Real-Time Detection and Suppression of Malicious Attacks Using Machine Learning and Processor Core Events

Detecting and suppressing malicious attacks continues to challenge designers and users of embedded and edge processing systems. Embedded systems and IoT devices are becoming more prevalent and they are evolving to accommodate the increased complexity requirements of edge computing by incorporating increasing levels of advanced security, energy efficiency, connectivity, performance, and increased computational power to support, for example, machine learning intelligence. These capabilities can be used in a collaborative way to provide a means for detecting a family of side channel malware attacks based upon the exploitation of timing side channels arising from cache and branch prediction circuitry. The SPECTRE exploit serves as the exemplary attack based on data cache timing side channels; however, many variants of this attack have emerged and continue to emerge. Due to the increasing proliferation of this class of devices and the continuing emergence of new variants of timing side channel attacks, there is motivation to develop a malware detection approach that is suitable for embedded and edge processing-based systems that requires minimal computational resources, is robust under varying load conditions, and that is capable of detecting any of a number of different variants of this attack, including zero-day versions. The detection approach is demonstrated to be applicable to variants of the classic SPECTRE attack including the micro-ops cache attack that exploits X86 architectures. The method monitors concurrent processes running on a Linux-based system operating in an edge-computing device to detect if one or more of the processes implements a timing-based side channel attack . Furthermore, the malware detection approach is designed to be lightweight in the sense that it requires minimal computing resources and offers rapid detection times since it uses existing on-chip hardware, pre-programmed event or performance counters, as a data source combined with a simple but effective SVM to detect variants of malicious exploits that may be present within a standard application process. Upon detection of a malicious process, the edge device could automatically suspend or kill the detected and offending process. A feature selection technique is used to select the most appropriate CPU events that indicate the presence of the targeted malware family and to improve performance results and system efficiency. Analysis results are included that evaluated a number of different detection approaches to justify the selection of an SVM due to the tradeoff of accuracy versus computational resource requirements. This approach is demonstrated through implementations on both ARM and X86 instruction set architectures and provide experimental results regarding its accuracy and performance. Detection performance is characterized by a number of metrics including ROC curves. Experimental results assess the robustness of the malware detection approach. The detection of one variant of the cache timing attack is evaluated when the SVM is trained using a different variant. The detection accuracy over a variety of different and varying load conditions is evaluated. Finally, an evaluation of robustness is evaluated by injecting noise into the event counter data at increasing levels until significant detection failures are observed

A universal setup for active control of a single-photon detector

The influence of bright light on a single-photon detector has been described in a number of recent publications. The impact on quantum key distribution (QKD) is important, and several hacking experiments have been tailored to fully control single-photon detectors. Special attention has been given to avoid introducing further errors into a QKD system. We describe the design and technical details of an apparatus which allows to attack a quantum-cryptographic connection. This device is capable of controlling free-space and fiber-based systems and of minimizing unwanted clicks in the system. With different control diagrams, we are able to achieve a different level of control. The control was initially targeted to the systems using BB84 protocol, with polarization encoding and basis switching using beamsplitters, but could be extended to other types of systems. We further outline how to characterize the quality of active control of single-photon detectors.Comment: 10 pages, 10 figure

Selective Jamming of LoRaWAN using Commodity Hardware

Long range, low power networks are rapidly gaining acceptance in the Internet of Things (IoT) due to their ability to economically support long-range sensing and control applications while providing multi-year battery life. LoRa is a key example of this new class of network and is being deployed at large scale in several countries worldwide. As these networks move out of the lab and into the real world, they expose a large cyber-physical attack surface. Securing these networks is therefore both critical and urgent. This paper highlights security issues in LoRa and LoRaWAN that arise due to the choice of a robust but slow modulation type in the protocol. We exploit these issues to develop a suite of practical attacks based around selective jamming. These attacks are conducted and evaluated using commodity hardware. The paper concludes by suggesting a range of countermeasures that can be used to mitigate the attacks.Comment: Mobiquitous 2017, November 7-10, 2017, Melbourne, VIC, Australi

Vulnerability analysis of satellite-based synchronized smart grids monitoring systems

The large-scale deployment of wide-area monitoring systems could play a strategic role in supporting the evolution of traditional power systems toward smarter and self-healing grids. The correct operation of these synchronized monitoring systems requires a common and accurate timing reference usually provided by a satellite-based global positioning system. Although these satellites signals provide timing accuracy that easily exceeds the needs of the power industry, they are extremely vulnerable to radio frequency interference. Consequently, a comprehensive analysis aimed at identifying their potential vulnerabilities is of paramount importance for correct and safe wide-area monitoring system operation. Armed with such a vision, this article presents and discusses the results of an experimental analysis aimed at characterizing the vulnerability of global positioning system based wide-area monitoring systems to external interferences. The article outlines the potential strategies that could be adopted to protect global positioning system receivers from external cyber-attacks and proposes decentralized defense strategies based on self-organizing sensor networks aimed at assuring correct time synchronization in the presence of external attacks

Fast Sequence Component Analysis for Attack Detection in Synchrophasor Networks

Modern power systems have begun integrating synchrophasor technologies into part of daily operations. Given the amount of solutions offered and the maturity rate of application development it is not a matter of "if" but a matter of "when" in regards to these technologies becoming ubiquitous in control centers around the world. While the benefits are numerous, the functionality of operator-level applications can easily be nullified by injection of deceptive data signals disguised as genuine measurements. Such deceptive action is a common precursor to nefarious, often malicious activity. A correlation coefficient characterization and machine learning methodology are proposed to detect and identify injection of spoofed data signals. The proposed method utilizes statistical relationships intrinsic to power system parameters, which are quantified and presented. Several spoofing schemes have been developed to qualitatively and quantitatively demonstrate detection capabilities.Comment: 8 pages, 4 figures, submitted to IEEE Transaction

Investigating computational models of perceptual attack time

The perceptual attack time (PAT) is the compensation for differing attack components of sounds, in the case of seeking a perceptually isochronous presentation of sounds. It has applications in scheduling and is related to, but not necessarily the same as, the moment of perceptual onset. This paper describes a computational investigation of PAT over a set of 25 synthesised stimuli, and a larger database of 100 sounds equally divided into synthesised and ecological. Ground truth PATs for modeling were obtained by the alternating presentation paradigm, where subjects adjusted the relative start time of a reference click and the sound to be judged. Whilst fitting experimental data from the 25 sound set was plausible, difficulties with existing models were found in the case of the larger test set. A pragmatic solution was obtained using a neural net architecture. In general, learnt schema of sound classification may be implicated in resolving the multiple detection cues evoked by complex sounds

Side-channel based intrusion detection for industrial control systems

Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although measures are being taken by the manufacturers to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis.Comment: 12 pages, 7 figures. For associated code, see https://polvanaubel.com/research/em-ics/code