Abstract
Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.
| Original language | English (US) |
|---|---|
| Title of host publication | Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017 |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| Pages | 17-24 |
| Number of pages | 8 |
| ISBN (Electronic) | 9781538622544 |
| DOIs | |
| State | Published - Nov 22 2017 |
| Event | 35th IEEE International Conference on Computer Design, ICCD 2017 - Boston, United States Duration: Nov 5 2017 → Nov 8 2017 |
Other
| Other | 35th IEEE International Conference on Computer Design, ICCD 2017 |
|---|---|
| Country | United States |
| City | Boston |
| Period | 11/5/17 → 11/8/17 |
Fingerprint
Keywords
- Anomaly detection
- Embedded system security
- Non-intrusive
- Timing subcomponents
- Timing-based detection
ASJC Scopus subject areas
- Hardware and Architecture
Cite this
Subcomponent timing-based detection of malware in embedded systems. / Lu, Sixing; Lysecky, Roman L; Rozenblit, Jerzy W.
Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 17-24 8119185.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - Subcomponent timing-based detection of malware in embedded systems
AU - Lu, Sixing
AU - Lysecky, Roman L
AU - Rozenblit, Jerzy W
PY - 2017/11/22
Y1 - 2017/11/22
N2 - Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.
AB - Network-connected embedded systems require multiple lines of defense against malware. In addition to preventing malware by designing secure interfaces and software, anomaly-based detection is needed to detect malware that successfully infiltrates these defenses. Timing based anomaly detection strengthens embedded system security by detecting anomalies in the execution time of critical software tasks. However, existing timing based anomaly detection methods use a lumped timing model that aggregates the timing of the software, processor architecture, operating system scheduling, etc., and thereby incurs significant variability. We present a non-intrusive hardware detector supporting two novel timing models, including a lumped timing multi-range model that clusters timing into multiple range bounds, and a subcomponent timing model that defines bounds for timing subcomponents of events. Timing subcomponents include intrinsic software execution, instruction cache misses, data cache misses, and interrupts. The experimental results demonstrate that the detection based on subcomponent timing model achieves greater malware detection accuracy compared to the lumped timing model without increasing false positives.
KW - Anomaly detection
KW - Embedded system security
KW - Non-intrusive
KW - Timing subcomponents
KW - Timing-based detection
UR - http://www.scopus.com/inward/record.url?scp=85041669772&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85041669772&partnerID=8YFLogxK
U2 - 10.1109/ICCD.2017.12
DO - 10.1109/ICCD.2017.12
M3 - Conference contribution
AN - SCOPUS:85041669772
SP - 17
EP - 24
BT - Proceedings - 35th IEEE International Conference on Computer Design, ICCD 2017
PB - Institute of Electrical and Electronics Engineers Inc.
ER -