This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2015.2459049, IEEE Internet of Things Journal IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MONTH 2015
BLITHE: Behavior Rule Based Insider Threat Detection for Smart Grid

Haiyong Bao, Rongxing Lu†, Member, IEEE, Beibei Li, and Ruilong Deng, Member, IEEE
Abstract—In this paper, we propose a Behavior ruLe based methodology for Insider THrEat detection (BLITHE) of data monitor devices in smart grid, where the continuity and accuracy of operations are of vital importance. Based on the DC power flow model and the state estimation model, three behavior rules are extracted to depict the behavior norms of each device, so that a device (trustee) whose behavior is being monitored can easily be checked for deviation from the behavior specification. Specifically, a rule-weight and compliance-distance based grading strategy is designed, which greatly improves the effectiveness of the traditional grading strategy for the evaluation of trustees. The statistical property, i.e., the mathematical expectation of the compliance degree of each trustee, is analyzed from both theoretical and practical perspectives, which achieves a satisfactory trade-off between detection accuracy and false alarms so as to detect more sophisticated and hidden attackers. In addition, based on real data run in POWER WORLD for IEEE benchmark power systems, and through comparative analysis, we demonstrate that BLITHE outperforms the state of the art in detecting abnormal behaviors in pervasive smart grid applications.

Index Terms—Insider threat detection, smart grid, security.
I. INTRODUCTION

Smart grid, widely considered to be the next generation of the power grid, has attracted considerable attention in recent years [1]–[3]. As a typical cyber-physical system (CPS), smart grid incorporates information and communications technology (ICT) into the traditional power system, as shown in Fig. 1, and is characterized by sophisticated reliability, efficiency, economy, and sustainability.

Fig. 1. The conceptual architecture of smart grid. (Figure: the Control Center (CC) exchanges information flow with the Power Generation, Transmission, Distribution, and Customer stages, while power flows from generation through transmission and distribution to the customer.)
To ensure that smart grid can operate continuously even when some components fail, power research communities use meters or phasor measurement units (PMUs), placed at important locations of the power system, to monitor system components and report their measurements to the control centre (CC); the CC then estimates the state variables from the meter measurements [4]. The estimation uses the state estimation model, which relies heavily on the accuracy of the reported measurements that the CC receives [5], [6]. Recently, smart grid researchers have recognized the threat of bad measurements (or information corruption) and developed techniques to address this challenge [5], [7]–[9]. Information corruption threats in smart grid are very complex, as they can come from both outsiders and insiders. In particular, due to the openness brought by integrating ICT into the power system, some devices could be compromised and become insider attackers. While great efforts have been made to resist outsider attacks, much less attention has been paid to insider ones because of the difficulties stemming from their concealment and potentiality [10]–[12]. Statistically, according to the 2013 U.S. State of Cybercrime Survey [13], insider threats constitute 34% of all surveyed attacks (outsider threats constitute 31%, and the remaining 35% have unknown/unsure sources), which shows that insider threats have already become one of the main sources of security hazards for cyber and cyber-physical systems. Today, even though insider threat detection for CPS has attracted considerable concern due to the dire consequences of CPS failure [14], [15], effective and accurate detection techniques for CPS, especially for smart grid, are still in their infancy, with very few studies conducted [16]–[26]. Most of the aforementioned works contain no numerical study of the false positive probability $p_{fp}$ (i.e., misidentifying good devices as bad devices) and the false negative probability $p_{fn}$ (i.e., missing bad devices) [16]–[20].

H. Bao is with the School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore 639798, and also with the School of Computer Science and Information Engineering, Zhejiang Gongshang University, Hangzhou 310018, China (e-mail: [email protected]). R. Lu, B. Li, and R. Deng are with the School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore 639798 (e-mail: [email protected], [email protected], [email protected]).
Even though three of them report a small amount of numerical data [21]–[23], they study only one or two data points characterizing $p_{fn}$/$p_{fp}$, rather than a data set that could be transformed into a receiver operating characteristic (ROC) figure, i.e., a $p_{fn}$ versus $p_{fp}$ curve. One of them proposed an insider threat detection technique that can effectively balance a small false positive probability $p_{fp}$ against a high detection probability $1 - p_{fn}$ to deal with more sophisticated and hidden threats and support secure applications in smart grid [24]. However, since it only addressed very high-level requirements of smart grid, it is too coarse-grained to be applied in practical scenarios. Two of them tried to exploit the topology restriction and data correlation of smart grid to detect insider threats [25], [26]. However, because both consider only very specific scenarios of smart grid, they are not universal and
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
effective solutions. Specifically, in [25], a flocking-based modeling paradigm is designed to identify insider threats during the transient stability process of smart grid. Observing the characteristics of smart grid from a hierarchical cyber-physical perspective, the natural physical couplings among power system components are leveraged as telltale signs to identify insider cyber threats. However, the threat model considered is limited to the narrow scenario of the transient stability process and urgently needs to be extended to more general circumstances covering the stability process of smart grid. In [26], to improve the sensitivity of the traditional state-estimation based bad data injection (one type of insider threat) detection method, Liu et al. proposed an adaptive partitioning state estimation (APSE) method to detect bad data injections in smart grid. APSE divides the large system into several subsystems, and the detection procedure is repeated in the resulting subsystems until the location of the insider threat is found. However, since the essentials of the traditional method are unchanged, the limitations of traditional state-estimation based insider threat detection remain unless the system is divided into very small subsystems, which locates the threat precisely only at the cost of explosive computational overhead. Moreover, as the authors themselves note, APSE can only detect bad data on one transmission line, which makes it impractical in some scenarios. Generally, insider threat detection techniques can be classified into three types: signature-based, anomaly-based and specification-based. Although signature-based detection is exceedingly capable of identifying known attacks [27]–[29], it cannot effectively cope with unknown attack patterns [30].
Existing anomaly-based schemes use resource constrained sensors and/or actuators for outlining anomaly patterns (e.g., via learning), which incurs high computational overhead in detecting insider threats and generally yields high false alarm rates [31]–[33]. In the existing literature, specification-based techniques have been proposed only for detecting misbehaving patterns in communication protocols [34]–[36]. Because all electrical devices (e.g., buses, transmission lines, etc.) are connected as one system and each state variable must satisfy specific constraints for the smart grid to be in equilibrium, topology restrictions and data correlations indeed exist in smart grid. Therefore, behavior rule specifications can be used to depict the behavior criteria and norms of all devices in the system. However, due to the complexity of smart grid and the potentiality and concealment of insider threats, designing an efficient and effective behavior rule specification based insider threat detection methodology for smart grid still faces many challenges. In this paper, to deal with these challenges, after a complete survey and evaluation of the existing literature, we propose a new behavior rule based insider threat detection (BLITHE) methodology for smart grid, which improves detection accuracy with very low false alarms. In addition, with comprehensive and accurate behavior rule definitions, the proposed methodology can easily be generalized to other CPSs. Specifically, the major contributions of BLITHE include the following four aspects. Firstly, as our initial research, we focus on establishing reasonable and accurate behavior rules to detect insider threats using the DC power flow model of smart grid [37]. We expect the results obtained in this paper to serve as groundwork for future research on generalized power flow models. Specifically, based on the DC power flow model and the state estimation model, three behavior rules are extracted to depict the behavior norms of the devices (buses/nodes) for insider threat detection. Inspired by the principle that "the minority is subordinate to the majority", we build the first and key rule to distinguish normal and abnormal devices; it is based on the observation that the phase angle differences between neighbouring nodes lie within a certain threshold in the DC power flow model, and it assumes that the majority of components are normal. We exploit the theoretical foundation of the state estimation model, namely that normal sensor measurements usually yield estimates of the state variables close to their actual values, to build the second and third rules for detecting the "inconsistency" (i.e., the insider threat) of bad measurements. Secondly, considering that each rule usually has a different effect and prominence on the evaluation of a trustee's compliance degree, a rule-weight and compliance-distance based grading strategy is designed to improve the traditional evaluation strategy [24], [38], [39]. Thirdly, untreated in the existing literature, based on real data run in POWER WORLD for IEEE benchmark power systems, we conduct performance evaluations of the proposed BLITHE and compare its effectiveness on insider threat detection with the state of the art.
Finally, we pay particular attention to a statistical characteristic, i.e., the mathematical expectation of the compliance degree of each trustee, for the trade-off between detection accuracy and false alarms, since insight into insider threats relates to long-term behavior modeling and extensive behavioral analysis of internal/legitimate participants. The remainder of this paper is organized as follows. In Section II, we briefly review the preliminaries of BLITHE. In Section III, we formalize the system model, including the unmanned-PMU-attached-to-bus (UPB) reference model, the threat model and the attacker prototypes. In Section IV, we present the details of BLITHE, aiming to minimize the false negative rate without increasing the false positive rate. In Section V, we evaluate the performance of BLITHE. In Section VI, we perform a comparative analysis with state-of-the-art behavior rule based insider threat detection schemes and demonstrate the advantages of our design. In Section VII, we discuss related work. In Section VIII, we conclude the paper and outline future work.

II. PRELIMINARIES

In this section, we briefly recall some preliminaries of the proposed insider threat detection methodology for smart grid, including the DC power flow model [37], power system state estimation [5], and the Elliptic-Curve-ElGamal cryptosystem [40].
A. DC Power Flow Model

For the analysis of large power systems, the AC power flow model is heavily resource consuming and even unworkable in many cases. Thus, power research communities sometimes consider only the linearized (DC) power flow model as an approximation of the AC power flow model [41]. The DC power flow modeling process stems from the AC power flow equations, so for consistency the DC power flow model and its relation to the AC power flow model are briefly reviewed. The AC power flow equations in polar coordinate form are

$$P_i = V_i \sum_{j=1}^{n} V_j \left(G_{ij}\cos\theta_{ij} + B_{ij}\sin\theta_{ij}\right), \qquad Q_i = V_i \sum_{j=1}^{n} V_j \left(G_{ij}\sin\theta_{ij} - B_{ij}\cos\theta_{ij}\right),$$

where $P_i$ and $Q_i$ are the real and reactive power injections at bus $i$, $V_i$ and $\theta_i$ are the voltage magnitude and angle at bus $i$, $\theta_{ij} = \theta_i - \theta_j$, $G_{ij}$ and $B_{ij}$ are the real and imaginary parts of the corresponding entry of the bus admittance matrix, $i = 1, \cdots, n$, and $n$ is the total number of buses. The DC power flow model rests on the following four assumptions:
1) Branch reactance is much larger than branch resistance, so the branch susceptance can be approximated by $b_{ij} \approx -1/x_{ij}$.
2) The voltage angle difference across a branch is small, so $\sin\theta_{ij} \approx \theta_i - \theta_j$ and $\cos\theta_{ij} \approx 1$.
3) The shunt susceptance of each bus to ground is negligible: $b_{i0} = b_{j0} \approx 0$.
4) Every bus voltage magnitude is taken as 1 per unit.
Under these assumptions, the real power flow through a branch is

$$P_{ij} = \frac{\theta_i - \theta_j}{x_{ij}},$$

so that the bus real power injections are

$$P_i = \sum_{j \in R_i} P_{ij} = B'_{ii}\theta_i + \sum_{j \in R_i} B'_{ij}\theta_j, \qquad i = 1, \cdots, n, \qquad (1)$$

where $R_i$ is the set of buses directly linked to bus $i$, $B'_{ij} = -x_{ij}^{-1}$, $B'_{ii} = -\sum_{j \in R_i} B'_{ij}$, and $x_{ij}$ is the branch reactance. This is a set of linear algebraic equations; in matrix form, Eq. (1) reads $P = B'\theta$. Taking bus $n$ as the swing bus and setting $\theta_n = 0$, $B'$ becomes a square matrix of dimension $(n-1)$.

B. Power System State Estimation

Monitoring the voltages and power flows of a power system is of great importance in maintaining system reliability. To guarantee the continuous operation of a power system, power engineers deploy meters and devices to monitor the system states and report the readings to the CC, which estimates the state variables from these meter measurements. The state estimation problem is to estimate the state variables $x = (x_1, \cdots, x_n)^T$ from the meter measurements $z = (z_1, \cdots, z_m)^T$, where $n$ and $m$ are natural numbers and $x_i, z_j \in \mathbb{R}$ for $i = 1, \cdots, n$ and $j = 1, \cdots, m$ [4]. More precisely, let $e = (e_1, \cdots, e_m)^T$ be the measurement errors, $e_j \in \mathbb{R}$, $j = 1, \cdots, m$; then the state variables are related to the meter measurements by

$$z = h(x) + e, \qquad (2)$$

where $h(x) = (h_1(x_1, \cdots, x_n), \cdots, h_m(x_1, \cdots, x_n))^T$ and each $h_i(x_1, \cdots, x_n)$ is a function of $x_1, \cdots, x_n$. The state estimation problem is to find an estimate $\hat{x}$ of $x$ that best fits the meter measurements $z$ according to Eq. (2). For state estimation under the DC power flow model of Section II-A, Eq. (2) becomes the linear regression model

$$z = Hx + e, \qquad H = (h_{ij})_{m \times n}.$$

Three statistical estimation criteria are commonly used in state estimation, i.e., the maximum likelihood criterion, the minimum variance criterion, and the weighted least-squares criterion [4]. When the meter errors are assumed to be normally distributed with zero mean, all three criteria yield the same estimator

$$\hat{x} = (H^T W H)^{-1} H^T W z,$$

where $W$ is the diagonal matrix whose entries are the reciprocals of the meter error variances,

$$W = \mathrm{diag}\left(\sigma_1^{-2}, \sigma_2^{-2}, \cdots, \sigma_m^{-2}\right),$$

and $\sigma_i^2$ is the variance of the $i$-th meter ($1 \le i \le m$). Power research communities commonly compute the measurement residual $z - H\hat{x}$ (the vector deviation between the observed and the estimated measurements) and use its $L_2$-norm $\|z - H\hat{x}\|$ to detect the presence of inconsistent measurements.

C. Elliptic-Curve-ElGamal Cryptosystem

It is generally believed that the discrete logarithm problem (DLP) in an elliptic curve group is much harder than in other groups. Hence an elliptic curve cryptosystem offers security comparable to other cryptosystems while requiring a much smaller key. In this study, by exploiting the Elliptic-Curve-ElGamal cryptosystem to encrypt the reported data of each bus, two messages can be encrypted simultaneously to the x-coordinate and the y-coordinate of a certain point in
an elliptic curve, respectively [40]. Specifically, the Elliptic-Curve-ElGamal cryptosystem consists of three algorithms: key generation, encryption, and decryption.
1) Key generation: Given the security parameter $\tau \in \mathbb{Z}^+$, run $\zeta(\tau)$ to obtain the tuple $(E, P)$, where $E(\mathbb{F}_{2^m})$ is a non-supersingular elliptic curve with $|m| = \tau$ and $P \in E(\mathbb{F}_{2^m})$ is a public generator of $E$. In addition, when a participant $U_i$ wants to register in the system, it selects a random integer $x_i$ as its private key and computes the corresponding public key $Y_i = x_i P$. Eventually, $E(\mathbb{F}_{2^m})$, $P$, and all $Y_i$ are published, and each $U_i$ keeps $x_i$ secret.
2) Encryption: When the sender B wants to encrypt messages $M_1$ and $M_2$ for the receiver A, B chooses a random integer $k$ and uses the public generator $P$ and A's public key $Y_a$ to compute $Q = kP$ and $kY_a = kx_aP = (x', y')$. Then B sends the pair $(m_1, m_2) = (M_1 x', M_2 y')$ together with the point $Q$ to A.
3) Decryption: To recover $M_1$ and $M_2$, A uses its private key $x_a$ to compute $x_a Q = x_a kP = (x', y')$ and decrypts as $M_1 = m_1 (x')^{-1}$ and $M_2 = m_2 (y')^{-1}$. (Since decryption divides by $x'$ and $y'$, the sender must choose $k$ such that neither coordinate of $kY_a$ is zero.)

III. SYSTEM MODEL

A. Reference UPB

We consider a typical cyber-physical smart grid system containing a number of buses linked by transmission lines. Each bus is attached to a physical meter and/or PMU that reports the measurement data (i.e., bus power injection/load, bus phase angle, etc.) to the CC periodically. The CC can then estimate the state variables (i.e., bus power injection/load, bus phase angle, line power flow, etc.) to realize real-time monitoring and control. Fig. 2 illustrates the reference unmanned-PMU-attached-to-bus (UPB) embedded system model, characterized by the cyber-physical loop. Specifically, via the communication link between each UPB and the CC, the measurement collection and reporting process of each UPB is followed by data synthesis at the CC. Then, from all received measurements, the CC performs state estimation.
The estimated state variables are used to control the smart grid components (e.g., to increase the output of a generator) so as to keep the whole system in a healthy condition. For readability, the terms "node", "device" and "UPB" are used interchangeably in the rest of this paper. The UPB reference model formalizes the general behaviors of a UPB, which allows us to quickly evaluate the survivability of each UPB facing malicious insider threats.

Fig. 2. Reference UPB. (Figure: each UPB $i$ reports Enc($P_i$, $\theta_i$) over its link to the Control Center, which runs measurement collection, state estimation, and the behavior rule check, looping over each bus $i$ and each neighbouring bus $j \in N(i)$.)

B. Threat Model

It is of vital importance to define the threat model so as to cover the system vulnerabilities. Even though the focus of this study is detecting insider threats, we consider the basic outsider threats as well. Specifically, we consider three threats aimed at misleading the CC into taking inaccurate or wrong actions:
1) The first threat is an insider attacker, performed by a compromised node, that deviates the data to be reported from the real values.
2) The second threat is an attacker that tries to obtain the reported measurements of a subset of nodes in order to impair the state estimation performed by the CC. This can be either an insider or an outsider attacker.
3) The third threat is an outsider attacker that intercepts and pollutes the reported measurements transmitted over the communication link from each node to the CC.

C. Attacker Prototypes

In this study, we model the attacker behavior and the environment noise (which causes mis-monitoring) by the probabilities $p_a$ and $p_{err}$, respectively. Moreover, three attacker prototypes, i.e., reckless, random, and opportunistic [39], are considered.
1) For a reckless attacker, $p_a = 1$ holds. It launches attacks whenever there is a chance, which impairs the UPB functionality as early as possible.
2) A random attacker launches attacks randomly (with probability $p_a$). Compared with a reckless attacker, it is more deceptive and insidious in impairing the UPB functionality, which makes it more difficult to detect.
3) An opportunistic attacker exploits the sensed $p_{err}$ to launch attacks. Specifically, when $p_{err}$ is higher the system is more vulnerable, and in that circumstance an opportunistic attacker behaves aggressively. On the contrary, when the sensed $p_{err}$ is lower, an opportunistic attacker behaves more conservatively to avoid being detected. Inspired by the demand-pricing model in the
field of Economics [42], we model $p_a$ as $p_a = C \cdot p_{err}^{\varepsilon}$, where $C$ is a positive constant. Then both conservative and aggressive attack behaviors can be depicted. When $\varepsilon = 1$, $p_a$ increases linearly with $p_{err}$, which models a conservative opportunistic attacker; when $\varepsilon < 1$, $p_a$ is a concave power of $p_{err}$ and rises much faster than linearly for small $p_{err}$ (indeed $C p_{err}^{\varepsilon} \ge C p_{err}$ for $p_{err} \in (0, 1]$), which models an aggressive opportunistic attacker, with the attack extent controlled by $\varepsilon$.
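The two-message Elliptic-Curve-ElGamal encryption of Section II-C, applied to one UPB report $(P_i, \theta_i)$ the way Section IV-A prescribes (two-decimal measurements mapped to integers by multiplying by 100), as an added example that is not the paper's code. Assumptions: the paper's curve over $\mathbb{F}_{2^m}$ is replaced by the prime-field curve secp256k1 so that field arithmetic is plain modular integer math; negative loads/angles are represented in the upper half of $\mathbb{F}_p$ and mapped back on decode; the retry when a coordinate of $kY_a$ is zero is a check added here; and the ECDSA signature of Section IV-A is not implemented, but `scale_ciphertext` shows what it must prevent. Requires Python 3.8+ for `pow(x, -1, p)`.

```python
"""Added example, not the paper's code: two-message EC-ElGamal of Sec. II-C
applied to a UPB report (P_i, theta_i) as in Sec. IV-A. Assumption: secp256k1
(prime field) instead of the paper's binary-field curve; ECDSA is omitted."""
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, generator G of prime order N_ORD
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (curve coefficient a = 0)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def keygen(priv=None):
    """Key generation: private x_i, public Y_i = x_i P (the generator G plays P)."""
    x = priv if priv is not None else secrets.randbelow(N_ORD - 1) + 1
    return x, ec_mul(x, G)


def encode(value):
    """Sec. IV-A mapping: two-decimal measurement * 100, reduced into F_p so that a
    negative load or angle is a valid field element (assumption: upper half = negative)."""
    return round(value * 100) % P_MOD


def decode(v):
    return (v - P_MOD if v > P_MOD // 2 else v) / 100.0


def encrypt(pub, m1, m2, k=None):
    """(m1 * x', m2 * y', Q) with (x', y') = k Y_a and Q = k P. Re-draws k if either
    coordinate is 0, since decryption divides by it (check added here, not in the paper)."""
    while True:
        k = k if k is not None else secrets.randbelow(N_ORD - 1) + 1
        shared = ec_mul(k, pub)
        if shared is not INF and shared[0] and shared[1]:
            xs, ys = shared
            return (m1 * xs % P_MOD, m2 * ys % P_MOD, ec_mul(k, G))
        k = None


def decrypt(priv, ct):
    """A computes x_a Q = (x', y') and recovers M1 = m1 / x', M2 = m2 / y'."""
    c1, c2, q = ct
    xs, ys = ec_mul(priv, q)
    return (c1 * pow(xs, -1, P_MOD) % P_MOD, c2 * pow(ys, -1, P_MOD) % P_MOD)


def report(pub, p_mw, theta_deg, k=None):
    """UPB side: encrypt one (P_i, theta_i) report for the CC's public key."""
    return encrypt(pub, encode(p_mw), encode(theta_deg), k)


def open_report(priv, ct):
    """CC side: decrypt and map both field elements back to measurements."""
    m1, m2 = decrypt(priv, ct)
    return decode(m1), decode(m2)


def scale_ciphertext(ct, factor):
    """Why Sec. IV-A signs the ciphertext: without the signature the scheme is malleable;
    multiplying m1 by a factor yields a valid encryption of factor * M1."""
    c1, c2, q = ct
    return (c1 * factor % P_MOD, c2, q)


if __name__ == "__main__":
    cc_priv, cc_pub = keygen()
    ct = report(cc_pub, -165.0, -12.34)          # constructed load-bus report
    print("decrypted:", open_report(cc_priv, ct))
    print("tampered :", open_report(cc_priv, scale_ciphertext(ct, 3)))
```

The tampering function is the practitioner's argument for the ECDSA step: an attacker on the link (the third threat of Section III-B) who can rewrite $m_1$ changes the load the CC decrypts from 165 MW to 495 MW without knowing any key, and only the signature over the ciphertext exposes that.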
IV. OUR PROPOSED BLITHE

In this section, considering the aforementioned threat model and attacker prototypes, we present the concrete methodology of BLITHE. As described in the reference UPB model, the CC obtains the reported real-time measurements from each node to estimate the state variables so as to monitor and ensure the health of the whole smart grid system. In BLITHE, the measurements, which include the bus power injection/load and the bus phase angle, are taken by the PMU attached to each bus. The state variables are the phase angles of all buses, which uniquely determine the state of the whole smart grid system. Therefore, it is of great importance to ensure the accuracy of the reported measurements that the CC obtains. In the following, to prevent the latter two threats of Section III-B, we adopt the data encryption and signature techniques of Section IV-A to provide confidentiality and integrity for the data report link from each node to the CC. Then, to resist the first threat, the behavior rule based insider threat detection methodology is presented in Sections IV-B to IV-F to detect an insider that compromises the reported data of its node (i.e., does not report the genuine data).

A. Encryption and Signature on Reported Measurements

Suppose the measurements to be reported by node $i$ are the power injection/load $P_i$ and the bus phase angle $\theta_i$, both with two decimal places. Firstly, $\theta_i$ and $P_i$ are mapped to integers by multiplying each by 100. Then the Elliptic-Curve-ElGamal cryptosystem of Section II-C is invoked to encrypt the two converted measurements. Subsequently, the popular ECDSA digital signature algorithm [43] is used to sign the resulting ciphertext. Finally, the signature and ciphertext are transmitted to the CC.

B. Behavior Rules

After receiving the data from each node, the CC verifies each signature and decrypts the ciphertext to obtain the measurements.
Our design for the BLITHE reference model depends on the use of simple specification based behavior rules with which the CC analyzes all received data synthetically to monitor and detect potential attacks on each UPB. BLITHE focuses on detecting an inside attacker attached to a specific physical device (UPB). It produces a continuous output between 0 and 1, which allows a monitor device to perform insider threat detection on the target trustee via observation. TABLE I lists the behavior rules for detecting a malicious UPB, with the monitor being a peer UPB or the CC (see Fig. 2).

TABLE I
BEHAVIOR RULES DESCRIPTION

Rule | Description | Trustee | Monitor | Theoretical foundation and philosophy
1 | The difference in phase angle between every two neighbouring buses is less than a certain threshold, i.e., 10-15 degrees | UPB | UPB/CC | Assumption 2) in Section II-A
2 | The difference in bus phase angle between the reported measurement and the corresponding estimation is less than a certain threshold | UPB | CC | Section II-B
3 | The difference in bus power injection/load between the reported measurement and the corresponding estimation is less than a certain threshold | UPB | CC | Section II-B
C. Transforming Rules to State Machines

Each behavior rule corresponds to a state, which may be a safe state or an unsafe state. A safe state denotes normal behavior, observed when the behavior rule is obeyed; an unsafe state denotes malicious behavior, observed when the rule is violated. Therefore, a behavior rule corresponds to a state variable bound to the rule, indicating the probability that the node is in a normal or in a malicious behavior status. A behavior rule specification can be transformed into a state machine by the following procedure. Firstly, the attack behavior indicators, each denoting that a behavior rule is violated, are identified. Then, each attack behavior indicator is expressed as a conjunctive normal form predicate that identifies the state components involved in the implicit state machine. Next, the attack behavior indicators are synthesized into a boolean expression in disjunctive normal form. Subsequently, the predicate variables are converted into the state components of a state machine, and the range of each component is decided at the same time. Finally, the number of states is optimized by compressing states and eliminating illegitimate values. In the following, based on the behavior rules of the reference UPB model, we illustrate how a state machine is obtained from a behavior specification.
1) Identify Attack Behavior Indicators: Attacks associated with a UPB will drive the UPB into certain attack behavior indicators, which can be identified by analyzing the specification based behavior rules. There are three attack behavior indicators, due to the violation of the three behavior rules of a UPB listed in TABLE I. The first UPB attack behavior indicator is that more than one neighbouring UPB (together with the CC) notices that its phase angle difference from the trustee UPB's reported measurement exceeds a certain threshold. The trustee and monitor in this case are a certain UPB and its neighbouring UPBs (together with the CC), respectively. The
second UPB attack behavior indicator is that the difference between the UPB's phase angle measurement reported to the CC and the corresponding estimation is above a certain threshold. The trustee and monitor in this case are a certain UPB and the CC, respectively. The third UPB attack behavior indicator is that the difference between the UPB's power measurement reported to the CC and the corresponding estimation is above a certain threshold. The trustee and monitor in this case are again a certain UPB and the CC, respectively.
2) Express Attack Behavior Indicators in a Conjunctive Normal Form: Suppose $w$ is the total number of node $i$'s neighbouring nodes, and the phase angles of node $i$ and its $w$ neighbouring nodes are $\theta_i, \theta_{(i,1)}, \cdots, \theta_{(i,w)}$, respectively. The UPB attack behavior indicators in conjunctive normal form are given in TABLE II; indicator 1 is the negation of the rule-1 conjunction, since an indicator denotes that the rule is violated.

TABLE II
BEHAVIOR RULES

Attack Behavior Indicator | Expression
1 | $\neg\left(|\theta_i - \theta_{(i,1)}| \le \alpha_1 \wedge \cdots \wedge |\theta_i - \theta_{(i,w)}| \le \alpha_1\right)$
2 | $|\theta_i - \hat{\theta}_i| > \alpha_2$
3 | $|P_i - \hat{P}_i| > \alpha_3$
3) Consolidate Predicates in a Disjunctive Normal Form:

$$\neg\left(|\theta_i - \theta_{(i,1)}| \le \alpha_1 \wedge \cdots \wedge |\theta_i - \theta_{(i,w)}| \le \alpha_1\right) \;\vee\; |\theta_i - \hat{\theta}_i| > \alpha_2 \;\vee\; |P_i - \hat{P}_i| > \alpha_3.$$

4) Identify State Components and Component Ranges: Continuous components are quantized to integer scales within permissible ranges. Specifically, a phase angle lies in the range $[0^\circ, 360^\circ]$, and a power value lies in the range $[-10000\,\mathrm{MW}, 10000\,\mathrm{MW}]$ (positive for a generation bus, negative for a load bus). TABLE III lists the allowed ranges of the UPB state components. The resulting UPB automaton has $360^{w+1} \times 360 \times 20001^2 \approx 8.7 \times 10^{23}$ states (assuming $w = 4$, i.e., a node has 4 neighbouring nodes on average). This automaton is far too large, so the state space is condensed in the next step.

TABLE III
UPB STATE COMPONENTS

Name | Control or Reading | Range
Phase angle | Reading | $[0^\circ, 360^\circ]$
Power | Reading | $[-10000\,\mathrm{MW}, 10000\,\mathrm{MW}]$
5) Optimize State Space: By abbreviating the values of the components, the size of the state machine is reduced and the number of states is optimized. For each of the three components, i.e., (i) the phase angle difference between one node and its neighbouring nodes, (ii) the phase angle difference between the measurement and estimation of the trustee node, and (iii) the power difference between the measurement and estimation of the trustee node, each of our rules considers only four states: normal/good, medium-warning, great-warning, and unsafe/bad. To depict rule violations and optimize the state space more finely and accurately, we transform each rule. Specifically, as shown in TABLE IV, the value of the first rule is obtained by evaluating the ratio $\beta_1 = \alpha/w$, where $\alpha$ is the number of node $i$'s neighbouring nodes for which $|\theta_i - \theta_{(i,j)}| > \alpha_1$, $j = 1, \cdots, w$. The larger $\beta_1$ is, the more severely the rule is violated. The value of the second rule is obtained by evaluating the phase angle difference $\beta_2 = |\theta_i - \hat{\theta}_i|$, where $\theta_i$ and $\hat{\theta}_i$ are the measurement and estimation of trustee node $i$'s phase angle, respectively. The larger $\beta_2$ is, the more severely the rule is violated. The third rule is quantified similarly with the parameter $\beta_3$. This treatment yields a condensed UPB state machine with $4 \times 4 \times 4 = 64$ states, only 1 of which is safe, since the trustee and the corresponding monitor readings match for all three components as described in TABLE IV. Among the remaining states, 26 are warning states (7 medium-warning and 19 great-warning), since the trustee and monitor readings differ by more than the warning margin for at least one component but do not exceed the unsafe threshold for any component, and 37 are unsafe/bad, because at least one component's difference exceeds the unsafe threshold.

TABLE IV
UPB COMPONENTS' STATES

$\beta_1 = \alpha/w$ | $\beta_2 = |\theta_i - \hat{\theta}_i|$ | $\beta_3 = |P_i - \hat{P}_i|$ | States
$[0, a_1]$ | $[0, b_1]$ | $(0, c_1]$ | safe/good
$(a_1, a_2]$ | $(b_1, b_2]$ | $(c_1, c_2]$ | medium-warning
$(a_2, a_3]$ | $(b_2, b_3]$ | $(c_2, c_3]$ | great-warning
$(a_3, 1]$ | $(b_3, 360]$ | $(c_3, 20000]$ | unsafe/bad
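To make the rule transformation and TABLE IV concrete, the following added Python example (not the authors' code) evaluates $\beta_1$, $\beta_2$, $\beta_3$ on a set of constructed readings and quantizes each into the four levels. The thresholds $\alpha_1$, $a_k$, $b_k$, $c_k$ default to the TABLE VIII simulation values of Section V-B, and the plain absolute angle difference of TABLE II is assumed (no wrap-around at 360 degrees).

```python
# Added example (not from the BLITHE paper): evaluate the three UPB behavior
# rules of TABLE II and quantize the violation measures into the four levels of
# TABLE IV. Thresholds default to the TABLE VIII simulation values; angle
# differences are plain absolute differences in degrees (assumption: no
# wrap-around at 360 degrees, matching the expressions in TABLE II).
from dataclasses import dataclass
from typing import Sequence, Tuple

LEVELS = ("safe/good", "medium-warning", "great-warning", "unsafe/bad")


@dataclass(frozen=True)
class RuleThresholds:
    alpha1: float = 15.0                                    # rule 1 neighbour gap (deg)
    a: Tuple[float, float, float] = (0.30, 0.40, 0.60)      # a1, a2, a3 for beta1
    b: Tuple[float, float, float] = (15.0, 30.0, 50.0)      # b1, b2, b3 for beta2 (deg)
    c: Tuple[float, float, float] = (50.0, 150.0, 300.0)    # c1, c2, c3 for beta3 (MW)


def rule_measures(theta_i: float, theta_neighbours: Sequence[float],
                  theta_i_hat: float, p_i: float, p_i_hat: float,
                  thr: RuleThresholds) -> Tuple[float, float, float]:
    """Return (beta1, beta2, beta3) of Section IV-C5 for trustee node i."""
    w = len(theta_neighbours)
    if w == 0:
        raise ValueError("rule 1 needs at least one neighbouring node")
    # alpha = number of neighbours whose angle gap to node i exceeds alpha1
    alpha = sum(1 for t in theta_neighbours if abs(theta_i - t) > thr.alpha1)
    beta1 = alpha / w                       # share of neighbours violating rule 1
    beta2 = abs(theta_i - theta_i_hat)      # reported vs. estimated phase angle
    beta3 = abs(p_i - p_i_hat)              # reported vs. estimated power
    return beta1, beta2, beta3


def quantize(value: float, bounds: Tuple[float, float, float]) -> int:
    """Level 0..3 for the intervals [0,x1], (x1,x2], (x2,x3], (x3,max] of TABLE IV."""
    x1, x2, x3 = bounds
    if value <= x1:
        return 0
    if value <= x2:
        return 1
    if value <= x3:
        return 2
    return 3


def component_states(theta_i, theta_neighbours, theta_i_hat, p_i, p_i_hat,
                     thr: RuleThresholds = RuleThresholds()) -> Tuple[int, int, int]:
    """The (rule 1, rule 2, rule 3) level triple that identifies one of the 64 states."""
    b1, b2, b3 = rule_measures(theta_i, theta_neighbours, theta_i_hat, p_i, p_i_hat, thr)
    return quantize(b1, thr.a), quantize(b2, thr.b), quantize(b3, thr.c)


def classify(state: Tuple[int, int, int]) -> str:
    """Safe only when all components are good; otherwise the worst component decides."""
    return LEVELS[max(state)]


if __name__ == "__main__":
    # Constructed readings: two of four neighbours sit more than 15 degrees away,
    # the angle estimate is close, and the power estimate is within 50 MW.
    state = component_states(10.0, [12.0, 40.0, 5.0, 30.0], 12.0, 120.0, 100.0)
    print(state, classify(state))   # (2, 0, 0) great-warning
```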
6) Behavior Rule State Machine: Here we illustrate how to produce the behavior rule state machine of a UPB device. Based on the behavior rules, the UPB state machine (including 1 good, 7 medium-warning, 19 great-warning, and 37 unsafe states) is produced as follows. First, all the states are numbered $1, \cdots, 64$. Next, to reflect a good, warning (medium-warning or great-warning), or bad UPB's behavior, a probability $p_{ij}$ that state $i$ transfers to state $j$ is assigned to each pair $(i, j)$ in the state machine. A good UPB should stay in safe states all the time. However, due to unexpected surrounding noise, system disturbance, or communication faults, it may occasionally be misidentified as in a warning or unsafe state by the monitor node. Therefore, the compliance degree of a good UPB will be slightly less than, but close to, 1. Let $p_{err}$ model the error probability that a monitor node misidentifies the genuine status of a trustee node due to the aforementioned factors. In the testing phase, for a good UPB seeded in the system, a monitor node is assigned accordingly to observe and measure its $p_{ij}$ in the presence of $p_{err}$. Note that $p_{ij}$ is $1 - p_{err}$ when $j$ is the good state, $p_{err} \times 7/(7+19+37)$ when $j$ is one of the 7 medium-warning states, $p_{err} \times 19/(7+19+37)$ when $j$ is one of the 19 great-warning states, and $p_{err} \times 37/(7+19+37)$ when $j$ is one of the 37 unsafe states. Fig. 3 illustrates the behavior rule state machine for a good UPB in BLITHE. Let G, MW, GW and B be the abbreviations of the good, medium-warning, great-warning and bad outputs of each rule, respectively. Transitions into states whose rule outputs include only G, MW and GW are valid, although their borderline cases are ambiguous and warrant attention. Transitions into states that include a B rule output are invalid and raise an alert. Any two states can transition to each other. Each state describes how one of the trustee node's specific attributes matches the counterpart observed by the monitor. For the UPB device, the measurement and estimation of the bus phase angle and bus power magnitude are the device attributes of interest. Note that each device, with its specific attributes, owns its own state machine.

Fig. 3. The behavior rule state machine for a good UPB. (Legend: Good (G), Medium-Warning (MW), Great-Warning (GW), Bad (B); each state is a triple of rule outputs such as (G, G, G), (MW, G, G) or (MW, GW, B). Transition labels: $1 - p_{err}$ into the good state, and $7 p_{err}/63$, $19 p_{err}/63$, $37 p_{err}/63$ into the medium-warning, great-warning and unsafe classes, respectively.)
For a compromised UPB, $p_{ij}$ depends on the attacker's type. A reckless attacker is assumed to stay in unsafe or warning states all the time. However, due to surrounding noise or communication faults, it may occasionally be mistaken as staying in a safe state by the monitor node. In the testing phase, for a UPB compromised by a reckless attacker seeded in the system, a monitor node is assigned accordingly to observe and measure its $p_{ij}$. Note that $p_{ij}$ is $p_{err}$ when $j$ is the good state, $7/(7+19+37) \times (1 - p_{err})$ when $j$ is one of the 7 medium-warning states, $19/(7+19+37) \times (1 - p_{err})$ when $j$ is one of the 19 great-warning states, and $37/(7+19+37) \times (1 - p_{err})$ when $j$ is one of the 37 unsafe states. Similarly, a random attacker launches an attack with probability $p_a$ and stops attacking with probability $1 - p_a$, in which case it is observed as good by the monitor node with probability $1 - p_{err}$. Therefore, $p_{ij}$ is $p_a \times p_{err} + (1 - p_a) \times (1 - p_{err})$ when $j$ is the good state, $7/(7+19+37) \times (p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})$ when $j$ is one of the 7 medium-warning states, $19/(7+19+37) \times (p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})$ when $j$ is one of the 19 great-warning states, and $37/(7+19+37) \times (p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})$ when $j$ is one of the 37 bad states. Fig. 4 illustrates the behavior rule state machine for a UPB compromised by a random attacker in BLITHE.

D. Collect Compliance Degree Data

In this section, we improve the traditional grading strategy [39] and propose our rule-weight and compliance-distance based grading strategy to evaluate the compliance degree of a trustee effectively. One remarkable characteristic of our improved strategy is the adjustable weight of each rule. The state machine built in Section IV-C is utilized to collect compliance degrees of the good and/or bad trustees.
Fig. 4. The behavior rule state machine for a UPB compromised by a random attacker. (Legend: Good (G), Medium-Warning (MW), Great-Warning (GW), Bad (B). Transition labels: $p_a p_{err} + (1 - p_a)(1 - p_{err})$ into the good state, and $7/63 \times [p_a (1 - p_{err}) + (1 - p_a) p_{err}]$, $19/63 \times [p_a (1 - p_{err}) + (1 - p_a) p_{err}]$, $37/63 \times [p_a (1 - p_{err}) + (1 - p_a) p_{err}]$ into the medium-warning, great-warning and unsafe classes, respectively.)
The resulting historical information of compliance degree is analyzed to fine-tune the false positive and false negative probabilities for optimal detection of insider threats under various scenarios. Even though our experiments are performed with a range of configurations, we focus on the trade-off instances that can be gracefully adjusted to generate a high detection proportion, because the principal objective of BLITHE is safety. Specifically, for each UPB device assumed to be a good or a bad trustee, we profile its measurements of bus power magnitude and bus phase angle. For insider threat detection of each device (which may not report data genuinely), its behavior is modeled by a stochastic process on states $1, \cdots, m$ with the transition probabilities $p_{ij}$ described in Section IV-C; let $\pi_j$ denote the probability of the device being in state $j$. Therefore, by summing up all possible transitions into state $j$, the probability of the random process being in state $j$ can be represented as $\pi_j = \sum_{i=1}^{m} \pi_i p_{ij}$. Because there are $m$ states for each node, $m$ such equations are obtained. To avoid infinitely many solutions, one additional equation is added as a constraint:
$$\sum_{i=1}^{m} \pi_i = 1. \quad (3)$$
Let $c_j$ denote the "grade" corresponding to state $j$, which depicts the closeness between the specified "good" behavior and the observed behavior of state $j$. Then, by summing the products of each state's probability and "grade", a node's compliance degree $c$ can be expressed as:
$$c = \sum_{j=1}^{m} \pi_j c_j . \quad (4)$$
In BLITHE, we pioneer the rule-weight and compliance-distance based grading strategy shown in Fig. 5 to evaluate the compliance degree of a node. It is a general form of grading strategy, where $m$ and $n$ are the sizes of the state set and the rule set of each node, respectively, and the entries $b_{ij}$, for $i = 1, \cdots, m$ and $j = 1, \cdots, n$, denote the monitored behavior data under the considered model. To quantize the compliance degree, when state $j$ is secure, we assign it the value 1. When state $j$ is insecure, we assign it a value within $[0, 1]$ expressing the distance by which state $j$ deviates from the secure state. By integrating the weight factor of each rule, $c_j$ is formalized as:
$$c_j = \sum_{k=1}^{n} \gamma_k \left(1 - \frac{D_{jk}}{D_{max}(R_k)}\right),$$
where $\gamma_k$ is the weight of rule $k$ and satisfies $\sum_{k=1}^{n} \gamma_k = 1$, $D_{jk}$ is the distance from the behavior data $b_{jk}$ to the corresponding secure state, and $D_{max}(R_k)$ is the largest distance from any possible insecure state to the corresponding secure state for $R_k$ (rule $k$). According to this assignment, if state $j$ is secure under all rules, then $D_{jk} = 0$ for all $k = 1, \cdots, n$, and hence $c_j = 1$. If state $j$ is insecure but still close to a secure state, then $c_j$ is close to 1. By contrast, $c_j$ is close to 0 when state $j$ is far from a secure state. After all $c_j$ are assigned, recalling Eq. (4), we can evaluate the compliance degree of a node as:
$$c = \sum_{j=1}^{m} \pi_j c_j = \sum_{j=1}^{m} \pi_j \left\{ \sum_{k=1}^{n} \gamma_k \left(1 - \frac{D_{jk}}{D_{max}(R_k)}\right) \right\}, \quad (5)$$
where $\pi_j$ represents the fraction of time the node spends in state $j$ during the observation period.
Fig. 5. The rule-weight and compliance-distance based grading strategy. (Layout: rows are the states $S_1, \cdots, S_m$ with their probabilities $\pi_j$, columns are the rules $R_1, \cdots, R_n$ with their weights $\gamma_k$, and entry $b_{jk}$ is the monitored behavior data of state $j$ under rule $k$.)

E. Compliance Degree Distribution

In BLITHE, observing that various perturbations, e.g., surrounding noise and unreliable communications, may affect the evaluation accuracy of a device's compliance, the Beta distribution of statistics and probability theory is applied to model the node compliance degree. The Beta distribution is chosen because its values can be regarded as a probability, so it can depict the prior distribution of a probability. Generally, the Beta distribution is a family of continuous probability distributions defined on the interval $[0, 1]$. The value 0 represents an output that is completely unacceptable (without compliance), while 1 represents an output that is absolutely acceptable (with best compliance). Moreover, when Bayesian inference is applied, after observing sufficient instances the Beta distribution can also be exploited to compute the posterior distribution of the probability [39].

Specifically, we model the compliance degree of a node in BLITHE by a random variable $X \sim \mathrm{Beta}(\alpha, \beta)$, with the probability density function (PDF)
$$f(x; \alpha, \beta) = \frac{\Gamma(\alpha + \beta)}{\Gamma(\alpha)\Gamma(\beta)}\, x^{\alpha - 1} (1 - x)^{\beta - 1},$$
where $\Gamma(\cdot)$ denotes the gamma function [39], [44]. The cumulative distribution function (CDF) $F(x)$ and the mathematical expectation $E_B[X]$ of $X$ can be computed as follows:
$$F(x) = \int_0^x f(t; \alpha, \beta)\, dt, \quad (6)$$
$$E_B[X] = \int_0^1 x f(x; \alpha, \beta)\, dx = \frac{\alpha}{\alpha + \beta}.$$

Then, by taking advantage of the collected compliance degree history data $(c_1, \cdots, c_n)$ of Section IV-D, the parameters $\alpha$ and $\beta$ can be estimated via the maximum likelihood method. Mathematically, the maximum likelihood estimates of $\alpha$ and $\beta$ are obtained by solving the following two equations:
$$\frac{n\, \partial\Gamma(\hat{\alpha} + \hat{\beta})/\partial\hat{\alpha}}{\Gamma(\hat{\alpha} + \hat{\beta})} - \frac{n\, \partial\Gamma(\hat{\alpha})/\partial\hat{\alpha}}{\Gamma(\hat{\alpha})} + \sum_{i=1}^{n} \log c_i = 0,$$
$$\frac{n\, \partial\Gamma(\hat{\alpha} + \hat{\beta})/\partial\hat{\beta}}{\Gamma(\hat{\alpha} + \hat{\beta})} - \frac{n\, \partial\Gamma(\hat{\beta})/\partial\hat{\beta}}{\Gamma(\hat{\beta})} + \sum_{i=1}^{n} \log(1 - c_i) = 0,$$
where
$$\frac{\partial\Gamma(\hat{\alpha} + \hat{\beta})}{\partial\hat{\alpha}} = \frac{\partial\Gamma(\hat{\alpha} + \hat{\beta})}{\partial\hat{\beta}} = \int_0^\infty (\log x)\, x^{\hat{\alpha} + \hat{\beta} - 1} e^{-x}\, dx .$$
Commonly, a less general but simpler model, the single-parameter distribution $\mathrm{Beta}(1, \beta)$ with $\alpha$ fixed to 1, is considered. In that case the PDF is $f(x; \beta) = \beta (1 - x)^{\beta - 1}$ [39], and the corresponding maximum likelihood estimate of $\beta$ can be computed as:
$$\hat{\beta} = \frac{n}{\sum_{i=1}^{n} \log \frac{1}{1 - c_i}} . \quad (7)$$
F. False Negative and False Positive Rates

In this section, the threshold criterion [39] is used to describe the false positive probability $p_{fp}$ (misidentifying good devices as bad ones) and the false negative probability $p_{fn}$ (missing bad devices). Although neither $p_{fp}$ nor $p_{fn}$ is desirable, $p_{fn}$ is far more damaging to the security of smart grid in BLITHE. Since the key motivation of BLITHE is safety, we seek configurations that achieve high detection rates (low $p_{fn}$) without neglecting $p_{fp}$. Specifically, let $C_T$ be the minimum compliance threshold of the system. If a bad node's compliance degree (represented by $X_b$, with the CDF of Eq. (6)) exceeds $C_T$, a false negative happens. Formally, $p_{fn}$ for BLITHE is represented as:
$$p_{fn} = \Pr\{X_b > C_T\} = 1 - F(C_T). \quad (8)$$
On the contrary, if a good node's compliance degree (represented by $X_g$, with the CDF of Eq. (6)) does not exceed $C_T$, a false positive happens. Formally, $p_{fp}$ for BLITHE is represented as:
$$p_{fp} = \Pr\{X_g \le C_T\} = F(C_T). \quad (9)$$
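Eqs. (6) to (9) carried out for the single-parameter model, in an added Python example that is not the authors' code: it estimates $\hat{\beta}$ from a compliance history by Eq. (7), evaluates $p_{fn}$ and $p_{fp}$ at a threshold $C_T$, and inverts Eq. (8) to select the $C_T$ that meets a target $p_{fn}$, the selection that TABLE VII in Section V tabulates. The Beta(1, β) CDF is written in closed form and the input history is constructed by sampling; both are assumptions of the example rather than the paper's data.

```python
# Added example (not from the BLITHE paper): fit the single-parameter
# Beta(1, beta) model of Section IV-E to a compliance history with Eq. (7),
# evaluate p_fn (Eq. (8)) and p_fp (Eq. (9)) at a threshold C_T, and choose the
# C_T that meets a target p_fn as in the threshold selection of Section V.
# For Beta(1, beta) the CDF of Eq. (6) has the closed form F(x) = 1 - (1-x)^beta.
import math
import random
from typing import List, Sequence, Tuple

EPS = 1e-12   # keeps log(1 / (1 - c)) finite when a history entry equals 1


def estimate_beta(history: Sequence[float]) -> float:
    """Eq. (7): beta_hat = n / sum_i log(1 / (1 - c_i))."""
    if not history:
        raise ValueError("need at least one compliance sample")
    total = 0.0
    for c in history:
        c = min(max(c, 0.0), 1.0 - EPS)     # clamp into [0, 1)
        total += math.log(1.0 / (1.0 - c))
    if total == 0.0:
        raise ValueError("all samples are 0: beta is unbounded")
    return len(history) / total


def beta1_cdf(x: float, beta: float) -> float:
    """F(x) of Eq. (6) for Beta(1, beta), in closed form."""
    x = min(max(x, 0.0), 1.0)
    return 1.0 - (1.0 - x) ** beta


def expected_compliance(beta: float) -> float:
    """E_B[X] = alpha / (alpha + beta) with alpha = 1."""
    return 1.0 / (1.0 + beta)


def false_negative_rate(beta_bad: float, c_t: float) -> float:
    """Eq. (8): probability that a bad node's compliance exceeds C_T."""
    return 1.0 - beta1_cdf(c_t, beta_bad)


def false_positive_rate(beta_good: float, c_t: float) -> float:
    """Eq. (9): probability that a good node's compliance is at most C_T."""
    return beta1_cdf(c_t, beta_good)


def select_threshold(beta_bad: float, target_pfn: float) -> float:
    """Smallest C_T whose p_fn does not exceed the target: (1 - C_T)^beta = target."""
    if not 0.0 < target_pfn < 1.0:
        raise ValueError("target p_fn must lie strictly between 0 and 1")
    return 1.0 - target_pfn ** (1.0 / beta_bad)


def roc_curve(beta_good: float, beta_bad: float, steps: int = 20) -> List[Tuple[float, float]]:
    """(p_fp, detection rate 1 - p_fn) pairs as C_T sweeps 0..1, as in Fig. 8."""
    return [(false_positive_rate(beta_good, t / steps),
             1.0 - false_negative_rate(beta_bad, t / steps)) for t in range(steps + 1)]


def sample_history(beta: float, n: int, seed: int) -> List[float]:
    """Constructed history drawn from Beta(1, beta) by inverting F (stands in for
    the Monte Carlo data of Section V-A)."""
    rng = random.Random(seed)
    return [1.0 - rng.random() ** (1.0 / beta) for _ in range(n)]


if __name__ == "__main__":
    # beta values here are illustrative, not figures from the paper
    beta_good = estimate_beta(sample_history(0.08, 1000, seed=1))
    beta_bad = estimate_beta(sample_history(1.1, 1000, seed=2))
    c_t = 0.92
    print(f"beta_good={beta_good:.3f} beta_bad={beta_bad:.3f}")
    print(f"p_fn={false_negative_rate(beta_bad, c_t):.4f} "
          f"p_fp={false_positive_rate(beta_good, c_t):.4f}")
    print("C_T for p_fn = 0.01:", round(select_threshold(beta_bad, 0.01), 4))
```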
Fig. 6. Sensitivity of a node's compliance degree $c_i$ to $p_{err}$ or $p_a$ (scatter plots over 1000 trials): (a) $c_i$ versus $p_{err}$ for good nodes ($p_{err} = 0.01, \ldots, 0.05$); (b) $c_i$ versus $p_{err}$ for reckless attackers ($p_{err} = 0.01, \ldots, 0.05$); (c) $c_i$ versus $p_{err}$ for opportunistic attackers ($p_{err} = 0.1, \ldots, 0.5$); (d) $c_i$ versus $p_a$ for random attackers.
V. PERFORMANCE EVALUATION

In this section, we evaluate the performance of BLITHE by conducting Monte Carlo simulation and real data simulation on an IEEE benchmark power system.

A. Monte Carlo Simulation

With the aid of Monte Carlo simulation, the compliance degree history data $(c_1, \cdots, c_n)$ of a device is collected by repeatedly generating random samples that follow the stochastic process of the device's state machine. We utilize the UPB device in the reference model described in Section III to illustrate the utility of BLITHE for securing smart grid applications. Specifically, we simulate the procedure in Section IV-C6 to build the state machines of a good and a bad UPB device. For a good device, we simulate $p_{ij}$ as $1 - p_{err}$ when $j$ is the good state, and as $p_{err}$ when $j$ is one of the 63 abnormal states (including 7 medium-warning, 19 great-warning, and 37 unsafe states). For a bad device compromised by a random attacker with attack probability $p_a$, we simulate $p_{ij}$ as $(1 - p_a) \times (1 - p_{err}) + p_a \times p_{err}$ when $j$ is the good state, and as $(p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})/63$ when $j$ is one of the 63 abnormal states. Based on the state machine of a UPB device generated above, we collect the time-dimensional compliance degree data $(c_1, \cdots, c_n)$ through $n = 1000$ Monte Carlo simulations. In each simulation, we start from state 0 and observe the stochastic process of the device as it moves from one state to another. We continue this procedure until at least one state has been sufficiently traversed (i.e., 100 times). Then we approximate the probability $\pi_j$ of the device being in state $j$ by the proportion of transitions into state $j$ among all state transitions.
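The state machine of Section IV-C6, the rule-weight and compliance-distance grading of Section IV-D, and the Monte Carlo collection just described, put together in an added Python example that is not the authors' code. Assumptions of the example: a state is a triple of component levels (0 good to 3 bad), the distance $D_{jk}$ is that level with $D_{max}(R_k) = 3$, and the per-class masses such as $p_{err} \times 7/63$ are spread evenly over the states of the class, so each of the 63 abnormal states receives $p_{err}/63$ for a good UPB.

```python
# Added example (not from the BLITHE paper): the 64-state UPB machine of
# Section IV-C6, the rule-weight and compliance-distance grading of Section
# IV-D, and the Monte Carlo collection of compliance degrees of Section V-A.
# Assumptions: a state is a triple of component levels (0 good .. 3 bad),
# D_jk is that level with D_max(R_k) = 3, and each of the 63 abnormal states
# receives an equal share of the abnormal transition mass.
import itertools
import random
from typing import Dict, List, Sequence, Tuple

State = Tuple[int, int, int]
STATES: List[State] = list(itertools.product(range(4), repeat=3))  # 64 states
SAFE: State = (0, 0, 0)
D_MAX = 3.0                       # largest component distance under every rule


def class_counts() -> Dict[int, int]:
    """States per severity (worst component level): good, MW, GW, bad."""
    counts = {0: 0, 1: 0, 2: 0, 3: 0}
    for s in STATES:
        counts[max(s)] += 1
    return counts              # {0: 1, 1: 7, 2: 19, 3: 37}


def grade(state: State, weights: Sequence[float]) -> float:
    """c_j = sum_k gamma_k * (1 - D_jk / D_max(R_k)), equal to 1 for the safe state."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("rule weights must sum to 1")
    return sum(g * (1.0 - d / D_MAX) for g, d in zip(weights, state))


def transition_row(p_err: float, p_a: float) -> Dict[State, float]:
    """p_ij of Section IV-C6 for a UPB whose attacker strikes with probability
    p_a (p_a = 0: good node, p_a = 1: reckless attacker). The row does not
    depend on the source state i, so the same row serves every i."""
    p_safe = p_a * p_err + (1.0 - p_a) * (1.0 - p_err)
    p_abnormal = (p_a * (1.0 - p_err) + (1.0 - p_a) * p_err) / 63.0
    return {s: (p_safe if s == SAFE else p_abnormal) for s in STATES}


def expected_compliance(p_err: float, p_a: float, weights: Sequence[float]) -> float:
    """Exact Eq. (4): with identical rows the stationary pi_j equals p_ij."""
    row = transition_row(p_err, p_a)
    return sum(row[s] * grade(s, weights) for s in STATES)


def monte_carlo_compliance(p_err: float, p_a: float, weights: Sequence[float],
                           rng: random.Random, min_visits: int = 100) -> float:
    """One instance of c as in Section V-A: follow the chain until some state
    has been visited min_visits times, take pi_j as the visit share of state j,
    then apply Eq. (4)."""
    row = transition_row(p_err, p_a)
    cum = list(itertools.accumulate(row[s] for s in STATES))
    visits = {s: 0 for s in STATES}
    total = 0
    while max(visits.values()) < min_visits:
        nxt = rng.choices(STATES, cum_weights=cum, k=1)[0]
        visits[nxt] += 1
        total += 1
    return sum(visits[s] / total * grade(s, weights) for s in STATES)


def compliance_history(p_err: float, p_a: float, weights: Sequence[float],
                       n: int = 1000, seed: int = 0) -> List[float]:
    """The history (c_1, ..., c_n) that Section IV-E fits a Beta distribution to."""
    rng = random.Random(seed)
    return [monte_carlo_compliance(p_err, p_a, weights, rng) for _ in range(n)]


if __name__ == "__main__":
    W = (0.6, 0.2, 0.2)           # rule weights gamma_1..gamma_3 of TABLE VIII
    print(class_counts())
    for p_a in (0.0, 0.2, 1.0):   # good node, random attacker, reckless attacker
        hist = compliance_history(0.01, p_a, W, n=200)
        print(p_a, round(expected_compliance(0.01, p_a, W), 4),
              round(sum(hist) / len(hist), 4))
```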
In this way, we obtain one instance of the compliance degree $c$ using Eq. (4). We repeat a sufficiently large number (i.e., $n = 1000$) of test rounds to collect $(c_1, \cdots, c_n)$, based on which we compute the distribution of the compliance degree of a good and/or a bad device under reckless, opportunistic and/or random attacks. Fig. 6(a) plots $n = 1000$ points of the raw compliance degree data for a good UPB node with different $p_{err}$ values. There are five clusters of compliance degree data, corresponding to each setting of $p_{err}$. It can be observed that as $p_{err}$ (the surrounding noise) increases, the cluster of compliance degree data moves downward, i.e., the good node's compliance degree declines. This reflects that when the noise increases, there is a higher probability that the monitoring node mistakes the good UPB node as staying in a bad state. Fig. 6(b) plots the sensitivity of the compliance degree $c_i$ to $p_{err}$ for a bad UPB node compromised by reckless attackers. Similar to Fig. 6(a), there are five clusters of compliance degree data, corresponding to each setting of $p_{err}$. However, in this case, as $p_{err}$ increases, the cluster of compliance degree data moves upward, i.e., the bad node's compliance degree increases. This reflects that when the noise increases, there is a higher probability that the monitoring node mistakes the bad UPB node as staying in a good state. Fig. 6(c) plots the sensitivity of the compliance degree $c_i$ to $p_{err}$ for a bad UPB node compromised by opportunistic attackers (with $\varepsilon = 0.9$). Similar to Fig. 6(b), there are five clusters of compliance degree data, corresponding to each setting of $p_{err}$, and a lower compliance degree correlates with a higher $p_{err}$. It can be observed that the compliance degree of opportunistic attackers is more sensitive to $p_{err}$ than that of reckless ones.
Numerically, the compliance degree spans $(0.4, 0.9)$ for opportunistic attackers, while the counterpart is only within approximately $(0.01, 0.07)$ for reckless ones. Fig. 6(d) plots the sensitivity of the compliance degree $c_i$ to $p_a$ for a bad UPB node compromised by random attackers. There are five clusters of compliance degree data, corresponding to each setting of $p_a$. It can be observed that as $p_a$ increases, the cluster of compliance degree data moves downward, i.e., the compliance degree of the bad node declines. This reflects that when the bad UPB node attacks more frequently, the attacker is more easily detected, and thus the measured compliance degree decreases. With the compliance degree history data $(c_1, \cdots, c_n)$ of a good or bad UPB device at hand, we can apply Eq. (7) to estimate the parameter $\beta$, and further obtain the probability distribution $\mathrm{Beta}(1, \beta)$ of the compliance degree for the trustee node. Then, given the minimum compliance degree threshold $C_T$ as an input, we can calculate the false negative probability $p_{fn}$ and the false positive probability $p_{fp}$ using Eq. (8) and Eq. (9), respectively. For a trustee in BLITHE, we give priority to achieving a low false negative probability, since the key motivation of BLITHE is safety. TABLE V illustrates the values of $\beta$, $p_{fn}$ and $p_{fp}$ under different reckless and random attack types, with the basic parameter settings $C_T = 0.92$ and $p_{err} = 0.01$. The rule-weight and compliance-distance based grading strategy is used to evaluate $c_j$ of state $j$ for a random or reckless attacker. In the following, we show that $C_T$, as a design parameter, can be fine-tuned to trade off false negatives against false positives according to the safety criticality. It can be observed that, when $p_a$ is high, the attacker is easy to detect, as manifested by a low false negative probability. In particular, when $p_a = 1$, the reckless attacker can rarely be missed. On the other hand, when $p_a$ decreases, the attacker becomes more insidious and hidden, reflected by the increase of the false negative probability. Note that the false positive probability stays the same regardless of the attack probability, because it is a metric that evaluates the detection error for good nodes only.

TABLE V
VALUES OF $\beta$, $p_{fn}$ AND $p_{fp}$ UNDER DIFFERENT RECKLESS AND RANDOM ATTACK TYPES ($C_T = 0.92$ AND $p_{err} = 0.01$)

Attack Type | $\beta$ | $p_{fn}$ (%) | $p_{fp}$ (%)
Reckless Attack ($p_a = 1$) | 99.57 | 0.0008 | 17.21
Random Attack ($p_a = 0.8$) | 4.33 | 0.0018 | 17.21
Random Attack ($p_a = 0.6$) | 1.95 | 0.73 | 17.21
Random Attack ($p_a = 0.4$) | 1.09 | 6.31 | 17.21
Random Attack ($p_a = 0.2$) | 0.63 | 20.26 | 17.21

TABLE VI
VALUES OF $\beta$, $p_{fn}$ AND $p_{fp}$ UNDER DIFFERENT OPPORTUNISTIC ATTACK TYPES ($C_T = 0.92$, $p_{err} = 0.01$ AND $C = 10$)

Opportunistic Attack Type | $p_a$ | $\beta$ | $p_{fn}$ (%) | $p_{fp}$ (%)
Conservative Attack ($\varepsilon = 1$) | 0.1 | 0.44 | 32.33 | 17.21
Aggressive Attack ($\varepsilon = 0.9$) | 0.16 | 0.55 | 24.86 | 17.21
Aggressive Attack ($\varepsilon = 0.8$) | 0.25 | 0.73 | 15.76 | 17.21
Aggressive Attack ($\varepsilon = 0.7$) | 0.4 | 1.08 | 6.47 | 17.21
Likewise, TABLE VI illustrates the values of $\beta$, $p_{fn}$ and $p_{fp}$ under different opportunistic attack types, with the basic parameter settings $C_T = 0.92$, $p_{err} = 0.01$ and $C = 10$. The rule-weight and compliance-distance based grading strategy is used to evaluate $c_j$ of state $j$ for an opportunistic attacker. It can be observed that, as $\varepsilon$ decreases, the opportunistic attacker exposes more aggressive attack behaviors and can be detected more easily. Our behavior rule based insider threat detection methodology allows one to adjust the minimum compliance degree threshold $C_T$ to achieve a satisfactory $p_{fn}$ while keeping $p_{fp}$ as low as possible. Fig. 7(a) plots the relationship between $p_{fn}$ and $C_T$ for detecting random attackers with different values of $p_a$. For each curve, $p_{fn} = 1$ when $C_T = 0$ and $p_{fn} = 0$ when $C_T = 1$, regardless of $p_a$. Meanwhile, $p_{fn}$ decreases as $p_a$ increases, since a bad node is more likely to be detected when it behaves more maliciously. Fig. 7(b) plots the relationship between $p_{fn}$ and $C_T$ for detecting reckless attackers ($p_a = 1$) with different values of $p_{err}$. Similar to Fig. 7(a), for each curve $p_{fn} = 1$ when $C_T = 0$ and $p_{fn} = 0$ when $C_T = 1$, regardless of $p_{err}$. Meanwhile, $p_{fn}$ decreases as $p_{err}$ decreases, since lower surrounding noise is less likely to conceal the malicious behavior of reckless attackers. Fig. 7(c) plots the relationship between $p_{fn}$ and $C_T$ for detecting opportunistic attackers ($\varepsilon = 0.9$) with different values of $p_{err}$. Similar to Fig. 7(b), for each curve $p_{fn} = 1$ when $C_T = 0$ and $p_{fn} = 0$ when $C_T = 1$, regardless of $p_{err}$. However, unlike Fig. 7(b), $p_{fn}$ decreases as $p_{err}$ increases. This reflects that the attack probability $p_a$ of opportunistic attackers is higher (i.e., they are more aggressive) when the surrounding noise is higher, which increases the probability of being detected and results in a smaller $p_{fn}$. Correspondingly, Fig. 7(d) plots the relationship between $p_{fp}$ and $C_T$ for detecting good nodes with different values of $p_{err}$. For each curve, $p_{fp} = 0$ when $C_T = 0$ and $p_{fp} = 1$ when $C_T = 1$, regardless of $p_{err}$. Meanwhile, $p_{fp}$ decreases as $p_{err}$ decreases, since lower surrounding noise is less likely to cause good nodes to be mistaken for malicious ones.

Fig. 7. False negatives $p_{fn}$ or false positives $p_{fp}$ versus compliance threshold $C_T$ and attack probability $p_a$ or surrounding noise $p_{err}$: (a) $p_{fn}$ versus $C_T$ and $p_a$ for detecting random attackers; (b) $p_{fn}$ versus $C_T$ and $p_{err}$ for detecting reckless attackers; (c) $p_{fn}$ versus $C_T$ and $p_{err}$ for detecting opportunistic attackers; (d) $p_{fp}$ versus $C_T$ and $p_{err}$ for detecting good nodes.

By adjusting the minimum compliance degree threshold $C_T$, our behavior rule based insider threat detection technique can effectively trade off $p_{fp}$ against $p_{fn}$ to cope with more sophisticated and hidden attackers. The underlying philosophy is that, by increasing $C_T$, $p_{fn}$ can be effectively reduced at the cost of a higher $p_{fp}$. This is especially desirable for smart grid applications that require ultra-high safety and security, since even a very small false negative could have tremendous and dire consequences. Fig. 8 illustrates a receiver operating characteristic (ROC) graph of the insider threat detection rate $1 - p_{fn}$ versus the false positive probability $p_{fp}$. The ROC graph is obtained by adjusting $C_T$ under the rule-weight and compliance-distance based grading policy for detecting reckless or random attackers. We draw a number of ROC curves, corresponding to different values of the attack probability $p_a$; the value of $p_{err}$ is fixed at 0.01. When we increase $C_T$, both the detection rate (upward on the graph) and the false positive probability (toward the right of the graph) increase. It can be seen that, applying our behavior rule based insider threat detection technique, the detection rate of the UPB device can approach 1; that is, an attacker can always be detected without false negatives. Numerically, the false positive probability is upper-bounded by 0.1 for reckless attackers, and 0.3 for random
TABLE VII
SELECTING $C_T$ TO SATISFY $p_{fn} = 0.01$ GIVEN $p_{err}$, $p_a$ AND ATTACKER TYPE AS INPUT

Attack type: Reckless ($p_a = 1$)
$p_{err}$ | $C_T$ | $p_{fn}$ | $p_{fp}$
0.01 | 0.05 | 0.01 | 0.0079
0.02 | 0.09 | 0.01 | 0.0202
0.03 | 0.14 | 0.01 | 0.0477
0.04 | 0.18 | 0.01 | 0.0520
0.05 | 0.22 | 0.01 | 0.0709

Attack type: Random ($p_a = 0.2$)
$p_{err}$ | $C_T$ | $p_{fn}$ | $p_{fp}$
0.01 | 0.9994 | 0.01 | 0.0743
0.02 | 0.9993 | 0.01 | 0.1377
0.03 | 0.9992 | 0.01 | 0.2074
0.04 | 0.9991 | 0.01 | 0.2525
0.05 | 0.9989 | 0.01 | 0.3031

Attack type: Opportunistic ($C = 10$ and $\varepsilon = 0.8$)
$p_{err}$ | $C_T$ | $p_a$ | $p_{fn}$ | $p_{fp}$
0.01 | 0.997 | 0.25 | 0.01 | 0.0877
0.02 | 0.979 | 0.44 | 0.01 | 0.0751
0.03 | 0.910 | 0.60 | 0.01 | 0.0630
0.04 | 0.754 | 0.76 | 0.01 | 0.0573
0.05 | 0.481 | 0.91 | 0.01 | 0.0339
Fig. 8. A ROC graph of the rule-weight and compliance-distance based grading strategy for detecting reckless or random attackers ($p_{err} = 0.01$). (Axes: detection rate versus $p_{fp}$ in $[0, 0.4]$, one curve per attack probability $p_a$.)

Fig. 9. IEEE 14-bus test system in POWER WORLD.
attackers, respectively. The results obtained above can be utilized by the system administrator to adaptively select the value of $C_T$ so as to satisfy the imposed $p_{fn}$ in response to the environment condition (e.g., the surrounding noise) and the suspected attacker type. TABLE VII illustrates one instance, where the maximum allowable $p_{fn}$, which must be satisfied, is 0.01. Given $p_{err}$ and the attacker type as input, there is a value of $C_T$ that yields $p_{fn} = 0.01$ (see Fig. 7(a), Fig. 7(b) and Fig. 7(c), following the plane at $p_{fn} = 0.01$). From the selected value of $C_T$, the corresponding $p_{fp}$ is determined by Eq. (9). TABLE VII summarizes the settings of $C_T$ for all attacker types over a range of $p_{err}$. For example, to achieve $p_{fn} = 0.01$ and $p_{fp} = 7.51\%$, the system administrator should set $C_T$ to 0.979 when facing surrounding noise $p_{err} = 0.02$ and an opportunistic attacker with $C = 10$ and $\varepsilon = 0.8$. Such a $C_T$ is obtained by intersecting the planes $p_{err} = 0.02$ and $p_{fn} = 0.01$ with the surface in Fig. 7(c).

B. Real Data Simulation

In the following, we check the validity of BLITHE by conducting experiments on the IEEE 14-bus test system. We are primarily interested in the feasibility of detecting insider threats on all 14 nodes when they report data to CC. We extract the configuration of the IEEE test system (especially the H matrix, bus phase angle, bus power injection/load, transmission
TABLE VIII
SIMULATION PARAMETERS

Description | Parameter | Value
Probability of mis-monitoring | $p_{err}$ | 0.001
Weight of rule 1 | $\gamma_1$ | 0.6
Weight of rule 2 | $\gamma_2$ | 0.2
Weight of rule 3 | $\gamma_3$ | 0.2
Phase angle difference of neighbouring buses | $\alpha_1$ | $15^\circ$
Upper bound of good for rule 1 | $a_1$ | 30%
Upper bound of medium-warning for rule 1 | $a_2$ | 40%
Upper bound of great-warning for rule 1 | $a_3$ | 60%
Upper bound of good for rule 2 | $b_1$ | $15^\circ$
Upper bound of medium-warning for rule 2 | $b_2$ | $30^\circ$
Upper bound of great-warning for rule 2 | $b_3$ | $50^\circ$
Upper bound of good for rule 3 | $c_1$ | 50 MW
Upper bound of medium-warning for rule 3 | $c_2$ | 150 MW
Upper bound of great-warning for rule 3 | $c_3$ | 300 MW
line power flow, etc.) from POWER WORLD, which solves optimal power flow problems in the DC model, as shown in Fig. 9 [45]. For our power system state estimation model, the measurements are the real power injections/loads of all buses. The real power flows of all branches are set as indirect measurements, which can easily be inferred from the direct measurements of all buses. The state variables are the phase angles of all buses. Based on the estimated phase angle of each bus, the real power injection/load of each bus can be determined uniquely. Then the three behavior rules in Table I are utilized as criteria to detect insider threats on each node. The outputs from POWER WORLD are fed to MATLAB for insider threat detection and data analysis. All experiments are simulated on an HP PC running Windows 7, with one 3.0 GHz Pentium 4 processor and 4 GB memory. The detailed test parameters
are listed in TABLE VIII. In order to illustrate our experiment clearly, a flow chart of major experiment procedures are shown in Fig. 10.
[Fig. 10 (flow chart, image not reproduced). Steps as drawn: Start → iRound = 0; iReportCount = 0 → Data Report (inputs $P_i$, $p_a$, $p_{err}$; outputs $P'_i$, $\theta'_i$, $\theta_i$) → State Estimation ($P'_i \to \theta'_i \to P'_{ij}$) → iReportCount++ → if iReportCount < 1000, back to Data Report, otherwise → Behavior Rule Evaluation:
  Rule 1: $(|\theta'_i - \theta'_{(i,1)}| \le \alpha_1) \wedge \cdots \wedge (|\theta'_i - \theta'_{(i,w)}| \le \alpha_1)$
  Rule 2: $|\theta'_i - \theta_i| \le \alpha_2$
  Rule 3: $|P'_i - P_i| \le \alpha_3$
→ Build State Machine → Compute Compliance Degree: $c_i = \sum_{j=1}^{64} \pi_j \Big\{ \sum_{k=1}^{3} \gamma_k \Big( 1 - \frac{D_{jk}}{D^{R_k}_{\max}} \Big) \Big\}$ → iRound++ → if iRound < 2000, back to Data Report, otherwise → Parameterize Compliance Degree Distribution → Compute Expectation of Compliance Degree for Each Node: $E_B[X]$ → Insider Threat Detection with $CT$, $p_{fp}$, $p_{fn}$ → End.]
Fig. 10. A flow chart of major experiment procedures.

[Fig. 11(a) (plot not reproduced): E_B[X] (y-axis, 0 to 1) versus bus number 1 to 14 under attacks on bus 9, one curve per p_a = 10%, 20%, 40%, 60%.]
(a) E_B[X] under attacks on bus 9
[Fig. 11(b) (plot not reproduced): E_B[X] versus bus number 1 to 14 under attacks on buses 4 and 13, one curve per p_a = 10%, 20%, 35%, 50%.]
(b) E_B[X] under attacks on buses 4 and 13
We take random attacks as an example in our experiments. Three insider threat scenarios are considered, i.e., threats on one, two, and three bus(es), respectively. In each of the three scenarios, four test cases with different values of p_a are conducted, with the error probability p_err fixed at 0.001. For a clear comparison, in each experiment the same value of p_a is set for every attacked bus. The mathematical expectation of the compliance degree of each bus, denoted by E_B[X], is plotted and compared for the three scenarios. The following phenomena are clearly observed in Fig. 11(a), Fig. 11(b) and Fig. 11(c): 1) The value of E_B[X] of the buses subjected to insider threats is remarkably low, while that of the remaining normal buses is hardly affected; 2) The value of E_B[X] of each bus subjected to insider threats decreases greatly as p_a increases;
[Fig. 11(c) (plot not reproduced): E_B[X] versus bus number 1 to 14 under attacks on buses 2, 9 and 13, one curve per p_a = 10%, 20%, 30%, 40%.]
(c) E_B[X] under attacks on buses 2, 9 and 13
Fig. 11. Mathematical expectation of the compliance degree of each bus E_B[X] under random attacks with attack probability p_a.
3) The value of E_B[X] of the buses directly connected to (i.e., at 1-hop distance from) the attacked buses is also slightly affected. As the distance increases, the impact is hardly observable; 4) The distinction in E_B[X] between normal buses and buses subjected to insider threats is obvious even when multiple buses are attacked simultaneously, which indicates the robustness and scalability of our insider threat detection methodology. To conclude, the experiments show that our proposed behavior rule based insider threat detection methodology is effective and efficient.

VI. COMPARATIVE ANALYSIS

In this section, based on the experimental results from real data run on the POWER WORLD IEEE 14-bus benchmark system, we compare our proposed BLITHE with the state-of-the-art behavior rule based insider threat detection schemes [24], [38], [39] in terms of the mathematical expectation of the compliance degree of each bus, E_B[X], which is the key metric for detecting insider threats. Several distance-based grading strategies (e.g., Hamming, Euclidean, Manhattan, Levenshtein, etc.) for measuring the "grade" and computing the compliance degree of trustee nodes have been proposed in [24], [38], [39]. However, none of them considers the weight of each rule, which causes inaccuracy when evaluating the behavior of trustees that naturally have heterogeneous behavioral norms. Simulations and experiments show that the rule-weight and compliance-distance based grading strategy proposed in BLITHE effectively addresses this problem. In our experiment, the insider threats are simulated on bus 6. We compare the value of E_B[X] of all 14 buses under two grading strategies. One is the existing strategy [24], [38], [39] with identical weights for the three rules. The other is our proposed BLITHE, which assigns a different weight to each rule. It can be seen from Fig. 12(a) and Fig. 12(b) that our proposed rule-weight and compliance-distance based grading strategy outperforms the existing one in distinguishing the abnormal node. Specifically, although both can differentiate the nodes far away from the attacked node (more than 2 hops from bus 6), whose E_B[X] is approximately equal to 1, our proposed strategy is more effective in differentiating the threat node (bus 6) from the normal nodes within 1 hop (e.g., bus 13). It can be seen clearly that, compared with the existing strategy, as p_a increases the value of E_B[X] of bus 13 (a normal node) decreases only slightly under our strategy, while that of bus 6 (the abnormal node) decreases greatly. Numerically, when p_a = 0.6, under the existing strategy the values of E_B[X] of buses 6 and 13 are 0.655667 and 0.9285, respectively, whereas under our improved strategy they are 0.5514 and 0.9527, respectively. The discrimination in our improved strategy (0.9527 − 0.5514 = 0.4013) is 1.47 times that in the existing strategy (0.9285 − 0.655667 = 0.2728). Our improvement is due to the adjustable weight settings for the rules. Actually, the weights can be fine-tuned in BLITHE so that it can be applied in different scenarios with different attacker prototypes and degrees of abnormality.
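As an added worked example (this is not the authors' MATLAB/POWER WORLD code), the following Python runs the experiment pipeline of Fig. 10 end to end on a constructed 4-bus DC network and also reproduces the rule-weight comparison of this section: DC-model state estimation from the reported injections, grading of the three behavior rules with the Table VIII bounds into four grades, a histogram of each bus's rule state as the empirical π_j, and the rule-weight and compliance-distance based compliance degree c_i, evaluated once with identical weights (1/3 each) and once with the BLITHE weights (γ1 = 0.6, γ2 = γ3 = 0.2). Everything marked ASSUMED is not from the paper: the network, the trusted injections and the attack model (an attacked bus reports an injection offset by 150 to 450 MW with probability p_a); that the percentage bounds of rule 1 apply to the fraction of neighbour checks violated; that the compliance distance of a grade is its index 0 to 3 with D_max = 3; that θ_i in rule 2 is the angle implied by the trusted injections; and that mis-monitoring with probability p_err replaces a recorded grade with a random one. Bus 0 is the angle reference.

```python
"""DC state estimation plus BLITHE-style rule grading on a constructed 4-bus network.
Added example, not the paper's MATLAB/POWER WORLD code; items marked ASSUMED are not from the paper."""
import math
import random
from collections import Counter

# ASSUMED network: (from_bus, to_bus, reactance in p.u. on a 100 MW base); bus 0 is the angle reference
LINES = [(0, 1, 0.05), (1, 2, 0.05), (2, 3, 0.05), (1, 3, 0.12)]
N_BUS, BASE_MW = 4, 100.0
P_TRUE_MW = [30.0, 150.0, -100.0, -80.0]   # ASSUMED trusted injections (sum to zero in the lossless DC model)
ADJ = {i: [b if a == i else a for a, b, _ in LINES if i in (a, b)] for i in range(N_BUS)}  # neighbour lists

# Table VIII parameters of the paper
P_ERR = 0.001                              # probability of mis-monitoring
GAMMA_BLITHE = (0.6, 0.2, 0.2)             # rule weights gamma_1..gamma_3 of BLITHE
GAMMA_EQUAL = (1 / 3, 1 / 3, 1 / 3)        # identical weights of the existing strategy
ALPHA1_DEG = 15.0                          # allowed phase angle difference of neighbouring buses
# upper bounds of the good / medium-warning / great-warning grades; beyond the last bound is the worst grade
BOUNDS = {1: (30.0, 40.0, 60.0),           # rule 1: percent of neighbour checks violated (ASSUMED meaning)
          2: (15.0, 30.0, 50.0),           # rule 2: degrees
          3: (50.0, 150.0, 300.0)}         # rule 3: MW
D_MAX = 3                                  # ASSUMED: compliance distance = grade index, four grades -> 0..3

def solve_linear(A, b):
    """Gaussian elimination with partial pivoting (pure Python, no numpy)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def dc_state_estimate(p_mw):
    """DC-model state estimation: reported injections (MW) -> bus phase angles (rad), theta_0 = 0.
    With every injection measured this is the DC power flow B_red * theta = P_red; the imbalance
    introduced by a tampered report is absorbed by the reference bus."""
    B = [[0.0] * N_BUS for _ in range(N_BUS)]
    for a, b, x in LINES:
        for i, j, sign in ((a, a, 1), (b, b, 1), (a, b, -1), (b, a, -1)):
            B[i][j] += sign / x
    return [0.0] + solve_linear([row[1:] for row in B[1:]], [p / BASE_MW for p in p_mw[1:]])

def grade(value, rule):
    """Compliance distance of one rule: 0 good, 1 medium-warning, 2 great-warning, 3 worst."""
    for d, upper in enumerate(BOUNDS[rule]):
        if value <= upper:
            return d
    return D_MAX

def rule_distances(theta_est, theta_ref, p_rep):
    """Evaluate the three behavior rules for every bus; returns one (d1, d2, d3) state per bus."""
    states = []
    for i in range(N_BUS):
        # Rule 1: |theta'_i - theta'_j| <= alpha_1 for each neighbour j, graded by the % of checks violated
        violated = sum(abs(math.degrees(theta_est[i] - theta_est[j])) > ALPHA1_DEG for j in ADJ[i])
        d1 = grade(100.0 * violated / len(ADJ[i]), 1)
        # Rule 2: |theta'_i - theta_i|; theta_i ASSUMED to be the angle implied by the trusted injections
        d2 = grade(abs(math.degrees(theta_est[i] - theta_ref[i])), 2)
        # Rule 3: |P'_i - P_i|, reported versus trusted injection
        d3 = grade(abs(p_rep[i] - P_TRUE_MW[i]), 3)
        states.append((d1, d2, d3))
    return states

def simulate(attacked, pa, n_reports=2000, seed=1):
    """Histogram each bus's rule state over n_reports rounds (the state machine of Fig. 10).
    ASSUMED attack model: an attacked bus, with probability pa, reports its injection offset by
    150..450 MW in either direction; with probability P_ERR a recorded grade is mis-monitored."""
    rng = random.Random(seed)
    theta_ref = dc_state_estimate(P_TRUE_MW)
    hist = [Counter() for _ in range(N_BUS)]
    for _ in range(n_reports):
        p_rep = P_TRUE_MW[:]
        for i in attacked:
            if rng.random() < pa:
                p_rep[i] += rng.choice((-1, 1)) * rng.uniform(150.0, 450.0)
        theta_est = dc_state_estimate(p_rep)
        for i, state in enumerate(rule_distances(theta_est, theta_ref, p_rep)):
            state = tuple(rng.randrange(D_MAX + 1) if rng.random() < P_ERR else d for d in state)
            hist[i][state] += 1
    return hist

def compliance_degree(hist_i, gamma):
    """c_i = sum_j pi_j * sum_k gamma_k * (1 - D_jk / D_max), pi_j = empirical probability of state j."""
    total = sum(hist_i.values())
    return sum(cnt / total * sum(g * (1 - d / D_MAX) for g, d in zip(gamma, state))
               for state, cnt in hist_i.items())

def expected_compliance(attacked=(3,), pa=0.4, gamma=GAMMA_BLITHE, **kw):
    """E_B[X] of every bus for one attack scenario under the given rule weights."""
    return [compliance_degree(h, gamma) for h in simulate(attacked, pa, **kw)]

if __name__ == "__main__":
    for name, gamma in (("identical weights", GAMMA_EQUAL), ("BLITHE weights", GAMMA_BLITHE)):
        print(name, [round(c, 3) for c in expected_compliance(gamma=gamma)])
```

Running the block prints E_B[X] for the four buses under both weightings with bus 3 attacked at p_a = 0.4: the attacked bus drops clearly, its 1-hop neighbours (buses 1 and 2) drop only slightly, and the 2-hop reference bus stays at about 1, the same pattern as Fig. 11. In this constructed scenario most of the deviation shows up in rule 3 (MW), so the heavier weight on rule 1 in γ = (0.6, 0.2, 0.2) narrows the gap rather than widening it; which weighting separates the attacked bus best depends on which rule carries the deviation, which is exactly why the weights are left tunable.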
Therefore, our rule-weight and compliance-distance based grading strategy proposed in BLITHE greatly outperforms the state-of-the-art strategy in detecting insider threats.

VII. RELATED WORK

Insider threats are malicious behaviors perpetrated by a legitimate member (or a compromised device) with authorized system access, called the insider attacker, for malicious goals, e.g., tampering with data or spoofing other members (or normal devices). Since insider attackers have authorized system access and are familiar with the system architecture, they have distinct advantages over outsider attackers in launching attacks stealthily. Over the past few years, several insider threat detection schemes have been proposed [14], [15], [24], [27]–[36], [38], [39], which can be broadly classified into three types: signature-based, anomaly-based, and specification-based schemes. Signature-based detection schemes rely entirely on information about known attack patterns and utilize data mining methods and algorithms to detect possible attacks [27]–[29]. Although these methods are highly capable of identifying known attacks, their detection capability is limited when facing unknown attack patterns [30]. In contrast, anomaly-based detection systems overcome this problem by treating behaviors as suspicious or anomalous when they deviate from the normal model. Utilizing various techniques, e.g., statistical, distance, profile and model based analytical methods, several anomaly detection schemes have been proposed that try to distinguish properly between abnormal and normal behavior [31]–[33]. Unfortunately, conventional anomaly-based detection schemes incur high computational overhead in performing threat detection and regularly have high false alarm rates [30]. A handful of specification-based insider threat detection schemes have thus far been studied and applied only in the context of communication networks. For example, an insider threat detection system that applies seven types of traffic-based rules to detect insider threats is proposed in [34], and specification-based state machines are considered in [35], [36] for detecting misbehaving patterns in communication networks. However, the physical environment and the closed-loop control structure of CPS have not yet been considered in the existing literature. In addition, some behavior rule specifications proposed in [24], [38], [39] are impractical because they are too coarse-grained and only address very high-level requirements in specific research domains. Today, although insider threat detection for CPS has attracted considerable attention due to the dire consequences of failures, detection techniques for CPS, especially smart grid, are still in their infancy, with very little work reported [14], [15]. Therefore, it is urgently desirable to design effective insider threat detection schemes for securing CPS such as smart grid systems.

VIII. CONCLUSION

For smart grid, being able to detect insider threats to protect the continuity and accuracy of operation is of vital importance.
[Fig. 12(a) (plot not reproduced): E_B[X] (y-axis, 0.55 to 1) versus p_a (x-axis, 0.1 to 0.6), one curve per bus; the legend lists buses 5, 6, 11, 12, 13 first, then buses 1, 2, 3, 4, 7, 8, 9, 10, 14.]
(a) Existing strategy with identical rule weight (γ1 = γ2 = γ3 = 1/3)
[Fig. 12(b) (plot not reproduced): E_B[X] (y-axis, 0.65 to 1) versus p_a (x-axis, 0.1 to 0.6), same buses and legend.]
(b) BLITHE with different rule weights (γ1 = 0.6, γ2 = γ3 = 0.2)
Fig. 12. Comparison of the value of E_B[X] of each bus in the IEEE 14-bus system with the insider threat on bus 6.
In this paper, BLITHE, a behavior rule based insider threat detection methodology, has been proposed to capture insider attacks on physical devices. BLITHE features simplicity, flexibility and accuracy owing to its configurable parameters, including the threshold for distinguishing normal/abnormal devices and the rule weights, which make it applicable to heterogeneous behavioral norms. Through real data based experiments and comparative analysis, we have demonstrated that BLITHE outperforms existing behavior rule based approaches for detecting insider threats. In future work, we plan to model fine-grained adversary prototypes and design more effective and practical insider threat detection mechanisms based on artificial intelligence techniques (e.g., neural networks [46], ant colony optimization [47], genetic algorithms [48], etc.), such that the system can dynamically and automatically adjust CT to maximize the insider threat detection performance in the face of varying and uncertain attack behaviors.

ACKNOWLEDGMENT

The authors would like to thank Nanyang Technological University for its support under Grant NTU-SUG (M4081196) and MOE Tier 1 (M4011177). H. Bao is supported in part by the EEE Cybersecurity Research Program, NTU.

REFERENCES

[1] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, "EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1621–1631, 2012.
[2] X. S. Shen, "Empowering the smart grid with wireless technologies [editor's note]," IEEE Network, vol. 26, no. 3, pp. 2–3, 2012.
[3] R. Deng, Z. Yang, M.-Y. Chow, and J. Chen, "A survey on demand response in smart grids: Mathematical models and approaches," IEEE Transactions on Industrial Informatics, to appear, DOI: 10.1109/TII.2015.2414719.
[4] A. J. Wood and B. F. Wollenberg, Power Generation, Operation, and Control. John Wiley & Sons, 2012.
[5] Y. Liu, P. Ning, and M. K. Reiter, "False data injection attacks against state estimation in electric power grids," ACM Transactions on Information and System Security (TISSEC), vol. 14, no. 1, p. 13, 2011.
[6] J.-M. Lin and H.-Y. Pan, "A static state estimation approach including bad data detection and identification in power systems," in Power Engineering Society General Meeting, 2007. IEEE, 2007, pp. 1–7.
[7] T. Van Cutsem and M. Ribbens-Pavella, "Bad data identification methods in power system state estimation - a comparative study," IEEE Transactions on Power Apparatus and Systems, vol. 104, no. 11, 1985.
[8] A. Monticelli, State Estimation in Electric Power Systems: A Generalized Approach. Springer Science & Business Media, 1999, vol. 507.
[9] I. W. Slutsker, "Bad data identification in power system state estimation based on measurement compensation and linear residual calculation," IEEE Transactions on Power Systems, vol. 4, no. 1, pp. 53–60, 1989.
[10] Z. Xiao, Y. Xiao, and D.-C. Du, "Non-repudiation in neighborhood area networks for smart grid," IEEE Communications Magazine, vol. 51, no. 1, pp. 18–26, 2013.
[11] C. Rottondi, M. Savi, D. Polenghi, G. Verticale, and C. Kraus, "Implementation of a protocol for secure distributed aggregation of smart metering data," in Smart Grid Technology, Economics and Policies (SGTEP), 2012 International Conference on. IEEE, 2012, pp. 1–4.
[12] M. S. Thomas, I. Ali, and N. Gupta, "A secure way of exchanging the secret keys in advanced metering infrastructure," in Power System Technology (POWERCON), 2012 IEEE International Conference on. IEEE, 2012, pp. 1–7.
[13] H. Kluitenberg, "Security risk management in IT small and medium enterprises," 2014.
[14] M. Anand, E. Cronin, M. Sherr, M. Blaze, Z. Ives, and I. Lee, "Security challenges in next generation cyber physical systems," Beyond SCADA: Networked Embedded Control for Cyber Physical Systems, 2006.
[15] A. Cardenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, and S. Sastry, "Challenges for securing cyber physical systems," in Workshop on Future Directions in Cyber-Physical Systems Security, 2009.
[16] R. Berthier and W. H. Sanders, "Specification-based intrusion detection for advanced metering infrastructures," in Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on. IEEE, 2011, pp. 184–193.
[17] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 355–366.
[18] Y. Chen and B. Luo, "S2A: secure smart household appliances," in Proceedings of the Second ACM Conference on Data and Application Security and Privacy. ACM, 2012, pp. 217–228.
[19] P. Jokar, H. Nicanfar, and V. C. Leung, "Specification-based intrusion detection for home area networks in smart grids," in Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on. IEEE, 2011, pp. 208–213.
[20] R. Klump and M. Kwiatkowski, "Distributed IP watchlist generation for intrusion detection in the electrical smart grid," in Critical Infrastructure Protection IV. Springer, 2010, pp. 113–126.
[21] Q. He and R. S. Blum, "Smart grid monitoring for intrusion and fault detection with new locally optimum testing procedures," in Acoustics, Speech and Signal Processing (ICASSP), 2011 IEEE International Conference on. IEEE, 2011, pp. 3852–3855.
[22] Y. Zhang, L. Wang, W. Sun, R. Green, and M. Alam, "Artificial immune system based intrusion detection in a distributed hierarchical network architecture of smart grid," in Power and Energy Society General Meeting, 2011 IEEE. IEEE, 2011, pp. 1–8.
[23] Y. Zhang, L. Wang, W. Sun, R. C. Green, and M. Alam, "Distributed intrusion detection system in a multi-layer network architecture of smart grids," IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 796–808, 2011.
[24] R. Mitchell and R. Chen, "Behavior rule based intrusion detection systems for safety critical smart grid applications," IEEE Transactions on Smart Grid, vol. 4, no. 3, pp. 1254–1263, 2013.
[25] J. Wei, D. Kundur, T. Zourntos, and K. Butler-Purry, "Probing the telltale physics: Towards a cyber-physical protocol to mitigate information corruption in smart grid systems," in Smart Grid Communications (SmartGridComm), 2012 IEEE Third International Conference on. IEEE, 2012, pp. 372–377.
[26] T. Liu, Y. Gu, D. Wang, Y. Gui, and X. Guan, "A novel method to detect bad data injection attack in smart grid," in INFOCOM, 2013 Proceedings IEEE. IEEE, 2013, pp. 3423–3428.
[27] P. S. Wheeler, "Techniques for improving the performance of signature-based network intrusion detection systems," Ph.D. dissertation, Citeseer, 2006.
[28] S. Patton, W. Yurcik, and D. Doss, "An Achilles' heel in signature-based IDS: Squealing false positives in Snort," Proceedings of RAID 2001, 2001.
[29] G. Vigna, W. Robertson, and D. Balzarotti, "Testing network-based intrusion detection signatures using mutant exploits," in Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM, 2004, pp. 21–30.
[30] P. Louvieris, N. Clewley, and X. Liu, "Effects-based feature identification for network intrusion detection," Neurocomputing, vol. 121, pp. 265–273, 2013.
[31] M. V. Mahoney, "Network traffic anomaly detection based on packet bytes," in Proceedings of the 2003 ACM Symposium on Applied Computing. ACM, 2003, pp. 346–350.
[32] C. Taylor and J. Alves-Foss, "NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach," in Proceedings of the 2001 Workshop on New Security Paradigms. ACM, 2001, pp. 89–96.
[33] K. Wang and S. J. Stolfo, "Anomalous payload-based network intrusion detection," in Recent Advances in Intrusion Detection. Springer, 2004, pp. 203–222.
[34] A. P. R. da Silva, M. H. Martins, B. P. Rocha, A. A. Loureiro, L. B. Ruiz, and H. C. Wong, "Decentralized intrusion detection in wireless sensor networks," in Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks. ACM, 2005, pp. 16–23.
[35] S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, and A. Valdes, "Using model-based intrusion detection for SCADA networks," in Proceedings of the SCADA Security Scientific Symposium, vol. 46, 2007, pp. 1–12.
[36] B. Dutertre, "Formal modeling and analysis of the Modbus protocol," in Critical Infrastructure Protection. Springer, 2008, pp. 189–204.
[37] W. Li, Risk Assessment of Power Systems: Models, Methods, and Applications. John Wiley & Sons, 2014.
[38] R. Mitchell and R. Chen, "Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications," IEEE Transactions on Systems, Man, and Cybernetics, vol. 44, no. 5, pp. 593–604, 2014.
[39] R. Mitchell and R. Chen, "Behavior rule specification-based intrusion detection for safety critical medical cyber physical systems," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 1, pp. 16–30, 2015.
[40] S. Sutikno, A. Surya, and R. Effendi, "An implementation of ElGamal elliptic curves cryptosystems," in Circuits and Systems, 1998. IEEE APCCAS 1998. The 1998 IEEE Asia-Pacific Conference on. IEEE, 1998, pp. 483–486.
[41] D. Van Hertem, J. Verboomen, K. Purchala, R. Belmans, and W. Kling, "Usefulness of DC power flow for active power flow analysis with flow controlling devices," in AC and DC Power Transmission, 2006. ACDC 2006. The 8th IEE International Conference on. IET, 2006, pp. 58–62.
[42] O. Yilmaz and R. Chen, "Utilizing call admission control for pricing optimization of multiple service classes in wireless cellular networks," Computer Communications, vol. 32, no. 2, pp. 317–323, 2009.
[43] D. Johnson, A. Menezes, and S. Vanstone, "The elliptic curve digital signature algorithm (ECDSA)," International Journal of Information Security, vol. 1, no. 1, pp. 36–63, 2001.
[44] S. M. Ross, Introduction to Probability Models. Academic Press, 2014.
[45] H. Kaur, Y. Brar, and J. S. Randhawa, "Optimal power flow using Power World simulator," in Electric Power and Energy Conference (EPEC), 2010 IEEE. IEEE, 2010, pp. 1–6.
[46] L. A. Zadeh, "Toward a theory of fuzzy information granulation and its centrality in human reasoning and fuzzy logic," Fuzzy Sets and Systems, vol. 90, no. 2, pp. 111–127, 1997.
[47] C.-F. Juang, C.-W. Hung, and C.-H. Hsu, "Rule-based cooperative continuous ant colony optimization to improve the accuracy of fuzzy system design," IEEE Transactions on Fuzzy Systems, vol. 22, no. 4, pp. 723–735, 2014.
[48] J. J. Grefenstette, "Optimization of control parameters for genetic algorithms," IEEE Transactions on Systems, Man and Cybernetics, vol. 16, no. 1, pp. 122–128, 1986.
Haiyong Bao received the Ph.D. degree in computer science from Shanghai Jiao Tong University, Shanghai, China, in 2006. He is currently a Postdoctoral Research Fellow with the INFINITUS Laboratory, School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore. His research interests include secure data aggregation, insider attack detection, and applied cryptography.
Rongxing Lu (S'09-M'11) received the Ph.D. degree in computer science from Shanghai Jiao Tong University, Shanghai, China, in 2006, and the Ph.D. degree in electrical and computer engineering from the University of Waterloo, Waterloo, ON, Canada, in 2012. From May 2012 to April 2013, he was a Postdoctoral Fellow with the University of Waterloo. Since May 2013, he has been an Assistant Professor with the School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore. His research interests include computer network security, mobile and wireless communication security, and applied cryptography. Dr. Lu was the recipient of the Canada Governor General's Gold Medal.
Beibei Li received the B.E. degree in communication engineering from Beijing University of Posts and Telecommunications, Beijing, China, in 2014. He is currently a Ph.D. student with the INFINITUS Laboratory, School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore. His research interests include cyber physical security and applied cryptography.
Ruilong Deng (S'11-M'14) received the Ph.D. degree in control science and engineering from Zhejiang University, Hangzhou, China, in 2014. He is currently a Postdoctoral Research Fellow with the INFINITUS Laboratory, School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore. His research interests include wireless sensor networks, cognitive radio, and smart grid.