Time and Sequence Integrated Runtime Anomaly Detection for Embedded Systems

Published: 07 December 2017

Abstract

Network-connected embedded systems are growing on a large scale as a critical part of the Internet of Things, and these systems are at risk from increasing malware. Anomaly-based detection methods can detect malware in embedded systems effectively and, unlike signature-based detection methods, can detect zero-day exploits, but existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this article, we present a formal runtime security model that defines normal system behavior, including execution sequence and execution timing. The anomaly detection method in this article uses on-chip hardware to non-intrusively monitor system execution through the trace port of the processor and detect malicious activity at runtime. We further analyze the properties of the timing distribution for control flow events and select a subset of monitoring targets using three selection metrics to meet hardware constraints. The detection method is evaluated on a network-connected pacemaker benchmark prototyped in FPGA and simulated in SystemC, with several mimicry attacks implemented at different levels. The resulting detection rate and false positive rate, under constraints on the number of monitored events supported by the on-chip hardware, demonstrate good performance of our approach.

Published In

ACM Transactions on Embedded Computing Systems  Volume 17, Issue 2
Special Issue on MEMCODE 2015 and Regular Papers (Diamonds)
March 2018
640 pages
ISSN:1539-9087
EISSN:1558-3465
DOI:10.1145/3160927

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2017
Accepted: 01 July 2017
Revised: 01 April 2017
Received: 01 November 2016
Published in TECS Volume 17, Issue 2

Author Tags

  1. Embedded system security
  2. anomaly detection
  3. medical device security
  4. software security
  5. timing based detection

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • (2024) Runtime Verification and AI: Addressing Pragmatic Regulatory Challenges. Bridging the Gap Between AI and Reality, 225-241. DOI: 10.1007/978-3-031-75434-0_16. Online publication date: 30-Oct-2024
  • (2023) Anomaly Behaviour tracing of CHERI-RISC V using Hardware-Software Co-design. 2023 21st IEEE Interregional NEWCAS Conference (NEWCAS), 1-5. DOI: 10.1109/NEWCAS57931.2023.10198103. Online publication date: 26-Jun-2023
  • (2022) FIRE: A Finely Integrated Risk Evaluation Methodology for Life-Critical Embedded Systems. Information 13:10 (487). DOI: 10.3390/info13100487. Online publication date: 10-Oct-2022
  • (2022) Benchmark Tool for Detecting Anomalous Program Behaviour on Embedded Devices. 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 1187-1192. DOI: 10.1109/TrustCom56396.2022.00164. Online publication date: Dec-2022
  • (2020) GWAD: Greedy Workflow Graph Anomaly Detection Framework for System Traces. 2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC), 2790-2796. DOI: 10.1109/SMC42975.2020.9282938. Online publication date: 11-Oct-2020
  • (2020) MA2DF: A Multi-Agent Anomaly Detection Framework. 2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC), 30-36. DOI: 10.1109/SMC42975.2020.9282846. Online publication date: 11-Oct-2020
  • (2020) Privacy Attack On IoT: a Systematic Literature Review. 2020 International Conference on ICT for Smart Society (ICISS), 1-8. DOI: 10.1109/ICISS50791.2020.9307568. Online publication date: 19-Nov-2020
  • (2019) Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems. Proceedings of the Modeling and Simulation in Medicine Symposium, 1-12. DOI: 10.5555/3338264.3338271. Online publication date: 29-Apr-2019
  • (2019) Window-Based Statistical Analysis Of Timing Subcomponents For Efficient Detection Of Malware In Life-Critical Systems. 2019 Spring Simulation Conference (SpringSim), 1-12. DOI: 10.23919/SpringSim.2019.8732899. Online publication date: Apr-2019
  • (2019) Data-driven Anomaly Detection with Timing Features for Embedded Systems. ACM Transactions on Design Automation of Electronic Systems 24:3 (1-27). DOI: 10.1145/3279949. Online publication date: 2-Apr-2019
