Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor Page: 4 of 9
This article is part of the collection entitled: Office of Scientific & Technical Information Technical Reports and was provided to Digital Library by the UNT Libraries Government Documents Department.
The following text was automatically extracted from the image on this page using optical character recognition software:
Fig. 3 Photo of the TOFINO network security cyber sensor plugged-in into
the test system.
- Wco +z:
If dist(Qa,i )> rad, a new cluster is created at the location
of input pattern xi , and its weight is set to 1.
III. EMBEDDED NETWORK SECURITY CYBER SENSOR
The Tofino embedded network security device, depicted in
Fig. 3, is manufactured by Byres Security Inc. . Originally,
the device was developed for pre-emptive threat detection,
termination and reporting, specifically tailored for the needs of
SCADA and industrial control systems. Its major advantages
are primarily its low-cost and ease of deployment in real world
systems. In the presented work, the Tofino cyber sensor was
used as an embedded development platform for
implementation of the proposed anomaly based detection
The Tofino platform consists of an Arcom Vulcan single
board computer. The main processor is an Intel IXP425
XScale processor running at 533MHz with 64MB of DRAM
and 32MB of flash memory. The Intel IXP425 XScale is based
on an ARM V5TE instruction set . Two Ethernet ports are
provided along with two USB ports. The Ethernet ports are
used in processing packet data and the USB ports are used for
storage of statistics. The operating system is based on the
OpenWRT distribution of Linux.
One of the specifics of this embedded platform is that the
Intel IXP425 XScale processor used in the Tofino platform
does not have a floating point unit (FPU). Instead, the floating
point arithmetic used in the presented algorithm is emulated.
Future work will include modification of the current
implementation to use fixed point (integer) arithmetic.
Depending on the implementation, a large performance gain
may be achieved by using the SIMD Multiply-Accumulate
unit coprocessor unit available on the IXP425. This
coprocessor allows 16x32 multiply-accumulate operations to
complete in a single cycle.
While not of utmost concern in an academic setting, the
implementation of the proposed algorithm on a hardware
platform is relevant. Sommer and Paxson  argue that it in
terms of capabilities and limitations it is important to obtain
insight into the performance of an anomaly detection system
from an operational point of view. The focused
implementation is here at a very low level with an envisioned
deployment just before some critical equipment, such as a
Programmable Logic Controller (PLC). With the increasingly
common usage of network based control systems and the
current deployment of smart grid systems hundreds, thousands
and possibly millions of devices will be interconnected. This
makes the cost and reliability of an implemented hardware
solution a relevant concern. In addition, the proposed
hardware implementation of the embedded network security
cyber sensor provides a performance baseline that might prove
useful for comparison in future work.
IV. DATA ACQUISITION AND FEATURE EXTRACTION
This section describes the network data acquisition process
and reviews the previously published window based feature
A. Control System Experimental Test-Bed
The hardware experimental test-bed system that was used for
network data acquisition represents several aspects of an
operational control system, such as operational control
structure, control system network and hardware control of
actual physical processes. RSView32, a Rockwell Software
HMI product, provides an integrated component based
interface for monitoring of the system behavior. The interface
runs on a Windows XP laptop connected via an IPv4 network.
A Moxa EDS-505A operated Ethernet switch provides
network connectivity for the controller. This switch is
mounted on a DIN-Rail and powered by the control system
source. All network traffic to and from the controller is
transported via the switch. Port mirroring has been enabled on
the control traffic port connected to the HMI machine. A
Linux laptop with the tcpdump software application was
Fig. 4 Network data acquisition setup. A PLC is connected through a hub to
the control PC station using an Ethernet network.
Here’s what’s next.
This article can be searched. Note: Results may vary based on the legibility of text within the document.
Tools / Downloads
Get a copy of this page or view the extracted text.
Citing and Sharing
Basic information for referencing this web page. We also provide extended guidance on usage rights, references, copying or embedding.
Reference the current page of this Article.
Linda, Ondrej; Vollmer, Todd; Wright, Jason & Manic, Milos. Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor, article, April 1, 2011; Idaho Falls, Idaho. (digital.library.unt.edu/ark:/67531/metadc836339/m1/4/: accessed December 13, 2017), University of North Texas Libraries, Digital Library, digital.library.unt.edu; crediting UNT Libraries Government Documents Department.