Mini-Me, You Complete Me! Data-Driven Drone Security via DNN-based Approximate Computing

The safe operation of robotic aerial vehicles (RAV) requires effective security protection of their controllers against cyber-physical attacks. The frequency and sophistication of past attacks against such embedded platforms highlight the need for better defense mechanisms. Existing estimation-based control monitors have tradeoffs, with lightweight linear state estimators lacking sufficient coverage, and heavier data-driven learned models facing implementation and accuracy issues on a constrained real-time RAV. We present Mini-Me, a data-driven online monitoring framework that models the program-level control state dynamics to detect runtime data-oriented attacks against RAVs. Mini-Me leverages the internal dataflow information and control variable dependencies of RAV controller functions to train a neural network-based approximate model as the lightweight replica of the original controller programs. Mini-Me runs the minimal approximate model and detects malicious control state deviation by comparing the estimated outputs with those outputs calculated by the original controller program. We demonstrate Mini-Me on a widely adopted RAV physical model as well as popular RAV virtual models based on open-source firmware, ArduPilot and PX4, and show its effectiveness in detecting five types of attack cases with an average 0.34% space overhead and 2.6% runtime overhead.
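The runtime comparison step described in the abstract can be sketched as follows; this is an added example, not code from the paper or from ArduPilot/PX4, and it is narrowed to the monitoring check (model training is omitted). The PD controller, its gains, the hand-set replica weights, the `threshold` and `window` values, and the input trace are all assumptions constructed for illustration.

```python
# Added illustration, not Mini-Me's code. Gains, weights, threshold and window are assumptions.

def clamp(v, lo=-1.0, hi=1.0):
    return max(lo, min(hi, v))

class Controller:
    """Stand-in for a firmware control function: saturated PD law on attitude error."""
    def __init__(self, kp=2.0, kd=0.5):
        self.kp, self.kd = kp, kd  # control parameters living in writable memory

    def step(self, err, derr):
        return clamp(self.kp * err + self.kd * derr)

def relu(v):
    return v if v > 0.0 else 0.0

# Replica network: 2 inputs -> 2 ReLU units -> 1 output. The weights are hand-set to
# imitate an imperfectly trained approximation (gains 1.9/0.45 instead of 2.0/0.5).
W1, B1 = [(1.9, 0.45), (1.9, 0.45)], [1.0, -1.0]
W2, B2 = [1.0, -1.0], -1.0

def replica(err, derr):
    hidden = [relu(w[0] * err + w[1] * derr + b) for w, b in zip(W1, B1)]
    return sum(w * h for w, h in zip(W2, hidden)) + B2

def run(ctrl, trace, tamper_step=None):
    """Log (err, derr, output) per cycle; optionally corrupt kp mid-run (constructed fault)."""
    records = []
    for i, (err, derr) in enumerate(trace):
        if i == tamper_step:
            ctrl.kp = -ctrl.kp  # simulated corruption of a control variable
        records.append((err, derr, ctrl.step(err, derr)))
    return records

def monitor(records, threshold=0.2, window=3):
    """Index of the cycle where the residual has exceeded threshold for `window`
    consecutive cycles, or None. The window absorbs one-off approximation error."""
    streak = 0
    for i, (err, derr, observed) in enumerate(records):
        streak = streak + 1 if abs(observed - replica(err, derr)) > threshold else 0
        if streak >= window:
            return i
    return None

# Constructed input trace: attitude error decaying from 0.8 to 0.04 rad.
TRACE = [(0.8 - 0.04 * k, -0.1) for k in range(20)]

if __name__ == "__main__":
    print("benign  :", monitor(run(Controller(), TRACE)))
    print("tampered:", monitor(run(Controller(), TRACE, tamper_step=10)))
```

The consecutive-cycle window is what lets the monitor tolerate the replica's approximation error and isolated glitches while still flagging a sustained deviation within a few control cycles.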
