research-article
Open Access

Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection

Published: 04 January 2021

Abstract

With billions of networked embedded systems, the security historically provided by the isolation of embedded systems is no longer sufficient. Millions of new malware samples are created every month, and zero-day attacks are an increasing concern. Therefore, proactive security measures alone are no longer enough to protect embedded systems. Instead, reactive approaches are needed that detect attacks which circumvent the proactive defenses and react to them. Anomaly-based detection is a common reactive approach that detects malware by monitoring anomalous deviations in the system's execution. Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers unique protection against mimicry malware compared to sequence-based anomaly detection. However, previous timing-based anomaly detection methods consider each operation independently, at the granularity of tasks, function calls, system calls, or basic blocks. These approaches neither consider the entire software execution path nor provide a quantitative estimate of the presence of malware. This article presents a novel model for specifying the normal timing of execution paths in software applications using cumulative distribution functions of timing data in sliding execution windows. A probabilistic formulation is used to estimate the presence of malware for individual operations and for sequences of operations within the paths. Operation-based and path-based thresholds are determined during the training process to minimize false positives. Finally, the article presents an optimization method to assist system developers in selecting which operations to monitor based on different optimization goals and constraints. Experimental results with a smart connected pacemaker, an unmanned aerial vehicle, and seven sophisticated mimicry malware samples implemented at different levels demonstrate the effectiveness of the proposed approach.
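The ingredients named in the abstract (per-operation timing CDFs over a sliding window, a probabilistic estimate for single operations and for a whole path, and thresholds calibrated on clean runs) worked through as an added Python illustration; this is not the paper's own formulation or code. The two-sided tail-mass score, the independence assumption used to combine operations along a path, the window size, and the `read_sensor`/`compute`/`actuate` timings are all constructed assumptions.

```python
# Added illustration, not the paper's code: per-operation empirical-CDF timing model over a
# sliding window, per-operation/per-path malware estimates, thresholds from clean runs.
from bisect import bisect_left, bisect_right
import math, random

class OperationModel:
    """Empirical CDF of one operation's timings over its most recent `window` samples."""
    def __init__(self, samples, window=500):
        self.sorted = sorted(list(samples)[-window:])

    def estimate(self, t):
        """P[timing t is anomalous] = 1 - two-sided empirical tail mass at t."""
        n = len(self.sorted)
        at_most = bisect_right(self.sorted, t) / n        # P[T <= t]
        at_least = (n - bisect_left(self.sorted, t)) / n  # P[T >= t]
        return 1.0 - min(1.0, 2.0 * min(at_most, at_least))

def path_estimate(scores):
    """P[some operation on the path is anomalous], assuming independence."""
    return 1.0 - math.prod(1.0 - s for s in scores)

class PathDetector:
    def __init__(self, runs, window=500):
        """runs: [(path_id, [(op, t), ...]), ...] from clean executions.
        Thresholds are the worst clean scores, so training runs yield no
        false positives (assumes the runs fit inside the window)."""
        timings = {}
        for _, steps in runs:
            for op, t in steps:
                timings.setdefault(op, []).append(t)
        self.ops = {op: OperationModel(ts, window) for op, ts in timings.items()}
        self.op_thr, self.path_thr = {}, {}
        for pid, steps in runs:
            scores = [self.ops[op].estimate(t) for op, t in steps]
            for (op, _), s in zip(steps, scores):
                self.op_thr[op] = max(self.op_thr.get(op, 0.0), s)
            self.path_thr[pid] = max(self.path_thr.get(pid, 0.0), path_estimate(scores))

    def check(self, pid, steps):
        """Return (path flagged?, [operations flagged individually])."""
        scores = [self.ops[op].estimate(t) for op, t in steps]
        flagged = [op for (op, _), s in zip(steps, scores) if s > self.op_thr[op]]
        return path_estimate(scores) > self.path_thr[pid], flagged

def demo_runs(n=300, seed=1):
    """Constructed clean runs of a read_sensor -> compute -> actuate path."""
    rng = random.Random(seed)
    return [("ctrl", [("read_sensor", rng.randint(100, 110)), ("compute", rng.randint(400, 450)),
                      ("actuate", rng.randint(50, 60))]) for _ in range(n)]
```

A timing that never occurred in the window scores 1.0 for its operation and drives the path estimate to 1.0, while every clean training run stays at or below the calibrated thresholds by construction.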

