Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters

We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.

[1]  Ramesh Karri,et al.  Reusing Hardware Performance Counters to Detect and Identify Kernel Control-Flow Modifying Rootkits , 2016, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[2]  Radford M. Neal Pattern Recognition and Machine Learning , 2007, Technometrics.

[3]  Adnan Darwiche,et al.  Modeling and Reasoning with Bayesian Networks , 2009 .

[4]  Salvatore J. Stolfo,et al.  Unsupervised Anomaly-Based Malware Detection Using Hardware Features , 2014, RAID.

[5]  Ramesh Karri,et al.  Are hardware performance counters a cost effective way for integrity checking of programs , 2011, STC '11.

[6]  Ramesh Karri,et al.  NumChecker: Detecting kernel control-flow modifying rootkits by using Hardware Performance Counters , 2013, 2013 50th ACM/EDAC/IEEE Design Automation Conference (DAC).

[7]  Jörg Henkel,et al.  Emerging (un-)reliability based security threats and mitigations for embedded systems: special session , 2017, CASES.

[8]  E. Byres,et al.  The Myths and Facts behind Cyber Security Risks for Industrial Control Systems , 2004 .

[9]  Zhiyuan Zheng,et al.  Safeguarding Building Automation Networks: THE-Driven Anomaly Detector Based on Traffic Analysis , 2017, 2017 26th International Conference on Computer Communication and Networks (ICCCN).

[10]  Michail Maniatakos,et al.  Malicious Firmware Detection with Hardware Performance Counters , 2016, IEEE Transactions on Multi-Scale Computing Systems.

[11]  Robert J. Turk Cyber Incidents Involving Control Systems , 2005 .

[12]  E. F. Vogel,et al.  A plant-wide industrial process control problem , 1993 .

[13]  Robert Tibshirani,et al.  The Elements of Statistical Learning: Data Mining, Inference, and Prediction, 2nd Edition , 2001, Springer Series in Statistics.

[14]  Prashanth Krishnamurthy,et al.  A Game Theoretic Approach to Design a Resilient Controller For a Nonlinear Discrete System , 2017 .

[15]  Ramesh Karri,et al.  Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing , 2016, ACM Trans. Archit. Code Optim..

[16]  Kevin P. Murphy,et al.  Machine learning - a probabilistic perspective , 2012, Adaptive computation and machine learning series.

[17]  Michail Maniatakos,et al.  Machine learning-based defense against process-aware attacks on Industrial Control Systems , 2016, 2016 IEEE International Test Conference (ITC).

[18]  Jean-Pierre Seifert,et al.  Poster: Towards detecting DMA malware , 2011, CCS '11.

[19]  Iliano Cervesato,et al.  On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters , 2017, AsiaCCS.

[20]  D. Kushner,et al.  The real story of stuxnet , 2013, IEEE Spectrum.

[21]  Masoud Nikravesh,et al.  Feature Extraction: Foundations and Applications (Studies in Fuzziness and Soft Computing) , 2006 .

[22]  Ramesh Karri,et al.  Process-Aware Covert Channels Using Physical Instrumentation in Cyber-Physical Systems , 2018, IEEE Transactions on Information Forensics and Security.

[23]  A. Atiya,et al.  Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond , 2005, IEEE Transactions on Neural Networks.

[24]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[25]  Alberto Garcia-Serrano,et al.  Anomaly Detection for malware identification using Hardware Performance Counters , 2015, ArXiv.

[26]  Ramesh Karri,et al.  BRAIN: BehavioR Based Adaptive Intrusion Detection in Networks: Using Hardware Performance Counters to Detect DDoS Attacks , 2016, 2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems (VLSID).

[27]  Debdeep Mukhopadhyay,et al.  RAPPER: Ransomware Prevention via Performance Counters , 2018, ArXiv.

[28]  Sai Praveen Kadiyala,et al.  Hardware performance counters based runtime anomaly detection using SVM , 2017, 2017 TRON Symposium (TRONSHOW).

[29]  Ramesh Karri,et al.  Cybersecurity for Control Systems: A Process-Aware Perspective , 2016, IEEE Design & Test.

[30]  Mahdi Abadi,et al.  HPCMalHunter: Behavioral malware detection using hardware performance counters and singular value decomposition , 2014, 2014 4th International Conference on Computer and Knowledge Engineering (ICCKE).

[31]  Vladimir N. Vapnik,et al.  The Nature of Statistical Learning Theory , 2000, Statistics for Engineering and Information Science.

[32]  Avishai Wool,et al.  Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems , 2013, Int. J. Crit. Infrastructure Prot..

[33]  Michail Maniatakos,et al.  The Cybersecurity Landscape in Industrial Control Systems , 2016, Proceedings of the IEEE.

[34]  Salvatore J. Stolfo,et al.  On the feasibility of online malware detection with performance counters , 2013, ISCA.