Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems

Nadir Carreon; Allison Gilbreath; Roman Lysecky

doi:10.23919/SpringSim.2019.8732899

Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems

Nadir Carreon, Allison Gilbreath, Roman Lysecky

Electrical and Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Securing life-critical embedded systems, particularly medical devices, requires both proactive security measures that prevent intrusions and reactive measures that detect intrusions. This paper presents a novel model for specifying the normal timing for operations in software applications using cumulative distribution functions of timing subcomponent within sliding execution windows. We present a probabilistic formulation for estimating the presence of malware for individual operations by monitoring the internal timing of the different components of the system, and we define thresholds to minimize false positives based on training data. Experimental results with a smart connected pacemaker and three sophisticated mimicry malware scenarios demonstrate improved performance and accuracy compared to state-of-the-art timing-based malware detection

Original language	English (US)
Title of host publication	Simulation Series
Publisher	The Society for Modeling and Simulation International
Edition	5
ISBN (Electronic)	9781510892521, 9781510892538, 9781510892545, 9781510892552, 9781510892569
DOIs	https://doi.org/10.23919/SpringSim.2019.8732899
State	Published - 2019
Event	2019 Modeling and Simulation in Medicine, MSM 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019 - Tucson, United States Duration: Apr 29 2019 → May 2 2019

Publication series

Name	Simulation Series
Number	5
Volume	51
ISSN (Print)	0735-9276

Conference

Conference	2019 Modeling and Simulation in Medicine, MSM 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019
Country/Territory	United States
City	Tucson
Period	4/29/19 → 5/2/19

Keywords

Anomaly detection
Embedded system security
Non-intrusive hardware
Timing-based threat detection

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.23919/SpringSim.2019.8732899

Cite this

Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems. / Carreon, Nadir; Gilbreath, Allison; Lysecky, Roman.

Simulation Series. 5. ed. The Society for Modeling and Simulation International, 2019. (Simulation Series; Vol. 51, No. 5).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Carreon, N, Gilbreath, A & Lysecky, R 2019, Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems. in Simulation Series. 5 edn, Simulation Series, no. 5, vol. 51, The Society for Modeling and Simulation International, 2019 Modeling and Simulation in Medicine, MSM 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019, Tucson, United States, 4/29/19. https://doi.org/10.23919/SpringSim.2019.8732899

@inproceedings{04dd7e88db4b4dd5a9ffc64faf681f3a,

title = "Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems",

abstract = "Securing life-critical embedded systems, particularly medical devices, requires both proactive security measures that prevent intrusions and reactive measures that detect intrusions. This paper presents a novel model for specifying the normal timing for operations in software applications using cumulative distribution functions of timing subcomponent within sliding execution windows. We present a probabilistic formulation for estimating the presence of malware for individual operations by monitoring the internal timing of the different components of the system, and we define thresholds to minimize false positives based on training data. Experimental results with a smart connected pacemaker and three sophisticated mimicry malware scenarios demonstrate improved performance and accuracy compared to state-of-the-art timing-based malware detection",

keywords = "Anomaly detection, Embedded system security, Non-intrusive hardware, Timing-based threat detection",

author = "Nadir Carreon and Allison Gilbreath and Roman Lysecky",

note = "Funding Information: This research was partially supported by the National Science Foundation under Grant CNS-1615890. Publisher Copyright: {\textcopyright} 2019 Society for Modeling & Simulation International (SCS).; 2019 Modeling and Simulation in Medicine, MSM 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019 ; Conference date: 29-04-2019 Through 02-05-2019",

year = "2019",

doi = "10.23919/SpringSim.2019.8732899",

language = "English (US)",

series = "Simulation Series",

publisher = "The Society for Modeling and Simulation International",

number = "5",

booktitle = "Simulation Series",

edition = "5",

}

TY - GEN

T1 - Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems

AU - Carreon, Nadir

AU - Gilbreath, Allison

AU - Lysecky, Roman

N1 - Funding Information: This research was partially supported by the National Science Foundation under Grant CNS-1615890. Publisher Copyright: © 2019 Society for Modeling & Simulation International (SCS).

PY - 2019

Y1 - 2019

N2 - Securing life-critical embedded systems, particularly medical devices, requires both proactive security measures that prevent intrusions and reactive measures that detect intrusions. This paper presents a novel model for specifying the normal timing for operations in software applications using cumulative distribution functions of timing subcomponent within sliding execution windows. We present a probabilistic formulation for estimating the presence of malware for individual operations by monitoring the internal timing of the different components of the system, and we define thresholds to minimize false positives based on training data. Experimental results with a smart connected pacemaker and three sophisticated mimicry malware scenarios demonstrate improved performance and accuracy compared to state-of-the-art timing-based malware detection

AB - Securing life-critical embedded systems, particularly medical devices, requires both proactive security measures that prevent intrusions and reactive measures that detect intrusions. This paper presents a novel model for specifying the normal timing for operations in software applications using cumulative distribution functions of timing subcomponent within sliding execution windows. We present a probabilistic formulation for estimating the presence of malware for individual operations by monitoring the internal timing of the different components of the system, and we define thresholds to minimize false positives based on training data. Experimental results with a smart connected pacemaker and three sophisticated mimicry malware scenarios demonstrate improved performance and accuracy compared to state-of-the-art timing-based malware detection

KW - Anomaly detection

KW - Embedded system security

KW - Non-intrusive hardware

KW - Timing-based threat detection

UR - http://www.scopus.com/inward/record.url?scp=85073686757&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85073686757&partnerID=8YFLogxK

U2 - 10.23919/SpringSim.2019.8732899

DO - 10.23919/SpringSim.2019.8732899

M3 - Conference contribution

AN - SCOPUS:85073686757

T3 - Simulation Series

BT - Simulation Series

PB - The Society for Modeling and Simulation International

T2 - 2019 Modeling and Simulation in Medicine, MSM 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019

Y2 - 29 April 2019 through 2 May 2019

ER -

Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this