Table of Contents
Fetching ...

Differentiation Between Faults and Cyberattacks through Combined Analysis of Cyberspace Logs and Physical Measurements

Mohammad Shamim Ahsan, Haizhou Wang, Venkateswara Reddy Motakatla, Minghui Zhu, Peng Liu

TL;DR

This work tackles the problem of distinguishing undetected faults from cyberattacks in DER systems by integrating physical measurements with cyberspace information. It introduces a virtual physical variable-oriented taint analysis (PVOTA) to automatically construct dependency graphs (USG/LSG) and then prune them with context-aware operations, followed by pattern matching against domain-specific global (GPTN) and local (LPTN) patterns to infer root causes. The approach is validated through four case studies, including false data injection and memory corruption, demonstrating time-efficient analysis and improved differentiation between fault and attack scenarios. The results suggest practical potential for automated, integrated incident analysis in DER environments, reducing manual effort and enhancing resilience.

Abstract

In recent years, cyberattacks - along with physical faults - have become an increasing factor causing system failures, especially in DER (Distributed Energy Resources) systems. In addition, according to the literature, a number of faults have been reported to remain undetected. Consequently, unlike anomaly detection works that only identify abnormalities, differentiating undetected faults and cyberattacks is a challenging task. Although several works have studied this problem, they crucially fall short of achieving an accurate distinction due to the reliance on physical laws or physical measurements. To resolve this issue, the industry typically conducts an integrated analysis with physical measurements and cyberspace information. Nevertheless, this industry approach consumes a significant amount of time due to the manual efforts required in the analysis. In this work, we focus on addressing these crucial gaps by proposing a non-trivial approach of distinguishing undetected faults and cyberattacks in DER systems. Specifically, first, a special kind of dependency graph is constructed using a novel virtual physical variable-oriented taint analysis (PVOTA) algorithm. Then, the graph is simplified using an innovative node pruning technique, which is based on a set of context-dependent operations. Next, a set of patterns capturing domain-specific knowledge is derived to bridge the semantic gaps between the cyber and physical sides. Finally, these patterns are matched to the relevant events that occurred during failure incidents, and possible root causes are concluded based on the pattern matching results. In the end, the efficacy of our proposed automatic integrated analysis is evaluated through four case studies covering failure incidents caused by the FDI attack, undetected faults, and memory corruption attacks.

Differentiation Between Faults and Cyberattacks through Combined Analysis of Cyberspace Logs and Physical Measurements

TL;DR

This work tackles the problem of distinguishing undetected faults from cyberattacks in DER systems by integrating physical measurements with cyberspace information. It introduces a virtual physical variable-oriented taint analysis (PVOTA) to automatically construct dependency graphs (USG/LSG) and then prune them with context-aware operations, followed by pattern matching against domain-specific global (GPTN) and local (LPTN) patterns to infer root causes. The approach is validated through four case studies, including false data injection and memory corruption, demonstrating time-efficient analysis and improved differentiation between fault and attack scenarios. The results suggest practical potential for automated, integrated incident analysis in DER environments, reducing manual effort and enhancing resilience.

Abstract

In recent years, cyberattacks - along with physical faults - have become an increasing factor causing system failures, especially in DER (Distributed Energy Resources) systems. In addition, according to the literature, a number of faults have been reported to remain undetected. Consequently, unlike anomaly detection works that only identify abnormalities, differentiating undetected faults and cyberattacks is a challenging task. Although several works have studied this problem, they crucially fall short of achieving an accurate distinction due to the reliance on physical laws or physical measurements. To resolve this issue, the industry typically conducts an integrated analysis with physical measurements and cyberspace information. Nevertheless, this industry approach consumes a significant amount of time due to the manual efforts required in the analysis. In this work, we focus on addressing these crucial gaps by proposing a non-trivial approach of distinguishing undetected faults and cyberattacks in DER systems. Specifically, first, a special kind of dependency graph is constructed using a novel virtual physical variable-oriented taint analysis (PVOTA) algorithm. Then, the graph is simplified using an innovative node pruning technique, which is based on a set of context-dependent operations. Next, a set of patterns capturing domain-specific knowledge is derived to bridge the semantic gaps between the cyber and physical sides. Finally, these patterns are matched to the relevant events that occurred during failure incidents, and possible root causes are concluded based on the pattern matching results. In the end, the efficacy of our proposed automatic integrated analysis is evaluated through four case studies covering failure incidents caused by the FDI attack, undetected faults, and memory corruption attacks.
Paper Structure (15 sections, 8 figures, 3 tables)

This paper contains 15 sections, 8 figures, 3 tables.

Figures (8)

  • Figure 1: Mapping between cyberspace program variables and physical system variables in a DER system
  • Figure 2: Overview of the proposed approach
  • Figure 3: An example to demonstrate the shortcomings of the traditional taint analysis technique
  • Figure 4: Handling propagation through function during backtracking
  • Figure 5: An Inter-procedural Flow.
  • ...and 3 more figures