Research Projects

Project Title Lead Principal Investigator Abstract
Thrust : Incidence Response: Forensics and Recovery
Scalable Hybrid Honeypot Infrastructure for IoT Threat Intelligence and Response Prof Zhou Jianying, SUTD Large-scale malware campaigns against IoT are a major threat to critical infrastructures. Due to the heterogeneity of IoT devices and the massive numbers of devices, it is challenging to foresee new attack waves. In this project we propose to build a hybrid (low and high interaction) honeypot, designed to scale to various kinds of devices, and to collect real-time data on attacks running on the wild. This data will be analyzed using lean machine-learning based techniques, in order to effectively provide threat intelligence on known and possibly unknown attacks. The honeypot will integrate data from other initiatives (such as the one hosted by the Global Cybersecurity Alliance) and will also provide threat intelligence as a service.
Automated Incident Response and Recovery in ICS Prof Zhou Jianying, SUTD In the current industrial control systems (ICS), response and recovery actions are determined and performed manually by a human operator once an attack has been detected. In this project, we aim to address challenges associated with automated synthesis of defence and incident response in ICS, and answer the following research questions: [RQ1] How to respond to an on-going attack on-the-fly, by performing actions to disable the attacker’s access to the system? [RQ2] How to recover from a successful attack by performing actions to move the system state from an unsafe to a safe state? We will develop a distributed monitoring technique that can coordinate multiple, component-specific monitors with an automatic synthesize protocol. We will also develop a technique for automatically synthesizing response and recovery actions in case of an active attacker.
Thrust : Attestation and Assessment
Towards Practical Attestation Solutions for Countering Advanced Attacks to Industrial Control Systems Assoc Prof Binbin Chen, SUTD Industrial control systems (ICS) monitor and operate critical infrastructures via logic implemented on their component devices — e.g., programmable logic controllers (PLCs). The PLC code may be maliciously modified in different ways, e.g., through runtime memory modification or tampering with the binary code. Once the PLC code is modified, the safety and security of CPS can be easily compromised. This project seeks to develop practical defender attestation techniques that can be applied to iTrust ICS testbeds and eventually to real-world systems. The developed solution will be able to cope with the lack of hardware support and software privilege and also ensure attestation does not affect the ICS operations. We will also play the role of attacker to develop advanced techniques for attacking existing attestation techniques and co-evolve the defender and attacker to develop effective attestation techniques that are resilient against the ‘smartest’ attackers.
Thrust : Digital Twinning
LEarning from Network and Process data to secure Water Distribution Systems (LENP-WDS) Asst Prof Stefano Galelli, SUTD Modern water distribution systems rely on networks of digital devices, which offer a vast attack surface to unauthorized users. In this project, we plan to develop novel data-driven solutions for detecting and responding to cyber-attacks. In particular, we will work with both network and process (SCADA) data generated by our first contribution, that is, a digital twin. The availability of such data will propel two additional contributions: (1) attack detection and localization algorithms, and (2) real-time response strategies. The detection (and localization) process will rely on the idea of pairing process and traffic data to reduce the number of false positives, identify both physical and digital assets under attack, and disclose threats earlier in the kill chain. This information will be then harnessed by a Deep Reinforcement Learning agent, which will learn the best response strategies through repeated interactions with the digital twin.
Automated Framework for Generating Cyber-physical Range for Smart Grid Dr Daisuke Mashima, ADSC Cyber range is a virtual representation of cyber-physical systems, and is demanded not only as a venue for evaluating compatibility and performance of ICS devices as well as ICS security solutions before deployment but also as sandbox for training and education. There are several desired properties for cyber range to be effective: fidelity to real systems, consistent cyber-physical systems emulation, flexibility in configuration, and scalability to support large-scale cyber-physical systems. Besides, it is desired to have accessibility and portability so that developed models can be shared with the community. In this project, focusing on smart power grid system, we develop expressive modelling framework to describe cyber range and associated tool chain to facilitate the instantiation of the cyber range according to the user-defined models. We further plan to demonstrate the technology by showcasing a cyber range of a real smart power grid system such as SUTD’s EPIC testbed.
Digital twinning of secure water treatment facilities Assoc Prof Adrian Law, NTU This project aims to develop a digital-twin system concept, termed as “Smart Digital Water Twins (SDWT)”, to protect and optimize critical water infrastructures. This project is in collaboration with CAD-IT Consultants (Asia). SDWT shall build on the ThingWorx commercial platform for real-time data communication and management. It will leverage on advanced machine learning algorithms for predictive analysis, to provide effective and instant safeguards against operational anomalies and cyber/physical-attacks in critical water treatment infrastructures. The concept of SDWT will be examined independently in SUTD’s lab-scale Secure Water Treatment (SWaT) iTrust Testbed. Predictive maintenance for the simulated units will be carried out to evaluate the amount of material and energy savings for the known intake conditions, and cyber/physical-attacks will also be simulated with and without simultaneous technical anomalies to test the capability of SDWT in protecting the system operations.
Thrust : Attack Prevention
Enhancing Dynamic Analysis of Firmware in IoT Infrastructures via Component Functionality Inference Assoc Prof Liang Zhenkai, NUS Dynamic analysis in IoT environments is often hindered by the lack of knowledge in certain critical components. This project aims to develop techniques to bridge the gap and enable effective dynamic analysis. Based on our research in traditional binaries, we found that important functionalities of components, such as dataflow-related semantics, can be inferred from observing inputs and outputs of a component. We will further the investigation of this technique in the domain of IoT components, using inference-based techniques to model components missing in virtual machines. With the model of IoT components, we can further drive the execution of firmware in dynamic analysis, and thus exposing more of its functionality to analysis, such as fuzzing and taint analysis.
Design and reinforcement security on smart grids against cyber-physical attack Assoc Prof Yuen Chau, SUTD Smart grid is a well-known cyber-physical system. However, its complex nature introduces a new level of security vulnerabilities that reveals urgent needs of security reinforcement against malicious attacks. In this research project, to improve the security level of smart grid, a new security reinforcement process is proposed with three stages; namely (1) Design, (2) Monitoring, and (3) Operation, involved with the aspects of prevention, protection, detection, and control mechanisms. Specifically, we study three tasks with particular emphasis on defense-in-depth though novel techniques. To this end, first, an intelligent method is proposed to evaluate the vulnerable points and the corresponding impact of smart grid subject to various attack strategies. Then, a robust detection framework is developed that leverages the correlation between abnormal/attack incidents and normal signals/states in both the cyber and physical domains. Finally, a game-changing approach based control mechanism is proposed with fully distributed, high secure, and robust characteristics.
Thrust : Novel Approaches to design secure CI
A two-track approach to CPS Reconnaissance: causal-graphs and axiomatic design Assoc Prof Arlindo Silva, SUTD In this project we will develop two novel and complementary approaches in the context of CPS design. First, we will investigate axiomatic design theory, in which the functional requirements of the CPS are related to a set of design parameters, and systematically analysed using matrix methods. Second, we will investigate design graphs, in which causal relations and dependencies are modelled, and used to analytically identify different clusters of CPS components, as well as ‘weaker’ nodes of the system that could be targeted by an attacker. Finally, we will combine the approaches by deriving invariants for the implemented CPS based on the conditions and relations identified in the design stage. These methods will be applied to water supply, distribution, and cascading effects.
FBI – Featherlight Blockchain for IoT Asst Prof Dinh Tien Tuan Anh, SUTD Blockchains provide several interesting features, for example, decentralisation, immutability, non-repudiation, accountability, availability, and transparency. Some of these are compelling to use in an IoT context, namely to ensure and decentralise trust in the IoT infrastructure. We propose to design and build a Featherlight Blockchain Infrastructure (FBI) that will serve as a trust anchor for IoT devices. The smart contracts, consensus protocol, and identity and access management of the FBI will be tailored towards IoT services, particularly Advanced Metering Infrastructures. We will identity and make appropriate trade-offs between security and performance of the blockchain infrastructure. We will focus on three case studies to demonstrate how FBI helps with data security, recovery, and anomaly detection: Secure Logging, Secure Timestamping, and Secure Firmware Updates. To achieve this, we will interface the FBI with real-world IoT devices in the Critical Infrastructure labs of iTrust.