
Showing papers by "Richard R. Brooks published in 2015"


Journal ArticleDOI
TL;DR: This paper explains the vulnerability of entropy based network monitoring systems and presents a proof of concept entropy spoofing attack and shows that by exploiting this vulnerability, the attacker can avoid detection or degrade detection performance to an unacceptable level.

60 citations


Journal ArticleDOI
TL;DR: Two improved network-SPRT methods are presented: using the threshold off-set as a weighting factor for the binary decisions from individual detectors in a weighted majority voting fusion rule, and applying a composite SPRT derived using measurements from all counters.
Abstract: In support of national defense, the Domestic Nuclear Detection Office's (DNDO) Intelligent Radiation Sensor Systems (IRSS) program supported the development of networks of radiation counters for detecting, localizing and identifying low-level, hazardous radiation sources. Industry teams developed the first generation of such networks with tens of counters, and demonstrated several of their capabilities in indoor and outdoor characterization tests. Subsequently, these test measurements have been used in algorithm replays using various sub-networks of counters. Test measurements combined with algorithm outputs are used to extract Key Measurements and Benchmark (KMB) datasets. We present two selective analyses of these datasets: (a) a notional border monitoring scenario that highlights the benefits of a network of counters compared to individual detectors, and (b) new insights into the Sequential Probability Ratio Test (SPRT) detection method, which lead to its adaptations for improved detection. Using KMB datasets from an outdoor test, we construct a notional border monitoring scenario, wherein twelve 2×2 NaI detectors are deployed on the periphery of a 21×21 meter square region. A Cs-137 (175 uCi) source is moved across this region, starting several meters outside and finally moving away. The measurements from individual counters and the network were processed using replays of a particle filter algorithm developed under the IRSS program. The algorithm outputs from KMB datasets clearly illustrate the benefits of combining measurements from all networked counters: the source was detected before it entered the region, during its trajectory inside, and until it moved several meters away. When individual counters are used for detection, the source was detected for much shorter durations, and sometimes was missed in the interior region.
The application of SPRT for detecting radiation sources requires choosing the detection threshold, which in turn requires a source strength estimate, typically specified as a multiplier of the background radiation level. A judicious selection of this source multiplier is essential to achieve optimal detection probability at a specified false alarm rate. Typically, this threshold is chosen from the Receiver Operating Characteristic (ROC) by varying the source multiplier estimate. The ROC is expected to have a monotonically increasing profile between the detection probability and false alarm rate. We derived ROCs for multiple indoor tests using KMB datasets, which revealed an unexpected loop shape: as the multiplier increases, detection probability and false alarm rate both increase until a limit, and then both contract. Consequently, two detection probabilities correspond to the same false alarm rate, and the higher is achieved at a lower multiplier, which is the desired operating point. Using Chebyshev's inequality we analytically confirm this shape. Then, we present two improved network-SPRT methods by (a) using the threshold off-set as a weighting factor for the binary decisions from individual detectors in a weighted majority voting fusion rule, and (b) applying a composite SPRT derived using measurements from all counters.

46 citations


Proceedings ArticleDOI
07 Jun 2015
TL;DR: In this article, the authors discuss security vulnerabilities and some solutions for DC microgrids, which are low voltage electric distribution grids with modular distributed energy sources and controllable loads.
Abstract: Microgrids are low voltage electric distribution grids with modular distributed energy sources and controllable loads. The DC microgrids avoid DC to AC and AC to DC conversion and minimize transmission and distribution losses. Dynamic energy management systems enhance utilization of renewable energy sources and ensure uninterrupted supply of power to critical loads. Like the traditional transmission and distribution grid, AC and DC microgrids are vulnerable to cyber attacks. Further research is required on the cyber security to leverage the promises and potentials of DC microgrids. This paper discusses security vulnerabilities and some solutions for DC microgrids.

38 citations


Proceedings ArticleDOI
07 Apr 2015
TL;DR: A security scheme of deploying lures that look like ECU vulnerabilities to deceive lurking intruders into installing rootkits is proposed and it is shown that the interactions between the attacker and the system can be modeled as a Markov decision process (MDP).
Abstract: Modern embedded vehicle systems are based on network architectures. Vulnerabilities from in-vehicle communications are significant. Privacy and security measures are required for vehicular Electronic Control Units (ECUs). We present a security vulnerability analysis, which shows that the vulnerability mainly lies in the ubiquitous on-board diagnostics II (OBD-II) interface and the memory configuration within ECU. Countermeasures using obfuscation and encryption techniques are introduced to protect ECUs from data sniffing and code tampering. A security scheme of deploying lures that look like ECU vulnerabilities to deceive lurking intruders into installing rootkits is proposed. We show that the interactions between the attacker and the system can be modeled as a Markov decision process (MDP).

28 citations


Proceedings ArticleDOI
Xingsi Zhong, Yu Fu, Lu Yu, Richard R. Brooks, G. Kumar Venayagamoorthy
20 Oct 2015
TL;DR: This study presents a counter-countermeasure that avoids network-based detection approaches by camouflaging malicious traffic as an innocuous protocol and shows that the transformed protocol fools current side-channel attacks.
Abstract: Malware is constantly evolving. Although existing countermeasures have success in malware detection, corresponding counter-countermeasures are always emerging. In this study, a counter-countermeasure that avoids network-based detection approaches by camouflaging malicious traffic as an innocuous protocol is presented. The approach includes two steps: traffic format transformation and side-channel massage (SCM). Format-transforming encryption (FTE) translates protocol syntax to mimic another innocuous protocol while SCM obscures traffic side-channels. The proposed approach is illustrated by transforming Zeus botnet (Zbot) Command and Control (C&C) traffic into smart grid Phasor Measurement Unit (PMU) data. The experimental results show that the transformed traffic is identified by Wireshark as synchrophasor protocol, and the transformed protocol fools current side-channel attacks. Moreover, it is shown that a real smart grid Phasor Data Concentrator (PDC) accepts the false PMU data.

19 citations


Proceedings ArticleDOI
07 Apr 2015
TL;DR: In this study, side-channel attacks using packet sizes and/or inter-packet timing delays to differentiate the stream of packets from any given PMU within an encrypted tunnel are investigated under different experimental settings.
Abstract: The deployment of synchrophasor devices such as Phasor Measurement Units (PMUs) in an electric power grid enhances real-time monitoring, analysis and control of grid operations. PMU information is sensitive, and any missing or incorrect PMU data could lead to grid failure and/or damage. Therefore, it is important to use encrypted communication channels to avoid any cyber attack. However, encrypted communication channels are vulnerable to side-channel attacks. In this study, side-channel attacks using packet sizes and/or inter-packet timing delays differentiate the stream of packets from any given PMU within an encrypted tunnel. This is investigated under different experimental settings. Also, virtual private network vulnerabilities due to side-channel analysis are discussed.

18 citations


Proceedings ArticleDOI
10 Mar 2015
TL;DR: In this article, a side-channel attack using inter-packet delays to isolate the stream of packets of one PMU from an encrypted tunnel is shown; encryption in power system VPNs and vulnerabilities due to side-channel analysis are also discussed.
Abstract: The deployment of Phasor Measurement Units (PMUs) in an electric power grid will enhance real-time monitoring and analysis of grid operations. The PMU collects bus voltage phasors, branch current phasors, and bus frequency measurements and uses a communication network to transmit the measurements to the respective substation(s)/control center(s). PMU information is sensitive, since missing or incorrect PMU data could lead to grid failure and/or damage. It is important to use encrypted communication channels to avoid cyber attacks. In this study, a side-channel attack using inter-packet delays to isolate the stream of packets of one PMU from an encrypted tunnel is shown. Also, encryption in power system VPNs and vulnerabilities due to side-channel analysis are discussed.

17 citations


Proceedings ArticleDOI
07 Apr 2015
TL;DR: A look at side effects of botnet takedowns as insight into botnet countermeasures; botnet counter-countermeasures against two-factor authentication (2FA) on the Android and iOS platforms are discussed, and a theoretical iOS-based botnet against 2FA is described.
Abstract: Botnets evolve quickly to outwit police and security researchers. Since they first appeared in 1993, there have been significant botnet countermeasures. Unfortunately, countermeasures, especially takedown operations, are not particularly effective. They destroy research honeypots and stimulate botmasters to find creative ways to hide. Botnet reactions to countermeasures are more effective than the countermeasures themselves. Also, botnets are no longer confined to PCs. Android and iOS platforms are increasingly attractive targets. This paper focuses on recent countermeasures against botnets and counter-countermeasures of botmasters. We look at side effects of botnet takedowns as insight into botnet countermeasures. Then, botnet counter-countermeasures against two-factor authentication (2FA) are discussed on the Android and iOS platforms. Representative botnet-in-the-mobile (BITM) implementations against 2FA are compared, and a theoretical iOS-based botnet against 2FA is described. Botnet counter-countermeasures against keyloggers are discussed. More attention needs to be paid to botnet issues.

9 citations


Proceedings ArticleDOI
07 Apr 2015
TL;DR: This work introduces a new data leak prevention (DLP) approach that extracts a small number of critical semantic features and requires a small training set, and demonstrates its performance with other state-of-the-art methods.
Abstract: To counter data breaches, we introduce a new data leak prevention (DLP) approach. Unlike regular expression methods, our approach extracts a small number of critical semantic features and requires a small training set. Existing tools concentrate mostly on data format, whereas most defense and industry applications would be better served by monitoring the semantics of information in the enterprise. We demonstrate our approach by comparing its performance with other state-of-the-art methods, such as latent Dirichlet allocation (LDA) and support vector machine (SVM). The experiment results suggest that the proposed approach has superior accuracy in terms of detection rate and false-positive (FP) rate.

6 citations


Proceedings ArticleDOI
01 Oct 2015
TL;DR: This paper presents a localization-based detection method for network detection with radiation counters that works well in relatively simple detector configurations, but may exhibit unpredictable performance in complex settings, mainly due to the increased number of imaginary roots in the closed-form solution.
Abstract: Networks of radiation counters are increasingly being deployed in monitoring applications to provide faster and better detection than individual detectors. Their performance critically depends on the algorithms used to aggregate measurements from individual detectors. Recently, localization-based algorithms have been developed for network detection, where multiple source location estimates are generated based on the measurements from various "dispersed" subnets: i) when a source is present, these source location estimates form a single dominant cluster; ii) otherwise, they are spatially dispersed. For example, the triangulation-based detection method [1] employs a closed-form quadratic expression for source location estimates using a subnet of three detectors. This method works well in relatively simple detector configurations, but may exhibit unpredictable performance in complex settings, mainly due to the increased number of imaginary roots in the closed-form solution.

4 citations