Event Stream Processing for Intrusion Detection in ZigBee Home Area Networks Sandra Pogarcic, Samujjwal Bhandari, Kedar Hippalgaonkar, and Susan Urban.


Motivation
• Because the ZigBee protocol was designed for efficiency rather than security, its communication protocol is easily exploited
• Use artificial intelligence to make a self-healing system that dynamically discovers new cyber attacks based on similar attacks

References:
[1] Urban, S.D. and Sridharan, M. 2011. CSR: Small: Adaptive Event Stream Processing. [NSF Grant No.: CNS-1005212, proposal for Software Engineering Research].
[2] Anderson, R. 2001. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, New York.
[3] Intelligent Event Processor (IEP) User's Guide. Sun Microsystems, Inc. Santa Clara, CA 2009.
[4] Ploeg, J. ZigBee. 2006-2008. Taken from: http://www.specifications.nl/zigbee/zigbee_UK.php

This research is supported by NSF Grant No. CNS 1005212 & ECCS-1040161. Opinions, findings, conclusions, or recommendations expressed in this paper are those of the author(s) and do not necessarily reflect the views of NSF.

TTU 2012 NSF Research Experiences for Undergraduates Site Project

Figure 2: ZigBee Packet and architecture [4]

Objectives:
• Detect attacks in a ZigBee environment
• Understand and exploit the vulnerabilities in the ZigBee stack protocol
    • Flood Attack
    • Back-Off Manipulation
• Analyze ZigBee packets from the hardware simulation to develop static rules for detection of attack scenarios
• Experiment with the use of event processing technology to detect attack scenarios

Intelligent Event Processing
• Graphical open-source software that performs functions on events provided in streams and relational data tables
• IEP uses message binding to import external data, such as text files, for processing
• IEP has several graphical operators that can perform functions on micro events
• An operator passes data on to other operators if the stream meets the query's condition
• Input and Output operators are mandatory, but more complex rules can be made by refining the conditions of what can be the output
• If an event reaches the output under the rules that you set, that particular sequence of events has occurred

Event Stream Processing
• The detection of patterns in a data set or a data stream that signify that an event has occurred
• Can be used to create patterns or rules from pre-existing data, which can be refined to predict similar event behavior
• Used here to create metadata, or domain-specific rules, which will be combined with probability to dynamically define emerging attack patterns

Smart Grid
• The Smart Grid is the next step in modernizing the electrical system to fit the rising demand for energy
• It has an interconnected, two-way communication system built into its infrastructure
• Data and energy can dynamically be transferred through multiple pathways
• Home Area Network (HAN)

ZigBee
• Wireless technology that is built on and expands the IEEE 802.15.4 standard
• Has a unanimous data standard
• Low cost and low power consumption
• Compatible with intrusion detection technologies
• Supports large network communication infrastructure
• ZigBee network parallels Smart Grid infrastructure

My Research
• Apply event stream processing technology to flood attack and back-off time manipulation intrusion scenarios
• Identify static rules from ZigBee packets
• Ex: Flood Attack Pattern
    • If Source Addressing Mode = 11, then there is an Association protocol in place
    • If the Intra Pan field = 0, then the Association Protocol is an Association Request (a device is trying to join the network)
    • If this behavior happens approximately 4 times within a minute, then there is a likely chance of a flood attack

Figure 4: Parsed ZigBee Packet
Figure 5: Corresponding Packet in Wireshark, a packet analyzer
Figure 6: Basic input and output stream in IEP
Figure 7: Graphical representation of a Flood Attack Pattern
Figure 3: IEP Architecture [3]

Future Directions
• Integrate event stream processing with the intrusion simulation
• From simple patterns, dynamic intrusion detection rules or algorithms can be made using probability
• Expand the JADE simulation to generate ZigBee packets for Event Stream Processing
• Expand general rules into IEP rules

Figure 1: Smart Grid

Security Challenges
• Less tested than other wireless technologies
• New attacks will continuously be developed
• Communication protocol manipulation to prevent message transmission
• Network jamming
• Physical layer attacks
• New attacks will continuously be developed, and they cannot be addressed while they are still unknown
• Same network key for multiple devices
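The flood attack pattern from the My Research section, written as a sliding-window detector over a stream of frame control fields. This is an added example, not the poster authors' IEP rule: the bit positions follow the IEEE 802.15.4 frame control field layout, and the function names and the sample streams are constructed for illustration.

```python
from collections import deque

SRC_MODE_EXTENDED = 0b11  # "Source Addressing Mode = 11" in the poster's rule
THRESHOLD = 4             # "approximately 4 times"
WINDOW_S = 60.0           # "within a minute"


def parse_fcf(fcf):
    """Decode the two fields the rule needs from a 16-bit frame control field."""
    return {
        "intra_pan": (fcf >> 6) & 0x1,   # bit 6: Intra-PAN flag
        "src_mode": (fcf >> 14) & 0x3,   # bits 14-15: source addressing mode
    }


def is_association_request(fields):
    """Poster's static rule: source addressing mode 11 and Intra-PAN = 0."""
    return fields["src_mode"] == SRC_MODE_EXTENDED and fields["intra_pan"] == 0


def detect_flood(events, threshold=THRESHOLD, window_s=WINDOW_S):
    """events: (timestamp_seconds, fcf) pairs in time order.

    Returns the timestamps at which the number of matching frames seen in
    the last window_s seconds reaches the threshold.
    """
    recent = deque()
    alerts = []
    for ts, fcf in events:
        if not is_association_request(parse_fcf(fcf)):
            continue
        recent.append(ts)
        # Drop matches that have aged out of the sliding window.
        while ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts


# Constructed sample streams: 0xC823 matches the rule, 0x8861 is an
# intra-PAN data frame with short addresses and does not.
FLOOD = [(0.0, 0xC823), (10.0, 0xC823), (12.0, 0x8861),
         (20.0, 0xC823), (30.0, 0xC823), (35.0, 0xC823)]
BENIGN = [(0.0, 0xC823), (5.0, 0x8861), (70.0, 0xC823), (200.0, 0xC823)]

if __name__ == "__main__":
    print("flood alerts:", detect_flood(FLOOD))
    print("benign alerts:", detect_flood(BENIGN))
```

The window is counted across all senders rather than per source address, matching the rule as the poster states it.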

