designed several cost-sensitive response selection algorithms based on distributed control theory, game theory, and graph theory.

Research Demo:

Enabling Response and Recovery in Watchdog (Software Defined Networking): Presented by Ahmed Fawaz, University of Illinois, at the TCIPG Industry Workshop in November 2013.

More Information: