Biblio

The technology advance and convergence of cyber physical systems, smart sensors, short-range wireless communications, cloud computing, and smartphone apps have driven the proliferation of Internet of things (IoT) devices in smart homes and smart industry. In light of the high heterogeneity of IoT system, the prevalence of system vulnerabilities in IoT devices and applications, and the broad attack surface across the entire IoT protocol stack, a fundamental and urgent research problem of IoT security is how to effectively collect, analyze, extract, model, and visualize the massive network traffic of IoT devices for understanding what is happening to IoT devices. Towards this end, this paper develops and demonstrates an end-to-end system with three key components, i.e., the IoT network traffic monitoring system via programmable home routers, the backend IoT traffic behavior analysis system in the cloud, and the frontend IoT visualization system via smartphone apps, for monitoring, analyzing and virtualizing network traffic behavior of heterogeneous IoT devices in smart homes. The main contributions of this demonstration paper is to present a novel system with an end-to-end process of collecting, analyzing and visualizing IoT network traffic in smart homes.

DDoS attacks are usually accompanied by IP spoofing, but the availability of existing DDoS defense systems for high-speed networks decreases when facing DDoS attacks with IP spoofing. Although IP traceback technologies are proposed to focus on IP spoofing in DDoS attacks, there are problems in practical application such as the need to change existing protocols and extensive infrastructure support. To defend against DDoS attacks under IP spoofing in high-speed networks, we propose a novel DDoS defense system, IM-Shield. IM-Shield uses the address pair consisting of the upper router interface MAC address and the destination IP address for DDoS attack detection. IM-Shield implements fine-grained defense against DDoS attacks under IP spoofing by filtering the address pairs of attack traffic without requiring protocol and infrastructure extensions to be applied on the Internet. Detection experiments using the public dataset show that in a 10Gbps high-speed network, the detection precision of IM-Shield for DDoS attacks under IP spoofing is higher than 99.9%; and defense experiments simulating real-time processing in a 10Gbps high-speed network show that IM-Shield can effectively defend against DDoS attacks under IP spoofing.

Volumetric Distributed Denial of Service attacks forcefully disrupt the availability of online services by congesting network links with arbitrary high-volume traffic. This brute force approach has collateral impact on the upstream network infrastructure, making early attack traffic removal a key objective. To reduce infrastructure load and maintain service availability, we introduce ReCEIF, a topology-independent mitigation strategy for early, rule-based ingress filtering leveraging deep reinforcement learning. ReCEIF utilizes hierarchical heavy hitters to monitor traffic distribution and detect subnets that are sending high-volume traffic. Deep reinforcement learning subsequently serves to refine hierarchical heavy hitters into effective filter rules that can be propagated upstream to discard traffic originating from attacking systems. Evaluating all filter rules requires only a single clock cycle when utilizing fast ternary content-addressable memory, which is commonly available in software defined networks. To outline the effectiveness of our approach, we conduct a comparative evaluation to reinforcement learning-based router throttling.

Global traffic data are proliferating, including in Indonesia. The number of internet users in Indonesia reached 205 million in January 2022. This data means that 73.7% of Indonesia’s population has used the internet. The median internet speed for mobile phones in Indonesia is 15.82 Mbps, while the median internet connection speed for Wi-Fi in Indonesia is 20.13 Mbps. As predicted by many, real-time traffic such as multimedia streaming dominates more than 79% of traffic on the internet network. This condition will be a severe challenge for the internet network, which is required to improve the Quality of Experience (QoE) for user mobility, such as reducing delay, data loss, and network costs. However, IP-based networks are no longer efficient at managing traffic. Named Data Network (NDN) is a promising technology for building an agile communication model that reduces delays through a distributed and adaptive name-based data delivery approach. NDN replaces the ‘where’ paradigm with the concept of ‘what’. User requests are no longer directed to a specific IP address but to specific content. This paradigm causes responses to content requests to be served by a specific server and can also be served by the closest device to the requested data. NDN router has CS to cache the data, significantly reducing delays and improving the internet network’s quality of Service (QoS). Motivated by this, in 2019, we began intensive research to achieve a national flagship product, an NDN router with different functions from ordinary IP routers. NDN routers have cache, forwarding, and routing functions that affect data security on name-based networks. Designing scalable NDN routers is a new challenge as NDN requires fast hierarchical name-based lookups, perpackage data field state updates, and large-scale forward tables. We have a research team that has conducted NDN research through simulation, emulation, and testbed approaches using virtual machines to get the best NDN router design before building a prototype. Research results from 2019 show that the performance of NDN-based networks is better than existing IP-based networks. The tests were carried out based on various scenarios on the Indonesian network topology using NDNsimulator, MATLAB, Mininet-NDN, and testbed using virtual machines. Various network performance parameters, such as delay, throughput, packet loss, resource utilization, header overhead, packet transmission, round trip time, and cache hit ratio, showed the best results compared to IP-based networks. In addition, NDN Testbed based on open source is free, and the flexibility of creating topology has also been successfully carried out. This testbed includes all the functions needed to run an NDN network. The resource capacity on the server used for this testbed is sufficient to run a reasonably complex topology. However, bugs are still found on the testbed, and some features still need improvement. The following exploration of the NDN testbed will run with more new strategy algorithms and add Artificial Intelligence (AI) to the NDN function. Using AI in cache and forwarding strategies can make the system more intelligent and precise in making decisions according to network conditions. It will be a step toward developing NDN router products by the Bandung Institute of Technology (ITB) Indonesia.

The phenomenon known as "Internet ossification" describes the process through which certain components of the Internet’s older design have become immovable at the present time. This presents considerable challenges to the adoption of IPv6 and makes it hard to implement IP multicast services. For new applications such as data centers, cloud computing and virtualized networks, improved network availability, improved internal and external domain routing, and seamless user connectivity throughout the network are some of the advantages of Internet growth. To meet these needs, we've developed Software Defined Networking for the Future Internet (SDN). When compared to current networks, this new paradigm emphasizes control plane separation from network-forwarding components. To put it another way, this decoupling enables the installation of control plane software (such as Open Flow controller) on computer platforms that are substantially more powerful than traditional network equipment (such as switches/routers). This research describes Mininet’s routing techniques for a virtualized software-defined network. There are two obstacles to overcome when attempting to integrate SDN in an LTE/WiFi network. The first problem is that external network load monitoring tools must be used to measure QoS settings. Because of the increased demand for real-time load balancing methods, service providers cannot adopt QoS-based routing. In order to overcome these issues, this research suggests a router configuration method. Experiments have proved that the network coefficient matrix routing arrangement works, therefore it may provide an answer to the above-mentioned concerns. The Java-based SDN controller outperforms traditional routing systems by nine times on average highest sign to sound ratio. The study’s final finding suggests that the field’s future can be forecast. We must have a thorough understanding of this emerging paradigm to solve numerous difficulties, such as creating the Future Internet and dealing with its obliteration problem. In order to address these issues, we will first examine current technologies and a wide range of current and future SDN projects before delving into the most important issues in this field in depth.

Smart Security Solutions are in high demand with the ever-increasing vulnerabilities within the IT domain. Adjusting to a Work-From-Home (WFH) culture has become mandatory by maintaining required core security principles. Therefore, implementing and maintaining a secure Smart Home System has become even more challenging. ARGUS provides an overall network security coverage for both incoming and outgoing traffic, a firewall and an adaptive bandwidth management system and a sophisticated CCTV surveillance capability. ARGUS is such a system that is implemented into an existing router incorporating cloud and Machine Learning (ML) technology to ensure seamless connectivity across multiple devices, including IoT devices at a low migration cost for the customer. The aggregation of the above features makes ARGUS an ideal solution for existing Smart Home System service providers and users where hardware and infrastructure is also allocated. ARGUS was tested on a small-scale smart home environment with a Raspberry Pi 4 Model B controller. Its intrusion detection system identified an intrusion with 96% accuracy while the physical surveillance system predicts the user with 81% accuracy.

The Network-on-Chip (NoC) is the communication heart in Multiprocessors System-on-Chip (MPSoC). It offers an efficient and scalable interconnection platform, which makes it a focal point of potential security threats. Due to outsourcing design, the NoC can be infected with a malicious circuit, known as Hardware Trojan (HT), to leak sensitive information or degrade the system’s performance and function. An HT can form a security threat by consciously dropping packets from the NoC, structuring a Black Hole Router (BHR) attack. This paper presents an end-to-end secure interconnection network against the BHR attack. The proposed scheme is energy-efficient to detect the BHR in runtime with 1% and 2% average throughput and energy consumption overheads, respectively.

The security of manycore systems has become increasingly critical. In system-on-chips (SoCs), Hardware Trojans (HTs) manipulate the functionalities of the routing components to saturate the on-chip network, degrade performance, and result in the leakage of sensitive data. Existing HT detection techniques, including runtime monitoring and state-of-the-art learning-based methods, are unable to timely and accurately identify the implanted HTs, due to the increasingly dynamic and complex nature of on-chip communication behaviors. We propose AGAPE, a novel Generative Adversarial Network (GAN)-based anomaly detection and mitigation method against HTs for secured on-chip communication. AGAPE learns the distribution of the multivariate time series of a number of NoC attributes captured by on-chip sensors under both HT-free and HT-infected working conditions. The proposed GAN can learn the potential latent interactions among different runtime attributes concurrently, accurately distinguish abnormal attacked situations from normal SoC behaviors, and identify the type and location of the implanted HTs. Using the detection results, we apply the most suitable protection techniques to each type of detected HTs instead of simply isolating the entire HT-infected router, with the aim to mitigate security threats as well as reducing performance loss. Simulation results show that AGAPE enhances the HT detection accuracy by 19%, reduces network latency and power consumption by 39% and 30%, respectively, as compared to state-of-the-art security designs.

Soft real-time applications, including multimedia, gaming, and smart appliances, rely on specific architectural characteristics to deliver output in a time-constrained fashion. Any violation of application deadlines can lower the Quality-of-Service (QoS). The data sets associated with these applications are distributed over cores that communicate via Network-on-Chip (NoC) in multi-core systems. Accordingly, the response time of such applications depends on the worst-case latency of request/reply packets. A malicious implant such as Hardware Trojan (HT) that initiates a delay-of-service attack can tamper with the system performance. We model an HT that mounts a time-delay attack in the system by violating the path selection strategy used by the adaptive NoC router. Our analysis shows that once activated, the proposed HT increases the packet latency by 17% and degrades the system performance (IPC) by 18% over the Baseline. Furthermore, we propose an HT detection framework that uses packet traffic analysis and path monitoring to localise the HT. Experiment results show that the proposed detection framework exhibits 4.8% less power consumption and 6.4% less area than the existing technique.

Event detection and classification are crucial to power system stability. The Wide Area Measurement System (WAMS) technology helps in enhancing wide area situational awareness by providing useful synchronized information to the grid control center in order to accurately identify various power system events. This paper demonstrates the viability of using EWAMS (Egyptian Wide Area Measurement System) data as one of the evolving technologies of smart grid to identify extreme events within the Egyptian power grid. The proposed scheme is based on online synchronized measurements of wide-area monitoring devices known as Frequency Disturbance Recorders (FDRs) deployed at selected substations within the grid. The FDR measures the voltage, voltage angle, and frequency at the substation and streams the processed results to the Helwan University Host Server (HUHS). Each FDR is associated with a timestamp reference to the Global Positioning System (GPS) base. An EWAMS-based frequency disturbance detection algorithm based on the rate of frequency deviation is developed to identify varies types of events such as generator trip and load shedding. Based on proper thresholding on the frequency and rate of change of frequency of the Egyptian grid, different types of events have been captured in many locations during the supervision and monitoring the operation of the grid. EWAMS historical data is used to analyze a wide range of data pre-event, during and post-event for future enhancement of situational awareness as well as decision making.

While digitization of distribution grids through information and communications technology brings numerous benefits, it also increases the grid's vulnerability to serious cyber attacks. Unlike conventional systems, attacks on many industrial control systems such as power grids often occur in multiple stages, with the attacker taking several steps at once to achieve its goal. Detection mechanisms with situational awareness are needed to detect orchestrated attack steps as part of a coherent attack campaign. To provide a foundation for detection and prevention of such attacks, this paper addresses the detection of multi-stage cyber attacks with the aid of a graph-based cyber intelligence database and alert correlation approach. Specifically, we propose an approach to detect multi-stage attacks by lever-aging heterogeneous data to form a knowledge base and employ a model-based correlation approach on the generated alerts to identify multi-stage cyber attack sequences taking place in the network. We investigate the detection quality of the proposed approach by using a case study of a multi-stage cyber attack campaign in a future-orientated power grid pilot.

Micro grid is a small-scale power supply network designed to provide electricity to small community with integrated renewable energy sources. A micro grid can be integrated to the utility grid. Due to lack of computerized analysis, mechanical switches causing slow response time, poor visibility and situational awareness blackouts are caused due to cascading of faults. This paper presents a brief survey on communication technologies used in smart grid and its extension to micro grid. By integration of communication network, device control, information collection and remote management an intelligent power management system can be achieved

An accurate state estimation (SE) considering increased uncertainty by the high penetration of renewable energy systems (RESs) is more and more important to enhance situational awareness, and the optimal and resilient operation of the renewable-rich power grids. However, it is anticipated that adversaries who plan to manipulate the target power grid will generate attacks that inject inaccurate data to the SE using the vulnerabilities of the devices and networks. Among potential attack types, false data injection attack (FDIA) is gaining popularity since this can bypass bad data detection (BDD) methods implemented in the SE systems. Although numerous FDIA detection methods have been recently proposed, the uncertainty of system configuration that arises by the continuously increasing penetration of RESs has been been given less consideration in the FDIA algorithms. To address this issue, this paper proposes a new FDIA detection scheme that is applicable to renewable energy-rich power grids. A deep learning framework is developed in particular by synergistically constructing a Bidirectional Long Short-Term Memory (Bi-LSTM) with modern smart grid characteristics. The developed framework is evaluated on the IEEE 14-bus system integrating several RESs by using several attack scenarios. A comparison of the numerical results shows that the proposed FDIA detection mechanism outperforms the existing deep learning-based approaches in a renewable energy-rich grid environment.

Smart city management is going through a remarkable transition, in terms of quality and diversity of services provided to the end-users. The stakeholders that deliver pervasive applications are now able to address fundamental challenges in the big data value chain, from data acquisition, data analysis and processing, data storage and curation, and data visualisation in real scenarios. Industry 4.0 is pushing this trend forward, demanding for servitization of products and data, also for the smart cities sector where humans, sensors and devices are operating in strict collaboration. The data produced by the ubiquitous devices must be processed quickly to allow the implementation of reactive services such as situational awareness, video surveillance and geo-localization, while always ensuring the safety and privacy of involved citizens. This paper proposes a modular architecture to (i) leverage innovative technologies for data acquisition, management and distribution (such as Apache Kafka and Apache NiFi), (ii) develop a multi-layer engineering solution for revealing valuable and hidden societal knowledge in smart cities environment, and (iii) tackle the main issues in tasks involving complex data flows and provide general guidelines to solve them. We derived some guidelines from an experimental setting performed together with leading industrial technical departments to accomplish an efficient system for monitoring and servitization of smart city assets, with a scalable platform that confirms its usefulness in numerous smart city use cases with different needs.

Similar to any spoof detection systems, power grid monitoring systems and devices are subject to various cyberattacks by determined and well-funded adversaries. Many well-publicized real-world cyberattacks on power grid systems have been publicly reported. Phasor Measurement Units (PMUs) networks with Phasor Data Concentrators (PDCs) are the main building blocks of the overall wide area monitoring and situational awareness systems in the power grid. The data between PMUs and PDC(s) are sent through the legacy networks, which are subject to many attack scenarios under with no, or inadequate, countermeasures in protocols, such as IEEE 37.118-2. In this paper, we consider a stealthier data spoofing attack against PMU networks, called a mirroring attack, where an adversary basically injects a copy of a set of packets in reverse order immediately following their original positions, wiping out the correct values. To the best of our knowledge, for the first time in the literature, we consider a more challenging attack both in terms of the strategy and the lower percentage of spoofed attacks. As part of our countermeasure detection scheme, we make use of novel framing approach to make application of a 2D Convolutional Neural Network (CNN)-based approach which avoids the computational overhead of the classical sample-based classification algorithms. Our experimental evaluation results show promising results in terms of both high accuracy and true positive rates even under the aforementioned stealthy adversarial attack scenarios.

The integration of distributed energy resources (DERs) and expansion of complex network in the distribution grid requires an advanced two-level state estimator to monitor the grid health at micro-level. The distribution state estimator will improve the situational awareness and resiliency of distributed power system. This paper implements a synchrophasors-based master state awareness (MSA) estimator to enhance the cybersecurity in distribution grid by providing a real-time estimation of system operating states to control center operators. In this paper, the implemented MSA estimator utilizes only phasor measurements, bus magnitudes and angles, from phasor measurement units (PMUs), deployed in local substations, to estimate the system states and also detects data integrity attacks, such as load tripping attack that disconnects the load. To validate the proof of concept, we implement this methodology in cyber-physical testbed environment at the Idaho National Laboratory (INL) Electric Grid Security Testbed. Further, to address the "valley of death" and support technology commercialization, field demonstration is also performed at the Critical Infrastructure Test Range Complex (CITRC) at the INL. Our experimental results reveal a promising performance in detecting load tripping attack and providing an accurate situational awareness through an alert visualization dashboard in real-time.

Smart grids integrate computing and communication infrastructure with conventional power grids to improve situational awareness, control, and safety. Several technologies such as automatic fault detection, automated reconfiguration, and outage management require close network monitoring. Therefore, utilities utilize sensing equipment such as PMUs (phasor measurement units), smart meters, and bellwether meters to obtain grid measurements. However, the expansion in sensing equipment results in an increased strain on existing communication infrastructure. Prior works overcome this problem by exploiting the sparsity of power consumption data in the Haar, Hankel, and Toeplitz transformation bases to achieve sub-Nyquist compression. However, data-driven dictionaries enable superior compression ratios and reconstruction accuracy by learning the sparsifying basis. Therefore, this work proposes using dictionary learning to learn the sparsifying basis of smart meter data. The smart meter data sent to the data centers are compressed using a random projection matrix prior to transmission. These measurements are aggregated to obtain the compressed measurements at the primary nodes. Compressive sensing-based estimators are then utilized to estimate the system states. This approach was validated on the IEEE 33-node distribution system and showed superior reconstruction accuracy over conventional transformation bases and over-complete dictionaries. Voltage magnitude and angle estimation error less than 0.3% mean absolute percentage error and 0.04 degree mean absolute error, respectively, were achieved at compression ratios as high as eight.

In this article, we propose a generic cyber-physical framework, developed in our laboratory, for smart grid control and monitoring in real-time. Our framework is composed of four key elements: (1) system layer which embeds a physical or emulated power system network, (2) data analysis layer to execute real-time data-driven grid analysis algorithms, (3) backend layer with a generic data storage framework which supports multiple databases with functionally different architectures, and (4) visualization layer where multiple customized or commercially available user interfaces can be deployed concurrently for grid control and monitoring. These four layers are interlinked via bidirectional communication channels. Such a flexible and scalable framework provides a cohesive environment to enhance smart grid situational awareness. We demonstrate the utility of our proposed architecture with several case studies where we estimate a modified IEEE-33 bus distribution network topology entirely from synchrophasor measurements, without any prior knowledge of the grid network, and render the same on visualization platform. Three demonstrations are included with single and multiple system operators having complete and partial measurements.

Intrusion detection systems (IDSs) are widely deployed in the industrial control systems to protect network security. IDSs typically generate a huge number of alerts, which are time-consuming for system operators to process. Most of the alerts are individually insignificant false alarms. However, it is not the best solution to discard these alerts, as they can still provide useful information about network situation. Based on the study of characteristics of alerts in the industrial control systems, we adopt an enhanced method of exponentially weighted moving average (EWMA) control charts to help operators in processing alerts. We classify all detection signatures as regular and irregular according to their frequencies, set multiple control limits to detect anomalies, and monitor regular signatures for network security situational awareness. Extensive experiments have been performed using real-world alert data. Simulation results demonstrate that the proposed enhanced EWMA method can greatly reduce the volume of alerts to be processed while reserving significant abnormal information.

Automatic Identification System (AIS) plays a leading role in maritime navigation, traffic control, local and global maritime situational awareness. Today, the reliable and secure AIS operation is threatened by probable cyber attacks such as imitation of ghost vessels, false distress or security messages, or fake virtual aids-to-navigation. We propose a method for ensuring the authentication and integrity of AIS messages based on the use of the Message Authentication Code scheme and digital watermarking (WM) technology to organize an additional tag transmission channel. The method provides full compatibility with the existing AIS functionality.

Accurate and synchronized timing information is required by power system operators for controlling the grid infrastructure (relays, Phasor Measurement Units (PMUs), etc.) and determining asset positions. Satellite-based global positioning system (GPS) is the primary source of timing information. However, GPS disruptions today (both intentional and unintentional) can significantly compromise the reliability and security of our electric grids. A robust alternate source for accurate timing is critical to serve both as a deterrent against malicious attacks and as a redundant system in enhancing the resilience against extreme events that could disrupt the GPS network. To achieve this, we rely on the highly accurate, terrestrial atomic clock-based network for alternative timing and synchronization. In this paper, we discuss an experimental setup for an alternative timing approach. The data obtained from this experimental setup is continuously monitored and analyzed using various time deviation metrics. We also use these metrics to compute deviations of our clock with respect to the National Institute of Standards and Technologys (NIST) GPS data. The results obtained from these metric computations are elaborately discussed. Finally, we discuss the integration of the procedures involved, like real-time data ingestion, metric computation, and result visualization, in a novel microservices-based architecture for situational awareness.

Increasing connectivity and automation in vehicles leads to a greater potential attack surface. Such vulnerabilities within vehicles can also be used for auto-theft, increasing the potential for attackers to disable anti-theft mechanisms implemented by vehicle manufacturers. We utilize patterns derived from Controller Area Network (CAN) bus traffic to verify driver “behavior”, as a basis to prevent vehicle theft. Our proposed model uses semi-supervised learning that continuously profiles a driver, using features extracted from CAN bus traffic. We have selected 15 key features and obtained an accuracy of 99% using a dataset comprising a total of 51 features across 10 different drivers. We use a number of data analysis algorithms, such as J48, Random Forest, JRip and clustering, using 94K records. Our results show that J48 is the best performing algorithm in terms of training and testing (1.95 seconds and 0.44 seconds recorded, respectively). We also analyze the effect of using a sliding window on algorithm performance, altering the size of the window to identify the impact on prediction accuracy.

With the electric power distribution grid facing ever increasing complexity and new threats from cyber-attacks, situational awareness for system operators is quickly becoming indispensable. Identifying de-energized lines on the distribution system during a SCADA communication failure is a prime example where operators need to act quickly to deal with an emergent loss of service. Loss of cellular towers, poor signal strength, and even cyber-attacks can impact SCADA visibility of line devices on the distribution system. Neural Networks (NNs) provide a unique approach to learn the characteristics of normal system behavior, identify when abnormal conditions occur, and flag these conditions for system operators. This study applies a 24-hour load forecast for distribution line devices given the weather forecast and day of the week, then determines the current state of distribution devices based on changes in SCADA analogs from communicating line devices. A neural network-based algorithm is applied to historical events on Alabama Power's distribution system to identify de-energized sections of line when a significant amount of SCADA information is hidden.

The features of socio-cyber-physical systems are presented, which dictate the need to revise traditional management methods and transform the management system in such a way that it takes into account the presence of a person both in the control object and in the control loop. The use of situational control mechanisms is proposed. The features of this approach and its comparison with existing methods of situational awareness are presented. The comparison has demonstrated wider possibilities and scope for managing socio-cyber-physical systems. It is recommended to consider a wider class of types of relations that exist in socio-cyber-physical systems. It is indicated that such consideration can be based on the use of pseudo-physical logics considered in situational control. It is pointed out that it is necessary to design a classifier of situations (primarily in cyberspace), instead of traditional classifiers of threats and intruders.

Control room video surveillance is an important source of information for ensuring public safety. To facilitate the process, a Decision-Support System (DSS) designed for the security task force is vital and necessary to take decisions rapidly using a sea of information. In case of mission critical operation, Situational Awareness (SA) which consists of knowing what is going on around you at any given time plays a crucial role across a variety of industries and should be placed at the center of our DSS. In our approach, SA system will take advantage of the human factor thanks to the reinforcement signal whereas previous work on this field focus on improving knowledge level of DSS at first and then, uses the human factor only for decision-making. In this paper, we propose a situational awareness-centric decision-support system framework for mission-critical operations driven by Quality of Experience (QoE). Our idea is inspired by the reinforcement learning feedback process which updates the environment understanding of our DSS. The feedback is injected by a QoE built on user perception. Our approach will allow our DSS to evolve according to the context with an up-to-date SA.