Analysis of control flow events for timing-based runtime anomaly detection

Sixing Lu, Roman L Lysecky

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Citations (Scopus)

Abstract

Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network- connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.

Original languageEnglish (US)
Title of host publicationProceedings of the 10th Workshop on Embedded Systems Security, WESS 2015
PublisherAssociation for Computing Machinery, Inc
ISBN (Electronic)9781450336673
DOIs
StatePublished - Oct 4 2015
Event10th Workshop on Embedded Systems Security, WESS 2015 - Amsterdam, Netherlands
Duration: Oct 4 2015Oct 9 2015

Other

Other10th Workshop on Embedded Systems Security, WESS 2015
CountryNetherlands
CityAmsterdam
Period10/4/1510/9/15

Fingerprint

Flow control
Hardware
Pacemakers
Embedded systems
Monitoring

Keywords

  • Anomaly detection
  • Embedded system security
  • Network-connected pacemaker
  • Software security
  • Timing based detection

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture

Cite this

Lu, S., & Lysecky, R. L. (2015). Analysis of control flow events for timing-based runtime anomaly detection. In Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015 [a3] Association for Computing Machinery, Inc. https://doi.org/10.1145/2818362.2818365

Analysis of control flow events for timing-based runtime anomaly detection. / Lu, Sixing; Lysecky, Roman L.

Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015. Association for Computing Machinery, Inc, 2015. a3.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Lu, S & Lysecky, RL 2015, Analysis of control flow events for timing-based runtime anomaly detection. in Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015., a3, Association for Computing Machinery, Inc, 10th Workshop on Embedded Systems Security, WESS 2015, Amsterdam, Netherlands, 10/4/15. https://doi.org/10.1145/2818362.2818365
Lu S, Lysecky RL. Analysis of control flow events for timing-based runtime anomaly detection. In Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015. Association for Computing Machinery, Inc. 2015. a3 https://doi.org/10.1145/2818362.2818365
Lu, Sixing ; Lysecky, Roman L. / Analysis of control flow events for timing-based runtime anomaly detection. Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015. Association for Computing Machinery, Inc, 2015.
@inproceedings{b28a59ce4d45413cafceacc56a3ff659,
title = "Analysis of control flow events for timing-based runtime anomaly detection",
abstract = "Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network- connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.",
keywords = "Anomaly detection, Embedded system security, Network-connected pacemaker, Software security, Timing based detection",
author = "Sixing Lu and Lysecky, {Roman L}",
year = "2015",
month = "10",
day = "4",
doi = "10.1145/2818362.2818365",
language = "English (US)",
booktitle = "Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015",
publisher = "Association for Computing Machinery, Inc",

}

TY - GEN

T1 - Analysis of control flow events for timing-based runtime anomaly detection

AU - Lu, Sixing

AU - Lysecky, Roman L

PY - 2015/10/4

Y1 - 2015/10/4

N2 - Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network- connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.

AB - Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network- connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.

KW - Anomaly detection

KW - Embedded system security

KW - Network-connected pacemaker

KW - Software security

KW - Timing based detection

UR - http://www.scopus.com/inward/record.url?scp=84983185761&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84983185761&partnerID=8YFLogxK

U2 - 10.1145/2818362.2818365

DO - 10.1145/2818362.2818365

M3 - Conference contribution

AN - SCOPUS:84983185761

BT - Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015

PB - Association for Computing Machinery, Inc

ER -