The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Mu Zhang - University of Utah

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Backtracking Intrusions in Modern Industrial Internet of Things

Dec 06, 2023

Download: Video Icon MP4 Video Size: 225.4MB  
Watch on Youtube Watch on YouTube


Advanced Persistent Threat (APT) attacks are increasingly targeting modern factory floors. Recovery from a cyberattack is a complex task that involves identifying the root causes of the attack in order to thoroughly cleanse the compromised systems and remedy all vulnerabilities. As a result, the provenance analysis, which can correlate individual attack footprints and thus "connect the dots", is very much desired. Provenance analysis has been well studied in traditional IT systems, yet the OS-level attack model, prior work employs, cannot effectively capture application semantics in physical control systems. Recent efforts have been made to develop custom provenance models that uniquely represent physical attacks in cyber-physical systems. Nevertheless, existing techniques still fall short due to their unreliable semantic recovery, inability to reconstruct process contexts, and lack of cross-domain causality tracking. 

In this talk, we present ICSTracker, which aims to enable provenance analysis in the new setting of industrial IoT. To recover the physical semantics of controller routines, we utilize data mining to identify function call sequences that align with specific physical actions. To establish the process contexts, we resort to the data access patterns in controller code to discover and keep track of critical state variables that are shared among multiple iterations of control logic. To uncover the methods attackers employ in exploiting digital vulnerabilities to cause physical damage, we perform a cross-domain causality analysis, associating controller operations with OS-level events through their mutual access to shared digital assets. We have implemented and tested ICSTracker in a FischerTechnic testbed. Our preliminary results are promising, demonstrating that ICSTracker can precisely capture cross-domain cyber-physical attacks in a semantics and context-aware fashion.

About the Speaker

Mu Zhang
Mu Zhang is an Assistant Professor with the Kahlert School of Computing at the University of Utah. Zhang works at the unique intersection between systems security and cyber-physical systems. He is the lead PI of the DARPA HACCS project Semantics-Aware Discovery of Advanced Persistent Threats in Cyber-Physical Systems, which aims to detect advanced attacks in CPS settings. He has also been key personnel on the NSF CPS Frontiers project, Software Defined Control for Smart Manufacturing Systems, and has led the technical effort to develop a security vetting system for controller programs. Zhang has extensively published in top-tier security venues (S&P, CCS, NDSS), and received an ACM SIGSOFT Distinguished Paper Award at ISSTA 2023, an ACM SIGPLAN Distinguished Paper Award at OOPSLA 2019, and a Best Paper Honorable Mention at CCS 2022.

Ways to Watch


Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!