Exploring ICMetrics to detect abnormal program behaviour on embedded devices

Execution of unknown or malicious software on an embedded system may trigger harmful system behaviour targeted at stealing sensitive data and/or causing damage to the system. It is thus considered a potential and significant threat to the security of embedded systems. Generally, the resource-constrained nature of commercial off-the-shelf (COTS) embedded devices, such as embedded medical equipment, does not allow computationally expensive protection solutions to be deployed on these devices, rendering them vulnerable. Self-Organising Map (SOM) based and Fuzzy C-means based approaches are proposed in this paper for detecting abnormal program behaviour to boost embedded system security. The presented technique extracts features derived from the processor's Program Counter (PC) and Cycles per Instruction (CPI), and then utilises the features to identify abnormal behaviour using the SOM. Results achieved in our experiment show that the proposed SOM based and Fuzzy C-means based methods can identify unknown program behaviours not included in the training set with 90.9% and 98.7% accuracy.
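
An added example, not the authors' implementation: a small one-dimensional SOM trained on per-window feature vectors of (normalised mean PC, mean CPI) from known programs, which flags a window as abnormal when its distance to the best-matching node exceeds the largest training distance plus a slack. The feature definition, the threshold rule, every parameter and the trace data are assumptions constructed for illustration; the accuracies reported in the abstract are not reproduced here.

```python
import math
import random

def best_match(nodes, x):
    """Return (index, distance) of the SOM node closest to feature vector x."""
    dists = [math.dist(w, x) for w in nodes]
    i = min(range(len(nodes)), key=dists.__getitem__)
    return i, dists[i]

def train_som(samples, n_nodes=6, epochs=40, seed=7):
    """Train a 1-D SOM; nodes start as copies of randomly chosen training samples."""
    rng = random.Random(seed)
    nodes = [list(rng.choice(samples)) for _ in range(n_nodes)]
    for epoch in range(epochs):
        frac = epoch / epochs
        lr = 0.5 * (1.0 - frac)                 # learning rate decays linearly
        sigma = max(0.3, 2.0 * (1.0 - frac))    # neighbourhood width shrinks
        for x in rng.sample(samples, len(samples)):
            bmu = best_match(nodes, x)[0]
            for i, w in enumerate(nodes):
                h = math.exp(-((i - bmu) ** 2) / (2 * sigma ** 2))
                for d in range(len(w)):
                    w[d] += lr * h * (x[d] - w[d])   # pull node towards the sample
    return nodes

def fit_threshold(nodes, samples, slack=0.1):
    """Largest quantisation error on the training set plus a fixed slack (assumed rule)."""
    return max(best_match(nodes, x)[1] for x in samples) + slack

def is_abnormal(nodes, threshold, x):
    """A window is abnormal when no node lies within the threshold distance."""
    return best_match(nodes, x)[1] > threshold

def windows(center, n, rng, jitter=0.03):
    """Constructed (normalised mean PC, mean CPI) vectors scattered around a centre."""
    return [(center[0] + rng.uniform(-jitter, jitter),
             center[1] + rng.uniform(-jitter, jitter)) for _ in range(n)]

_rng = random.Random(1)
TRAIN = windows((0.20, 1.2), 40, _rng) + windows((0.60, 1.8), 40, _rng)  # two known programs
KNOWN_HOLDOUT = windows((0.20, 1.2), 10, _rng) + windows((0.60, 1.8), 10, _rng)
UNKNOWN = windows((0.90, 4.0), 10, _rng)                                  # program absent from training
NODES = train_som(TRAIN)
THRESHOLD = fit_threshold(NODES, TRAIN)

if __name__ == "__main__":
    print("known windows flagged:", sum(is_abnormal(NODES, THRESHOLD, x) for x in KNOWN_HOLDOUT))
    print("unknown windows flagged:", sum(is_abnormal(NODES, THRESHOLD, x) for x in UNKNOWN))
```

Because the CPI axis is left unscaled while the PC is normalised to [0, 1], CPI dominates the distance here; on real traces both features would need comparable scaling before training.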
