TY - JOUR
T1 - Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection
AU - Carreon, Nadir A.
AU - Lu, Sixing
AU - Lysecky, Roman
N1 - Funding Information:
This research was partially supported by the National Science Foundation under Grant CNS-1615890. Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection. ACM Trans. On Embedded Computing Systems. (November 2020), 27 pages. Authors’ addresses: N. A. Carreón, S. Lu, R. Lysecky, University of Arizona, Tucson, Arizona, USA; emails: {nadir, sixinglu}@email.arizona.edu, rlysecky@ece.arizona.edu. © 2020 Association for Computing Machinery. 1539-9087/2020/12-ART14 https://doi.org/10.1145/3432590
Publisher Copyright:
© 2021 ACM.
PY - 2021/3
Y1 - 2021/3
N2 - With billions of networked connected embedded systems, the security historically provided by the isolation of embedded systems is no longer sufficient. Millions of new malware are created every month and zero-day attacks are becoming an increasing concern. Therefore, proactive security measures are no longer enough to provide protection to embedded systems. Instead, reactive approaches that detect attacks that can circumvent the proactive defenses and react upon them are needed. Anomaly-based detection is a common reactive approach employed to detect malware by monitoring anomalous deviations in the system execution. Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers unique protection against mimicry malware compared to sequence-based anomaly detection. However, previous timing-based anomaly detection methods focus on each operation independently at the granularity of tasks, function calls, system calls, or basic blocks. These approaches neither consider the entire software execution path nor provide a quantitative estimate of the presence of malware. This article presents a novel model for specifying the normal timing for execution paths in software applications using cumulative distribution functions of timing data in sliding execution windows. A probabilistic formulation is used to estimate the presence of malware for individual operations and sequences of operations within the paths. Operation and path-based thresholds are determined during the training process to minimize false positives. Finally, the article presents an optimization method to assist system developers in selecting which operations to monitor based on different optimization goals and constraints. Experimental results with a smart connected pacemaker, an unmanned aerial vehicle, and seven sophisticated mimicry malware implemented at different levels demonstrate the effectiveness of the proposed approach.
KW - Embedded system security
KW - anomaly detection
KW - medical device security
KW - software security
KW - timing-based detection
UR - http://www.scopus.com/inward/record.url?scp=85102980516&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85102980516&partnerID=8YFLogxK
U2 - 10.1145/3432590
DO - 10.1145/3432590
M3 - Article
AN - SCOPUS:85102980516
SN - 1539-9087
VL - 20
JO - Transactions on Embedded Computing Systems
JF - Transactions on Embedded Computing Systems
IS - 2
M1 - 3432590
ER -