Side Channel Identification using Granger Time Series Clustering with Applications to Control Systems

Side channels are data sources that adversaries can exploit to carry out cyber security attacks. Alternatively, side channels can be used as data sources for techniques to predict the presence of an attack. Typically, the identification of side channels requires domain-specific expertise and it is likely that many side channels are present within systems that are not readily identified, even by a subject matter expert. We are motivated to develop methods that automatically recognize the presence of side channels without requiring the need to use detailed or domain-specific knowledge. Understanding cause and effect relationships is hypothesized to be a key aspect of determining appropriate side channels; however, determining such relationships is generally a problem whose solution is very challenging. We describe a time-series clustering approach for identifying side channels using the statistical model of Granger causality. Since our method is based upon the Granger causality paradigm in contrast to techniques that rely upon the identification of correlation relationships, we can identify side channels without requiring detailed subject matter expertise. A Granger-based data clustering technique is described in detail and experimental results of our prototype algorithms are provided to demonstrate the efficacy of the approach using an industrial control system model comprised of commercial components.