System and method for security in internet-of-things and cyber-physical systems based on machine learning

US2022201014A1 · US · A1

Patent metadata

Publication number: US-2022201014-A1
Application number: US-202017603453-A
Country: US
Kind code: A1
Filing date: Feb 25, 2020
Priority date: Apr 26, 2019
Publication date: Jun 23, 2022
Grant date: none listed

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

According to various embodiments, a method for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices is disclosed. The method includes constructing an attack directed acyclic graph (DAG) from a plurality of regular expressions, where each regular expression corresponds to control-data flow for a known CPS/IoT attack. The method further includes performing a linear search on the attack DAG to determine unexploited CPS/IoT attack vectors, where a path in the attack DAG that does not represent a known CPS/IoT attack vector represents an unexploited CPS/IoT attack vector. The method also includes applying a trained machine learning module to the attack DAG to predict new CPS/IoT vulnerability exploits. The method further includes constructing a defense DAG configured to protect against the known CPS/IoT attacks, the unexploited CPS/IoT attacks, and the new CPS/IoT vulnerability exploits.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices, the method comprising: constructing an attack directed acyclic graph (DAG) from a plurality of regular expressions, each regular expression corresponding to control-data flow for a known CPS/IoT attack, the attack DAG comprising a plurality of nodes, each node representing a system-level operation of the CPS or IoT device, and a plurality of paths, each path representing a CPS/IoT attack vector; performing a linear search on the attack DAG to determine unexploited CPS/IoT attack vectors, wherein a path in the attack DAG that does not represent a known CPS/IoT attack vector represents an unexploited CPS/IoT attack vector; applying a trained machine learning module to the attack DAG to predict new CPS/IoT vulnerability exploits, the trained machine learning module configured to determine a feasibility of linking unconnected nodes in the attack DAG to create a new branch representing a new CPS/IoT vulnerability exploit; and constructing a defense DAG configured to protect against the known CPS/IoT attacks, the unexploited CPS/IoT attacks, and the new CPS/IoT vulnerability exploits.

2. The method of claim 1, wherein constructing the attack DAG further comprises representing each of the plurality of regular expressions as control-data flow graphs.

3. The method of claim 2, wherein constructing the attack DAG further comprises combining the plurality of control-data flow graphs into a single DAG.

4. The method of claim 1, wherein new CPS or IoT attacks are discovered based on a convergence of multiple paths at a common node in the attack DAG.

5. The method of claim 1, wherein linking unconnected nodes in the attack DAG is feasible when a sequence of operations represented by linking the unconnected nodes can be implemented in at least one of the CPS and IoT device.

6. The method of claim 1, wherein the machine learning module comprises a support vector machine (SVM) model.

7. The method of claim 1, further comprising training the machine learning module to predict new CPS/IoT attacks.

8. The method of claim 7, further comprising constructing a training dataset for training the machine learning module, the training dataset comprising all existing paths in the attack DAG as feasible and a plurality of unconnected paths known to be infeasible.

9. The method of claim 8, wherein infeasible branches comprise infeasible sequences of system-level operations.

10. The method of claim 7, wherein the machine learning module is trained based on parameters for achieving zero false negatives.

11. The method of claim 1, wherein the defense DAG is configured to mirror the attack DAG to make paths in the attack DAG infeasible.

12. The method of claim 1, wherein the defense DAG is configured to protect against at least one of buffer overflow attacks, access control and privilege escalation attacks, malware execution, cryptographic and network security attacks, and boot-stage attacks.

13. A system for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices, the system comprising one or more processors configured to: construct an attack directed acyclic graph (DAG) from a plurality of regular expressions, each regular expression corresponding to control-data flow for a known CPS/IoT attack, the attack DAG comprising a plurality of nodes, each node representing a system-level operation of the CPS or IoT device, and a plurality of paths, each path representing a CPS/IoT attack vector; perform a linear search on the attack DAG to determine unexploited CPS/IoT attack vectors, wherein a path in the attack DAG that does not represent a known CPS/IoT attack vector represents an unexploited CPS/IoT attack vector; apply a trained machine learning module to the attack DAG to predict new CPS/IoT vulnerability exploits, the trained machine learning module configured to determine a feasibility of linking unconnected nodes in the attack DAG to create a new branch representing a new CPS/IoT vulnerability exploit; and construct a defense DAG to protect against the known CPS/IoT attacks, the unexploited CPS/IoT attacks, and the new CPS/IoT vulnerability exploits.

14. The system of claim 13, wherein the one or more processors are further configured to represent each of the plurality of regular expressions as control-data flow graphs.

15. The system of claim 14, wherein the one or more processors are further configured to combine the plurality of control-data flow graphs into a single DAG.

16. The system of claim 13, wherein new CPS or IoT attacks are discovered based on a convergence of multiple paths at a common node in the attack DAG.

17. The system of claim 13, wherein linking unconnected nodes in the attack DAG is feasible when a sequence of operations represented by linking the unconnected nodes can be implemented in at least one of the CPS and IoT device.

18. The system of claim 13, wherein the machine learning module comprises a support vector machine (SVM) model.

19. The system of claim 13, wherein the one or more processors are further configured to train the machine learning module to predict new CPS/IoT attacks.

20. The system of claim 19, wherein the one or more processors are further configured to construct a training dataset for training the machine learning module, the training dataset comprising all existing paths in the attack DAG as feasible and a plurality of unconnected paths known to be infeasible.

21. The system of claim 20, wherein infeasible branches comprise infeasible sequences of system-level operations.

22. The system of claim 19, wherein the machine learning module is trained based on parameters for achieving zero false negatives.

23. The system of claim 13, wherein the defense DAG is configured to mirror the attack DAG to make paths in the attack DAG infeasible.

24. The system of claim 13, wherein the defense DAG is configured to protect against at least one of buffer overflow attacks, access control and privilege escalation attacks, malware execution, cryptographic and network security attacks, and boot-stage attacks.

25. A non-transitory computer-readable medium having stored thereon a computer program for execution by a processor configured to perform a method for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices, the method comprising: constructing an attack directed acyclic graph (DAG) from a plurality of regular expressions, each regular expression corresponding to control-data flow for a known CPS/IoT attack, the attack DAG comprising a plurality of nodes, each node representing a system-level operation of the CPS or IoT device, and a plurality of paths, each path representing a CPS/IoT attack vector; performing a linear search on the attack DAG to determine unexploited CPS/IoT attack vectors, wherein a path in the attack DAG that does not represent a known CPS/IoT attack vector represents an unexploited CPS/IoT attack vector; applying a trained machine learning module to the attack DAG to predict new CPS/IoT vulnerability exploits, the trained machine learning module configured to determine a feasibility of linking unconnected nodes in the a
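As an added illustration (not code from the patent or from the assignee), the following Python sketch builds the attack DAG of claim 1 from constructed operation sequences, performs the linear search of claim 1 for paths that match no known attack, and reports the convergence nodes of claim 4. The operation names and the sequences standing in for the patent's per-attack regular expressions are assumptions, and the sample is chosen so that the union of the sequences stays acyclic.

```python
# Added example, not part of the patent: toy attack DAG construction and
# linear search for unexploited paths over abstract system-level operations.
from collections import defaultdict

# Constructed sample: each known attack as a sequence of abstract
# system-level operations (stands in for a per-attack control-data flow graph).
KNOWN_ATTACKS = {
    "A": ("net_recv", "parse_len", "memcpy_unchecked", "overwrite_ret"),
    "B": ("usb_read", "parse_len", "heap_alloc", "write_oob"),
    "C": ("net_recv", "auth_bypass", "load_module"),
}

def build_attack_dag(attacks):
    """Union the per-attack flows into one successor map (node -> set of nodes)."""
    succ = defaultdict(set)
    for ops in attacks.values():
        for a, b in zip(ops, ops[1:]):
            succ[a].add(b)
    return succ

def enumerate_paths(succ, sources):
    """Walk from every entry operation to every sink (node with no successors)."""
    paths = []
    def walk(node, path):
        if not succ.get(node):          # .get() avoids creating empty entries
            paths.append(tuple(path))
            return
        for nxt in sorted(succ[node]):
            walk(nxt, path + [nxt])
    for s in sorted(sources):
        walk(s, [s])
    return paths

def classify_paths(attacks):
    """Split all DAG paths into known vectors and unexploited ones (claim 1)."""
    succ = build_attack_dag(attacks)
    targets = {n for s in succ.values() for n in s}
    sources = set(succ) - targets        # operations nothing flows into
    known = set(attacks.values())
    paths = enumerate_paths(succ, sources)
    return ([p for p in paths if p in known], [p for p in paths if p not in known])

def convergence_nodes(attacks):
    """Operations shared by more than one known attack (claim 4's common nodes)."""
    counts = defaultdict(int)
    for ops in attacks.values():
        for op in set(ops):
            counts[op] += 1
    return sorted(n for n, c in counts.items() if c > 1)
```

With the sample above, the two paths that cross at parse_len but match neither A nor B are reported as unexploited, which is the cross-over the patent's defense DAG is meant to cover before an attacker finds it.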

Assignees

Univ Princeton
Inventors

Classifications

  • Generating training patterns; Bootstrap methods, e.g. bagging or boosting (CPC)

  • Probabilistic graphical models, e.g. probabilistic networks (CPC)

  • Based on the proximity to a decision surface, e.g. support vector machines (CPC)

  • Traffic logging, e.g. anomaly detection (CPC)

  • G06F21/577 (primary): Assessing vulnerabilities and evaluating computer system security (CPC)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2022201014A1 cover?
According to various embodiments, a method for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices is disclosed. The method includes constructing an attack directed acyclic graph (DAG) from a plurality of regular expressions, where each regular expression corresponds to control-data flow for a known CPS/IoT attack. The method …
Who is the assignee on this patent?
Univ Princeton
What technology area does this patent fall under?
Primary CPC classification G06F21/577. Mapped technology areas include Physics.
When was this patent published?
Publication date Jun 23, 2022 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).