Saman Zonouz’s research while affiliated with Georgia Institute of Technology and other places


Publications (140)


ERACAN: Defending Against an Emerging CAN Threat Model
  • Conference Paper
  • Full-text available

October 2024 · 963 Reads

Saman Zonouz · [...]

The Controller Area Network (CAN) is a pivotal communication protocol extensively utilized in vehicles, aircraft, factories, and diverse cyber-physical systems (CPSs). The extensive CAN security literature resulting from decades of wide usage may create an impression of thorough scrutiny. However, a closer look reveals its reliance on a specific threat model with a limited range of abilities. Notably, recent works show that this model is outdated and that a more potent and versatile model could soon become the norm, prompting the need for a new defense paradigm. Unfortunately, the security impact of this emerging model on CAN systems has not received sufficient attention, and the defense systems addressing it are almost nonexistent. In this paper, we introduce ERACAN, the first comprehensive defense system against this new threat model. We first begin with a threat analysis to ensure that ERACAN comprehensively understands this model's capabilities, evasion tactics, and propensity to enable new attacks or enhance existing ones. ERACAN offers versatile protection against this spectrum of threats, providing attack detection, classification, and optional prevention abilities. We implement and evaluate ERACAN on a testbed and a real vehicle's CAN bus to demonstrate its low latency, real-time operation, and protective capabilities. ERACAN achieves detection rates of 100% and 99.7%+ for all attacks launched by the conventional and the enhanced threat models, respectively.


Sensor Deprivation Attacks for Stealthy UAV Manipulation

October 2024 · 6 Reads

Unmanned Aerial Vehicles autonomously perform tasks with the use of state-of-the-art control algorithms. These control algorithms rely on the freshness and correctness of sensor readings. Incorrect control actions lead to catastrophic destabilization of the process. In this work, we propose a multi-part Sensor Deprivation Attacks (SDAs), aiming to stealthily impact process control via sensor reconfiguration. In the first part, the attacker will inject messages on local buses that connect to the sensor. The injected message reconfigures the sensors, e.g., to suspend the sensing. In the second part, those manipulation primitives are selectively used to cause adversarial sensor values at the controller, transparently to the data consumer. In the third part, the manipulated sensor values lead to unwanted control actions (e.g. a drone crash). We experimentally investigate all three parts of our proposed attack. Our findings show that i) reconfiguring sensors can have surprising effects on reported sensor values, and ii) the attacker can stall the overall Kalman Filter state estimation, leading to a complete stop of control computations. As a result, the UAV becomes destabilized, leading to a crash or significant deviation from its planned trajectory (over 30 meters). We also propose an attack synthesis methodology that optimizes the timing of these SDA manipulations, maximizing their impact. Notably, our results demonstrate that these SDAs evade detection by state-of-the-art UAV anomaly detectors. Our work shows that attacks on sensors are not limited to continuously inducing random measurements, and demonstrate that sensor reconfiguration can completely stall the drone controller. In our experiments, state-of-the-art UAV controller software and countermeasures are unable to handle such manipulations. Hence, we also discuss new corresponding countermeasures.





Toward Resilient Modern Power Systems: From Single-Domain to Cross-Domain Resilience Enhancement

April 2024 · 176 Reads · 2 Citations

Proceedings of the IEEE

Modern power systems are the backbone of our society, supplying electric energy for daily activities. With the integration of communication networks and high penetration of renewable energy sources (RESs), modern power systems have evolved into a cross-domain multilayer complex system of systems with improved efficiency, controllability, and sustainability. However, increasing numbers of unexpected events, including natural disasters, extreme weather, and cyberattacks, are compromising the functionality of modern power systems and causing tremendous societal and economic losses. Resilience, a desirable property, is needed in modern power systems to ensure their capability to withstand all kinds of hazards while maintaining their functions. This article presents a systematic review of recent power system resilience enhancement techniques and proposes new directions for enhancing modern power systems’ resilience considering their cross-domain multilayer features. We first answer the question, “what is power system resilience?” from the perspectives of its definition, constituents, and categorization. It is important to recognize that power system resilience depends on two interdependent factors: network design and system operation. Following that, we present a review of articles published since 2016 that have developed innovative methodologies to improve power system resilience and categorize them into infrastructural resilience enhancement and operational resilience enhancement. We discuss their problem formulations and proposed quantifiable resilience measures, as well as point out their merits and limitations. Finally, we argue that it is paramount to leverage higher order subgraph studies and scientific machine learning (SciML) for modern power systems to capture the interdependence and interactions across heterogeneous networks and data for holistically enhancing their infrastructural and operational resilience.



Fig. 1. The challenges of the DNN deployment for an edge-cloud system.
Fig. 3. Privacy metric and task loss function calculation in awareSL.
Fig. 5. Scatter plot result between inference accuracy and distance correlation.
Fig. 6. Average DCOR among training batches and inference accuracy results when taking different importance scores α1 at the same split point.
Fig. 7. Input reconstruction attack results and awareSL defense results on FashionMNIST dataset with different setups of split points and importance scores. The coefficient of task loss α2 is set as 1.

Resource-Aware DNN Partitioning for Privacy-Sensitive Edge-Cloud Systems

November 2023 · 140 Reads

Lecture Notes in Computer Science

With recent advances in deep neural networks (DNNs), there is a significant increase in IoT applications leveraging AI with edge-cloud infrastructures. Nevertheless, deploying large DNN models on resource-constrained edge devices is still challenging due to limitations in computation, power, and application-specific privacy requirements. Existing model partitioning methods, which deploy a partial DNN on an edge device while processing the remaining portion of the DNN on the cloud, mainly emphasize communication and power efficiency. However, DNN partitioning based on the privacy requirements and resource budgets of edge devices has not been sufficiently explored in the literature. In this paper, we propose awareSL, a model partitioning framework that splits DNN models based on the computational resources available on edge devices, preserving the privacy of input samples while maintaining high accuracy. In our evaluation of multiple DNN architectures, awareSL effectively identifies the split points that adapt to resource budgets of edge devices. Meanwhile, we demonstrate the privacy-preserving capability of awareSL against existing input reconstruction attacks without sacrificing inference accuracy in image classification tasks.


Fig. 3: Overview of training process for physical perturbations in the EVILEYE framework. EVILEYE generates a digital perturbation to create an unsafe misclassification. EVILEYE's digital-to-physical mapping then transforms the digital perturbation into a physical perturbation, i.e., the projection of the digital perturbation onto the transparent display.
Fig. 4: Our physical evaluation setup, consisting of a Raspberry Pi victim camera and a low-cost transparent display analogue, consisting of an organic light-emitting diode (OLED) display and beam splitter. Adversarial perturbations are displayed on the screen and reflected by the beam splitter, overlaying them onto the natural scene as observed by the victim camera.
Fig. 5: Visual comparison between the output of all TNet models and the ground truth of the 50-dot case. TNet-UNet output approximates the ground truth perturbation best.
Fig. 10: A visualization of SentiNet attack detection at different lux levels. Adversarial samples fall within the distribution of benign samples in terms of Average Classifier Confidence and Fool Percentage when salient areas are masked by SentiNet, and are therefore difficult to detect.
Fig. 11: A comparison of classifier accuracy for benign and adversarial samples when varying image bit-depth of the RGB channels, ranging from native 8-bit color resolution (256 possible values/channel) to 1-bit (2 possible values/channel). Color represents benign (blue) and adversarial (red) performance. Markers indicate different lux levels.
Why Don't You Clean Your Glasses? Perception Attacks with Dynamic Optical Perturbations

July 2023 · 49 Reads

Camera-based autonomous systems that emulate human perception are increasingly being integrated into safety-critical platforms. Consequently, an established body of literature has emerged that explores adversarial attacks targeting the underlying machine learning models. Adapting adversarial attacks to the physical world is desirable for the attacker, as this removes the need to compromise digital systems. However, the real world poses challenges related to the "survivability" of adversarial manipulations given environmental noise in perception pipelines and the dynamicity of autonomous systems. In this paper, we take a sensor-first approach. We present EvilEye, a man-in-the-middle perception attack that leverages transparent displays to generate dynamic physical adversarial examples. EvilEye exploits the camera's optics to induce misclassifications under a variety of illumination conditions. To generate dynamic perturbations, we formalize the projection of a digital attack into the physical domain by modeling the transformation function of the captured image through the optical pipeline. Our extensive experiments show that EvilEye's generated adversarial perturbations are much more robust across varying environmental light conditions relative to existing physical perturbation frameworks, achieving a high attack success rate (ASR) while bypassing state-of-the-art physical adversarial detection frameworks. We demonstrate that the dynamic nature of EvilEye enables attackers to adapt adversarial examples across a variety of objects with a significantly higher ASR compared to state-of-the-art physical world attack frameworks. Finally, we discuss mitigation strategies against the EvilEye attack.


Dissecting the Industrial Control Systems Software Supply Chain

July 2023 · 16 Reads · 2 Citations

IEEE Security and Privacy Magazine

Industrial control system (ICS) platforms are increasingly relying on third-party software components forming an untrusted supply chain. In this work, we investigate components and their security in this supply chain, dissecting firmware from major international ICS vendors.


Citations (71)


... As the immersiveness is seen as the long-awaited interaction affordance that will offer an alternative to the conventional entering of credentials [1], the threats to VR headsets could come from adversaries with and without access to the VR headset. An adversary without access or a "shoulder-surfer" might not be able to directly snoop on the credential entering process of VR users [26] but could craft a careful observation-based attack that would enable deciphering approximately between 75-80% of text inputs made in VR headset [27], [28], [29], [30], [31], coming effectively close to conventional keylogging attacks. ...

Reference:

"Oh, sh*t! I actually opened the document!": An Empirical Study of the Experiences with Suspicious Emails in Virtual Reality Headsets
Virtual Keymysteries Unveiled: Detecting Keystrokes in VR with External Side-Channels
  • Citing Conference Paper
  • May 2024

... The attacker can inject energy into the serial communication channels (e.g., I2C bus) on the drone. This can be achieved in various ways: i) a supply chain attack, implanting malicious behavior into one component connected to the bus [45], ii) by remotely injecting (or changing existing) messages on the bus via IEMI [8,9]. ...

Control Corruption without Firmware Infection: Stealthy Supply Chain Attacks via PLC Hardware Implants (MalTag)
  • Citing Conference Paper
  • May 2024

... Power system resilience relies on the secure operation of both cyber and physical components and their crucial interdependencies [6]. Cyber and physical attacks, such as denial-of-service (DoS), man (machine)-in-the-middle (MiTM), and false data injection (FDI) attacks, can potentially affect both the dynamic and transient states of the system, which can lead to compromised resiliency and stability [7], [8], [9]. Therefore, major enhancements have been made to power system security against these threats over the past decade. ...

Toward Resilient Modern Power Systems: From Single-Domain to Cross-Domain Resilience Enhancement

Proceedings of the IEEE

... The Industrial Internet of Things (IIoT) has ushered in a transformative era for industrial processes, with IoT-enabled Programmable Logic Controllers (IoT-PLCs) emerging as a revolutionary force [1]. These devices seamlessly integrate traditional industrial systems with advanced digital technologies, fostering unprecedented levels of efficiency and connectivity. ...

Compromising Industrial Processes using Web-Based Programmable Logic Controller Malware
  • Citing Conference Paper
  • January 2024

... However, this (whitebox) approach requires that an attacker has full knowledge of the state estimator, which may not be very feasible. ARES [17] proposed a reinforcement learning based approach to find adversarial values for the control task to move the vehicle away from its planned path. It is also a whitebox approach and the objective isn't stealthy deviations like the examples shown in Figure 1. ...

Get Your Cyber-Physical Tests Done! Data-Driven Vulnerability Assessment of Robotic Aerial Vehicles

... Existing studies confirm that pruning strategies emerge as promising solutions to address the aforementioned dilemma [3,29,46,2]. For example, state-of-the-art pruning techniques remove more than 75% of floating point operations (FLOPs) and parameters without compromising model accuracy [47,20]. ...

CSTAR: Towards Compact and Structured Deep Neural Networks with Adversarial Robustness
  • Citing Article
  • June 2023

Proceedings of the AAAI Conference on Artificial Intelligence

... While the former works only outdoor and the latter only indoor (works only for one building at a time), there are not many hybrid solutions that can work across buildings (possibly with reduced granularity such as room or building level). 3) Room-level granularity is sufficient: In certain security applications such as [5], policies are defined based on the device's context (location, time, etc.). Policies define allowed behavior such as whether recording or making a call is allowed or not and can depend on room-level location. ...

Don't Just BYOD, Bring-Your-Own-App Too! Protection via Virtual Micro Security Perimeters
  • Citing Conference Paper
  • June 2016

... The RESLab testbed can simulate the cyber-physical environment of realistic large-scale power systems and validate the response performance. The testbed consists of a power system interactive simulator that runs in near-real-time, a connected network emulator, intrusion detection systems like Snort [35], Elastic Search-Kibana data aggregation and visualization [36], hardware devices including protective relays and real-time automation control (RTACs), a proprietary platform from Schweitzer Engineering Laboratories (SEL) [37], and a cyberphysical resilient energy system energy management system (CYPRES EMS) [38]. The RESLab testbed has industrial control system protocols running through the emulated network and connecting with our power system simulator, our CYPRES EMS, and industrial hardware devices [39]. ...

Design of Next-Generation Cyber-Physical Energy Management Systems: Monitoring to Mitigation

IEEE Open Access Journal of Power and Energy

... Many works leverage Long Short-Term Memory (LSTM) networks to effectively extract temporal dependencies in the observed video sequences for prediction of future frames (Srivastava et al., 2015; Lotter et al., 2016). In addition, video predictive models conditioned on action received broader applications, such as reinforcement learning (Escontrela et al., 2024; Lenz et al., 2015), motion planning (Sarkar et al., 2019; Zang et al., 2022), etc. ...

Robot Motion Planning as Video Prediction: A Spatio-Temporal Neural Network-based Motion Planner
  • Citing Conference Paper
  • October 2022

... Accumulating evidence supports the robustness of "low-rank" models against adversarial attacks in image recognition Yang et al. [2019], Phan et al. [2022], Wang et al. [2023]. There, the low-rank models were realized by different methods: matrix completion Yang et al. [2019], model compression Phan et al. [2022] or tensor SVD Wang et al. [2023], suggesting that the low-rankness seems to be the universal key for adversarial robustness. ...

CSTAR: Towards Compact and STructured Deep Neural Networks with Adversarial Robustness