The 14th International Conference on Intelligent System Applications to Power Systems, ISAP 2007
November 4 - 8, 2007, Kaohsiung, Taiwan

Implementation and Validation of a Multi-Level Security Model Architecture

D. Edwards, Member, IEEE, S. K. Srivastava, Member, IEEE, D. A. Cartes, Senior Member, IEEE, S. Simmons, Member, IEEE, N. Wilde, Member, IEEE

This work was supported in part by the Department of Energy, USA under Grant No. DE FG02 05CH1292. D. Edwards, S. Simmons, and N. Wilde are with the Department of Computer Science, University of West Florida, Pensacola, FL 32514 USA (email: [email protected], [email protected], [email protected]). S. K. Srivastava and D. A. Cartes are with the Center for Advanced Power Systems, Florida State University, Tallahassee, FL 32310 USA (email: [email protected], [email protected]).

Abstract—With the increasing complexity of transmission grids and distribution networks, data communication security is becoming a paramount issue. This issue becomes more important in applications where software agent technology is being utilized, as software agents provide another possible channel of cyber attack. In this paper an innovative software-agent-based multi-level security model architecture is presented. The goal of this architecture is to prevent known attacks, and to reduce or eliminate the consequences of successful attacks. An experimental protocol is presented to validate the developed security model architecture, and the expected results are discussed.

Index Terms—software agent, cyber security, mutation, real time simulation

I. INTRODUCTION

The great increases in data communication, acquisition and display techniques in the past 10 years offer opportunities to greatly improve the quantity of data available as well as its timeliness. Greatly improved reliability of communications creates both the opportunity and the need to develop new algorithms for control and protection. Agent based control strategies using multi-node information can be developed to react to system disturbances more quickly and precisely than a human operator can. However, distributed agents may be subject to a variety of cyber attacks. As experience with commercial programs has shown, even well written software may be compromised if it is accessible over a network. Hacker groups located around the world are dedicated to identifying vulnerabilities in software and publishing "exploits" that detail how to take advantage of these vulnerabilities. An arms race of exploits versus patches has emerged between hackers and software developers [1]. The extension of this arms race to power grid control would be an unwelcome development.

In order to make the electrical infrastructure more secure without compromising the productivity advantages of highly interconnected networks, enhanced security of the associated communication is required. In agent based systems, where the majority of communication is handled by agents, it is imperative to keep the communication channel secure so that no malicious code or data can enter and harm the system. In this paper a validation of a developed multi-level security model (MLSM) is presented. In the MLSM a single control agent is replaced by a collection of robust agents that provide more resistance to cyber attacks. Section II discusses the types of attack considered. Section III describes the MLSM architecture. Section IV presents the experimental setup and the test modes used to validate it, section V the expected results, and section VI the conclusions.

II. TYPES OF POSSIBLE CYBER ATTACKS

Attack methods are generally unique to the targeted application or system, but a few common techniques underlie most strategies. The National Vulnerability Database [2] maintains reported vulnerabilities from industry, the private sector and government. Previous work [3] sampled the database and constructed a categorization of attack strategies and consequences. These categories allowed development of the MLSM to target the most common attack vectors and consequences relative to agent-based systems. The most common attacks specifically targeted web servers and were not directly applicable to distributed agent technology. Of the remaining methods, two were identified as the most likely to affect agent-based control of power distribution: crafted input and buffer overflow. The consequences most applicable to our model are denial of service and arbitrary code execution. Although the MLSM is designed to prevent crafted input and buffer overflow from resulting in denial of service or arbitrary code execution, it is not restricted to those attacks and consequences. The design offers a robust method of preventing the consequences of a targeted attack from being realized: even successful attacks are trapped inside the model and automatic recovery takes place before any results are externally visible. This property rests on the assumption, discussed in section III, that mutation keeps a single attack from affecting all replicated agents identically; an attack that subverted a majority of replicas in the same way would not be detected by voting.
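The two attack classes named above, as an added example in C (not code from the paper or from the authors' agents): a fixed-size message parser such as a computational agent might use for its serial input, first in the form that a crafted over-long line overflows, then in a hardened form that bounds the copy and enforces the grammar. The message grammar `V=<volts>;I=<amps>`, the 32-byte limit and the function names are assumptions made for illustration.

```c
/* Added example, not code from the paper: one message-parsing routine of a
 * computational agent in its vulnerable form and a hardened form.  The
 * message grammar "V=<volts>;I=<amps>" and the 32-byte limit are assumptions
 * made for illustration. */
#include <errno.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX 32                      /* longest well-formed message accepted */

struct reading { double volts; double amps; };

/* VULNERABLE (buffer overflow): the incoming line is copied into a fixed
 * stack buffer with no length check.  A crafted line longer than MSG_MAX
 * overwrites the stack; this is the fault class test 4 exercises.  Kept only
 * to show the defect; never call it on untrusted input. */
int parse_reading_vulnerable(const char *msg, struct reading *out)
{
    char line[MSG_MAX];
    strcpy(line, msg);                  /* unbounded copy */
    return sscanf(line, "V=%lf;I=%lf", &out->volts, &out->amps) == 2 ? 0 : -1;
}

/* Parse "<prefix>=<number><stop>" at *p, advancing *p past <stop>.
 * Rejects an empty number, out-of-range values, inf/nan and any character
 * other than <stop> after the number. */
static int parse_field(const char **p, char prefix, char stop, double *val)
{
    const char *s = *p;
    char *end;
    if (s[0] != prefix || s[1] != '=') return -1;
    s += 2;
    errno = 0;
    *val = strtod(s, &end);
    if (end == s || errno == ERANGE || !isfinite(*val)) return -1;
    if (*end != stop) return -1;
    *p = (stop == '\0') ? end : end + 1;
    return 0;
}

/* HARDENED (crafted input and overflow both rejected): the length is
 * checked before any copy, the copy is bounded, and the message must match
 * the grammar exactly.  `out` is written only on complete success. */
int parse_reading_hardened(const char *msg, size_t len, struct reading *out)
{
    char line[MSG_MAX + 1];
    struct reading r;
    const char *p = line;

    if (msg == NULL || out == NULL || len == 0 || len > MSG_MAX) return -1;
    memcpy(line, msg, len);             /* bounded: len <= MSG_MAX */
    line[len] = '\0';
    if (strlen(line) != len) return -1; /* embedded NUL: not a valid message */
    if (parse_field(&p, 'V', ';', &r.volts) != 0) return -1;
    if (parse_field(&p, 'I', '\0', &r.amps) != 0) return -1;
    *out = r;
    return 0;
}

/* Convenience wrappers for C-string input. */
int hardened_ok(const char *msg)
{ struct reading r; return parse_reading_hardened(msg, strlen(msg), &r); }
double hardened_volts(const char *msg)
{ struct reading r; return parse_reading_hardened(msg, strlen(msg), &r) == 0 ? r.volts : NAN; }
double hardened_amps(const char *msg)
{ struct reading r; return parse_reading_hardened(msg, strlen(msg), &r) == 0 ? r.amps : NAN; }
int vulnerable_ok(const char *msg)
{ struct reading r; return parse_reading_vulnerable(msg, &r); }

int main(void)
{
    /* Constructed sample inputs: one well-formed, three crafted. */
    const char *samples[] = { "V=12.5;I=3.25", "V=12.5;I=3.25;X", "V=1e400;I=1",
                              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i],
               hardened_ok(samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened parser never writes past the end of `line` and never releases a partially parsed reading, so a crafted line can at most be rejected; in the MLSM the rejection itself would be logged by the CA and the replica would keep voting.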
III. MULTI-LEVEL SECURITY MODEL ARCHITECTURE

An innovative software model has been developed to counter cyber attacks on agent-based computer systems. The multi-level security model (MLSM) replaces a single agent in the system with a robust collection of agents. The resulting system is more resistant to cyber attacks and automatically detects and corrects any successful attack before its consequences are realized. The layout and interaction of the MLSM components are shown in figure 1. The system is composed of five types of agents. The monitor/resurrection agent (MRA) creates the other four types of agents, monitors their performance, and is responsible for resurrecting agents that have failed or been identified as compromised. The communication agent (CA) is responsible for all communication with external sources. The distribution/voting agent (DVA) duplicates input to each computational agent, receives results from the computational agents in the form of votes, computes a majority decision, and monitors the execution of the computational agents for abnormal performance. Originally, the system is composed of a single agent responsible for all functionality; only its computational functions are retained in the replicated computational agents (RCA, called mutated computational agents, MCA, in section IV). At least three mutated, replicated RCAs are created, so that a majority remains when one replica fails or is compromised. The last agent is the mutation agent (MA), which is responsible for modifying the source code of each of the other agents and compiling the resulting source. Each mutation is functionally equivalent to the original source code but structurally different. Mutations prevent a single attack from affecting each of the RCAs identically. Because the effects of an attack then differ between replicas, the DVA can recognize the attack and report it to the MRA, which kills the compromised agents and resurrects new mutations as replacements. Further details concerning the mutation engine can be found in [4]. The multi-level security model is further described in [5].
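The MRA's monitoring and resurrection duty, as an added example in C (not the authors' code): a minimal fork()/waitpid() supervisor that starts K replica processes, blocks until one of them dies, and restarts that slot. The agent body `rca_body` is a hypothetical stand-in that only blocks, and a replica is restarted from the same body rather than from a freshly compiled mutation as the real MRA would do; everything else (slot table, abnormal-exit classification, the kill-and-resurrect demonstration mirroring test 3) is assumed for illustration. POSIX only.

```c
/* Added example, not the paper's code: the monitor/resurrection loop of the
 * MRA as a fork()/waitpid() supervisor.  The agent body is a hypothetical
 * stand-in, and a replica is restarted in place rather than from a freshly
 * compiled mutation.  POSIX only. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define K 3                              /* replicated computational agents */

typedef void (*agent_body)(int id);

struct slot {
    pid_t      pid;                      /* current process for this replica */
    int        restarts;                 /* resurrections performed so far */
    agent_body body;
};

/* Hypothetical agent body: a real RCA would read inputs from the DVA and
 * vote; this one only blocks so the parent can kill it on demand. */
static void rca_body(int id) { (void)id; for (;;) pause(); }

static pid_t spawn(agent_body body, int id)
{
    pid_t pid = fork();
    if (pid == 0) { body(id); _exit(0); }   /* child never returns */
    return pid;                             /* parent: child pid, or -1 */
}

/* A replica counts as failed when it was killed by a signal or exited with a
 * non-zero status (a segfault caused by an overflow lands here too). */
int died_abnormally(int status)
{
    return WIFSIGNALED(status) || (WIFEXITED(status) && WEXITSTATUS(status) != 0);
}

/* One supervision step: block until some agent process terminates, then
 * resurrect the slot it belonged to.  Returns the slot index, or -1 if the
 * reaped process was not one of ours (or nothing was reaped). */
int mra_reap_and_resurrect(struct slot *slots, int n)
{
    int status;
    pid_t pid = waitpid(-1, &status, 0);
    if (pid <= 0) return -1;
    for (int i = 0; i < n; i++) {
        if (slots[i].pid != pid) continue;
        if (died_abnormally(status))
            fprintf(stderr, "MRA: replica %d (pid %ld) failed, resurrecting\n", i, (long)pid);
        slots[i].pid = spawn(slots[i].body, i);
        slots[i].restarts++;
        return i;
    }
    return -1;
}

/* Mirrors test 3: start K replicas, kill one the way a crash would, let the
 * MRA resurrect it, then tear everything down.  Returns the restart count of
 * the killed slot (1 on success) or -1 on failure. */
int demo_crash_and_resurrect(void)
{
    struct slot slots[K];
    int started = 0, ok = 0;
    for (int i = 0; i < K; i++) {
        slots[i].body = rca_body;
        slots[i].restarts = 0;
        slots[i].pid = spawn(rca_body, i);
        if (slots[i].pid < 0) break;
        started++;
    }
    if (started == K) {
        pid_t victim = slots[1].pid;
        kill(victim, SIGKILL);                          /* the injected fault */
        int idx = mra_reap_and_resurrect(slots, K);
        ok = idx == 1 && slots[1].pid > 0 && slots[1].pid != victim;
    }
    for (int i = 0; i < started; i++)                   /* teardown */
        if (slots[i].pid > 0) { kill(slots[i].pid, SIGKILL); waitpid(slots[i].pid, NULL, 0); }
    return ok ? slots[1].restarts : -1;
}

int main(void)
{
    printf("resurrections of the killed replica: %d\n", demo_crash_and_resurrect());
    return 0;
}
```

Only the MRA holds the slot table, so a compromised replica cannot stop its own replacement; the teardown guards on `pid > 0` because `kill(-1, ...)` would signal every process the caller may signal.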
IV. EXPERIMENTAL SET UP AND TEST MODES

In order to validate the developed MLSM architecture and test its performance, the developed approach needs to be tested in a framework that captures its impact on the total integrated system. Modeling and simulation provides a low cost and low risk way of doing this. In this section, a real time digital simulator (RTDS) based simulation platform is proposed to test and validate the developed MLSM architecture. The MLSM is validated against a power system simulated in the RTDS housed at the Center for Advanced Power Systems (CAPS) at Florida State University. The RTDS simulates the functionality of an electrical power distribution grid and reports status information through a serial connection. Figure 2 shows the block diagram of the experimental setup. As shown in the figure, the setup interfaces agents to a power system simulation running in the RTDS through a Field Programmable Gate Array (FPGA) based interface. Although several agents can be interfaced with the RTDS, in the current study only a single MLSM architecture was interfaced with it.

The RTDS is a high speed, real time test system that can be used for control system testing and general power system simulation [6,7]. The RTDS is capable of high-fidelity simulation of the transient and dynamic behavior of complex power systems in real time at time-steps down to one microsecond. It uses parallel processing hardware to achieve this performance, and it provides an advanced and easy to use graphical user interface, the RSCAD software [7]. With RSCAD, a power system model is set up graphically from the modules in the RSCAD libraries.

The agents in the MLSM run on a laptop computer running Fedora Linux and are written in C. The computer is connected to the RTDS through the FPGA based interface, which was developed using an Altera ACEX-based development board from Rapid Technology. A custom Verilog program was developed to interconnect three 16-bit I/O channels from the RTDS with 15 TTL-level duplex serial channels, with intermediate multiplexing and data buffering in both directions, and parallel/serial conversion. Maxim MAX3233 transceivers were used to achieve RS-232 line levels.

Fig. 1 Layout and interaction of MLSM components (figure not reproduced; it shows the external source and network, the CA, MRA, mutation agent, DVA and RCA 1 to RCA 3, with the normal I/O and control signal paths between them).

Fig. 2 Experimental setup for MLSM architecture validation (figure not reproduced; it shows the power system model in the RTDS, the FPGA interface with its RS232 ports, serial links to Agent 1 through Agent n with the MLSM running on one of them, and the wireless/network connection to the external source).

The FPGA module receives values from components of the simulated power system via time-division multiplexed data transfers, using clocking from the RTDS. The received values are stored in FPGA memory, since a particular serial channel (on the agent side) may be unavailable because a transmission is already in progress. When the serial channel to an agent (in this case the computer running the MLSM) becomes available, the values for that agent are transmitted. Transmission to multiple agents can occur in parallel. Concurrently, the agents on the laptop can send control commands as needed to the RTDS-simulated components via the FPGA module; using the same multiplexing clock rate used for receiving values from the RTDS, the FPGA module transmits the control variables to the simulated components. As signals are received at the laptop, they are read by the software agent. The data is verified for integrity and then used to compute a result, which is returned to the RTDS through the serial line discussed above. Internet connections are provided by the laptop and monitored by the software agent; commands from an external source are read from the Internet connection. We plan to perform four tests to determine the real-time functionality of the system. Each test is explained below.
A. Test 1 – Standalone system

Agent software has been created to accept input from a serial port, compute results from the incoming data, and transmit those results back through the serial port. Logging facilities have been added to record the times at which messages are received and transmitted, to nanosecond precision. All incoming and outgoing messages are logged as the system functions in a normal operational state. Results of this test will be used as a baseline for statistical analysis of the MLSM system. The standalone system will be compiled from source code without mutations, executed, and the message times recorded. Analysis of the collected data will be performed post-mortem.

B. Test 2 – MLSM Overhead

Two timings will be taken to analyze the overhead added to the system by the MLSM implementation. The first will determine the initialization cost and the second will quantify the runtime cost. The monitor/resurrection agent (MRA) and the mutation engine (ME) are compiled before the test begins. In the future these agents will reside in hardware for additional security, which is feasible since their functionality rarely changes; at this point the prototype implementation is still software based. The MRA is started and the time is recorded. The MRA uses the ME to mutate the source code, then compiles the mutated source and starts execution of the other agents. In order of execution, the communication agent (CA) is first, followed by the distribution/voting agent (DVA) and k instances of the mutated computational agent (MCA). Once all the agents are executing, the communication paths between them are established. A second time is recorded to mark the end of the initialization sequence. Logging facilities compiled into the CA are used to record the times of arriving and departing messages. These times, compared with those collected in test 1, will provide a quantified measure of the impact of the MLSM implementation. No improper arrivals are allowed during this test, since it is designed to test normal operation.

C. Test 3 – MLSM Fault Recovery

Test 3 is designed to measure the time required to recover from a software fault resulting in a crash of one of the MCA processes. Recording of message arrival and departure times continues. While times are being recorded, one of the MCA processes is manually killed. The remaining MCA processes should still constitute a majority, so the system should continue performing as if no fault had occurred; the recorded times will show whether this hypothesis is correct.

D. Test 4 – MLSM Attack Recovery

After test 3 is completed, the system should be back in a normal operational state. The final test determines the operation of the MLSM system when an attack manages to elude the prevention barriers in the upper layers of agents. An attack string has been designed to cause a buffer overflow in the computational agents. When attacked, the standalone version goes into an infinite loop printing the string "HACKED!" on the screen. With message times still being recorded, we send the carefully constructed attack string to the MLSM system. It is expected that the system will recover quickly, but that some incoming serial messages may not be processed in a timely fashion. The collected times will determine the time required to recover from a successful attack, and the test will also verify the behavior of the system.

V. EXPECTED RESULTS

The test results are expected to show that in some circumstances the overhead required to implement the MLSM system is negligible. Electric power distribution grids communicate serially, and the time between message arrivals is large enough to absorb some overhead. However, in real-time systems the overhead may need to be reduced for the MLSM to be an option. Results of the tests will be used to quantify the response delay introduced by the system as compared to the standalone process. Tests 1 and 2 will be compared to determine the overhead imposed and the additional initialization time required by the new system. Test 3 will measure the recovery time when a process fails during otherwise normal operation. Test 4 will measure the recovery time after an attack-based failure and will provide a numeric value for the time required to reinstate the system when an attack successfully breaks through the outer barriers.
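The DVA's majority decision described in section III, run through the situations that tests 3 and 4 create, as an added example in C (not the authors' code): one replica returns no result because it crashed, one returns a divergent result because it was compromised, two are missing so that no strict majority exists, and, the limit of the scheme, a majority is subverted identically. The integer control words, the `NO_VOTE` sentinel and the scenario functions are assumptions made for illustration; the generalization to any k up to `MAX_K` goes beyond the three-replica configuration in the text.

```c
/* Added example, not the paper's code: the distribution/voting agent's
 * majority decision over k replicated computational agents.  Vote values
 * are hypothetical integer control words; NO_VOTE stands for a replica that
 * crashed or timed out. */
#include <stdint.h>
#include <stdio.h>

#define NO_VOTE INT32_MIN
#define MAX_K   8

enum { DVA_OK = 0, DVA_NO_MAJORITY = -1 };

struct dva_result {
    int32_t decision;        /* majority value; valid only when DVA_OK */
    int     agreeing;        /* replicas that voted with the majority */
    int     n_suspect;       /* replicas to report to the MRA */
    uint8_t suspect[MAX_K];  /* 1 = missing or disagreeing replica */
};

/* Strict majority (> k/2) over votes[0..k-1].  Any replica that did not vote
 * or voted differently is marked suspect so the MRA can kill and resurrect
 * it.  With no strict majority the DVA must release no control output. */
int dva_vote(const int32_t *votes, int k, struct dva_result *res)
{
    int32_t best = 0;
    int best_count = 0;

    res->agreeing = 0;
    res->n_suspect = 0;
    for (int i = 0; i < MAX_K; i++) res->suspect[i] = 0;
    if (k <= 0 || k > MAX_K) return DVA_NO_MAJORITY;

    for (int i = 0; i < k; i++) {
        if (votes[i] == NO_VOTE) continue;
        int c = 0;
        for (int j = 0; j < k; j++) if (votes[j] == votes[i]) c++;
        if (c > best_count) { best_count = c; best = votes[i]; }
    }
    res->agreeing = best_count;
    if (best_count * 2 <= k) return DVA_NO_MAJORITY;

    res->decision = best;
    for (int i = 0; i < k; i++)
        if (votes[i] != best) { res->suspect[i] = 1; res->n_suspect++; }
    return DVA_OK;
}

/* 1 if the vote succeeds with the expected decision and suspect count. */
static int check_ok(const int32_t *v, int k, int32_t want, int want_suspects)
{
    struct dva_result r;
    return dva_vote(v, k, &r) == DVA_OK && r.decision == want && r.n_suspect == want_suspects;
}

/* Constructed scenarios, k = 3 as in the paper's minimum configuration. */
int scenario_normal(void)          { const int32_t v[3] = {42, 42, 42};      return check_ok(v, 3, 42, 0); }
/* Test 3: one replica killed; the other two still form a majority. */
int scenario_one_crashed(void)     { const int32_t v[3] = {42, NO_VOTE, 42}; return check_ok(v, 3, 42, 1); }
/* Test 4: one replica's mutation reacts differently to the attack string. */
int scenario_one_compromised(void) { const int32_t v[3] = {42, 42, 99};      return check_ok(v, 3, 42, 1); }
/* Two replicas down: the survivor is not a majority, nothing is released. */
int scenario_no_majority(void)
{
    const int32_t v[3] = {42, NO_VOTE, NO_VOTE};
    struct dva_result r;
    return dva_vote(v, 3, &r) == DVA_NO_MAJORITY;
}
/* Limit of the scheme: an attack that affects a majority identically is
 * accepted by voting.  Returns the (wrong) decision, 99. */
int32_t scenario_majority_subverted(void)
{
    const int32_t v[3] = {99, 99, 42};
    struct dva_result r;
    return dva_vote(v, 3, &r) == DVA_OK ? r.decision : -1;
}

int main(void)
{
    printf("normal: %d  one crashed: %d  one compromised: %d  no majority: %d  "
           "subverted majority decides: %d\n",
           scenario_normal(), scenario_one_crashed(), scenario_one_compromised(),
           scenario_no_majority(), (int)scenario_majority_subverted());
    return 0;
}
```

The last scenario is why the mutation engine matters: voting only detects what mutation makes differ, so the diversity of the replicas, not the vote itself, is the security argument.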
Together, tests 2, 3 and 4 will verify the system's operation in three modes of execution: normal execution, process-fault execution, and attack-attempt execution. Tests 3 and 4 will demonstrate the automatic recovery of the system in the face of software faults and attack attempts.

VI. CONCLUSIONS

A multi-level security model architecture to prevent known cyber attacks, and to reduce or eliminate the consequences of successful attacks on a multi-agent system, has been presented. A real-time digital simulator based experimental setup has been developed to validate the security model architecture. Once the tests on this experimental setup are concluded, the results will be analyzed to assess the effectiveness of the proposed architecture. As areas of unacceptable overhead are identified, methods of improving performance will be investigated.

REFERENCES

[1] CERT Coordination Center, Carnegie Mellon Software Engineering Institute, CERT/CC Advisories, http://www.cert.org/advisories/, URI current March 2005.
[2] National Vulnerability Database: a comprehensive cyber vulnerability resource, National Institute of Standards and Technology, http://nvd.nist.gov
[3] S. Simmons, D. Edwards, N. Wilde, J. Just, and M. Satyanarayana, "Preventing unauthorized islanding: cyber-threat analysis," in Proc. IEEE/SMC International Conference on Systems of Systems Engineering (IEEE SoSE '06), April 2006, pp. 178-182.
[4] S. Simmons, D. Edwards, and T. Zimmerman, "Agent security through software mutation," in Proc. 4th International Conference on Cybernetics and Information Technologies, Systems and Applications (CITSA 2007), July 2007.
[5] D. Edwards, S. Simmons, and N. Wilde, "Prevention, detection and recovery from cyber-attacks using a multilevel agent architecture," in Proc. IEEE/SMC International Conference on Systems of Systems Engineering (IEEE SoSE '07), April 2007.
[6] R. Kuffel, J. Geisbrecht, T. Maguire, R. P. Wierckx, and P. G. McLaren, "RTDS-a fully digital power system simulator operating in real time," in Proc. 1995 IEEE Conf. on Communications, Power, and Computing (WESCANEX), vol. 2, pp. 300-305.
[7] Real Time Digital Simulator Tutorial Manual, RSCAD Version, September 2005.

BIOGRAPHIES

D. Edwards is an Associate Professor of Computer Science at The University of West Florida. He joined the Department of Computer Science at UWF in August 2001 after receiving his Ph.D. in Computer Science from The College of William & Mary. Dr. Edwards teaches courses in operating systems and security. His research interests include distributed agent security, computer forensics and distributed systems. Dr. Edwards is a member of IEEE and ACM.

S. K. Srivastava (S'2001, M'2004) is an Assistant Scholar Scientist in the Center for Advanced Power Systems at Florida State University. He received the Bachelor of Engineering degree in Electrical Engineering in 1997 from M. M. M. Engineering College, Gorakhpur, and the Master of Technology degree in Power Systems in 1999 from I. I. T. Delhi, New Delhi. He was a Project Engineer at Secure Meters Limited, New Delhi, India, from 1999 to 2000. He received his Ph.D. degree in Electrical Engineering from Texas A&M University in 2003. His research interests include expert system application to power systems, reconfiguration of navy shipboard power systems, and agent technology application to power systems. Dr. Srivastava is a member of IEEE.

D. A. Cartes (M'1996) is an Assistant Professor of Mechanical Engineering at Florida State University. He joined the Department of Mechanical Engineering at FAMU-FSU College of Engineering in January 2001, after receiving his Ph.D. in Engineering Science from Dartmouth College. Dr. Cartes heads the Power Controls Lab at the Center for Advanced Power Systems. He teaches courses in control and dynamic systems. His research interests include Distributed Control and Reconfigurable Systems, Real-Time System Identification, and Adaptive Control. In 1994, Dr. Cartes completed a 20-year U.S. Navy career with experience in operation, conversion, overhaul, and repair of complex marine propulsion systems. Dr. Cartes is a senior member of IEEE.

S. Simmons is an Associate Professor of Computer Science at The University of West Florida. She received her Master of Science degree in computer science in 1991 from the University of Southern Mississippi. She joined the Department of Computer Science at UWF in May 2001 after receiving her Ph.D. in Computer Science from The College of William & Mary. Dr. Simmons teaches courses in computer networks and distributed programming. Her research interests include distributed systems, high performance systems, computer networks and intelligent agents.

N. Wilde is a Professor of Computer Science and Nystul Chair at The University of West Florida. He received his Ph.D. in Mathematics and Operations Research from the Massachusetts Institute of Technology in 1971. He spent a number of years working in developing countries overseas: in academic positions, with the World Health Organization, and as an independent systems consultant. Dr. Wilde is currently working with the Software Engineering Research Center on a series of research and technology transfer projects in Software Maintenance, particularly in the area of Dependency Analysis and Software Reconnaissance. Dr. Wilde is a member of IEEE.