Abstract
With billions of network-connected embedded systems, the security historically provided by the isolation of embedded systems is no longer sufficient. Millions of new malware samples are created every month, and zero-day attacks are an increasing concern. Proactive security measures alone are therefore no longer enough to protect embedded systems. Instead, reactive approaches are needed that detect attacks which circumvent the proactive defenses and react to them. Anomaly-based detection is a common reactive approach that detects malware by monitoring anomalous deviations in the system's execution. Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers unique protection against mimicry malware compared to sequence-based anomaly detection. However, previous timing-based anomaly detection methods consider each operation independently, at the granularity of tasks, function calls, system calls, or basic blocks. These approaches neither consider the entire software execution path nor provide a quantitative estimate of the presence of malware. This article presents a novel model that specifies the normal timing of execution paths in software applications using cumulative distribution functions of timing data in sliding execution windows. A probabilistic formulation estimates the presence of malware for individual operations and for sequences of operations within those paths. Operation- and path-based thresholds are determined during training to minimize false positives. Finally, the article presents an optimization method that assists system developers in selecting which operations to monitor according to different optimization goals and constraints. Experimental results with a smart connected pacemaker, an unmanned aerial vehicle, and seven sophisticated mimicry malware samples implemented at different levels demonstrate the effectiveness of the proposed approach.
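The following added example (not the paper's implementation) sketches the idea in the abstract: each operation's normal timing is modelled as an empirical CDF built from training runs, a folded-CDF tail score is assigned to each observed timing, consecutive operations along a path are scored jointly over a sliding window, and the operation and window thresholds are set from training data so that training runs never alert. The folded-CDF score, the product as the window score, and the synthetic cycle counts are assumptions made here for illustration.

```python
import bisect
import math
from collections import defaultdict

WINDOW = 3  # consecutive operations scored jointly along the execution path

def op_score(cdf, cycles):
    """Folded empirical CDF of an operation's training timings: the smaller of the
    mass at or below and at or above the observed value (~0.5 typical, 0 = outside
    everything seen in training)."""
    n = len(cdf)
    below = bisect.bisect_right(cdf, cycles) / n
    above = (n - bisect.bisect_left(cdf, cycles)) / n
    return min(below, above)

def train(traces):
    """Build per-operation empirical CDFs; set operation and window thresholds to the
    lowest score any training trace produced, so training runs raise no alert."""
    samples = defaultdict(list)
    for trace in traces:
        for op, cycles in trace:
            samples[op].append(cycles)
    cdfs = {op: sorted(v) for op, v in samples.items()}
    op_thr, win_thr = {op: 1.0 for op in cdfs}, 1.0
    for trace in traces:
        scores = [op_score(cdfs[op], c) for op, c in trace]
        for (op, _), s in zip(trace, scores):
            op_thr[op] = min(op_thr[op], s)
        for i in range(len(scores) - WINDOW + 1):
            win_thr = min(win_thr, math.prod(scores[i:i + WINDOW]))
    return {"cdfs": cdfs, "op_thr": op_thr, "win_thr": win_thr}

def detect(model, trace):
    """Alerts as (index, operation, kind) for an observed execution path."""
    scores = [op_score(model["cdfs"][op], c) for op, c in trace]
    alerts = [(i, op, "operation") for i, ((op, _), s) in enumerate(zip(trace, scores))
              if s < model["op_thr"][op]]
    for i in range(len(scores) - WINDOW + 1):
        if math.prod(scores[i:i + WINDOW]) < model["win_thr"]:
            alerts.append((i, trace[i][0], "window"))
    return alerts

# Constructed training data: eight runs of a three-operation control path with
# synthetic cycle counts, not measurements from the paper's pacemaker or UAV.
PATH = ("read_sensor", "filter", "actuate")
TIMINGS = [(100, 250, 80), (101, 255, 81), (99, 248, 80), (100, 252, 79),
           (102, 260, 80), (98, 245, 82), (100, 250, 80), (101, 253, 81)]
MODEL = train([list(zip(PATH, run)) for run in TIMINGS])
```

A mimicry run that keeps the normal operation sequence but stretches `filter` to 320 cycles is flagged both at the operation level and by the window score, while a fresh run within the training range passes silently.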
Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection