579 research outputs found
Side-channel based intrusion detection for industrial control systems
Industrial Control Systems are under increased scrutiny. Their security is
historically sub-par, and although measures are being taken by the
manufacturers to remedy this, the large installed base of legacy systems cannot
easily be updated with state-of-the-art security measures. We propose a system
that uses electromagnetic side-channel measurements to detect behavioural
changes of the software running on industrial control systems. To demonstrate
the feasibility of this method, we show it is possible to profile and
distinguish between even small changes in programs on Siemens S7-317 PLCs,
using methods from cryptographic side-channel analysis.Comment: 12 pages, 7 figures. For associated code, see
https://polvanaubel.com/research/em-ics/code
Efficient template attacks
This is the accepted manuscript version. The final published version is available from http://link.springer.com/chapter/10.1007/978-3-319-08302-5_17.Template attacks remain a powerful side-channel technique to eavesdrop on tamper-resistant hardware. They model the probability distribution of leaking signals and noise to guide a search for secret data values. In practice, several numerical obstacles can arise when implementing such attacks with multivariate normal distributions. We propose efficient methods to avoid these. We also demonstrate how to achieve significant performance improvements, both in terms of information extracted and computational cost, by pooling covariance estimates across all data values. We provide a detailed and systematic overview of many different options for implementing such attacks. Our experimental evaluation of all these methods based on measuring the supply current of a byte-load instruction executed in an unprotected 8-bit microcontroller leads to practical guidance for choosing an attack algorithm.Omar Choudary is a recipient of the Google Europe Fellowship in
Mobile Security, and this research is supported in part by this Google Fellowship
Template attacks on different devices
Template attacks remain a most powerful side-channel technique
to eavesdrop on tamper-resistant hardware. They use a profiling
step to compute the parameters of a multivariate normal distribution
from a training device and an attack step in which the parameters obtained
during profiling are used to infer some secret value (e.g. cryptographic
key) on a target device. Evaluations using the same device for
both profiling and attack can miss practical problems that appear when
using different devices. Recent studies showed that variability caused by
the use of either different devices or different acquisition campaigns on
the same device can have a strong impact on the performance of template
attacks. In this paper, we explore further the effects that lead to
this decrease of performance, using four different Atmel XMEGA 256
A3U 8-bit devices. We show that a main difference between devices is a
DC offset and we show that this appears even if we use the same device
in different acquisition campaigns. We then explore several variants of
the template attack to compensate for these differences. Our results show
that a careful choice of compression method and parameters is the key
to improving the performance of these attacks across different devices.
In particular we show how to maximise the performance of template
attacks when using Fisher's Linear Discriminant Analysis or Principal
Component Analysis. Overall, we can reduce the entropy of an unknown
8-bit value below 1.5 bits even when using different devices.Omar Choudary is a recipient of the Google Europe Fellowship in
Mobile Security, and this research is supported in part by this Google Fellowship. The
opinions expressed in this paper do not represent the views of Google unless otherwise
explicitly stated.This is the author accepted manuscript. The final version is available from Springer at http://link.springer.com/chapter/10.1007%2F978-3-319-10175-0_13
Intelligent Log Analysis for Anomaly Detection
Computer logs are a rich source of information that can be analyzed to detect various issues. The large volumes of logs limit the effectiveness of manual approaches to log analysis. The earliest automated log analysis tools take a rule-based approach, which can only detect known issues with existing rules. On the other hand, anomaly detection approaches can detect new or unknown issues. This is achieved by looking for unusual behavior different from the norm, often utilizing machine learning (ML) or deep learning (DL) models. In this project, we evaluated various ML and DL techniques used for log anomaly detection. We propose a hybrid neural network (NN) we call CausalConvLSTM for modeling log sequences, which takes advantage of both Convolutional Neural Network and Long Short-Term Memory Network\u27s strengths. Furthermore, we evaluated and proposed a concrete strategy for retraining NN anomaly detection models to maintain a low false-positive rate in a drifting environment
Recommended from our members
Efficient, portable template attacks
Template attacks recover data values processed by tamper-resistant
devices from side-channel waveforms, such as supply-current
fluctuations (power analysis) or electromagnetic emissions. They
first profile a device to generate multivariate statistics of the
waveforms emitted for each of a set of known processed values, which
then identify maximum-likelihood candidates of unknown processed
values during an attack. We identify several practical obstacles
arising in the implementation of template attacks, ranging from
numerical errors to the incompatibility of templates across
different devices, and propose and compare several solutions. We
identify pooled covariance matrices and prior dimensionality
reduction through Fisher's Linear Discriminant Analysis as
particularly efficient and effective, especially where many attack
traces can be acquired. We evaluate alternative algorithms not only
for the task of recovering key bytes from a hardware implementation
of the Advanced Encryption Standard; we even reconstruct the value
transferred by an individual byte-load instruction, with success
rates reaching 85% (or a guessing entropy of less than a quarter
bit remaining) after 1000 attack traces, thereby demonstrating
direct eavesdropping of 8-bit parallel data lines. Using different
devices during the profiling and attack phase can substantially
reduce the effectiveness of template attacks. We demonstrate that
the same problem can also occur across different measurement
campaigns with the same device and that DC offsets (e.g. due to
temperature drift) are a significant cause. We improve the
portability of template parameters across devices by manipulating
the DC content of the eigenvectors that form the projection matrix
used for dimensionality reduction of the waveforms
Recommended from our members
Efficient Stochastic Methods: Profiled Attacks Beyond 8 Bits
Template attacks and stochastic models are among the most powerful side-channel attacks. However, they can be computationally expensive when processing a large number of samples. Various compression techniques have been used very successfully to reduce the data dimensionality prior to applying template attacks, most notably Principal Component Analysis (PCA) and Fisher’s Linear Discriminant Analysis (LDA). These make the attacks more efficient computationally and help the profiling phase to converge faster. We show how these ideas can also be applied to implement stochastic models more efficiently, and we also show that they can be applied and evaluated even for more than eight unknown data bits at once.This is the author accepted manuscript. The final version is available from Springer via http://dx.doi.org/10.1007/978-3-319-16763-3_
- …