Non-intrusive Runtime Anomaly Detection for Embedded Systems

Abstract

Malware is a serious threat to network-connected embedded systems, as evidenced by the continued and rapid growth of such devices, commonly referred to as of the Internet of Things. Their ubiquitous use in critical applications require robust protection to ensure user safety and privacy. That protection must be applied to all system aspects, extending beyond protecting the network and external interfaces. Anomaly detection is one of the last lines of defense against malware, it can detect malware in embedded systems effectively and provide the advantage of detecting zero-day exploits relative to signature-based detection methods. However, embedded systems, particularly edge devices, face several challenges in applying data-driven anomaly detection, including unpredictability of malware, limited tolerance to long data collection windows, and limited computing/energy resources. In this dissertation, we present a formal runtime security model that defines the normal system behavior including execution sequence and execution timing. We utilize both lumped timing and subcomponent timing information of software execution, the latter of which includes intrinsic software execution, instruction cache misses, and data cache misses, to detect the anomalies based on ranges, multi-dimensional Euclidean distance, and classification at runtime. We design several on-chip hardware detectors implementing these data-driven detection methods, which non-intrusively measure lumped/subcomponent timing of all system/function calls of the embedded application through trace port of the processor and detect malicious activity at runtime. We evaluate the detection accuracy, false positives, area overhead, power consumption, and detection latency of the presented detector designs with two network-connected embedded system prototypes and several mimicry attacks. We further analyze the properties of the timing distribution for control flow events, and select subset of monitoring targets by three selection metrics to meet hardware constraint. Experimental results demonstrate that the subcomponent timing model provides sufficient features to achieve high detection accuracy with low false positive rates using a one-class support vector machine, considering sophisticated mimicry malware.