Existing techniques used for intrusion detection do not fully utilize the intrinsic properties of embedded systems. In this paper, we propose a lightweight method for detecting anomalous executions using a distribution of system call frequencies. We use a cluster analysis to learn the legitimate execution contexts of embedded applications and then monitor them at run-time to capture abnormal executions. We also present an architectural framework with minor processor modifications to aid in this process. Our prototype shows that the proposed method can effectively detect anomalous executions without relying on sophisticated analyses or affecting the critical execution paths.
Introduction

An increasing number of attacks are targeting embedded systems [21,37], compromising the security, and hence the safety, of such systems. It is not an easy task to retrofit embedded systems with security mechanisms that were developed for more general-purpose scenarios, since the former (a) have constraints in processing power, memory, battery life, etc., and (b) must meet stringent requirements such as timing constraints.

Traditional behavior-based intrusion detection systems (IDS) [10] rely on specific signals such as network traffic [15,39], control flow [1,8], system calls [14,32,5], etc. The use of system calls, especially in the form of sequences [14,16,44,29,12,40], has been extensively studied in behavior-based IDSes for general-purpose systems, since many malicious activities use system calls to execute privileged operations on system resources. Because server, desktop and mobile applications exhibit rich, wildly varying behaviors across executions, such IDSes must rely either (a) on complex models of normal behavior, which are expensive to run and thus unsuitable for an embedded system, or (b) on simple, partial models, which validate only small windows of the application execution at a time. The latter opens the door to attacks in which variations of a valid execution sequence are replayed with slightly different parameters to achieve a malicious goal, even though, in normal operation, the application would not execute that sequence of operations every time.
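To make the contrast between the two model families concrete, the following is an added illustration in Python; it is not code from the paper or its prototype. It trains a sliding-window n-gram model (a "simple, partial model" in the sense above) and a whole-trace frequency-distribution model with a small k-means on constructed system-call traces, then runs both over a trace that replays only valid windows but with an unusual overall frequency. The execution-context names, the traces, the farthest-first k-means initialization and the threshold margin are all assumptions made for the example.

```python
"""Window-based versus frequency-distribution anomaly detection on syscall traces.

Added illustration (not the paper's implementation). Every trace below is
constructed sample data; the clustering and threshold are assumed choices.
"""
import math

SYSCALLS = ("open", "read", "write", "close", "mmap", "socket")

# Constructed training traces for two assumed legitimate execution contexts.
LOGGER_CONTEXT = [
    ["open", "write", "write", "write", "close"],
    ["open", "write", "write", "write", "write", "close"],
    ["open", "write", "write", "close"],
]
SENSOR_CONTEXT = [
    ["open", "mmap", "read", "read", "read", "close"],
    ["open", "mmap", "read", "read", "close"],
    ["open", "mmap", "read", "read", "read", "read", "close"],
]
TRAINING = LOGGER_CONTEXT + SENSOR_CONTEXT

# A legitimate trace that is not in the training set (5 writes instead of 3-4).
NORMAL_TRACE = ["open"] + ["write"] * 5 + ["close"]
# A replay: every 3-call window occurs in training, but the overall
# distribution (40 writes per open/close) never does.
REPLAY_TRACE = ["open"] + ["write"] * 40 + ["close"]
# A trace with a system call the contexts never issue.
FOREIGN_TRACE = ["open", "socket", "write", "close"]


def freq_vector(trace):
    """Normalised system-call frequency distribution over SYSCALLS."""
    n = len(trace)
    return tuple(trace.count(s) / n for s in SYSCALLS)


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, iterations=20):
    """Minimal Lloyd's k-means with deterministic farthest-first seeding."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(distance(v, c) for c in centroids)))
    for _ in range(iterations):
        groups = [[] for _ in centroids]
        for v in vectors:
            groups[min(range(k), key=lambda i: distance(v, centroids[i]))].append(v)
        centroids = [tuple(sum(col) / len(g) for col in zip(*g)) if g else c
                     for g, c in zip(groups, centroids)]
    return centroids


class FrequencyDetector:
    """Learns execution contexts as clusters of frequency vectors."""

    def __init__(self, traces, k, margin=2.0):
        vectors = [freq_vector(t) for t in traces]
        self.centroids = kmeans(vectors, k)
        # Assumed rule: tolerate twice the worst training distance to a centroid.
        self.threshold = margin * max(self.nearest_distance(v) for v in vectors)

    def nearest_distance(self, vector):
        return min(distance(vector, c) for c in self.centroids)

    def is_anomalous(self, trace):
        return self.nearest_distance(freq_vector(trace)) > self.threshold


def ngrams(trace, n):
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


class WindowDetector:
    """Accepts a trace iff every n-call window was seen during training."""

    def __init__(self, traces, n=3):
        self.n = n
        self.known = set().union(*(ngrams(t, n) for t in traces))

    def is_anomalous(self, trace):
        return not ngrams(trace, self.n) <= self.known


def build_detectors():
    """Train both detectors on the constructed contexts (k = 2 contexts)."""
    return FrequencyDetector(TRAINING, k=2), WindowDetector(TRAINING, n=3)


if __name__ == "__main__":
    freq, win = build_detectors()
    for name, trace in (("normal", NORMAL_TRACE), ("replay", REPLAY_TRACE),
                        ("foreign", FOREIGN_TRACE)):
        print(f"{name:8s} window-model anomalous={win.is_anomalous(trace)!s:5s} "
              f"frequency-model anomalous={freq.is_anomalous(trace)}")
```

Run as a script, the replay trace passes the window model (all of its 3-call windows are legitimate) and is rejected by the frequency model, while the foreign trace is rejected by both and the unseen-but-normal trace is accepted by both; that asymmetry is the blind spot the paragraph above attributes to window-only models.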