richard mcevoy - Academia.edu
Papers by richard mcevoy
This thesis examines the problem of detecting malicious software in industrial control systems. This is a growing problem since such systems are increasingly exposed to attack as modernization heightens the degree of system interconnectivity. At the same time, such systems are ill-equipped with suitable security mechanisms to allow them to fend off these attacks. The approach adopted assumes that the attacker will make no egregious protocol errors which would reveal the fact of penetration before that phase of the attack completes. Instead, the detection problem is one of uncovering an attack during the exploitation phase by drawing on a rich set of potential data relationships and using these, if possible, to locate the source of the attack and manage its outcome. The future direction of this work should permit us to detect integrity attacks in a timely fashion and use the results to bring control systems back under operator supervision, at least, for a subset of such systems. We consider this research will be valuable to individuals working to defend control systems, and distributed systems in general, against malicious software attacks.
2016 International Conference on Military Communications and Information Systems (ICMCIS), 2016
The correct labelling of all information at its point of origin is a critical enabler for effective information access control in modern military systems. If information is not properly labeled it cannot be shared between different communities of interest and coalition partners, which affects the responsibility to share and potentially impedes ongoing military operations. This paper describes two experiments performed at the NATO Communications and Information Agency related to supporting correct labelling of both pre-existing and newly created information objects. Two different techniques are used, one based on semantic analysis and the other on machine learning. Both approaches offer promising results in their respective use case scenarios, but require further development prior to operational deployment.
Supervisory control and data acquisition (SCADA) systems form a vital part of the critical infrastructure. Such systems have been subject to sophisticated and persistent attacks which are executed by processes under adversary supervision. Such attacks may be detected using inconsistencies in sensor readings or estimated behavior of the plant. However, to locate and eliminate malicious "agents" in networks, novel protocols are required to observe messaging behavior. In this paper, we propose a novel network protocol for SCADA systems which, for low computational cost, permits discovery and elimination of subverted nodes utilizing techniques related to probabilistic packet marking. We discuss its advantages over earlier work in this area, calculate message complexity requirements for detection and outline its resilience to various attack strategies.
Lecture Notes in Computer Science, 2013
Supervisory control and data acquisition (SCADA) systems form a vital part of the critical infrastructure. Such systems are subject to sophisticated attacks by subverted processes which can manipulate message content or forge authentic messages, undermining the action of the plant, whilst hiding the effects from operators. In this paper, we propose a novel network protocol which, using techniques related to IP Traceback, enables the efficient discovery of subverted nodes, assuming an initial detection event. We discuss its advantages over previous techniques in this area and provide a formal model.
Lecture Notes in Computer Science, 2010
Recent research on intrusion detection in supervisory data acquisition and control (SCADA) and DCS systems has focused on anomaly detection at protocol level based on the well-defined nature of traffic on such networks. Here, we consider attacks which compromise sensors or actuators (including physical manipulation), where intrusion may not be readily apparent as data and computational states can be controlled to give an appearance of normality, and sensor and control systems have limited accuracy. To counter these, we propose to consider indirect relations between sensor readings to detect such attacks through concurrent observations as determined by control laws and constraints.
IFIP Advances in Information and Communication Technology, 2011
Industrial control systems are a vital part of the critical infrastructure. The potentially large impact of a failure makes them attractive targets for adversaries. Unfortunately, simplistic approaches to intrusion detection using protocol analysis or naïve statistical estimation techniques are inadequate in the face of skilled adversaries who can hide their presence with the appearance of legitimate actions. This paper describes an approach for identifying malicious activity that involves the use of a path authentication mechanism in combination with state estimation for anomaly detection. The approach provides the ability to reason conjointly over computational structures, and operations and physical states. The well-known Tennessee Eastman reference problem is used to illustrate the efficacy of the approach.
2010 Fifth International Conference on Systems, 2010
An Algebra for the Detection and Prediction of Malicious Activity in Concurrent Systems. Thomas Richard McEvoy, Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK. Email: trmcevoy@rhul.ac.uk ...
Critical Infrastructure Protection VI, 2012
Defensive actions in critical infrastructure environments will increasingly require automated agents to manage the complex, dynamic interactions that occur between operators and malicious actors. Characterizing such agent behavior requires the ability to reason about distributed environments where the state of a channel or process depends on the actions of the opposing sides. This paper describes an extension to the Applied π-Calculus for modeling agent behavior in critical infrastructure environments. The utility of the extension is demonstrated via an agent-based attack and defense interaction scenario.
Lecture Notes in Computer Science, 2013
Critical infrastructure systems are distributed environments in which the mixture of technologies and interdependencies between physical and logical components lead to complex interactions. Calculating the possible impacts of attacks and the success of proposed countermeasures in such environments represents a severe problem. We propose a process algebraic technique as a means of effecting such calculations. Our approach allows us to demonstrate equivalence w.r.t. attack and defense strategies respectively. It also forms a basis for determining the efficiency and effectiveness of countermeasures. In comparison with other methods, such as attack/defense trees and attack graphs, our approach allows us to relax assumptions regarding the ordering of events by applying structural reasoning to outcomes and reducing the state space for the analysis. An obvious application is to risk management.
Lecture Notes in Computer Science, 2011
Conventional adversary models used in the analysis of cryptographic protocols such as the Dolev-Yao model and variants rely on a simple communication model in which an adversary fully participates in network communication. In the case of control (supervisory control and data acquisition, SCADA) systems, this set of assumptions can lead to undesirable results as constraints on communication affect both defender and adversary capabilities. These include a restricted topology for message passing and real-time processing constraints resulting in message prioritisation. We therefore propose an alternative adversary model explicitly capturing these constraints. We use a π-calculus variant to reason about priorities and constraints on messages (names) and explicitly model multiple adversarial agents rather than a single omnipotent adversary so as to capture synchronisation and communication effects. As an example of the model's capabilities, we derive targets for intrusion detection based on constraints on adversary action resulting from adversary-agent communication capabilities.
IFIP Advances in Information and Communication Technology, 2010
Modern process control systems are increasingly vulnerable to subversion. Attacks that directly target production processes are difficult to detect because signature-based approaches are not well-suited to the unique requirements of process control systems. Also, anomaly detection mechanisms have difficulty coping with the non-linearity of industrial processes. This paper focuses on the problem where attackers gain supervisory control of systems and hide their manipulations in signal noise or conceal computational states. To detect these attacks, we identify suitable proxy measurements for the output of a control system. Utilizing control laws, we compare the estimated system output using real-time numerical simulation along with the actual output to detect attacker manipulations. This approach also helps determine the intervention required to return the process to a safe state. The approach is demonstrated using a heat exchange process as a case study. By employing an explicit control model rather than a learning system or anomaly detection approach, the minimal requirements on proxy sensors and the need for additional sensors can be characterized. This significantly improves resilience while minimizing cost.
International Journal of Critical Infrastructures, 2013
A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. Anomalies in sensor measurements may be used to detect these attacks, but such techniques do not permit us to locate attacking nodes. We propose a novel technique to enable this. Each participating network node probabilistically copies packets and marks them with routing information, before encrypting them with private keys and forwarding them to the operator. Nodes regularly release the keys used to encrypt packets. At that point, the operator may compare the copied packets with the original. Using the differences in packet content and routing information, it is possible to deduce to within one or two processes the location of an attack. Our approach is based on IP traceback techniques originally used for detecting the origin of denial of service attacks. The complexity of the approach is low and the technique can be shown to be resilient to counterattack.
Risk may be analyzed implicitly or explicitly. From industrial experience, the former is less commonly used than the latter on a day-to-day basis, even though the former makes up the primary content of most commercially available risk analysis and management methodologies. Paradoxically, the latter is also more commonly baked into the process and technology used by organizations and its culture of risk management. Hence this represents a sociotechnical issue which requires the resolution of both conflict of methods and ambiguity in the interpretation and application of risk analysis. We propose an approach for resolving these issues, based on experience “in the wild”, and creating a Delphic convergence between the results of both approaches. Ultimately, we would aim to create a methodology for this purpose and propose some criteria for its creation.
Current methodologies for cyber security risk analysis are largely focused on process and technology. They do not systematically incorporate sociotechnical thinking. We argue this reduces their predictive power in determining the risks of cyber threats to organizations and hence limits the range of responses. A remedy is to augment such systems using suitable socio-technical models. As an example, we propose a re-working of Rasmussen’s model for safety in systems, applying it to cyber security. The updated model gives rise to a set of predictors and boundary conditions which can be used to determine an organization’s resilience in the face of external and internal cyber threats, enabling analysts to propose an extended range of countermeasures. We propose using this approach as a basis to include socio-technical analysis in risk assessment. As an example, we provide a critique of the risk methodology used in SABSA against this model. We discuss practical applications of the approach...
DXC Technology were asked to participate in a Cyber Vulnerability Investigation into organizations in the Defense sector in the UK. Part of this work was to examine the influence of socio-technical and/or human factors on cyber security – where possible linking factors to specific technical risks. Initial research into the area showed that (commercially, at least) most approaches to developing security culture in organisations focus on end users and deal solely with training and awareness regarding identifying and avoiding social engineering attacks and following security procedures. The only question asked and answered is how to ensure individuals conform to security policy and avoid such attacks. But experience of recent attacks (e.g., WannaCry, Sony hacks) shows that responses to cyber security requirements are not just determined by the end users’ level of training and awareness, but grow out of the wider organizational culture – with failures at different levels of the organizat...
Complex Systems Informatics and Modeling Quarterly, 2019
Cyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time which move an organization across the boundary of secure practice to a place where attacks will not only succeed, but also have a significantly greater impact on the organization. Yet current risk analysis and management methodologies are not designed to detect these kinds of systemic risks. We present an approach, devised in the field, to deriving these risks using a qualitative research methodology, akin to grounded theory, but based on preset coding descriptors. This allows organizational and individual behavior identified during interviews, observations or document research to be thematically analyzed, collated and mapped to potential risks, linked to poor working practices. The resulting risk factors can be linked together forming "risk narratives", showing how the degradation of working practices in one part of the organization can contribute to undermining its ability to respond to cyber security threats in another part of the organization.
Lecture Notes in Computer Science, 2010
Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers. This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
This thesis examines the problem of detecting malicious software in industrial control systems. T... more This thesis examines the problem of detecting malicious software in industrial control systems. This is a growing problem since such systems are increasingly exposed to attack as modernization heightens the degree of system interconnectivity. At the same time, such systems are ill-equipped with suitable security mechanisms to allow them to fend off these attacks. The approach adopted assumes that the attacker will make no egregious protocol errors which would reveal the fact of penetration before that phase of the attack completes. Instead, the detection problem is one of uncovering an attack during the exploitation phase by drawing on a rich set of potential data relationships and using these, if possible, to locate the source of the attack and manage its outcome. The future direction of this work should permit us to detect integrity attacks in a timely fashion and use the results to bring control systems back under operator supervision, at least, for a subset of such systems. We consider this research will be valuable to individuals working to defend control systems-and distributed systems in general-against malicious software attacks.
2016 International Conference on Military Communications and Information Systems (ICMCIS), 2016
The correct labelling of all information at its point of origin is a critical enabler for effecti... more The correct labelling of all information at its point of origin is a critical enabler for effective information access control in modern military systems. If information is not properly labeled it cannot be shared between different communities of interest and coalition partners, which affects the responsibility to share and potentially impedes ongoing military operations. This paper describes two experiments performed at the NATO Communications and Information Agency related to supporting correct labelling of both pre-existing and newly created information objects. Two different techniques are used, one based on semantic analysis and the other on machine learning. Both approaches offer promising results in their respective use case scenarios, but require further development prior to operational deployment.
Supervisory control and data acquisition (SCADA) systems form a vital part of the critical infras... more Supervisory control and data acquisition (SCADA) systems form a vital part of the critical infrastructure. Such systems have been subject to sophisticated and persistent attacks which are executed by processes under adversary supervision. Such attacks may be detected using inconsistencies in sensor readings or estimated behavior of the plant. However, to locate and eliminate malicious "agents" in networks, novel protocols are required to observe messaging behavior. In this paper, we propose a novel network protocol for SCADA systems which, for low computational cost, permits discovery and elimination of subverted nodes utilizing techniques related to probabilistic packet marking. We discuss its advantages over earlier work in this area, calculate message complexity requirements for detection and outline its resilience to various attack strategies .
Lecture Notes in Computer Science, 2013
Supervisory control and data acquisition (SCADA) systems form a vital part of the critical infras... more Supervisory control and data acquisition (SCADA) systems form a vital part of the critical infrastructure. Such systems are subject to sophisticated attacks by subverted processes which can manipulate message content or forge authentic messages, undermining the action of the plant, whilst hiding the effects from operators. In this paper, we propose a novel network protocol which, using techniques related to IP Traceback, enables the efficient discovery of subverted nodes, assuming an initial detection event. We discuss its advantages over previous techniques in this area and provide a formal model.
Lecture Notes in Computer Science, 2010
Recent research on intrusion detection in supervisory data acquisition and control (SCADA) and DC... more Recent research on intrusion detection in supervisory data acquisition and control (SCADA) and DCS systems has focused on anomaly detection at protocol level based on the well-defined nature of traffic on such networks. Here, we consider attacks which compromise sensors or actuators (including physical manipulation), where intrusion may not be readily apparent as data and computational states can be controlled to give an appearance of normality, and sensor and control systems have limited accuracy. To counter these, we propose to consider indirect relations between sensor readings to detect such attacks through concurrent observations as determined by control laws and constraints.
IFIP Advances in Information and Communication Technology, 2011
Industrial control systems are a vital part of the critical infrastructure. The potentially large... more Industrial control systems are a vital part of the critical infrastructure. The potentially large impact of a failure makes them attractive targets for adversaries. Unfortunately, simplistic approaches to intrusion detection using protocol analysis or naïve statistical estimation techniques are inadequate in the face of skilled adversaries who can hide their presence with the appearance of legitimate actions. This paper describes an approach for identifying malicious activity that involves the use of a path authentication mechanism in combination with state estimation for anomaly detection. The approach provides the ability to reason conjointly over computational structures, and operations and physical states. The well-known Tennessee Eastman reference problem is used to illustrate the efficacy of the approach.
2010 Fifth International Conference on Systems, 2010
Page 1. An Algebra for the Detection and Prediction of Malicious Activity in Concurrent Systems T... more Page 1. An Algebra for the Detection and Prediction of Malicious Activity in Concurrent Systems Thomas Richard McEvoy Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, UK Email: trmcevoy@rhul.ac.uk ...
Critical Infrastructure Protection VI, 2012
Defensive actions in critical infrastructure environments will increasingly require automated age... more Defensive actions in critical infrastructure environments will increasingly require automated agents to manage the complex, dynamic interactions that occur between operators and malicious actors. Characterizing such agent behavior requires the ability to reason about distributed environments where the state of a channel or process depends on the actions of the opposing sides. This paper describes an extension to the Applied π-Calculus for modeling agent behavior in critical infrastructure environments. The utility of the extension is demonstrated via an agent-based attack and defense interaction scenario.
Lecture Notes in Computer Science, 2013
Critical infrastructure systems are distributed environments in which the mixture of technologies... more Critical infrastructure systems are distributed environments in which the mixture of technologies and interdependencies between physical and logical components lead to complex interactions. Calculating the possible impacts of attacks and the success of proposed countermeasures in such environments represents a severe problem. We propose a process algebraic technique as a means of affecting such calculations. Our approach allows us to demonstrate equivalence w.r.t. attack and defense strategies respectively. It also forms a basis for determining the efficiency and effectiveness of countermeasures. In comparison with other methods, such as attack/defense trees and attack graphs, our approach allows us to relax assumptions regarding the ordering of events by applying structural reasoning to outcomes and reducing the state space for the analysis. An obvious application is to risk management.
Lecture Notes in Computer Science, 2011
Conventional adversary models used in the analysis of cryptographic protocols such as the Dolev-Y... more Conventional adversary models used in the analysis of cryptographic protocols such as the Dolev-Yao model and variants rely on a simple communication model in which an adversary fully participates in network communication. In the case of control (supervisory control and data acquisition, SCADA) systems, this set of assumptions can lead to undesirable results as constraints on communication affect both defender and adversary capabilities. These include a restricted topology for message passing and real-time processing constraints resulting in message prioritisation. We therefore propose an alternative adversary model explicitly capturing these constraints. We use a π-calculus variant to reason about priorities and constraints on messages (names) and explicitly model multiple adversarial agents rather than a single omnipotent adversary so as to capture synchronisation and communication effects. As an example of the model's capabilities, we derive targets for intrusion detection based on constraints on adversary action resulting from adversary-agent communication capabilities.
IFIP Advances in Information and Communication Technology, 2010
Modern process control systems are increasingly vulnerable to subversion. Attacks that directly t... more Modern process control systems are increasingly vulnerable to subversion. Attacks that directly target production processes are difficult to detect because signature-based approaches are not well-suited to the unique requirements of process control systems. Also, anomaly detection mechanisms have difficulty coping with the non-linearity of industrial processes. This paper focuses on the problem where attackers gain supervisory control of systems and hide their manipulations in signal noise or conceal computational states. To detect these attacks, we identify suitable proxy measurements for the output of a control system. Utilizing control laws, we compare the estimated system output using real-time numerical simulation along with the actual output to detect attacker manipulations. This approach also helps determine the intervention required to return the process to a safe state. The approach is demonstrated using a heat exchange process as a case study. By employing an explicit control model rather than a learning system or anomaly detection approach, the minimal requirements on proxy sensors and the need for additional sensors can be characterized. This significantly improves resilience while minimizing cost.
International Journal of Critical Infrastructures, 2013
A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. An... more A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. Anomalies in sensor measurements may be used to detect these attacks, but such techniques do not permit us to locate attacking nodes. We propose a novel technique to enable this. Each participating network node probabilistically copies packets and marks them with routing information, before encrypting them with private keys and forwarding them to the operator. Nodes regularly release the keys used to encrypt packets. At that point, the operator may compare the copied packets with the original. Using the differences in packet content and routing information, it is possible to deduce to within one or two processes the location of an attack. Our approach is based on IP traceback techniques originally used for detecting the origin of denial of service attacks. The complexity of the approach is low and the technique can be shown to be resilient to counterattack .
Risk may be analyzed implicitly or explicitly. From industrial experience, the former is less com... more Risk may be analyzed implicitly or explicitly. From industrial experience, the former is less commonly used than the latter on a day-to-day basis, even though the former makes up the primary content of most commercially available risk analysis and management methodologies. Paradoxically, the latter is also more commonly baked into the process and technology used by organizations and its culture of risk management. Hence this represents a sociotechnical issue which requires the resolution of both conflict of methods and ambiguity in the interpretation and application of risk analysis. We propose an approach for resolving these issues, based on experience “in the wild”, and creating a Delphic convergence between the results of both approaches. Ultimately, we would aim to create a methodology for this purpose and propose some criteria for its creation.
Current methodologies for cyber security risk analysis are largely focused on process and technol... more Current methodologies for cyber security risk analysis are largely focused on process and technology. They do not systematically incorporate sociotechnical thinking. We argue this reduces their predictive power in determining the risks of cyber threats to organizations and hence limits the range of responses. A remedy is to augment such systems using suitable socio-technical models. As an example, we propose a re-working of Rasmussen’s model for safety in systems, applying it to cyber security. The updated model gives rise to a set of predictors and boundary conditions which can be used to determine an organization’s resilience in the face of external and internal cyber threats, enabling analysts to propose an extended range of countermeasures. We propose using this approach as a basis to include socio-technical analysis in risk assessment. As an example, we provide a critique of the risk methodology used in SABSA against this model. We discuss practical applications of the approach...
DXC Technology were asked to participate in a Cyber Vulnerability Investigation into organization... more DXC Technology were asked to participate in a Cyber Vulnerability Investigation into organizations in the Defense sector in the UK. Part of this work was to examine the influence of socio-technical and/or human factors on cyber security – where possible linking factors to specific technical risks. Initial research into the area showed that (commercially, at least) most approaches to developing security culture in organisations focus on end users and deal solely with training and awareness regarding identifying and avoiding social engineering attacks and following security procedures. The only question asked and answered is how to ensure individuals conform to security policy and avoid such attacks. But experience of recent attacks (e.g., Wannacry, Sony hacks) show that responses to cyber security requirements are not just determined by the end users’ level of training and awareness, but grow out of the wider organizational culture – with failures at different levels of the organizat...
Complex Systems Informatics and Modeling Quarterly, 2019
Cyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time, which move an organization across the boundary of secure practice to a place where attacks will not only succeed, but also have a significantly greater impact on the organization. Yet current risk analysis and management methodologies are not designed to detect these kinds of systemic risks. We present an approach, devised in the field, to deriving these risks, using a qualitative research methodology, akin to grounded theory, but based on preset coding descriptors. This allows organizational and individual behavior identified during interviews, observations or document research to be thematically analyzed, collated and mapped to potential risks, linked to poor working practices. The resulting risk factors can be linked together forming "risk narratives", showing how the degradation of working practices in one part of the organization can contribute to undermining its ability to respond to cyber security threats in another part of the organization.
Lecture Notes in Computer Science, 2010
Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers. This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.