Effect of Intrusion Detection and Response on Reliability of Cyber Physical Systems

Robert Mitchell, Ing-Ray Chen
29 Jan 2013, Vol. 62, Iss. 1, pp. 199-210
Effect of Intrusion Detection and Response on
Reliability of Cyber Physical Systems
Robert Mitchell, Ing-Ray Chen, Member, IEEE
Abstract—In this paper we analyze the effect of intrusion
detection and response on the reliability of a cyber physical
system (CPS) comprised of sensors, actuators, control units,
and physical objects for controlling and protecting a physical
infrastructure. We develop a probability model based on
stochastic Petri nets to describe the behavior of the CPS in
the presence of both malicious nodes exhibiting a range of
attacker behaviors, and an intrusion detection and response
system (IDRS) for detecting and responding to malicious events
at runtime. Our results indicate that adjusting detection and
response strength in response to attacker strength and behavior
detected can significantly improve the reliability of the CPS. We
report numerical data for a CPS subject to persistent, random
and insidious attacks with physical interpretations given.
Index Terms - Intrusion detection, intrusion response, cyber
physical systems, performance analysis.
ACRONYMS
CPS Cyber physical system
IDRS Intrusion detection and response system
IDS Intrusion detection system
RTU Remote terminal unit
MTU Master terminal unit
MTTF Mean time to failure
SPN Stochastic Petri net
NOTATION
$T_{IDS}$  Intrusion detection interval
$X_b$  Compliance degree of a bad node
$X_g$  Compliance degree of a good node
$X_i$  Compliance degree of arbitrary node $i$
$C_T$  System minimum compliance threshold
$c_i$  $i$th compliance degree output
$\hat{x}$  Estimate of $x$
$p_{fn}$  Per-node host IDS false negative probability
$p_{fp}$  Per-node host IDS false positive probability
$P_{fn}$  System IDS false negative probability
$P_{fp}$  System IDS false positive probability
$p_{random}$  Random attack probability by a random attacker
$p_a$  Attack probability by an insidious attacker
$\lambda_c$  Per-node capture rate
$\lambda_{if}$  Impairment rate for an attacker to cause severe functional impairment
Manuscript received Oct. 23, 2011. Associate Editor S. Shieh.
Robert Mitchell and Ing-Ray Chen are with the Department of Computer
Science, Virginia Polytechnic Institute and State University, Falls Church,
VA, 22043.
E-mail: rrmitche@vt.edu; irchen@vt.edu.
I. INTRODUCTION
A cyber physical system (CPS) is typically comprised of
sensors, actuators, control units, and physical objects for
controlling and protecting a physical infrastructure. Because
of the dire consequence of a CPS failure, protecting a CPS
from malicious attacks is of paramount importance. In this
paper, we address the reliability issue of a CPS designed
to sustain malicious attacks over a prolonged mission period
without energy replenishment. A CPS often operates in a rough
environment wherein energy replenishment is not possible,
and nodes may be compromised (or captured) at times. Thus,
an intrusion detection and response system (IDRS) must
detect malicious nodes without unnecessarily wasting energy
to prolong the system lifetime.
Intrusion detection system (IDS) design for CPSs has
attracted considerable attention [1], [7]. Detection techniques
in general can be classified into three types: signature based,
anomaly based, and specification based techniques. In the area
of signature based IDS techniques, Oman and Phillips [22]
study an IDS for CPSs that tests an automated XML profile
to Snort signature transform in an electricity distribution
laboratory. Verba and Milvich [26] study an IDS for CPSs
that takes a multitrust hybrid approach using signature based
detection and traffic analysis. Our work is different from these
studies in that we use specification based detection rather
than signature based detection to deal with unknown attacker
patterns.
In the area of anomaly based IDS techniques, Barbosa
and Pras [2] study an IDS for CPSs that tests state machine
and Markov chain approaches to traffic analysis on a water
distribution system based on a comprehensive vulnerability
assessment. Linda, et al. [18] study an IDS for CPSs that uses
error-back propagation and Levenberg-Marquardt approaches
with window based feature extraction. Gao, et al. [16] study
an IDS for CPSs that uses a three stage back propagation
artificial neural network (ANN) based on Modbus features.
Bellettini and Rrushi [4] study an IDS for CPSs that seeds
the runtime stack with NULL calls, applies shuffle operations,
and performs detection using product machines. Yang, et
al. [28] study an IDS for CPSs that uses SNMP to drive
prediction, residual calculation, and detection modules for an
experimental testbed. Bigham, et al. [5] study an IDS for
CPSs that demonstrates promising control of detection and
false negative rates. Tsang and Kwong [25] study a rich
multitrust IDS for CPSs that uses a novel machine learning
approach. Xie, et al. [27] survey anomaly detection techniques,

and advocate an anomaly based layered approach. Our work
is different from these studies in that we use specification
based rather than anomaly based techniques to avoid using
resource-constrained sensors or actuators in a CPS for profiling
anomaly patterns (e.g., through learning), and to avoid high
false positives (treating good nodes as bad nodes).
In the area of specification-based IDS techniques, Cheung,
et al. [12] study a specification based IDS that uses PVS
to transform protocol, communication pattern, and service
availability specifications into a format compatible with
EMERALD. Carcano, et al. [6] propose a specification based
IDS that extends [15]; it distinguishes faults from attacks,
describes a language to express a CPS specification, and
establishes a critical state distance metric. Zimmer, et al.
[29] study a specification based IDS that instruments a
target application, and uses a scheduler to confirm timing
analysis results. Our work is also specification based. However,
our work is different from these prior studies in that
we automatically map a specification into a state machine
consisting of good and bad states, and simply measure a
node’s deviation from good states at runtime for intrusion
detection. Moreover we apply specification-based techniques
to host-level intrusion detection only. To cope with incomplete,
uncertain information available to nodes in the CPS, and to
mitigate the effect of node collusion, we devise system-level
intrusion detection based on multitrust to yield a low false
alarm probability.
While the literature is abundant in the collection and
analysis aspects of intrusion detection, the response aspect
is little treated. In particular, there is a gap with respect to
intrusion detection and response. Our IDRS design addresses
both intrusion detection and response issues, with the goal to
maximize the CPS lifetime.
Our methodology for CPS reliability assessment is model-
based analysis. Specifically, we develop a probability model
to assess the reliability property of a CPS equipped with
an IDRS for detecting and responding to malicious events
detected. Untreated in the literature, we consider a variety
of attacker behaviors including persistent, random, and
insidious attacker models, and identify the best design settings
of the detection strength and response strength to best
balance energy conservation versus intrusion tolerance for
achieving high reliability, when given a set of parameter
values characterizing the operational environment and network
conditions. Parameterization of the model using the properties
of the IDS system is one major contribution of the paper.
The rest of the paper is organized as follows. Section II gives
the system model. Section III develops a mathematical model
based on stochastic Petri nets [23], [11], [10] for theoretical
analysis. Section IV discusses the parameterization process
for the reference CPS. Section V presents numerical data
with physical interpretations given. Finally, Section VI outlines
some future research areas.
II. SYSTEM MODEL/REFERENCE CONFIGURATION
A. Reference CPS
Our reference CPS model is based on the CPS infrastructure
described in [21] comprising at the sensor layer 128 sensor-
carried mobile nodes. Each node ranges its neighbors
periodically. Each node uses its sensor to measure any
detectable phenomena nearby. Each node transmits a CDMA
waveform. Neighbors receiving that waveform transform the
timing of the PN code (1023 symbols) and RF carrier
(915 MHz) into distance. Essentially, each node performs
sensing and reporting functions to provide information to
upper layer control devices to control and protect the CPS
infrastructure, and in addition utilizes its ranging function for
node localization and intrusion detection.
The reference model is a special case of a single-enclave
system with homogeneous nodes. The IDS functionality is
distributed to all nodes in the system for intrusion and
fault tolerance. On top of the sensor-carried mobile nodes
sits an enclave control node responsible for setting system
parameters in response to dynamically changing conditions
such as changes of attacker strength. The control module is
assumed to be fault and intrusion free through security and
hardware protection mechanisms against capture attacks and
hardware failure.
Fig. 1. Reference CPS.
Fig. 1 contextualizes our reference CPS which is comprised
of 128 sensor-carried mobile nodes, a control unit, and
physical objects for controlling and protecting a physical
infrastructure. The mobile nodes are capable of sensing
physical environments, as well as actuating and controlling
the underlying physical objects in the CPS. They function
as sensors and actuators, each carrying sensors for sensing
physical phenomena, as well as actuating devices for
controlling physical objects. The CPS literature identifies these
mobile nodes as RTUs. Sitting on top of these mobile nodes
is a control unit which receives sensing data from the mobile
nodes and determines actions to be performed by individual
nodes or a group of mobile nodes. This triggers their actuating
devices to control and protect the physical objects in the CPS.

We exemplify a number of applications to which our reference
CPS can apply.
1) Disaster recovery (say after an earthquake) might involve
a group of mobile nodes with motion and video sensing
and actuating capabilities cooperating under the control
of a disaster corrective control unit to protect and
recover physical objects (e.g., people or a physical
infrastructure).
2) Emergency rescue (say a burning building) may require
a group of mobile fighters equipped with motion and
video sensing and fighting capabilities cooperating under
the control of a control unit to rescue physical objects
(e.g., people trapped or seized).
3) Military patrol (combat or reconnaissance) [13] might
consist of a group of mobile patrol nodes equipped with
motion sensing and fighting capabilities cooperating
under the control of a control unit to protect and
control physical objects (e.g., geographic areas or critical
resources).
4) Pervasive healthcare [19] might use a group of mobile
medical personnel equipped with motion and video
sensing and actuating capabilities cooperating under the
control of a control unit to protect and provide healthcare
to physical objects (e.g., patients or medical devices).
5) Unmanned aircraft systems [20] might consist of a group
of unmanned aerial vehicles equipped with sensing
and aircraft fighting capabilities cooperating under the
control of a remote control unit to control and protect
physical objects (e.g., geographic areas).
The control unit contains control logic and provides
management services. The CPS literature identifies this
control unit as an MTU. In contrast with the RTUs, an
MTU implements the broad strategic control functions. Our
reference CPS is distinct from Wireless Sensor Networks
(WSNs); WSNs are resource constrained, mostly stationary,
and have a specific traffic profile. On the other hand, our
reference CPS is safety-critical, mobile, and uses ad hoc
networking with bidirectional flows. We do not make any
assumptions regarding the network structure used to connect
nodes in a CPS. In our reference CPS, nodes are mobile,
and they are connected through wireless links to the control
node. Our host IDS design (Section II.D) is based on local
monitoring, and our system-level IDS design (Section II.E) is
based on the voting of neighbor monitoring nodes. Both IDS
techniques can be generically applied to any network structure
(such as a star configuration) used in a CPS.
B. Security Failure
While our approach is general enough to take any security
failure definition, we consider two security failure conditions.
The first condition is based on the Byzantine fault model [17].
That is, if one-third or more of the nodes are compromised,
then the system fails. The reason is that once the system
contains 1/3 or more compromised nodes, it is impossible
to reach a consensus, hence inducing a security failure. The
second condition is impairment failure. That is, a compromised
CPS node performing active attacks without being detected can
impair the functionality of the system and cause the system to
fail. Impairment failure is modeled by defining an impairment-
failure attack period by a compromised node beyond which the
system cannot sustain the damage.
Specifically, a control unit in our reference CPS would
take in multiple sensor readings (from sensor-carried mobile
nodes) sensing the same physical phenomena to make a
decision on actions to be performed by a set of actuators
(also mobile nodes). The first failure mode, Byzantine failure,
accounts for the condition that the control unit is not able to
obtain any sensor reading consensus. The second failure mode,
impairment failure, accounts for the condition that impairment
by a bad node (especially an actuator) over an impairment-
failure period without being detected will severely impair the
system and cause the system to fail.
C. Attack Model
The first step in investigating network security is to
define the attack model. We consider capture attacks which
turn a good node into a bad insider node. At the sensor-
actuator layer of the CPS architecture, a bad node can
perform data spoofing attacks (reporting spoof sensor data)
and bad command execution attacks. At the networking
layer, a bad node can perform various communication
attacks including selective forwarding, packet dropping, packet
spoofing, packet replaying, packet flooding, and even Sybil
attacks to disrupt the system’s packet routing functionality. At
the control layer, a bad node can perform control-level attacks
including aggregated data spoofing attacks, and command
spoofing attacks. Nodes at the control layer, however, are
less susceptible to capture attacks because they are normally
deployed in a physical confine which protects them from
tampering. For this reason, in this paper, our primary interest
is on capture attacks of sensor-actuator nodes performing basic
sensing, actuating, and networking functions.
We consider three attacker models: persistent, random,
and insidious. A persistent attacker performs attacks with
probability one (i.e., whenever it has a chance). The primary
objective is to cause impairment failure. A random attacker
performs attacks randomly with probability $p_{random}$. The
primary objective is to evade detection. It may take a longer
time for a random attacker to cause impairment failure because
the attack is random. However, random attackers are hidden
so it may increase the probability of Byzantine security failure
once the number of bad nodes equals or exceeds 1/3 of the
node population. An insidious attacker is hidden all the time to
evade detection until a critical mass of compromised nodes is
reached to perform “all in” attacks. The primary objective is to
maximize the failure probability caused by either impairment
or Byzantine security failure.
D. Host Intrusion Detection
Our host intrusion detection protocol design is based
on two core techniques: behavior rule specification, and
vector similarity specification. The basic idea of behavior
rule specification is to specify the behavior of an entity (a
sensor or an actuator) by a set of rules from which a state
machine is automatically derived. Then, node misbehavior
can be assessed by observing the behaviors of the node
against the state machine (or behavior rules). The basic idea
of vector similarity specification is to compare similarity of
a sequence of sensor readings, commands, or votes among
entities performing the same set of functions. A state machine
is also automatically derived from which a similarity test
is performed to detect outliers. More specifically, the states
derived in the state machine would be labeled as secure
versus insecure. A monitoring node then applies snooping
and overhearing techniques observing the percentage of time a
neighbor node is in secure states over $T_{IDS}$. A longer sojourn
time in secure states indicates greater specification compliance,
while a shorter sojourn time indicates less specification
compliance. If $X_i$ falls below $C_T$, node $i$ is considered
compromised. We apply these two host IDS techniques
to the reference CPS as follows. (a) A monitoring node
periodically determines a sequence of locations of a sensor-
carried mobile node within radio range through ranging, and
detects if the location sequence (corresponding to the state
sequence) deviates from the expected location sequence. (b)
A monitoring node periodically collects votes from neighbor
nodes who have participated in system intrusion detection
(described below), and detects dissimilarity of vote sequences
among these neighbors for outlier detection.
The measurement of compliance degree of a node frequently
is not perfect, and can be affected by noise and unreliable
wireless communication in the CPS. We model the compliance
degree by a random variable $X$ with $G(\cdot) = \mathrm{Beta}(\alpha, \beta)$ distribution [24], with the value 0 indicating that the output is totally unacceptable (zero compliance), and 1 indicating the output is totally acceptable (perfect compliance), such that $G(a)$, $0 \le a \le 1$, is given by

$$G(a) = \int_0^{a} \frac{\Gamma(\alpha+\beta)}{\Gamma(\alpha)\Gamma(\beta)}\, x^{\alpha-1} (1-x)^{\beta-1}\, dx, \qquad (1)$$

and the expected value of $X$ is given by

$$E_B[X] = \int_0^{1} x\, \frac{\Gamma(\alpha+\beta)}{\Gamma(\alpha)\Gamma(\beta)}\, x^{\alpha-1} (1-x)^{\beta-1}\, dx = \frac{\alpha}{\alpha+\beta}. \qquad (2)$$
The α and β parameters are to be estimated based on the
method of maximum likelihood by using the compliance
degree history collected during the system’s testing phase
in which the system is tested with its anticipated attacker
event profile, and where the compliance degree is assessed
using the specification-based host IDS technique described
earlier. A node’s anticipated event profile describes a node’s
behaviors, and predicts the next state the node will be
entering upon an event occurrence, given that the node is
in its current state. For example, a persistent attacker will
likely go to another bad state because it performs attacks
continuously. A random attacker will likely go to a bad state
in accordance to its random attack probability because it
performs attacks randomly. A good node on the other hand
will likely go to another good state because it complies with its
behavior rules, unless the detection of its behaviors is hindered
by noise or wireless channel error. The compliance degree
history collected this way is the realization of a sequence of
random variables $(c_1, c_2, \ldots, c_n)$, and $n$ is the total number of compliance degree outputs observed. The maximum likelihood estimates of $\alpha$ and $\beta$ are obtained by numerically solving

$$n\,\frac{\partial \Gamma(\hat{\alpha}+\hat{\beta})/\partial \hat{\alpha}}{\Gamma(\hat{\alpha}+\hat{\beta})} - n\,\frac{\partial \Gamma(\hat{\alpha})/\partial \hat{\alpha}}{\Gamma(\hat{\alpha})} + \sum_{i=1}^{n} \log c_i = 0$$

$$n\,\frac{\partial \Gamma(\hat{\alpha}+\hat{\beta})/\partial \hat{\beta}}{\Gamma(\hat{\alpha}+\hat{\beta})} - n\,\frac{\partial \Gamma(\hat{\beta})/\partial \hat{\beta}}{\Gamma(\hat{\beta})} + \sum_{i=1}^{n} \log(1 - c_i) = 0 \qquad (3)$$

where

$$\frac{\partial \Gamma(\hat{\alpha}+\hat{\beta})}{\partial \hat{\alpha}} = \int_0^{\infty} (\log x)\, x^{\hat{\alpha}+\hat{\beta}-1} e^{-x}\, dx.$$

A less general though simpler model is to consider a single parameter $\mathrm{Beta}(\beta)$ distribution with $\alpha$ equal to 1. In this case, the density is $\beta(1-x)^{\beta-1}$ for $0 \le x \le 1$, and 0 otherwise. The maximum likelihood estimate of $\beta$ is

$$\hat{\beta} = \frac{n}{\sum_{i=1}^{n} \log\left(\frac{1}{1 - c_i}\right)} \qquad (4)$$
Host intrusion detection is characterized by $p_{fn}$ and $p_{fp}$. While many detection criteria [3], [8], [9] are possible, we consider a threshold criterion in this paper. That is, if $X_b$ is higher than $C_T$, then there is a false negative. Suppose that $X_b$ is modeled by a $G(\cdot) = \mathrm{Beta}(\alpha, \beta)$ distribution as described above. Then $p_{fn}$ is given by

$$p_{fn} = \Pr\{X_b > C_T\} = 1 - G(C_T). \qquad (5)$$

On the other hand, if $X_g$ is less than $C_T$ then there is a false positive. Again suppose that $X_g$ is modeled by a $G(\cdot) = \mathrm{Beta}(\alpha, \beta)$ distribution. Then $p_{fp}$ is given by

$$p_{fp} = \Pr\{X_g \le C_T\} = G(C_T). \qquad (6)$$

Here we observe that these two probabilities are largely affected by the setting of $C_T$. A large $C_T$ induces a small false negative probability at the expense of a large false positive probability. Conversely, a small $C_T$ induces a small false positive probability at the expense of a large false negative probability. A proper setting of $C_T$ in response to attacker strength detected at runtime helps maximize the system lifetime.
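The compliance model of Section II.D worked through in code, as an added example (not the authors' code): the single-parameter $\mathrm{Beta}(\beta)$ fit of eq. (4), whose CDF has the closed form $G(a) = 1 - (1-a)^{\beta}$, and the threshold false-alarm probabilities of eqs. (5) and (6) evaluated across several $C_T$ values to show the trade-off. The compliance histories are constructed with a seeded generator; the good/bad mean compliance values are assumptions chosen for illustration.

```python
"""Compliance-degree model of the host IDS: single-parameter Beta(beta)
fit (eq. 4) and the threshold false-alarm probabilities (eqs. 5-6).

Added illustration, not the paper's code.  Uses the alpha = 1 special case
so that G(a) has the closed form 1 - (1 - a)^beta.  The sample compliance
histories are constructed here with a seeded generator."""
import math
import random
from typing import List, Sequence, Tuple


def beta_mle(history: Sequence[float]) -> float:
    """Eq. (4): beta_hat = n / sum_i log(1 / (1 - c_i)) for Beta(1, beta)."""
    if not history:
        raise ValueError("need at least one compliance output")
    total = 0.0
    for c in history:
        if not 0.0 <= c < 1.0:
            # c_i = 1 would give log(1/0); a perfect-compliance output must be
            # clipped by the caller (e.g., to 1 - 1e-9) before fitting.
            raise ValueError(f"compliance degree {c} outside [0, 1)")
        total += math.log(1.0 / (1.0 - c))
    return len(history) / total


def cdf(a: float, beta: float) -> float:
    """G(a) for Beta(1, beta): integral of beta (1-x)^(beta-1) from 0 to a."""
    return 1.0 - (1.0 - a) ** beta


def mean(beta: float) -> float:
    """Eq. (2) with alpha = 1: E[X] = 1 / (1 + beta)."""
    return 1.0 / (1.0 + beta)


def p_fn(c_t: float, beta_bad: float) -> float:
    """Eq. (5): Pr{X_b > C_T} = 1 - G(C_T) with X_b ~ Beta(1, beta_bad)."""
    return 1.0 - cdf(c_t, beta_bad)


def p_fp(c_t: float, beta_good: float) -> float:
    """Eq. (6): Pr{X_g <= C_T} = G(C_T) with X_g ~ Beta(1, beta_good)."""
    return cdf(c_t, beta_good)


def constructed_history(beta: float, n: int, seed: int) -> List[float]:
    """Constructed compliance outputs c_1..c_n drawn from Beta(1, beta),
    standing in for the history collected in the system's testing phase."""
    rng = random.Random(seed)
    return [min(rng.betavariate(1.0, beta), 1.0 - 1e-9) for _ in range(n)]


def threshold_tradeoff(beta_good: float, beta_bad: float,
                       thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(C_T, p_fp, p_fn) rows: raising C_T lowers p_fn but raises p_fp."""
    return [(c_t, p_fp(c_t, beta_good), p_fn(c_t, beta_bad)) for c_t in thresholds]


if __name__ == "__main__":
    # Assumed profiles: good nodes average 0.9 compliance, bad nodes 0.3.
    good_hist = constructed_history(beta=1 / 9, n=2000, seed=1)
    bad_hist = constructed_history(beta=7 / 3, n=2000, seed=2)
    bg, bb = beta_mle(good_hist), beta_mle(bad_hist)
    print(f"beta_hat good={bg:.3f} (mean {mean(bg):.3f}), "
          f"bad={bb:.3f} (mean {mean(bb):.3f})")
    for c_t, fp, fn in threshold_tradeoff(bg, bb, [0.3, 0.5, 0.7, 0.9]):
        print(f"C_T={c_t:.1f}  p_fp={fp:.3f}  p_fn={fn:.3f}")
```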
E. System Intrusion Detection
Our system IDS technique is based on majority voting
of host IDS results to cope with incomplete and uncertain
information available to nodes in the CPS. Our system-
level IDS technique involves the selection of m detectors
as well as the invocation interval $T_{IDS}$ to best balance
energy conservation vs. intrusion tolerance for achieving
high reliability. Each node periodically exchanges its routing
information, location, and identifier with its neighbor nodes. A
coordinator is selected randomly among neighbors so that the
adversaries will not have specific targets. We add randomness
to the coordinator selection process by introducing a hashing
function that takes in the identifier of a node concatenated
with the current location of the node as the hash key. The
node with the smallest returned hash value would then become
the coordinator. Because candidate nodes know each other’s
identifier and location, they can, without trading information,
execute the hash function to determine which node would
be the coordinator. The coordinator then selects m detectors
randomly (including itself), and lets all detectors know each
others’ identities so that each voter can send its yes or no vote
to other detectors. Vote authenticity is achieved via preloaded
public keys. At the end of the voting process, all detectors
will know the same result; the node is diagnosed as good, or
as bad based on the majority vote.
The system IDS is characterized by $P_{fn}$ and $P_{fp}$. These two
false alarm probabilities are not constant but vary dynamically,
depending on the percentage of bad nodes in the system
when majority voting is performed. We will derive these two
probabilities in the paper.
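The coordinator election and majority vote of Section II.E in code, as an added example that is not the authors' code and not their derivation of $P_{fn}$ and $P_{fp}$. The voting model is an assumption: good detectors err with the per-host $p_{fp}$ / $p_{fn}$, captured detectors always vote against the truth, and each of the $m$ detectors is captured independently with probability $N_b/(N_g+N_b)$; SHA-256 is assumed as the hash function and the node identifiers and locations are constructed.

```python
"""System-level IDS of Section II.E: hash-based coordinator selection and
the majority-vote false-alarm probabilities P_fp / P_fn as a function of
the bad-node fraction.

Added example, not the paper's code.  The voting model is an assumption:
good detectors err with the per-host p_fp / p_fn, bad (captured) detectors
always vote against the truth, and each of the m detectors is bad
independently with probability N_b / (N_g + N_b)."""
import hashlib
from math import comb
from typing import Dict, Tuple


def select_coordinator(candidates: Dict[str, Tuple[float, float]]) -> str:
    """Node with the smallest hash of (identifier || current location) wins.
    Every candidate knows its neighbours' identifiers and locations, so each
    can compute the same result locally without a further exchange."""
    def key(item):
        node_id, (x, y) = item
        # Locations are quantised so that all neighbours hash identical bytes.
        material = f"{node_id}|{x:.1f}|{y:.1f}".encode()
        return hashlib.sha256(material).digest()
    return min(candidates.items(), key=key)[0]


def system_error_prob(m: int, host_err: float, bad_fraction: float) -> float:
    """Probability that a majority of m detectors reach the wrong verdict.

    host_err is p_fp (target is good) or p_fn (target is bad).  k of the m
    detectors are bad (binomial in bad_fraction) and always vote wrongly;
    each of the m - k good detectors votes wrongly with probability host_err.
    The wrong verdict wins when wrong votes exceed m / 2 (ties go to the
    truth)."""
    needed = m // 2 + 1
    total = 0.0
    for k in range(m + 1):
        p_k = comb(m, k) * bad_fraction ** k * (1 - bad_fraction) ** (m - k)
        good = m - k
        # j wrong votes from the good detectors; the verdict flips if k + j >= needed
        p_wrong = sum(
            comb(good, j) * host_err ** j * (1 - host_err) ** (good - j)
            for j in range(max(0, needed - k), good + 1)
        )
        total += p_k * p_wrong
    return total


def system_false_alarms(m: int, p_fp: float, p_fn: float,
                        n_good: int, n_bad: int) -> Tuple[float, float]:
    """(P_fp, P_fn) for the current node population; both grow with N_b."""
    frac = n_bad / (n_good + n_bad)
    return system_error_prob(m, p_fp, frac), system_error_prob(m, p_fn, frac)


if __name__ == "__main__":
    # Constructed neighbourhood: identifier -> (x, y) location.
    neigh = {"n07": (12.0, 3.5), "n21": (12.4, 3.9), "n33": (11.8, 4.1)}
    print("coordinator:", select_coordinator(neigh))
    for n_bad in (0, 8, 24, 40):
        P_fp, P_fn = system_false_alarms(5, 0.05, 0.05, 128 - n_bad, n_bad)
        print(f"N_b={n_bad:3d}: P_fp={P_fp:.4f} P_fn={P_fn:.4f}")
```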
F. Intrusion Response
Our IDRS reacts to malicious events detected at runtime
by adjusting $C_T$. For example, when it senses an increasing attacker strength, it can increase $C_T$ with the objective to prevent impairment security failure. This approach results in a smaller false negative probability, which has a positive effect of reducing the number of bad nodes in the system, and decreasing the probability of impairment security failure. However, it also results in a larger false positive probability, which has the negative effect of reducing the number of good nodes in the system, and consequently increasing the probability of Byzantine security failure. To compensate for the negative effect, the IDRS increases the audit rate (by decreasing the intrusion detection interval) or increases the number of detectors to reduce the false positive probability at the expense of more energy consumption. The relationship between the minimum compliance threshold $C_T$ set versus $p_{fn}$ and $p_{fp}$ must be determined at static time so the system can adjust $C_T$ dynamically in response to malicious events detected at runtime.
III. MODEL AND ANALYSIS
Table I lists the set of parameters used in our model-
based analysis of intrusion detection and response designs. The
parameter N defines the starting network size (i.e., the number
of nodes). The hostility of the network is characterized by $\lambda_c$; the impairment rate for a bad node to cause severe functional impairment is $\lambda_{if}$; $p_{fp}$ and $p_{fn}$ are host IDS false positive and false negative probabilities, respectively, while $P_{fp}$ and $P_{fn}$ are system-level IDS false positive and false negative probabilities, respectively; $T_{IDS}$ is the intrusion detection interval; $m$ is the number of detectors used in the system IDS.
TABLE I
PARAMETERS USED FOR ANALYSIS OF INTRUSION DETECTION AND RESPONSE DESIGN

Parameter        Meaning                                           Type
N                number of nodes in a CPS                          input
$\lambda_c$      per node compromise rate (Hz)                     input
$\lambda_{if}$   per node impairment rate (Hz)                     input
$p_{fp}$         probability of per-host IDS false positive        input
$p_{fn}$         probability of per-host IDS false negative        input
$T_{IDS}$        intrusion detection interval (s)                  input
$m$              number of detectors in the system IDS             input
$P_{fp}$         probability of system IDS false positive          derived
$P_{fn}$         probability of system IDS false negative          derived
$p_{random}$     random attack probability by a random attacker    input
$p_a$            attack probability by an insidious attacker       derived
$N_{IDS}$        maximum IDS cycles before energy exhaustion       derived
MTTF             system lifetime                                   output
TABLE II
TRANSITION RATES OF THE SPN MODEL.

Transition Name   Rate
TENERGY           $1 / (N_{IDS} \times T_{IDS})$
TCP               $N_g \times \lambda_c$
TFP               $N_g \times P_{fp} / T_{IDS}$
TIDS              $N_b \times (1 - P_{fn}) / T_{IDS}$
TIF               $p_a \times N_b \times \lambda_{if}$
Our theoretical model utilizes stochastic Petri net (SPN)
techniques [14]. Fig. 2 shows the SPN model describing the
ecosystem of a CPS with intrusion detection and response
under capture, impairment, and Byzantine security attacks.
The underlying model of the SPN model is a continuous-time semi-Markov process with a state representation $(N_g, N_b, N_e, \mathit{impaired}, \mathit{energy})$ where $N_g$ is the number of good nodes, $N_b$ is the number of bad nodes, $N_e$ is the number of nodes evicted (as they are considered as bad nodes by intrusion detection), impaired is a binary variable with 1 indicating impairment security failure, and energy is a binary variable with 1 indicating energy availability and 0 indicating energy exhaustion.
Fig. 2. SPN Model for Intrusion Detection and Response.
Table II annotates transitions, and gives transition rates
used in the SPN model. The SPN model shown in Fig. 2
is constructed as follows.
We use places to hold tokens, each representing a node.
Initially, all N nodes are good nodes (e.g., 128 in our
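The MTTF of the SPN in Fig. 2 computed from the Table II rates, as an added example (not the authors' SPNP model; the construction text is cut off on this page). The mapping of transitions to state changes is my reading of the Table II names (TCP good to bad, TFP good to evicted, TIDS bad to evicted, TIF impairment failure, TENERGY energy exhaustion); $P_{fp}$ and $P_{fn}$ are held constant rather than varying with the bad-node fraction, and Byzantine failure is checked against the non-evicted population, both assumptions. Because every transition lowers $N_g$ or $N_b$, the chain is acyclic and the expected time to absorption follows by dynamic programming without an SPN solver.

```python
"""Mean time to failure of the CPS from the SPN of Section III, solved as
an absorbing Markov chain over the state (N_g, N_b); N_e = N - N_g - N_b.

Added example, not the paper's SPNP model.  Transition effects are my
reading of the Table II names: TCP good->bad, TFP good->evicted, TIDS
bad->evicted, TIF impairment failure, TENERGY energy exhaustion.  P_fp and
P_fn are held constant (the paper lets them vary with the bad-node
fraction) and Byzantine failure is checked against N_g + N_b, the nodes
not yet evicted.  Both are assumptions."""
from dataclasses import dataclass, replace
from functools import lru_cache


@dataclass(frozen=True)
class Params:
    N: int            # initial number of (good) nodes
    lam_c: float      # per-node capture rate (Hz)
    lam_if: float     # per-node impairment rate (Hz)
    P_fp: float       # system IDS false positive probability (held constant)
    P_fn: float       # system IDS false negative probability (held constant)
    T_ids: float      # intrusion detection interval (s)
    N_ids: int        # IDS cycles the energy budget allows
    p_a: float = 1.0  # attack probability (1 = persistent attacker)


def byzantine_failed(n_good: int, n_bad: int) -> bool:
    """Security failure when 1/3 or more of the remaining nodes are bad."""
    return n_good + n_bad > 0 and 3 * n_bad >= n_good + n_bad


def mttf(p: Params) -> float:
    """Expected time until energy exhaustion, impairment failure or
    Byzantine failure, starting from all N nodes good."""

    @lru_cache(maxsize=None)
    def t(n_good: int, n_bad: int) -> float:
        if byzantine_failed(n_good, n_bad):
            return 0.0                      # absorbing: Byzantine failure
        rates = {                           # Table II rates in this state
            "TENERGY": 1.0 / (p.N_ids * p.T_ids),
            "TCP": n_good * p.lam_c,
            "TFP": n_good * p.P_fp / p.T_ids,
            "TIDS": n_bad * (1.0 - p.P_fn) / p.T_ids,
            "TIF": p.p_a * n_bad * p.lam_if,
        }
        total = sum(rates.values())         # TENERGY keeps this positive
        # Remaining lifetime after each transition; failures and energy
        # exhaustion are absorbing, so they contribute 0.
        after = {
            "TENERGY": 0.0,
            "TCP": t(n_good - 1, n_bad + 1) if n_good else 0.0,
            "TFP": t(n_good - 1, n_bad) if n_good else 0.0,
            "TIDS": t(n_good, n_bad - 1) if n_bad else 0.0,
            "TIF": 0.0,
        }
        # Mean sojourn 1/total plus the rate-weighted remaining lifetime.
        return (1.0 + sum(rates[k] * after[k] for k in rates)) / total

    return t(p.N, 0)


if __name__ == "__main__":
    # Assumed environment: one capture per node-day, impairment within an
    # hour of undetected attack, 2000 IDS cycles of energy.
    base = Params(N=128, lam_c=1 / 86400, lam_if=1 / 3600, P_fp=0.01,
                  P_fn=0.05, T_ids=600.0, N_ids=2000)
    for T_ids in (300.0, 600.0, 1200.0, 2400.0):
        print(f"T_IDS={T_ids:6.0f}s  MTTF={mttf(replace(base, T_ids=T_ids)) / 3600:.1f} h")
```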
