Subcomponent timing-based detection of malware in embedded systems

Sixing Lu; Roman L Lysecky; Jerzy W Rozenblit

doi:10.1109/ICCD.2017.12

Subcomponent timing-based detection of malware in embedded systems

Sixing Lu, Roman L Lysecky, Jerzy W Rozenblit

Electrical and Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Scopus citations

Abstract

Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.

Original language	English (US)
Title of host publication	Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	17-24
Number of pages	8
ISBN (Electronic)	9781538622544
DOIs	https://doi.org/10.1109/ICCD.2017.12
State	Published - Nov 22 2017
Event	35th IEEE International Conference on Computer Design, ICCD 2017 - Boston, United States Duration: Nov 5 2017 → Nov 8 2017

Other

Other	35th IEEE International Conference on Computer Design, ICCD 2017
Country	United States
City	Boston
Period	11/5/17 → 11/8/17

Fingerprint

Keywords

Anomaly detection
Embedded system security
Non-intrusive
Timing subcomponents
Timing-based detection

ASJC Scopus subject areas

Hardware and Architecture

Cite this

Lu, S., Lysecky, R. L., & Rozenblit, J. W. (2017). Subcomponent timing-based detection of malware in embedded systems. In Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017 (pp. 17-24). [8119185] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICCD.2017.12

Lu, S, Lysecky, RL & Rozenblit, JW 2017, Subcomponent timing-based detection of malware in embedded systems. in Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017., 8119185, Institute of Electrical and Electronics Engineers Inc., pp. 17-24, 35th IEEE International Conference on Computer Design, ICCD 2017, Boston, United States, 11/5/17. https://doi.org/10.1109/ICCD.2017.12

@inproceedings{7fbfe360728c4df1aacb1b59cbd9b51f,

title = "Subcomponent timing-based detection of malware in embedded systems",

abstract = "Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.",

keywords = "Anomaly detection, Embedded system security, Non-intrusive, Timing subcomponents, Timing-based detection",

author = "Sixing Lu and Lysecky, {Roman L} and Rozenblit, {Jerzy W}",

year = "2017",

month = nov,

day = "22",

doi = "10.1109/ICCD.2017.12",

language = "English (US)",

pages = "17--24",

booktitle = "Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

note = "35th IEEE International Conference on Computer Design, ICCD 2017 ; Conference date: 05-11-2017 Through 08-11-2017",

}

TY - GEN

T1 - Subcomponent timing-based detection of malware in embedded systems

AU - Lu, Sixing

AU - Lysecky, Roman L

AU - Rozenblit, Jerzy W

PY - 2017/11/22

Y1 - 2017/11/22

N2 - Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.

AB - Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.

KW - Anomaly detection

KW - Embedded system security

KW - Non-intrusive

KW - Timing subcomponents

KW - Timing-based detection

UR - http://www.scopus.com/inward/record.url?scp=85041669772&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85041669772&partnerID=8YFLogxK

U2 - 10.1109/ICCD.2017.12

DO - 10.1109/ICCD.2017.12

M3 - Conference contribution

AN - SCOPUS:85041669772

SP - 17

EP - 24

BT - Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 35th IEEE International Conference on Computer Design, ICCD 2017

Y2 - 5 November 2017 through 8 November 2017

ER -

Access to Document

10.1109/ICCD.2017.12