Exploring ICMetrics to detect abnormal program behaviour on embedded devices

Execution of unknown or malicious software on an embedded system may trigger harmful system behaviour targeted at stealing sensitive data and/or causing damage to the system. It is thus considered a potential and significant threat to the security of embedded systems. Generally, the resource constrained nature of Commercial off-the-shelf (COTS) embedded devices, such as embedded medical equipment, does not allow computationally expensive protection solutions to be deployed on these devices, rendering them vulnerable. A Self-Organising Map (SOM) based and Fuzzy C-means based approaches are proposed in this paper for detecting abnormal program behaviour to boost embedded system security. The presented technique extracts features derived from processor's Program Counter (PC) and Cycles per Instruction (CPI), and then utilises the features to identify abnormal behaviour using the SOM. Results achieved in our experiment show that the proposed SOM based and Fuzzy C-means based methods can identify unknown program behaviours not included in the training set with 90.9% and 98.7% accuracy

A Method for Detecting Abnormal Program Behavior on Embedded Devices

A potential threat to embedded systems is the execution of unknown or malicious software capable of triggering harmful system behavior, aimed at theft of sensitive data or causing damage to the system. Commercial off-the-shelf embedded devices, such as embedded medical equipment, are more vulnerable as these type of products cannot be amended conventionally or have limited resources to implement protection mechanisms. In this paper, we present a self-organizing map (SOM)-based approach to enhance embedded system security by detecting abnormal program behavior. The proposed method extracts features derived from processor's program counter and cycles per instruction, and then utilises the features to identify abnormal behavior using the SOM. Results achieved in our experiment show that the proposed method can identify unknown program behaviors not included in the training set with over 98.4% accuracy

An intelligent intrusion detection system for external communications in autonomous vehicles

Advancements in computing, electronics and mechanical systems have resulted in the creation of a new class of vehicles called autonomous vehicles. These vehicles function using sensory input with an on-board computation system. Self-driving vehicles use an ad hoc vehicular network called VANET. The network has ad hoc infrastructure with mobile vehicles that communicate through open wireless channels. This thesis studies the design and implementation of a novel intelligent intrusion detection system which secures the external communication of self-driving vehicles. This thesis makes the following four contributions: It proposes a hybrid intrusion detection system to protect the external communication in self-driving vehicles from potential attacks. This has been achieved using fuzzification and artificial intelligence. The second contribution is the incorporation of the Integrated Circuit Metrics (ICMetrics) for improved security and privacy. By using the ICMetrics, specific device features have been used to create a unique identity for vehicles. Our work is based on using the bias in on board sensory systems to create ICMetrics for self-driving vehicles. The incorporation of fuzzy petri net in autonomous vehicles is the third contribution of the thesis. Simulation results show that the scheme can successfully detect denial-of-service attacks. The design of a clustering based hierarchical detection system has also been presented to detect worm hole and Sybil attacks. The final contribution of this research is an integrated intrusion detection system which detects various attacks by using a central database in BusNet. The proposed schemes have been simulated using the data extracted from trace files. Simulation results have been compared and studied for high levels of detection capability and performance. Analysis shows that the proposed schemes provide high detection rate with a low rate of false alarm. The system can detect various attacks in an optimised way owing to a reduction in the number of features, fuzzification

Nature-inspired survivability: Prey-inspired survivability countermeasures for cloud computing security challenges

As cloud computing environments become complex, adversaries have become highly sophisticated and unpredictable. Moreover, they can easily increase attack power and persist longer before detection. Uncertain malicious actions, latent risks, Unobserved or Unobservable risks (UUURs) characterise this new threat domain. This thesis proposes prey-inspired survivability to address unpredictable security challenges borne out of UUURs. While survivability is a well-addressed phenomenon in non-extinct prey animals, applying prey survivability to cloud computing directly is challenging due to contradicting end goals. How to manage evolving survivability goals and requirements under contradicting environmental conditions adds to the challenges. To address these challenges, this thesis proposes a holistic taxonomy which integrate multiple and disparate perspectives of cloud security challenges. In addition, it proposes the TRIZ (Teorija Rezbenija Izobretatelskib Zadach) to derive prey-inspired solutions through resolving contradiction. First, it develops a 3-step process to facilitate interdomain transfer of concepts from nature to cloud. Moreover, TRIZ’s generic approach suggests specific solutions for cloud computing survivability. Then, the thesis presents the conceptual prey-inspired cloud computing survivability framework (Pi-CCSF), built upon TRIZ derived solutions. The framework run-time is pushed to the user-space to support evolving survivability design goals. Furthermore, a target-based decision-making technique (TBDM) is proposed to manage survivability decisions. To evaluate the prey-inspired survivability concept, Pi-CCSF simulator is developed and implemented. Evaluation results shows that escalating survivability actions improve the vitality of vulnerable and compromised virtual machines (VMs) by 5% and dramatically improve their overall survivability. Hypothesis testing conclusively supports the hypothesis that the escalation mechanisms can be applied to enhance the survivability of cloud computing systems. Numeric analysis of TBDM shows that by considering survivability preferences and attitudes (these directly impacts survivability actions), the TBDM method brings unpredictable survivability information closer to decision processes. This enables efficient execution of variable escalating survivability actions, which enables the Pi-CCSF’s decision system (DS) to focus upon decisions that achieve survivability outcomes under unpredictability imposed by UUUR

A self-organising map based algorithm for analysis of ICmetrics features

ICmetrics is a new approach that exploits the characteristic and behaviour of an embedded system to obtain a collection of properties and features, which aims to uniquely identify and secure an embedded system based on its own behavioural identity. In this paper, an algorithm based on a self-organising map (SOM) neural network is proposed to extract and analyse the features derived from a processor's performance profile (i.e. average cycles per instruction (CPI)), where the extracted features are used to help finding the main behaviours of the system. The proposed algorithm has been tested with different programs selected from the MiBench benchmark suite, and the results achieved show that it can successfully segment each program into different main phases based on the unique extracted features, which confirms its utility for the ICmetrics technology