TY - GEN
T1 - Analysis of control flow events for timing-based runtime anomaly detection
AU - Lu, Sixing
AU - Lysecky, Roman
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/10/4
Y1 - 2015/10/4
N2 - Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network-connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.
AB - Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network-connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.
KW - Anomaly detection
KW - Embedded system security
KW - Network-connected pacemaker
KW - Software security
KW - Timing based detection
UR - http://www.scopus.com/inward/record.url?scp=84983185761&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84983185761&partnerID=8YFLogxK
U2 - 10.1145/2818362.2818365
DO - 10.1145/2818362.2818365
M3 - Conference contribution
AN - SCOPUS:84983185761
T3 - Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015
BT - Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015
PB - Association for Computing Machinery, Inc
T2 - 10th Workshop on Embedded Systems Security, WESS 2015
Y2 - 4 October 2015 through 9 October 2015
ER -