Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection
ACM Transactions on Embedded Computing Systems (IF 2.8). Pub Date: 2021-01-04. DOI: 10.1145/3432590
Nadir A. Carreon, Sixing Lu, Roman Lysecky
With billions of networked embedded systems, the security historically provided by the isolation of embedded systems is no longer sufficient. Millions of new malware samples are created every month and zero-day attacks are an increasing concern. Proactive security measures alone are therefore no longer enough to protect embedded systems. Instead, reactive approaches are needed that detect attacks which circumvent the proactive defenses and react to them. Anomaly-based detection is a common reactive approach that detects malware by monitoring anomalous deviations in the system's execution. Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers protection against mimicry malware that sequence-based anomaly detection does not. However, previous timing-based anomaly detection methods consider each operation independently, at the granularity of tasks, function calls, system calls, or basic blocks. These approaches neither consider the entire software execution path nor provide a quantitative estimate of the presence of malware. This article presents a novel model for specifying the normal timing of execution paths in software applications using cumulative distribution functions of timing data in sliding execution windows. A probabilistic formulation is used to estimate the presence of malware for individual operations and for sequences of operations within the paths. Operation- and path-based thresholds are determined during the training process to minimize false positives. Finally, the article presents an optimization method to assist system developers in selecting which operations to monitor based on different optimization goals and constraints. Experimental results with a smart connected pacemaker, an unmanned aerial vehicle, and seven sophisticated mimicry malware samples implemented at different levels demonstrate the effectiveness of the proposed approach.
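The following is an added illustration of the detection idea summarized in the abstract; it is not the authors' code and does not reproduce their exact model. It builds a per-operation empirical CDF of execution time from benign training traces, turns each observed timing into a per-operation "looks like malware" estimate (one minus the two-sided empirical tail mass), aggregates those estimates over a sliding window of consecutive operations as the sequence-level estimate, and fixes operation- and window-level thresholds from held-out benign traces so those traces raise no false positives. The path (`sense`, `filter`, `actuate`), the timing numbers, the window size, the margin, the mean-of-window aggregation and the mimicry model are all assumptions made for the example. The point it demonstrates is the one the abstract makes: a mimicry attack that keeps every individual timing inside the observed range passes the per-operation check but is caught at the window level.

```python
"""Timing-based anomaly detection over an execution path (added illustration).

Not the paper's code: a simplified instance of per-operation timing CDFs,
per-operation and sliding-window malware estimates, and thresholds fixed during
training. Operation names, timings and the scoring formula are assumptions.
"""
from bisect import bisect_left, bisect_right
from collections import defaultdict
import random

# Hypothetical pacemaker-style control loop: (base latency, jitter) in cycles.
# Constructed numbers, not measurements from any device.
PATH = ["sense", "filter", "actuate"]
NOMINAL = {"sense": (1000, 50), "filter": (2000, 100), "actuate": (500, 50)}


def normal_trace(rng, iterations):
    """One benign run of the path as (operation, timing) pairs."""
    return [(op, NOMINAL[op][0] + rng.randint(0, NOMINAL[op][1]))
            for _ in range(iterations) for op in PATH]


def mimicry_trace(rng, iterations):
    """Mimicry malware: same operation sequence, every timing kept inside the
    range seen in training (top two values), so no single operation looks odd."""
    return [(op, NOMINAL[op][0] + NOMINAL[op][1] - rng.randint(0, 1))
            for _ in range(iterations) for op in PATH]


class TimingModel:
    def __init__(self, window=16, margin=0.02):
        self.window = window        # operations per sliding execution window
        self.margin = margin        # slack above the worst benign window score
        self.samples = {}           # op -> sorted training timings (empirical CDF)
        self.op_threshold = {}
        self.path_threshold = 1.0

    def fit(self, train_traces):
        by_op = defaultdict(list)
        for trace in train_traces:
            for op, t in trace:
                by_op[op].append(t)
        self.samples = {op: sorted(ts) for op, ts in by_op.items()}

    def op_estimate(self, op, t):
        """Malware estimate for one operation: 1 minus the two-sided empirical
        tail mass at t. About 0.5 at the median, 1 - 1/n at the extremes of the
        training data, exactly 1.0 for a timing never seen in training."""
        s = self.samples.get(op)
        if not s:
            return 1.0
        n = len(s)
        tail = min(bisect_right(s, t), n - bisect_left(s, t)) / n
        return 1.0 - tail

    def window_estimates(self, trace):
        """Per-operation estimates plus the sequence-level estimate (mean) for
        every sliding window of `window` consecutive operations."""
        ops = [self.op_estimate(op, t) for op, t in trace]
        w = self.window
        return ops, [sum(ops[i:i + w]) / w for i in range(len(ops) - w + 1)]

    def calibrate(self, clean_traces):
        """Set thresholds to the worst scores on held-out benign traces, so those
        traces produce zero false positives; margin trades FPs for sensitivity."""
        worst_op, worst_path = defaultdict(float), 0.0
        for trace in clean_traces:
            ops, wins = self.window_estimates(trace)
            for (op, _), est in zip(trace, ops):
                worst_op[op] = max(worst_op[op], est)
            worst_path = max(worst_path, max(wins, default=0.0))
        self.op_threshold = dict(worst_op)
        self.path_threshold = min(1.0, worst_path + self.margin)

    def detect(self, trace):
        """Return (indices of operation-level alerts, indices of window alerts)."""
        ops, wins = self.window_estimates(trace)
        op_alerts = [i for i, ((op, _), est) in enumerate(zip(trace, ops))
                     if est > self.op_threshold.get(op, 0.0)]
        path_alerts = [i for i, est in enumerate(wins) if est > self.path_threshold]
        return op_alerts, path_alerts


def demo():
    rng = random.Random(1)
    model = TimingModel()
    model.fit([normal_trace(rng, 2000)])
    model.calibrate([normal_trace(rng, 2000)])
    clean = normal_trace(rng, 20)
    mimicry = mimicry_trace(rng, 20)
    delayed = list(clean)                      # one gross delay in a clean run
    op, t = delayed[7]
    delayed[7] = (op, t + 10 * NOMINAL[op][1])
    return {"clean": model.detect(clean), "mimicry": model.detect(mimicry),
            "delayed": model.detect(delayed)}


if __name__ == "__main__":
    for name, (op_alerts, path_alerts) in demo().items():
        print(f"{name:8s} op-level alerts={op_alerts} window alerts={len(path_alerts)}")
```

Two design points worth noting. The estimate is exactly 1.0 only for a timing outside the training range, so a single grossly delayed operation always trips the operation-level threshold, while the mimicry run, which never leaves that range, is invisible at that level and is only exposed because every window of consecutive operations sits in the slow tail. The margin added to the window threshold is the knob the paper's thresholding step exposes in spirit: raising it lowers false positives on unseen benign runs at the cost of letting a subtler mimicry delay through.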

Updated: 2021-01-04