About Me     Research     CV     Publications         Professional     Personal

Behavior-Based Intrusion Detection

Cyber-Physical Systems (CPSs) have distinct cyber and physical components that must work cohesively with each other to ensure correct operation. Examples include automobiles, power plants, avionics systems, home automation systems, etc. Traditionally such systems were isolated from external accesses and used proprietary components and protocols. Hence, they were considered to be invulnerable to cyber attacks. The recent Stuxnet worm and other similar attacks have shown that even such systems are not immune to compromise. A failure to protect these systems from harm could result in significant harm to humans, the environment or even critical infrastructure.

On the other hand, many cyber-physical systems have real-time constraints i.e., they must function correctly within predetermined time scales. Systems that have such real-time properties are predictable by design. Designers work really hard to ensure that the execution behavior of such systems (e.g., execution time, memory usage, control flow, system properties, etc.) are analyzed and controlled to a high level of detail so as to guarantee predictable behavior.

This project aims to use this very predictability of real-time CPS to detect intrusions as soon as they occur and take evasive actions. This will be then combined with the development of an architectural framework to:

  1. detect intrusions and
  2. guarantee that the underlying physical system does not come to harm.

The development of analysis techniques and intrusion-detection architectures will inherently make such systems more secure and hence, safer. It will bring us one step closer to understanding how to integrate two seemingly diverse yet important fields, CPS and security, while gaining a better understanding of both areas.

The ideas that will be developed as part of this project have the potential for significant impact on a diverse set of domains. Apart from the research community, government agencies and industry could also gain significantly from results produced as part of this research. It will make many critical aspects of modern day life such as aircraft, vehicles, critical infrastructures (power grid, water treatment plants, etc.) much safer.


  1. Sibin Mohan [UIUC]
  2. Lui Sha [UIUC]
  3. Man-Ki Yoon [UIUC]
  4. Fardin Abdi [UIUC]
  5. Rakesh Bobba [UIUC]
  6. Mihai Christodorescu [Qualcomm Research]
  7. Rajarshi Gupta [Qualcomm Research]


We have analyzed the following behavioral properties and used them to detect intrusions in real-time, embedded and cyber-physical systems:

  • Execution Time
  • Control Flow
  • System Call Behavior
  • Memory Traffic

These analysis methods have been developed in conjunction with an architectural solution that we call, SecureCore. The main idea is that one of the cores in a multicore processor will be able to observe the behavior of critical tasks executing on other cores.


  1. S3A: Secure System Simplex Architecture for Safety-Critical Supervisory Control Systems by S. Mohan, S. Bak, E. Betti, H. Yun, L. Sha and M. Caccamo published in the 2nd ACM Conference on High Confidence Networked Systems (HiCoNS), Philadelphia, Pennsylvania in April 2013.
  2. SecureCore: A Multicore Architecture for Intrusion Detection in Real-Time Control Systems by M. K. Yoon, L. Sha and S. Mohan published in the IEEE Conference on Real-Time and Embedded Technology and Applications Symposium (RTAS), Philadelphia, Pennsylvania in April 2013.
  3. On-chip control flow integrity check for real time embedded systems by F. A. T. Abad, J. V. D. Woude, Y. Lu, S. Bak, M. Caccamo, L. Sha, R. Mancuso and S. Mohan in the 1st IEEE International Conference on Cyber-Physical Systems, Networks, and Applications (CPSNA), 2013.
  4. Intrusion detection for real-time embedded applications using system call frequency distribution by M.-K. Yoon, S. Mohan, J. Choi and L. Sha submitted to the IEEE Real-Time Systems Symposium, 2014.
  5. Memory heat map: Learning memory behavior for anomaly detection in real-time systems by M.-K. Yoon, S. Mohan, J. Choi and L. Sha submitted to the IEEE Real-Time Systems Symposium 2014.



Other Links

<< Home