Blithe behavior rule based insider threat detection for smart grid
0 likes103 views
The document proposes a behavior rule-based methodology (BLITHE) for detecting insider threats in smart grids, emphasizing the importance of maintaining operational continuity and accuracy. It introduces a grading strategy based on rule-weight and compliance distance to enhance detection effectiveness while minimizing false alarms. The methodology aims to address the complexities of insider threats by leveraging behavior specifications and can be generalized to other cyber-physical systems.
Blithe behavior rule based insider threat detection for smart grid
- 1. #13/ 19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6. Off: 0416-2247353 / 6066663 Mo: +91 9500218218 Website: www.shakastech.com, Email - id: shakastech@gmail.com, info@shakastech.com BLITHE: BEHAVIOR RULE BASED INSIDER THREAT DETECTION FOR SMART GRID ABSTRACT A Behavior ruLe based methodology is proposed for Insider THrEat detection (BLITHE) of data monitor devices in smart grid, where the continuity and accuracy of operations are of vital importance. Based on the DC power flow model and state estimation model, three behavior rules are extracted to depict the behavior norms of each device, such that a device (trustee) that is being monitored on its behavior can be easily checked on the deviation from the behavior specification. Specifically, a rule-weight and compliance-distance based grading strategy is designed, which greatly improves the effectiveness of the traditional grading strategy for evaluation of trustees. The statistical property, i.e., the mathematical expectation of compliance degree of each trustee, is particularly analyzed from both theoretical and practical perspectives, which achieves satisfactory trade-off between detection accuracy and false alarms to detect more sophisticated and hidden attackers. INTRODUCTION Smart grid, as widely considered to be the next generation of the power grid, has attracted considerable attention. As a typical cyber-physical system (CPS), smart grid incorporates information and communications technology (ICT) into the traditional power system and is characterized by sophisticated reliability, efficiency, economy, and sustainability. To ensure that smart grid can operate continuously even when some components fail, power research communities use meters or phasor measurement units (PMUs), placed at important locations of the power system, to monitor system components and report their measurements to the control centre (CC), and the latter can estimate the state variables based on the meter measurements. The estimation utilizes state estimation model, which heavily relies on the accuracy of the reported measurements that CC receives. Recently, smart grid researchers have realized the threat of bad measurements (or information corruption) and developed techniques to address this
- 2. #13/ 19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6. Off: 0416-2247353 / 6066663 Mo: +91 9500218218 Website: www.shakastech.com, Email - id: shakastech@gmail.com, info@shakastech.com challenge. Information corruption threats in smart grid are very complex, as they can come from both outsider and insider. Particularly, due to the openness brought by integrating ICT into the power system, some devices could be compromised and become insider attackers. While great efforts have been made to resist the outsider attacks, much less attention has been paid to the insider ones because of the difficulties stemmed from their concealment and potentiality. Today, even though the insider threat detection for CPS has attracted considerable concern due to the dire consequence of CPS failure, the effective and accurate detection techniques for CPS, especially for smart grid, are still in their infancy with very few studies conducted. PROBLEM STATEMENT Generally, insider threat detection techniques can be classified into three types: signature-based, anomaly-based and specification-based techniques. Signature-based detection technique is exceedingly capable of identifying known attacks; it cannot effectively cope with unknown attacker patterns. The proposed anomaly-based schemes utilize resource constrained sensors and/or actuators for outlining anomaly patterns, which suffers from high computational overhead in detecting insider threats and generally has high rates of false alarms. Specification-based techniques have been proposed only for insider threat detection of misbehaving patterns in communication protocols. Because all electrical devices are connected as a whole system and each state variable should manifest specific compliance to make smart grid to be equilibrious, the topology restriction and data correlation indeed exist in smart grid. Therefore, behavior rule specifications can be taken good advantage of to depict the behavior criteria and norms of all devices in the system. However, due to the complexity of smart grid and the potentiality and concealment of insider threats, to design an efficient and effective behavior rule specification based insider threat detection methodology for smart grid still faces many challenges.
- 3. #13/ 19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6. Off: 0416-2247353 / 6066663 Mo: +91 9500218218 Website: www.shakastech.com, Email - id: shakastech@gmail.com, info@shakastech.com EXISTING SYSTEM False positive probability method There were no numerical data studies regarding the false positive probability pfp and the false negative probability pfn. Even though three of them had miniature numerical data, one or two data points characterizing pfn=pfp, instead of a data set that could be transformed into a receiver operating characteristic (ROC) figure, i.e., a pfn versus pfp curve, are studied merely. One of them proposed an insider threat detection technique which can effectively balance small false positives pfp for a high detection probability 1pfn to deal with more sophisticated and hidden threats to support secure applications in smart grid. Two of them tried to exploit the topology restriction and data correlation of smart grid to detect insider threats. Disadvantages Since it only addressed very high-level requirements in smart grid, it is too coarse- grained to be applied in practical scenarios. Because both of them only consider the very specific scenarios of smart grid, they are not universal and effective solutions. Flocking-based method Flocking-based modeling paradigm is designed to identify insider threats for the transient stability process of smart grid. Observing the characteristics of smart grid from a hierarchical cyber-physical perspective, natural physical couplings amongst power systems are leveraged as telltale signs to identify insider cyber threats. Disadvantages
- 4. #13/ 19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6. Off: 0416-2247353 / 6066663 Mo: +91 9500218218 Website: www.shakastech.com, Email - id: shakastech@gmail.com, info@shakastech.com Threat model is limited to narrow scenarios of the transient stability process, which is urgent to be extended to generalized circumstances covering the stability process of smart grid. State estimation model Liu et al. proposed one adaptive partitioning state estimation (APSE) method to detect bad data injections in smart grid. APSE divides the large system into several subsystems, and the detection procedures are continuously performed in yielded subsystems until the place of the insider threat is located. PROPOSED SYSTEM To propose behavior rule based insider threat detection (BLITHE) methodology for smart grid, which can improve the accuracy of detection with very low false alarms. With comprehensive and accurate behavior rule definitions, proposed methodology can also be easily generalized to other CPSs. Considering the fact that each rule usually has different effect and prominence on evaluation of the compliance degree of trustee, the rule-weight and compliance distance based grading strategy is designed to improve the traditional evaluation strategy. Advantages Trade-off between detection accuracy and false alarms of insider threat detection HARDWARE REQUIREMENTS Processor : Any Processor above 500 MHz. Ram : 128Mb. Hard Disk : 10 Gb. Compact Disk : 650 Mb.
- 5. #13/ 19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6. Off: 0416-2247353 / 6066663 Mo: +91 9500218218 Website: www.shakastech.com, Email - id: shakastech@gmail.com, info@shakastech.com Input device : Standard Keyboard and Mouse. Output device : VGA and High Resolution Monitor. SOFTWARE SPECIFICATION Operating System : Windows Family. Techniques : JDK 1.5 or higher Database : MySQL 5.0