Real-Time Detection and Suppression of Malicious Attacks Using Machine Learning and Processor Core Events
Detecting and suppressing malicious attacks continues to challenge designers and users of embedded and edge processing systems. Embedded systems and IoT devices are becoming more prevalent and they are evolving to accommodate the increased complexity requirements of edge computing by incorporating increasing levels of advanced security, energy efficiency, connectivity, performance, and increased computational power to support, for example, machine learning intelligence. These capabilities can be used in a collaborative way to provide a means for detecting a family of side channel malware attacks based upon the exploitation of timing side channels arising from cache and branch prediction circuitry. The SPECTRE exploit serves as the exemplary attack based on data cache timing side channels; however, many variants of this attack have emerged and continue to emerge. Due to the increasing proliferation of this class of devices and the continuing emergence of new variants of timing side channel attacks, there is motivation to develop a malware detection approach that is suitable for embedded and edge processing-based systems that requires minimal computational resources, is robust under varying load conditions, and that is capable of detecting any of a number of different variants of this attack, including zero-day versions. The detection approach is demonstrated to be applicable to variants of the classic SPECTRE attack including the micro-ops cache attack that exploits X86 architectures. The method monitors concurrent processes running on a Linux-based system operating in an edge-computing device to detect if one or more of the processes implements a timing-based side channel attack.
Furthermore, the malware detection approach is designed to be lightweight in the sense that it requires minimal computing resources and offers rapid detection times since it uses existing on-chip hardware, pre-programmed event or performance counters, as a data source combined with a simple but effective SVM to detect variants of malicious exploits that may be present within a standard application process. Upon detection of a malicious process, the edge device could automatically suspend or kill the detected and offending process. A feature selection technique is used to select the most appropriate CPU events that indicate the presence of the targeted malware family and to improve performance results and system efficiency. Analysis results are included that evaluate a number of different detection approaches to justify the selection of an SVM due to the tradeoff of accuracy versus computational resource requirements. This approach is demonstrated through implementations on both ARM and X86 instruction set architectures, and experimental results regarding its accuracy and performance are provided. Detection performance is characterized by a number of metrics including ROC curves. Experimental results assess the robustness of the malware detection approach. The detection of one variant of the cache timing attack is evaluated when the SVM is trained using a different variant. The detection accuracy over a variety of different and varying load conditions is evaluated. Finally, robustness is evaluated by injecting noise into the event counter data at increasing levels until significant detection failures are observed.
A universal setup for active control of a single-photon detector
The influence of bright light on a single-photon detector has been described
in a number of recent publications. The impact on quantum key distribution
(QKD) is important, and several hacking experiments have been tailored to fully
control single-photon detectors. Special attention has been given to avoid
introducing further errors into a QKD system. We describe the design and
technical details of an apparatus which allows attacking a
quantum-cryptographic connection. This device is capable of controlling
free-space and fiber-based systems and of minimizing unwanted clicks in the
system. With different control diagrams, we are able to achieve a different
level of control. The control was initially targeted to the systems using BB84
protocol, with polarization encoding and basis switching using beamsplitters,
but could be extended to other types of systems. We further outline how to
characterize the quality of active control of single-photon detectors.
Comment: 10 pages, 10 figure
Selective Jamming of LoRaWAN using Commodity Hardware
Long range, low power networks are rapidly gaining acceptance in the Internet
of Things (IoT) due to their ability to economically support long-range sensing
and control applications while providing multi-year battery life. LoRa is a key
example of this new class of network and is being deployed at large scale in
several countries worldwide. As these networks move out of the lab and into the
real world, they expose a large cyber-physical attack surface. Securing these
networks is therefore both critical and urgent. This paper highlights security
issues in LoRa and LoRaWAN that arise due to the choice of a robust but slow
modulation type in the protocol. We exploit these issues to develop a suite of
practical attacks based around selective jamming. These attacks are conducted
and evaluated using commodity hardware. The paper concludes by suggesting a
range of countermeasures that can be used to mitigate the attacks.
Comment: Mobiquitous 2017, November 7-10, 2017, Melbourne, VIC, Australi
Vulnerability analysis of satellite-based synchronized smart grids monitoring systems
The large-scale deployment of wide-area monitoring systems could play a strategic role in supporting the evolution of traditional power systems toward smarter and self-healing grids. The correct operation of these synchronized monitoring systems requires a common and accurate timing reference usually provided by a satellite-based global positioning system. Although these satellite signals provide timing accuracy that easily exceeds the needs of the power industry, they are extremely vulnerable to radio frequency interference. Consequently, a comprehensive analysis aimed at identifying their potential vulnerabilities is of paramount importance for correct and safe wide-area monitoring system operation. Armed with such a vision, this article presents and discusses the results of an experimental analysis aimed at characterizing the vulnerability of global positioning system based wide-area monitoring systems to external interferences. The article outlines the potential strategies that could be adopted to protect global positioning system receivers from external cyber-attacks and proposes decentralized defense strategies based on self-organizing sensor networks aimed at assuring correct time synchronization in the presence of external attacks.
Fast Sequence Component Analysis for Attack Detection in Synchrophasor Networks
Modern power systems have begun integrating synchrophasor technologies into
part of daily operations. Given the amount of solutions offered and the
maturity rate of application development it is not a matter of "if" but a
matter of "when" in regards to these technologies becoming ubiquitous in
control centers around the world. While the benefits are numerous, the
functionality of operator-level applications can easily be nullified by
injection of deceptive data signals disguised as genuine measurements. Such
deceptive action is a common precursor to nefarious, often malicious activity.
A correlation coefficient characterization and machine learning methodology are
proposed to detect and identify injection of spoofed data signals. The proposed
method utilizes statistical relationships intrinsic to power system parameters,
which are quantified and presented. Several spoofing schemes have been
developed to qualitatively and quantitatively demonstrate detection
capabilities.
Comment: 8 pages, 4 figures, submitted to IEEE Transaction
Investigating computational models of perceptual attack time
The perceptual attack time (PAT) is the compensation for differing attack components of sounds, in the case of seeking a perceptually isochronous presentation of sounds. It has applications in scheduling and is related to, but not necessarily the same as, the moment of perceptual onset. This paper describes a computational investigation of PAT over a set of 25 synthesised stimuli, and a larger database of 100 sounds equally divided into synthesised and ecological. Ground truth PATs for modeling were obtained by the alternating presentation paradigm, where subjects adjusted the relative start time of a reference click and the sound to be judged. Whilst fitting experimental data from the 25 sound set was plausible, difficulties with existing models were found in the case of the larger test set. A pragmatic solution was obtained using a neural net architecture. In general, learnt schema of sound classification may be implicated in resolving the multiple detection cues evoked by complex sounds
Side-channel based intrusion detection for industrial control systems
Industrial Control Systems are under increased scrutiny. Their security is
historically sub-par, and although measures are being taken by the
manufacturers to remedy this, the large installed base of legacy systems cannot
easily be updated with state-of-the-art security measures. We propose a system
that uses electromagnetic side-channel measurements to detect behavioural
changes of the software running on industrial control systems. To demonstrate
the feasibility of this method, we show it is possible to profile and
distinguish between even small changes in programs on Siemens S7-317 PLCs,
using methods from cryptographic side-channel analysis.
Comment: 12 pages, 7 figures. For associated code, see
https://polvanaubel.com/research/em-ics/code