Towards Anomaly Detection in Embedded Systems Application Using LLVM Passes
Software security exploits, such as Return-Oriented Programming (ROP) attacks, have persisted for more than a decade. ROP attacks inject malicious behaviors into programs, posing serious risks to computing devices, and they can be particularly challenging to detect in systems with limited resources. In this paper, we introduce an approach that exploits Low-Level Virtual Machine (LLVM) passes, programmatic transformations applied during compilation, to detect ROP attacks in ARM-based embedded systems. By customizing LLVM passes, developers can integrate tailored security checks and optimizations into embedded systems requirements. Our approach is motivated by the use of Hardware Performance Counters (HPCs) for certain mitigations, which are not commonly available on all embedded systems. The experimental evaluation of our approach for detecting ROP attacks in real-world applications shows that it is feasible and can be extended to detect new attacks independently of an Operating System (OS). The storage overhead induced by our approach is approximately 55%.
Multi-signal Anomaly Detection for Real-Time Embedded Systems
This thesis presents MuSADET, an anomaly detection framework targeting timing anomalies found in event traces from real-time embedded systems. The method leverages stationary event generators, signal processing, and distance metrics to classify inter-arrival time sequences as normal/anomalous. Experimental evaluation of traces collected from two real-time embedded systems provides empirical evidence of MuSADET’s anomaly detection performance.
MuSADET is appropriate for embedded systems, where many event generators are intrinsically recurrent and generate stationary sequences of timestamps. To find timing anomalies, MuSADET compares the frequency domain features of an unknown trace to a normal model trained from well-behaved executions of the system. Each signal in the analysis trace receives a normal/anomalous score, which can help engineers isolate the source of the anomaly.
Empirical evidence of anomaly detection performed on traces collected from an industry-grade hexacopter and the Controller Area Network (CAN) bus deployed in a real vehicle demonstrates the feasibility of the proposed method. In all case studies, anomaly detection did not require an anomaly model while achieving high detection rates. For some of the studied scenarios, the true positive detection rate goes above 99 %, with false-positive rates below one %. The visualization of classification scores shows that some timing anomalies can propagate to multiple signals within the system. Comparison to a similar method, Signal Processing for Trace Analysis (SiPTA), indicates that MuSADET is superior in detection performance and provides complementary information that can help link anomalies to the process where they occurred.
Framework for Anomaly Detection in OKL4-Linux Based Smartphones
Smartphones face the same threats as traditional computers. As long as a device has the capabilities to perform logic processing, the threat of running malicious logic exists. The only difference between security threats on traditional computers versus security threats on smartphones is the challenge to understand the inner workings of the operating system on different hardware processor architectures. To improve upon the security of smartphones, anomaly detection capabilities can be implemented at different functional layers of a smartphone in a coherent manner, instead of just looking at individual functional layers. This paper will focus on identifying conceptual points for measuring normalcy in different functional layers of a smartphone based on OKL4 and LiMo Foundation's platform architecture.
Data Mining in Electronic Commerce
Modern business is rushing toward e-commerce. If the transition is done properly, it enables better management, new services, lower transaction costs and better customer relations. Success depends on skilled information technologists, among whom are statisticians. This paper focuses on some of the contributions that statisticians are making to help change the business world, especially through the development and application of data mining methods. This is a very large area, and the topics we cover are chosen to avoid overlap with other papers in this special issue, as well as to respect the limitations of our expertise. Inevitably, electronic commerce has raised and is raising fresh research problems in a very wide range of statistical areas, and we try to emphasize those challenges.
Published at http://dx.doi.org/10.1214/088342306000000204 in Statistical Science (http://www.imstat.org/sts/) by the Institute of Mathematical Statistics (http://www.imstat.org).
Development of monitoring systems for anomaly detection using ASTD specifications
Anomaly-based intrusion detection systems are essential defenses against cybersecurity threats because they can identify anomalies in current activities. However, these systems have difficulties providing entity processing independence through a programming language. In addition, a degradation of the detection process is caused by the complexity of scheduling the training and detection processes, which are required to keep the anomaly detection system continuously updated. This paper shows how to use the algebraic state-transition diagram (ASTD) language to develop flexible anomaly detection systems. This paper provides a model for detecting point anomalies using the unsupervised non-parametric technique Kernel Density Estimation to estimate the probability density of event occurrence. The proposed model caters for both the training and the detection phase continuously. The ASTD language streamlines the modeling of detection systems thanks to its process algebraic operators that provide a solution to overcome these challenges. By delegating the combination of anomaly-based detection processes to the ASTD language, the effort and complexity are reduced during detection model development. Finally, using a qualitative evaluation, this study demonstrates that the algebraic operators in the ASTD specification language overcome these challenges.
Hierarchical Kohonen Net for Anomaly Detection in Network Security
A novel multilevel hierarchical Kohonen Net (K-Map) for an intrusion detection system is presented. Each level of the hierarchical map is modeled as a simple winner-take-all K-Map. One significant advantage of this multilevel hierarchical K-Map is its computational efficiency. Unlike other statistical anomaly detection methods such as the nearest neighbor approach, K-means clustering or probabilistic analysis that employ distance computation in the feature space to identify the outliers, our approach does not involve costly point-to-point computation in organizing the data into clusters. Another advantage is the reduced network size. We use the classification capability of the K-Map on selected dimensions of the data set in detecting anomalies. Randomly selected subsets that contain both attacks and normal records from the KDD Cup 1999 benchmark data are used to train the hierarchical net. We use a confidence measure to label the clusters. Then we use the test set from the same KDD Cup 1999 benchmark to test the hierarchical net. We show that a hierarchical K-Map in which each layer operates on a small subset of the feature space is superior to a single-layer K-Map operating on the whole feature space in detecting a variety of attacks in terms of detection rate as well as false positive rate.