DOI: 10.1145/2818362.2818365
research-article

Analysis of Control Flow Events for Timing-based Runtime Anomaly Detection

Published: 04 October 2015

Abstract

Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network-connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.

      Published In

      WESS'15: Proceedings of the WESS'15: Workshop on Embedded Systems Security
      October 2015
      73 pages
      ISBN:9781450336673
      DOI:10.1145/2818362
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Embedded system security
      2. anomaly detection
      3. network-connected pacemaker
      4. software security
      5. timing based detection

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ESWEEK'15
      ESWEEK'15: ELEVENTH EMBEDDED SYSTEM WEEK
      October 4 - 9, 2015
      Amsterdam, Netherlands

      Acceptance Rates

      Overall Acceptance Rate 8 of 21 submissions, 38%

      Cited By

      • (2021) Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems. IEEE Transactions on Dependable and Secure Computing 18:2 (825-842). DOI: 10.1109/TDSC.2019.2906161. Online publication date: 1-Mar-2021
      • (2020) Detecting Execution Anomalies As an Oracle for Autonomy Software Robustness. 2020 IEEE International Conference on Robotics and Automation (ICRA) (9366-9373). DOI: 10.1109/ICRA40945.2020.9197060. Online publication date: May-2020
      • (2017) Anomaly Detection as a Service: Challenges, Advances, and Opportunities. Synthesis Lectures on Information Security, Privacy, and Trust 9:3 (1-173). DOI: 10.2200/S00800ED1V01Y201709SPT022. Online publication date: 24-Oct-2017
      • (2017) Orpheus. Proceedings of the 33rd Annual Computer Security Applications Conference (315-326). DOI: 10.1145/3134600.3134640. Online publication date: 4-Dec-2017
      • (2017) Time and Sequence Integrated Runtime Anomaly Detection for Embedded Systems. ACM Transactions on Embedded Computing Systems 17:2 (1-27). DOI: 10.1145/3122785. Online publication date: 7-Dec-2017
      • (2017) Subcomponent Timing-Based Detection of Malware in Embedded Systems. 2017 IEEE International Conference on Computer Design (ICCD) (17-24). DOI: 10.1109/ICCD.2017.12. Online publication date: Nov-2017
