research-article
Open access

Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection

Published: 04 January 2021

Abstract

With billions of networked connected embedded systems, the security historically provided by the isolation of embedded systems is no longer sufficient. Millions of new malware are created every month and zero-day attacks are becoming an increasing concern. Therefore, proactive security measures are no longer enough to provide protection to embedded systems. Instead, reactive approaches that detect attacks that can circumvent the proactive defenses and react upon them are needed. Anomaly-based detection is a common reactive approach employed to detect malware by monitoring anomalous deviations in the system execution. Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers unique protection against mimicry malware compared to sequence-based anomaly detection. However, previous timing-based anomaly detection methods focus on each operation independently at the granularity of tasks, function calls, system calls, or basic blocks. These approaches neither consider the entire software execution path nor provide a quantitative estimate of the presence of malware. This article presents a novel model for specifying the normal timing for execution paths in software applications using cumulative distribution functions of timing data in sliding execution windows. A probabilistic formulation is used to estimate the presence of malware for individual operations and sequences of operations within the paths. Operation and path-based thresholds are determined during the training process to minimize false positives. Finally, the article presents an optimization method to assist system developers in selecting which operations to monitor based on different optimization goals and constraints. Experimental results with a smart connected pacemaker, an unmanned aerial vehicle, and seven sophisticated mimicry malware implemented at different levels demonstrate the effectiveness of the proposed approach.
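As an added illustration (not code from the paper, whose implementation is not reproduced on this page), the following Python sketch shows the shape of the approach the abstract describes: an empirical CDF per operation built from benign timing samples, a per-operation anomaly score taken from the CDF's tails, and a sliding window over the execution path whose operation and path thresholds are set on training data so that no training window fires. The operation names, timing values and window length are constructed assumptions, and the paper's actual probabilistic formulation may differ from this simplified version.

```python
import bisect
from statistics import mean

# Constructed benign training trace: (operation, execution time in cycles) for ten
# iterations of a hypothetical path read_sensor -> filter -> actuate. Made-up values.
OPS = ("read_sensor", "filter", "actuate")
TRAIN_TRACE = [(op, t) for trio in zip(
    [100, 102, 101, 99, 103, 100, 98, 104, 101, 100],    # read_sensor
    [250, 255, 248, 252, 260, 249, 251, 253, 247, 256],  # filter
    [80, 82, 79, 81, 83, 80, 78, 84, 81, 80])            # actuate
    for op, t in zip(OPS, trio)]
WINDOW = 3  # sliding execution window length, in operations (assumption)

class OpModel:
    """Empirical CDF of one operation's execution time, learned from benign samples."""
    def __init__(self, samples):
        self.s = sorted(samples)

    def anomaly(self, t):
        # Two-sided tail mass of t under the empirical CDF, i.e. min(P(X<=t), P(X>=t)).
        n = len(self.s)
        tail = min(bisect.bisect_right(self.s, t) / n,
                   (n - bisect.bisect_left(self.s, t)) / n)
        return max(0.0, 1.0 - 2.0 * tail)  # 0 = typical, 1 = outside training range

def train(trace, window=WINDOW):
    """Build per-operation CDFs and thresholds that never fire on the training trace."""
    samples = {}
    for op, t in trace:
        samples.setdefault(op, []).append(t)
    models = {op: OpModel(ts) for op, ts in samples.items()}
    scores = [models[op].anomaly(t) for op, t in trace]
    op_thr = {op: max(models[op].anomaly(t) for t in ts) for op, ts in samples.items()}
    path_thr = max(mean(scores[i:i + window]) for i in range(len(scores) - window + 1))
    return models, op_thr, path_thr

def detect(trace, models, op_thr, path_thr, window=WINDOW):
    """Alerts: ('op', i, score) for a single operation, ('path', i, score) for a window."""
    alerts, scores = [], []
    for i, (op, t) in enumerate(trace):
        s = models[op].anomaly(t)
        scores.append(s)
        if s > op_thr[op]:
            alerts.append(("op", i, s))
        if i + 1 >= window:
            w = mean(scores[i + 1 - window:i + 1])
            if w > path_thr:  # fires even when no single op crosses its own threshold
                alerts.append(("path", i, w))
    return alerts
```

A run in which every operation stays inside its training range but sits at the slow edge raises no per-operation alert, yet the window over the path does; a single far-out-of-range timing is caught by the per-operation check alone.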



Published In

ACM Transactions on Embedded Computing Systems, Volume 20, Issue 2, March 2021, 230 pages
ISSN: 1539-9087
EISSN: 1558-3465
DOI: 10.1145/3446664
Editor: Tulika Mitra

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 04 January 2021
Accepted: 01 October 2020
Revised: 01 September 2020
Received: 01 August 2019
Published in TECS Volume 20, Issue 2

Author Tags

  1. Embedded system security
  2. anomaly detection
  3. medical device security
  4. software security
  5. timing-based detection

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • (2024) A Survey on Security of UAV Swarm Networks: Attacks and Countermeasures. ACM Computing Surveys 57(3), 1-37. doi:10.1145/3703625. Online publication date: 22-Nov-2024
  • (2023) Run-time failure detection via non-intrusive event analysis in a large-scale cloud computing platform. Journal of Systems and Software 198, 111611. doi:10.1016/j.jss.2023.111611. Online publication date: Apr-2023
  • (2023) A comprehensive evaluation approach for efficient countermeasure techniques against timing side-channel attack on MPSoC-based IoT using multi-criteria decision-making methods. Egyptian Informatics Journal 24(2), 351-364. doi:10.1016/j.eij.2023.05.005. Online publication date: Jul-2023
  • (2022) Context-Aware Security Modes For Medical Devices. 2022 Annual Modeling and Simulation Conference (ANNSIM), 372-382. doi:10.23919/ANNSIM55834.2022.9859283. Online publication date: 18-Jul-2022
  • (2022) Silent Listening to Detect False Data Injection Attack and Recognize the Attacker in Smart Car Platooning. Computational Intelligence for Unmanned Aerial Vehicles Communication Networks, 145-165. doi:10.1007/978-3-030-97113-7_9. Online publication date: 30-Mar-2022
  • (2021) Specifics and Vulnerabilities of the Timing Control in Cyber-Physical Systems. Proceedings of the Technical University of Sofia 71(1). doi:10.47978/TUS.2021.71.01.004. Online publication date: 15-May-2021
