Abstract
Network-connected embedded systems are being deployed at large scale as a critical part of the Internet of Things, and these systems face a growing risk from malware. Anomaly-based detection methods can detect malware in embedded systems effectively and, unlike signature-based methods, can detect zero-day exploits, but existing approaches incur significant performance overhead and are susceptible to mimicry attacks. In this article, we present a formal runtime security model that defines normal system behavior in terms of both execution sequence and execution timing. The anomaly detection method uses on-chip hardware to non-intrusively monitor system execution through the processor's trace port and to detect malicious activity at runtime. We further analyze the properties of the timing distributions of control-flow events and use three selection metrics to choose the subset of events to monitor within the available hardware resources. The detection method is evaluated on a network-connected pacemaker benchmark, prototyped on an FPGA and simulated in SystemC, against several mimicry attacks implemented at different levels. The resulting detection rate and false-positive rate, under constraints on the number of events the on-chip hardware can monitor, demonstrate the effectiveness of our approach.
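To make the sequence-plus-timing idea concrete, the following is an added, self-contained Python illustration; it is not the paper's code or its hardware monitor. It learns, from constructed benign traces of (control-flow event, cycle count) pairs as a trace port might emit them, the set of legal event transitions and a timing window per transition, then flags a test trace either for an unseen transition (sequence anomaly) or for an inter-event time outside the learned window (timing anomaly, which is what catches a mimicry attack that preserves the legal sequence). The event names, the pacemaker-like traces, the mean-plus-3-sigma window, and the single ranking metric used in `select_monitored` to fit a hardware budget are all assumptions made for the example; the paper's three selection metrics and its fitted timing distributions are not reproduced here.

```python
"""Toy sequence + timing anomaly detector over control-flow trace events.

Added illustration, not the paper's code. All event names, traces, the timing
window rule and the monitored-event ranking metric are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _filter(trace, monitored):
    """Keep only the events the (budget-limited) on-chip monitor observes."""
    return [(e, t) for e, t in trace if monitored is None or e in monitored]


def build_model(traces, monitored=None, k=3.0):
    """Learn normal behavior from benign traces.

    Sequence model: the set of observed (prev_event, next_event) transitions.
    Timing model: per transition, a [lo, hi] window of mean +/- k*stddev on the
    inter-event time (ASSUMED simple rule; the paper fits richer distributions).
    Returns {edge: (lo, hi, mu, sd)}.
    """
    samples = defaultdict(list)
    for trace in traces:
        tr = _filter(trace, monitored)
        for (a, ta), (b, tb) in zip(tr, tr[1:]):
            samples[(a, b)].append(tb - ta)
    model = {}
    for edge, ds in samples.items():
        mu = mean(ds)
        sd = pstdev(ds) if len(ds) > 1 else 0.0
        model[edge] = (mu - k * sd, mu + k * sd, mu, sd)
    return model


def select_monitored(model, budget):
    """Choose which events to monitor when hardware supports only `budget`.

    ASSUMED metric: prefer events whose incoming timing window is tightest
    (lowest stddev/mean), because a tight window leaves a mimicry attack the
    least room to hide extra work. Not one of the paper's three metrics.
    """
    score = defaultdict(list)
    for (_, b), (_, _, mu, sd) in model.items():
        score[b].append(sd / mu if mu else float("inf"))
    ranked = sorted(score, key=lambda e: min(score[e]))
    return set(ranked[:budget])


def detect(trace, model, monitored=None):
    """Return [(position, kind, detail)] anomalies found in `trace`."""
    alerts = []
    tr = _filter(trace, monitored)
    for i, ((a, ta), (b, tb)) in enumerate(zip(tr, tr[1:]), start=1):
        edge = (a, b)
        if edge not in model:                      # never-seen transition
            alerts.append((i, "sequence", edge))
            continue
        lo, hi, _, _ = model[edge]
        d = tb - ta
        if not lo <= d <= hi:                      # legal edge, wrong timing
            alerts.append((i, "timing", (edge, d, lo, hi)))
    return alerts


# ---- constructed sample data (a pacemaker-style sense/decide/pace loop) ----
EVENTS = ["sense", "filter", "decide", "pace", "log"]


def make_trace(delays):
    """Constructed helper: turn per-transition delays into (event, cycle) pairs."""
    t, trace = 0, [(EVENTS[0], 0)]
    for ev, d in zip(EVENTS[1:], delays):
        t += d
        trace.append((ev, t))
    return trace


BENIGN_TRACES = [make_trace(d) for d in [
    (100, 200, 300, 50), (102, 198, 305, 51), (98, 203, 295, 49),
    (101, 199, 301, 50), (99, 201, 299, 50),
]]
# Mimicry: identical event sequence, but "decide" hides ~120 extra cycles of work.
MIMICRY_TRACE = make_trace((100, 200, 420, 50))
# Control-flow hijack: "filter" and "decide" are skipped entirely.
SEQUENCE_ATTACK_TRACE = [("sense", 0), ("pace", 100), ("log", 150)]

if __name__ == "__main__":
    full = build_model(BENIGN_TRACES)
    print("mimicry, full monitoring:", detect(MIMICRY_TRACE, full))
    mon = select_monitored(full, budget=2)
    small = build_model(BENIGN_TRACES, mon)
    print("monitored subset:", mon)
    print("hijack, budget 2:", detect(SEQUENCE_ATTACK_TRACE, small, mon))
```

Running it shows the trade-off the abstract alludes to: with every event monitored, the mimicry trace trips the timing check on the decide-to-pace transition and the hijack trace trips the sequence check; with a budget of two monitored events chosen by the assumed metric, the mimicry attack is still caught, but the hijack trace contains only one monitored event and produces no transition to check, so the choice of monitored subset directly determines which attacks remain visible.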
Time and Sequence Integrated Runtime Anomaly Detection for Embedded Systems