A Method for Detecting Abnormal Program Behavior on Embedded Devices

A potential threat to embedded systems is the execution of unknown or malicious software capable of triggering harmful system behavior, aimed at theft of sensitive data or causing damage to the system. Commercial off-the-shelf embedded devices, such as embedded medical equipment, are more vulnerable, as these types of products cannot be amended conventionally or have limited resources to implement protection mechanisms. In this paper, we present a self-organizing map (SOM)-based approach to enhance embedded system security by detecting abnormal program behavior. The proposed method extracts features derived from the processor's program counter and cycles per instruction, and then utilises the features to identify abnormal behavior using the SOM. Results achieved in our experiment show that the proposed method can identify unknown program behaviors not included in the training set with over 98.4% accuracy.
