Time and Sequence Integrated Runtime Anomaly Detection for Embedded Systems

Published: 07 December 2017

Abstract

Network-connected embedded systems are growing rapidly as a critical part of the Internet of Things, and these systems face an increasing risk of malware. Anomaly-based detection methods can detect malware in embedded systems effectively and, unlike signature-based methods, can detect zero-day exploits, but existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this article, we present a formal runtime security model that defines normal system behavior in terms of both execution sequence and execution timing. The anomaly detection method utilizes on-chip hardware to non-intrusively monitor system execution through the processor's trace port and to detect malicious activity at runtime. We further analyze the properties of the timing distribution of control flow events and select a subset of monitoring targets using three selection metrics to meet the hardware constraint. The detection method is evaluated on a network-connected pacemaker benchmark prototyped in an FPGA and simulated in SystemC, with several mimicry attacks implemented at different levels. The resulting detection rate and false positive rate, under constraints on the number of monitored events supported by the on-chip hardware, demonstrate the good performance of our approach.
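To make the sequence-plus-timing idea concrete, the following is an added software illustration, not the paper's hardware monitor or benchmark: it learns a normal model (allowed control-flow transitions with timing bounds) from constructed clean traces, limits timing checks to a budget of monitored transitions, and flags both an out-of-order event and a sequence-preserving trace whose timing deviates. The event names, cycle values, the widening margin and the "narrowest timing window" selection metric are assumptions for the example; the paper's own selection metrics are not reproduced here.

```python
from collections import defaultdict

# Constructed sample traces of a pacemaker-style control loop: (event, cycle).
NORMAL_TRACES = [
    [("sense", 0), ("compute", 100), ("pace", 130), ("log", 160), ("sense", 1000)],
    [("sense", 0), ("compute", 102), ("pace", 131), ("log", 158), ("sense", 1010)],
    [("sense", 0), ("compute", 98), ("pace", 129), ("log", 161), ("sense", 995)],
]
# Legal event order, but "compute" takes ~10x its normal time: only the timing check sees it.
MIMICRY_TRACE = [("sense", 0), ("compute", 100), ("pace", 400), ("log", 430), ("sense", 1270)]
# "pace" skipped entirely: the sequence check sees it.
INJECTED_TRACE = [("sense", 0), ("compute", 100), ("log", 130), ("sense", 970)]

def train(traces, margin=0.10):
    """Normal model: allowed transitions with observed min/max inter-event
    time, widened by `margin` of the observed spread (at least one cycle)."""
    deltas = defaultdict(list)
    for trace in traces:
        for (e1, t1), (e2, t2) in zip(trace, trace[1:]):
            deltas[(e1, e2)].append(t2 - t1)
    model = {}
    for key, ds in deltas.items():
        lo, hi = min(ds), max(ds)
        slack = max(1, int((hi - lo) * margin))
        model[key] = (lo - slack, hi + slack)
    return model

def select_targets(model, budget):
    """Keep the `budget` transitions with the narrowest timing windows, where
    a timing check has the most discriminating power (assumed metric)."""
    ranked = sorted(model, key=lambda k: model[k][1] - model[k][0])
    return set(ranked[:budget])

def detect(model, trace, targets=None):
    """Sequence check on every transition; timing check only on monitored
    targets (all transitions when targets is None). Returns the anomalies."""
    anomalies = []
    for (e1, t1), (e2, t2) in zip(trace, trace[1:]):
        key, dt = (e1, e2), t2 - t1
        if key not in model:
            anomalies.append(("sequence", key, dt))
        elif (targets is None or key in targets) and not model[key][0] <= dt <= model[key][1]:
            anomalies.append(("timing", key, dt))
    return anomalies

if __name__ == "__main__":
    m = train(NORMAL_TRACES)
    for name, tr in [("normal", NORMAL_TRACES[1]), ("mimicry", MIMICRY_TRACE), ("injected", INJECTED_TRACE)]:
        print(name, detect(m, tr, select_targets(m, budget=2)))
```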

