
Behavior Rule Specification-based Intrusion Detection for Safety Critical Medical Cyber Physical Systems
Abstract:
We propose and analyze a behavior-rule specification-based technique for
intrusion detection of medical devices embedded in a medical cyber physical system
(MCPS) in which the patient's safety is of the utmost importance. We propose a
methodology to transform behavior rules to a state machine, so that a device that is being
monitored for its behavior can easily be checked against the transformed state machine
for deviation from its behavior specification. Using vital sign monitor medical devices as
an example, we demonstrate that our intrusion detection technique can effectively trade
false positives off for a high detection probability to cope with more sophisticated and
hidden attackers to support ultra safe and secure MCPS applications. Moreover, through a
comparative analysis, we demonstrate that our behavior-rule specification based IDS
technique outperforms two existing anomaly-based techniques for detecting abnormal
patient behaviors in pervasive healthcare applications.
Algorithm:
IDS techniques:
We demonstrate that our behavior-rule specification based IDS
technique outperforms two existing anomaly-based techniques for detecting
abnormal patient behaviors in pervasive healthcare applications.
Anomaly-based techniques using statistical analysis: one studies user
sessions (to detect live intruders), and the other studies the runtime
behavior of programs (to detect malicious code). We propose semi-supervised
anomaly-based IDS targeted for assisted living environments.
GLOBALSOFT TECHNOLOGIES
IEEE PROJECTS & SOFTWARE DEVELOPMENTS
IEEE FINAL YEAR PROJECTS|IEEE ENGINEERING PROJECTS|IEEE STUDENTS
PROJECTS|IEEE
BULK PROJECTS|BE/BTECH/ME/MTECH/MS/MCA PROJECTS|CSE/IT/ECE/EEE
PROJECTS
CELL: +91 9!9" #9$"% +91 99&&' #"(% +91 9!9" "(9$% +91 9($1!
!$!$1
V)*)+: ,,,-.)/012304546738+*-649 M0)1 +6:)333.)/01*3:546738+*;9:0)1-86:
Their design is behavior-based and audits series of events which they call
episodes. The authors' events are 3-tuples comprising sensor ID, start time
and duration.
Key points:
1. live intruders
2. runtime behavior
3. living environments
Existing System:
Existing work only considered specification-based state machines for intrusion
detection of communication protocol misbehaving patterns. Before that, trust-based
techniques were not used, to avoid delay due to trust aggregation and propagation and to
react promptly to malicious behaviors in safety critical MCPSs.
Proposed System:
We propose a methodology to transform behavior rules to a state machine, so that
a device that is being monitored for its behavior can easily be checked against the
transformed state machine for deviation from its behavior specification. We also
investigate the impact of attacker behaviors on the effectiveness of MCPS intrusion
detection. We demonstrate that our specification based IDS technique can effectively
trade higher false positives off for lower false negatives to cope with more sophisticated
and hidden attackers. We show results for a range of configurations to illustrate this trade.
Because the key motivation in MCPS is safety, our solution is deployed in a
configuration yielding a high detection rate without compromising the false positive
probability. Our approach is monitoring-based, relying on the use of peer devices to
monitor and measure the compliance degree of a trustee device connected to the
monitoring node by the CPS network. The rules comparing monitor and trustee
physiology (blood pressure, oxygen saturation, pulse, respiration and temperature)
exceed the protection possible by considering devices in isolation.
System architecture

Modules:
The system is proposed to have the following modules along with functional
requirements.
1. Threat Model
2. Attacker Archetypes
3. Behavior Rules
4. Intrusion detection system
1 Threat Model
We focus on defeating inside attackers that violate the integrity of the MCPS with the
objective to disable the MCPS functionality. Our design is also effective against attacks such as
subtle manipulations that change medical doses slightly to cause long term harm to patients or
medical or billing record exfiltrations which violate privacy. There are two distinct stages in an
attack: before a node is compromised and after a node is compromised. Before a node is
compromised, the adversary focuses on the tactical goal of achieving a foothold on the target
system.
2 Attacker Archetypes
We differentiate two attacker archetypes: reckless, random and opportunistic. A reckless
attacker performs attacks whenever it has a chance to impair the MCPS functionality as soon as
possible. A random attacker, on the other hand, performs attacks only randomly to avoid
detection. It is thus insidious and hidden with the objective to cripple the MCPS functionality.
We model the attacker behavior by a random attack probability pa. When pa = 1 the attacker is a
reckless adversary. Random attacks are typically implemented with on-off attacks in real-world
scenarios, so pa is not a random variable drawn from uniform distribution U(0, 1) but rather a
probability that a malicious node is performing attacks at any time with this on-off attack
behavior. An opportunistic attacker is the third archetype. An opportunistic attacker exploits
ambient noise modeled by perr (probability of mis-monitoring) to perform attacks.
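A simplified model of how pa and perr interact with a detection threshold on the compliance degree, as an added example that is not code or analysis from the paper. It assumes a fixed window of n observations, that mis-monitoring flips the true outcome of one observation with probability perr, and that a node is flagged when its compliance degree falls below a threshold; the function names are hypothetical.

```python
from math import comb

def p_bad_observation(pa, perr):
    """Probability that one observation is recorded as a rule violation.
    Assumption: mis-monitoring flips the true outcome with probability perr.
    A well-behaved node is modelled as pa = 0, a reckless attacker as pa = 1."""
    return pa * (1 - perr) + (1 - pa) * perr

def p_flagged(n, threshold, pa, perr):
    """Exact binomial P(compliance degree over n observations < threshold)."""
    q = p_bad_observation(pa, perr)
    return sum(comb(n, bad) * q**bad * (1 - q)**(n - bad)
               for bad in range(n + 1) if (n - bad) / n < threshold)

def tradeoff(n, perr, pa, thresholds):
    """Rows of (threshold, false negative prob, false positive prob)."""
    return [(ct,
             1 - p_flagged(n, ct, pa, perr),   # attacker not flagged
             p_flagged(n, ct, 0.0, perr))      # good node flagged
            for ct in thresholds]

if __name__ == "__main__":
    # Constructed parameters: 50 observations, 1% mis-monitoring.
    for label, pa in (("reckless", 1.0), ("random", 0.1)):
        for ct, fn, fp in tradeoff(50, 0.01, pa, [0.90, 0.95, 0.98]):
            print(f"{label:8s} pa={pa:.1f} threshold={ct:.2f} "
                  f"FN={fn:.4f} FP={fp:.4f}")
```

With these constructed parameters the reckless attacker is caught at every threshold, while the random attacker is only caught reliably once the threshold is raised, at the cost of more false positives on well-behaved nodes.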
3 Behavior Rules
Behavior rules for a device are specified during the design and testing phase of an MCPS.
Our intrusion detection protocol takes a set of behavior rules for a device as input and detects if a
device's behavior deviates from the expected behavior specified by the set of behavior rules.
Since the intrusion detection activity is performed in the background, it allows behavior rules to
be changed if incomplete or imprecise specifications are discovered during the operational phase
without disrupting the MCPS operation. Our IDS design for the reference MCPS model relies on
the use of lightweight specification-based behavior rules for each sensor or actuator medical
device.
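One way to turn behavior rules into a state machine and measure a trustee's compliance degree, as an added example that is not the paper's own code. The rule set (a maximum allowed difference between monitor and trustee readings for each vital sign), the tolerance values and the sample trace are assumptions constructed for illustration.

```python
from itertools import product

# Assumed behavior rules (not from the paper): the largest difference allowed
# between a trustee's reading and the peer monitor's reading of the same patient.
RULES = {"systolic": 15, "spo2": 3, "pulse": 10, "resp": 4, "temp": 0.5}
NAMES = sorted(RULES)

def build_state_machine(names):
    """One state per combination of rule outcomes; safe only if none is violated."""
    return {flags: not any(flags)
            for flags in product((False, True), repeat=len(names))}

def observe(monitor, trustee):
    """Map one pair of readings to a state: one violation flag per rule."""
    return tuple(abs(monitor[n] - trustee[n]) > RULES[n] for n in NAMES)

def violated_rules(monitor, trustee):
    """Names of the rules that put this observation in an unsafe state."""
    return [n for n, bad in zip(NAMES, observe(monitor, trustee)) if bad]

def compliance_degree(trace, machine):
    """Fraction of observations that land in a safe state."""
    return sum(machine[observe(m, t)] for m, t in trace) / len(trace)

# Constructed sample trace: (monitor reading, trustee reading) per time step.
BASE = {"systolic": 120, "spo2": 97, "pulse": 72, "resp": 16, "temp": 36.8}
TRACE = [
    (BASE, dict(BASE, pulse=75)),                # within tolerance
    (BASE, dict(BASE, spo2=89)),                 # trustee under-reports SpO2
    (BASE, dict(BASE, temp=37.0, resp=17)),      # within tolerance
    (BASE, dict(BASE, systolic=150, pulse=95)),  # two rules violated
]

if __name__ == "__main__":
    machine = build_state_machine(NAMES)
    print(len(machine), "states,", sum(machine.values()), "safe")
    print("compliance degree:", compliance_degree(TRACE, machine))
    print("last step violates:", violated_rules(*TRACE[3]))
```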
4 Intrusion detection system
Intrusion detection system (IDS) design for cyber physical systems (CPSs) has attracted
considerable attention because of the dire consequence of CPS failure. In this paper, we consider
specification rather than signature-based detection to deal with unknown attacker patterns. We
consider specification rather than anomaly based techniques to avoid using resource constrained
sensors or actuators in an MCPS for profiling anomaly patterns (e.g., through learning) and to
avoid high false positives. We consider specification rather than trust based techniques to avoid
delay due to trust aggregation and propagation to promptly react to malicious behaviors in safety
critical MCPSs.
Software Requirements:
Technologies : Asp .Net and C#.Net
Database : MS-SQL Server 2005/2008
IDE : Visual Studio 2008
Hardware Requirements:
Processor : Pentium IV
RAM : 1GB
