Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


Computer Engineering

Committee Chair

Thomas Morris

Committee Member

David J. Coe

Committee Member

Earl Wells

Committee Member

S.M. Yoo

Committee Member

J. Iwan D. Alexander


Process control; Computer security; Cyberterrorism -- Prevention


Highly notable cyber-attacks, such as Stuxnet [44] and the Maroochy attack [18], have targeted critical infrastructure with the goal of affecting physical processes to cause harm. This work presents a payload analysis-based Intrusion Prevention System (IPS) to detect similar attacks by predicting what harm the attacks could cause to the physical process. The IPS developed is called the Embedded Process Prediction Intrusion Prevention System (EPPIPS). EPPIPS will examine incoming command packets and programs that are destined for a Programmable Logic Controller (PLC) that interacts with a physical process. If EPPIPS predicts these packets or programs to be harmful, EPPIPS can potentially prevent or limit the harm. EPPIPS consists of a module that examines the packets that would alter settings or actuators and incorporates a model of the physical process to aid in predicting the effect of processing the command. Specifically, EPPIPS determines whether a safety violation would occur for critical variables in the physical system. Simulation of both the physical system model and a process running a copy of real PLC ladder logic is performed in EPPIPS. Uploaded programs will be evaluated to determine whether the programs would cause a safety violation, laying the groundwork for later research into malware analysis in cyber-physical systems. EPPIPS resides inside the PLC itself as a proxy process between the actual PLC process and the network. This placement and implementation are similar to the “on the edge” approach for an IPS [47]. The purpose of this approach is to serve as the innermost layer of defense, relative to the PLC, against cyber-attacks in a defense-in-depth strategy. Defenses on the outer layers may include mitigations such as encryption and firewalls. EPPIPS acts as a last line of defense against cyber-attacks that affect a physical process under the PLC’s control.
Since EPPIPS incorporates a PLC process to make predictions within the PLC hardware, this work’s unique approach encompasses a PLC model within a PLC. This work seeks to eliminate or minimize the number of manual specifications by using system identification and machine learning to generate models. This allows the IPS to be more generic and deployable. Another contribution of this work is a broader and more general understanding of the threat model that causes unsafe or inefficient consequences in cyber-physical systems. The metrics used when evaluating the results in this work included latency and the accuracy of the predictions.
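The prediction step described in the abstract can be sketched as follows. This is an added illustration, not code from the dissertation: the tank model, the hysteresis control logic, the safety limits and all names (`PlcState`, `predict`, `vet`) are assumptions chosen to show a proxy that simulates a copy of the control logic against a process model before forwarding a command.

```python
from dataclasses import dataclass, replace
from typing import Optional

# All values are constructed for illustration (hypothetical water-tank process).
SAFE_MIN, SAFE_MAX = 10.0, 90.0   # safety limits on the critical variable (level, %)
INFLOW, OUTFLOW = 2.0, 1.0        # % per step: pump inflow and constant demand

@dataclass(frozen=True)
class PlcState:
    low_sp: float = 30.0                  # pump turns on below this level
    high_sp: float = 70.0                 # pump turns off above this level
    manual_pump: Optional[bool] = None    # None = automatic control
    pump_on: bool = False

def plc_scan(state, level):
    """Copy of the control logic: level hysteresis unless the pump is forced."""
    if state.manual_pump is not None:
        return replace(state, pump_on=state.manual_pump)
    if level < state.low_sp:
        return replace(state, pump_on=True)
    if level > state.high_sp:
        return replace(state, pump_on=False)
    return state

def plant_step(level, pump_on):
    """Process model: one time step of tank level dynamics, clamped to 0..100."""
    return max(0.0, min(100.0, level + (INFLOW if pump_on else 0.0) - OUTFLOW))

def predict(state, level, command, horizon=200):
    """Apply the command to a copy of the state and simulate; report the first violation."""
    sim = replace(state, **command)
    for step in range(1, horizon + 1):
        sim = plc_scan(sim, level)
        level = plant_step(level, sim.pump_on)
        if not SAFE_MIN <= level <= SAFE_MAX:
            return False, step, level
    return True, None, level

def vet(state, level, command):
    """Proxy decision: forward the command only if no violation is predicted."""
    safe, step, lvl = predict(state, level, command)
    return "forward" if safe else f"block: level {lvl:.0f}% at step {step}"

if __name__ == "__main__":
    for cmd in ({"high_sp": 75.0}, {"high_sp": 95.0}, {"manual_pump": True}):
        print(cmd, "->", vet(PlcState(), 50.0, cmd))
```

The blocked setpoint write shows why a static range check on the written value is not enough in this sketch: a `high_sp` of 95 is a plausible register value, and the violation only appears once the control logic and the process model are run forward together.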


