روشی برای ارزیابی مخاطره امنیتی در سیستم‌های سایبر- فیزیکی با اطلاعات ناقص با استفاده از نظریه بازی بیزی

نوع مقاله : مقاله پژوهشی (کاربردی)

نویسنده

استادیار، گروه مهندسی کامپیوتر، دانشگاه فنی و حرفه‌ای، تهران، ایران.

چکیده

در سال‌های اخیر با توسعه و پیشرفت جنبه‌های مختلفی از دانش، شاهد ورود فناوری‌های جدید در بخش‌های مختلفی از زندگی و صنعت شده‌ایم. در این بین، بخش صنعت بیش‌ترین تأثیر را پذیرفته است به‌طوری که بسیاری از زیرساخت‌های حیاتی مبتنی بر فناوری‌های جدید شده است. از طرفی، افزایش پیچیدگی در این بخش‌ها، مدیریت و حفظ ایمنی را بسیار سخت‌تر از قبل کرده است، به‌طوری که در سال‌های اخیر موضوع امنیت در سیستم‌های صنعتی و به‌خصوص زیرساخت‌های حیاتی و پیچیده به یکی از معضلات اساسی تبدیل شده است. حمله در این سیستم‌ها می‌تواند تأثیرات و پیامدهای فیزیکی ناگواری بر تجهیزات، تولیدات، قطعی سرویس و حتی سلامت افراد داشته باشد. در این مقاله، روشی برای مدل‌سازی و ارزیابی مخاطره امنیتی در سیستم‌های سایبر- فیزیکی ارائه شده است. در این روش، تقابل بین سیستم و مهاجم به‌صورت یک بازی بیزی با اطلاعات ناقص مدل شده است. مؤلفه‌های امنیتی در نظر گرفته شده به دو دسته مؤلفه‌های دفاعی و مؤلفه‌های هجومی تقسیم‌بندی شده‌اند و رفتار مهاجم و سیستم با استفاده از مدل ارائه‌شده پیش‌بینی شده است. ورودی‌های این مدل، مؤلفه‌های کنترلی، مدل فرایند، مؤلفه‌های سیستمی و هجومی هستند و خروجی آن مقادیر کمّی برای سنجه‌ مخاطره امنیتی هستند.

کلیدواژه‌ها

موضوعات


عنوان مقاله [English]

A Method for Assessing the Security Risk in Cyber-Physical Systems with Incomplete Information Using Bayesian Game Theory

نویسنده [English]

  • Hamed Sepehrzadeh
Assistant Professor, Department of Computer Engineering, Technical and Vocational University (TVU), Tehran, Iran.
چکیده [English]

In recent years, with the development and advancement of various aspects of information, we have witnessed the introduction of new technologies in various sectors of life and industry. The industrial sector has been most impacted with many critical infrastructures based on new technologies. On the other hand, the increasing complexity of these sectors has made the task of managing and maintaining safety much more difficult than before, so that in recent years the issue of security in industrial systems, particularly in critical and complex infrastructure, has become one of the major challenges. An attack on these systems can have adverse physical effects and consequences on equipment, products, service outages, and even human health. In this paper, a method for modeling and assessing the security risk in cyber-physical systems is presented. In this method, the interaction between the system and the attacker was modeled as a Bayesian game with incomplete information. The considered security parameters were divided into two categories of attack and defensive parameters and the attacker and the system behavior predicted using the proposed model. The inputs of this model were control components, process model, system and attack parameters, and its outputs were quantitative values for security risk metric.

کلیدواژه‌ها [English]

  • Cyber
  • Physical Systems (CPSs) Security risk Game theory Attacker Attack detection
[1] Hu, F., Lu, Y., Vasilakos, A. V., Hao, Q., Ma, R., Patil, Y., Zhang, T., Lu, J., Li, X., & Xiong, N. N. (2016). Robust Cyber–Physical Systems: Concept, models, and implementation. Future Generation Computer Systems, 56(1), 449-475. https://doi .org/10.1016/j.future.2015.06.006
[2] Krotofil, M., & Larsen, J. (2014). Are You Threatening My Hazards? In Advances in Information and Computer Security: 9th International Workshop on Security, IWSEC 2014, Hirosaki, Japan, August 27-29, 2014. Proceedings. Springer, Cham. https://doi.org/10.1007/978-3-319-09843-2_2
[3] Kopetz, H., & Sytems, R-T. (2011). Real-Time Systems: Design Principles for Distributed Embedded Applications (2 ed.). Springer New York. https://doi.org/10.1007/978-1-4419-8237-7
[4] Li, H., Lai, L., & Poor, H. V. (2012). Multicast Routing for Decentralized Control of Cyber Physical Systems with an Application in Smart Grid. IEEE Journal on Selected Areas in Communications, 30(6), 1097-1107. https://doi.org/10.1109/JSA C.2012.120708
[5] Jagtap, S. S., VS, S. S., & Subramaniyaswamy, V. (2021). A hypergraph based Kohonen map for detecting intrusions over cyber–physical systems traffic. Future Generation Computer Systems, 119, 84-109. https://doi.org/10.1016/j.future.2021.02.001
[6] Orojloo, H., & Abdollahi Azgomi, M. (2019). Modelling and evaluation of the security of cyber-physical systems using stochastic Petri nets. The Institution of Engineering and Technology Cyber-Physical Systems: Theory & Applications, 4(1), 50-57. https://doi.org/ 10.1049/iet-cps.2018.0008
[7] Orojloo, H., & Abdollahi Azgomi, M. (2017). A method for evaluating the consequence propagation of security attacks in cyber–physical systems. Future Generation Computer Systems, 67, 57-71. https://doi.org/10.1016/j.future.2016.07.016
[8] Cui, Y., Quddus, N., & Mashuga, C. V. (2020). Bayesian network and game theory risk assessment model for third-party damage to oil and gas pipelines. Process Safety and Environmental Protection, 134, 178-188. https://doi.org/10.1016/j.psep.2019. 11.038
[9] Liang, X., & Xiao, Y. (2013). Game Theory for Network Security. IEEE Communications Surveys & Tutorials, 15(1), 472-486. https://doi.org/10.1109/SURV.2012.062612.00056
[10] Abapour, S., Mohammadi-Ivatloo, B., & Tarafdar Hagh, M. (2020). A Bayesian game theoretic based bidding strategy for demand response aggregators in electricity markets. Sustainable Cities and Society, 54, 101787. https://doi.org/10.1016/j.scs.2019.101787
[11] Dahiya, A., & Gupta, B. B. (2021). A reputation score policy and Bayesian game theory based incentivized mechanism for DDoS attacks mitigation and cyber defense. Future Generation Computer Systems, 117, 193-204. https://doi.org/10.10 16/j.future.2020.11.027
[12] Ashok, A., Hahn, A., & Govindarasu, M. (2014). Cyber-physical security of Wide-Area Monitoring, Protection and Control in a smart grid environment. Journal of Advanced Research, 5(4), 481-489. https://doi.org/10.1016/j.jare.2013.12.005
[13] Ma, C. Y. T., Rao, N. S. V., & Yau, D. K. Y. (2011, April 10-15). A game theoretic study of attack and defense in cyber-physical systems. 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Shanghai, China https://doi.org/10.1109/INFCOMW.2011.5928904
[14] Vigo, R., Bruni, A., & Yüksel, E. (2013). Security Games for Cyber-Physical Systems. In Secure IT Systems: 18th Nordic Conference, NordSec 2013, Ilulissat, Greenland, October 18-21, 2013, Proceedings. Springer Berlin Heidelberg. https://doi.org/10.1007/9 78-3-642-41488-6_2
[15] He, F., Zhuang, J., & Rao, N. S. (2012, May 19-23). Game-theoretic analysis of attack and defense in cyber-physical network infrastructures. IIE Annual Conference. Proceedings, Hilton Bonnet Creek, Orlando, Florida United States. http://citeseerx. ist.psu.edu/viewdoc/download?doi=10.1.1.719.2652&rep=rep1&type=pdf
[16] Krotofil, M., Cárdenas, A., Larsen, J., & Gollmann, D. (2014). Vulnerabilities of cyber-physical systems to stale data—Determining the optimal time to launch attacks. International Journal of Critical Infrastructure Protection, 7(4), 213-232. https://doi.org/10.1016/j.ijcip.2014.10.003
[17] Yampolskiy, M., Horváth, P., Koutsoukos, X. D., Xue, Y., & Sztipanovits, J. (2015). A language for describing attacks on cyber-physical systems. International Journal of Critical Infrastructure Protection, 8, 40-52. https://doi.org/10.1016/j.ijcip.2014.09.003
[18] Mitchell, R., & Chen, I. (2016). Modeling and Analysis of Attacks and Counter Defense Mechanisms for Cyber Physical Systems. IEEE Transactions on Reliability, 65(1), 350-358. https://doi.org/10.1109/TR.2015.2406860
[19] Tantawy, A., Abdelwahed, S., Erradi, A., & Shaban, K. (2020). Model-based risk assessment for cyber physical systems security. Computers & Security, 96, 101864. https://doi.org/10 .1016/j.cose.2020.101864
[20] Alguliyev, R., Imamverdiyev, Y., & Sukhostat, L. (2018). Cyber-physical systems and their security issues. Computers in Industry, 100(1), 212-223. https://doi.org/10.10 16/j.compind.2018.04.017
[21] Orojloo, H., & Abdollahi Azgomi, M. (2016). Predicting the behavior of attackers and the consequences of attacks against cyber-physical systems. Security and Communication Networks, 9(18), 6111-6136. https://doi.org/10.1002/sec.1761
[22] Orojloo, H., & Abdollahi Azgomi, M. (2018). A Stochastic Game Model for Evaluating the Impacts of Security Attacks Against Cyber-Physical Systems. Journal of Network and Systems Management, 26(4), 929-965. https://doi.org/10.1007/s10922-018-9449-0
[23] Orojloo, H., & Abdollahi Azgomi, M. (2017). A game-theoretic approach to model and quantify the security of cyber-physical systems. Computers in Industry, 88, 44-57. https://doi.org/10.1016/j.compind.2017.03.007
[24] Tripathi, D., Singh, L. K., Tripathi, A. K., & Chaturvedi, A. (2021). Model based security verification of Cyber-Physical System based on Petrinet: A case study of Nuclear power plant. Annals of Nuclear Energy, 159, 108306. https://doi.org/10.1016/j.anucene.2021.10 8306
[25] Kholidy, H. A. (2021). Autonomous mitigation of cyber risks in the Cyber–Physical Systems. Future Generation Computer Systems, 115(10), 171-187. https://doi.org/ 10.1016/j.future.2020.09.002
[26] Sánchez Rodríguez, M. Á., Bermejo Higuera, J., Bermejo Higuera, J. R., Sicilia Montalvo, J. A., & González Crespo, R. (2021). A systematic approach to analysis for assessing the security level of cyber-physical systems in the electricity sector. Microprocessors and Microsystems, 87(1), 104352. https://doi.org/10.1016/j.micpr o.2021.104352
[27] Ahmed Jamal, A., Mustafa Majid, A-A., Konev, A., Kosachenko, T., & Shelupanov, A. (2021). A review on security analysis of cyber physical systems using Machine learning. Materials Today: Proceedings, -(-), -. https://doi.org/10.1016/j.matpr.202 1.06.320
[28] Dong, L., Xu, H., Wei, X., & Hu, X. (2022). Security correction control of stochastic cyber–physical systems subject to false data injection attacks with heterogeneous effects. International Society of Automation Transactions, 123, 1-13. https://doi.or g/10.1016/j.isatra.2021.05.015
[29] Bernardi, S., Gentile, U., Marrone, S., Merseguer, J., & Nardone, R. (2020). Security modelling and formal verification of survivability properties: Application to cyber-physical systems. Journal of Systems and Software, 171, 110746. https://doi.org/1 0.1016/j.jss.2020.110746
[30] Liu, X., Zhang, J., Zhu, P., Tan, Q., & Yin, W. (2021). Quantitative cyber-physical security analysis methodology for industrial control systems based on incomplete information Bayesian game. Computers & Security, 102, 102138. https://doi.org/1 0.1016/j.cose.2020.102138
[31] Kowalewski, S., Stursberg, O., Fritz, M., Graf, H., Hoffmann, I., Preußig, J., Remelhe, M., Simon, S., & Treseler, H. (1999). A Case Study in Tool-Aided Analysis of Discretely Controlled Continuous Systems: The Two Tanks Problem. In Hybrid Systems V. Springer Berlin Heidelberg. https://doi.org/10.1007/3-540-49163-5_9