Persistent Link:
http://hdl.handle.net/10150/626111
Title:
Non-intrusive Runtime Anomaly Detection for Embedded Systems
Author:
Lu, Sixing
Issue Date:
2017
Publisher:
The University of Arizona.
Rights:
Copyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
Embargo:
Release after 26-Sep-2018
Abstract:
Malware is a serious threat to network-connected embedded systems, as evidenced by the continued and rapid growth of such devices, commonly referred to as the Internet of Things. Their ubiquitous use in critical applications requires robust protection to ensure user safety and privacy. That protection must be applied to all system aspects, extending beyond protecting the network and external interfaces. Anomaly detection is one of the last lines of defense against malware; it can detect malware in embedded systems effectively and, relative to signature-based detection methods, has the advantage of detecting zero-day exploits. However, embedded systems, particularly edge devices, face several challenges in applying data-driven anomaly detection, including the unpredictability of malware, limited tolerance to long data collection windows, and limited computing/energy resources. In this dissertation, we present a formal runtime security model that defines the normal system behavior, including execution sequence and execution timing. We utilize both lumped timing and subcomponent timing information of software execution, the latter of which includes intrinsic software execution, instruction cache misses, and data cache misses, to detect anomalies at runtime based on ranges, multi-dimensional Euclidean distance, and classification. We design several on-chip hardware detectors implementing these data-driven detection methods, which non-intrusively measure the lumped/subcomponent timing of all system/function calls of the embedded application through the trace port of the processor and detect malicious activity at runtime. We evaluate the detection accuracy, false positives, area overhead, power consumption, and detection latency of the presented detector designs with two network-connected embedded system prototypes and several mimicry attacks.
We further analyze the properties of the timing distribution for control flow events and select a subset of monitoring targets by three selection metrics to meet hardware constraints. Experimental results demonstrate that the subcomponent timing model provides sufficient features to achieve high detection accuracy with low false positive rates using a one-class support vector machine, even when sophisticated mimicry malware is considered.
Type:
text; Electronic Dissertation
Degree Name:
Ph.D.
Degree Level:
doctoral
Degree Program:
Graduate College; Electrical & Computer Engineering
Degree Grantor:
University of Arizona
Advisor:
Lysecky, Roman

Full metadata record

DC Field                      | Value                                                          | Language
dc.language.iso               | en_US                                                          | en
dc.title                      | Non-intrusive Runtime Anomaly Detection for Embedded Systems   | en_US
dc.creator                    | Lu, Sixing                                                     | en
dc.contributor.author         | Lu, Sixing                                                     | en
dc.date.issued                | 2017                                                           |
dc.publisher                  | The University of Arizona.                                     | en
dc.rights                     | Copyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author. | en
dc.description.release        | Release after 26-Sep-2018                                      | en
dc.type                       | text                                                           | en
dc.type                       | Electronic Dissertation                                        | en
thesis.degree.name            | Ph.D.                                                          | en
thesis.degree.level           | doctoral                                                       | en
thesis.degree.discipline      | Graduate College                                               | en
thesis.degree.discipline      | Electrical & Computer Engineering                              | en
thesis.degree.grantor         | University of Arizona                                          | en
dc.contributor.advisor        | Lysecky, Roman                                                 | en
dc.contributor.committeemember | Lysecky, Roman                                                | en
dc.contributor.committeemember | Rozenblit, Jerzy W.                                           | en
dc.contributor.committeemember | Lazos, Loukas                                                 | en