Abstract - A potential threat to embedded systems is the execution of unknown or malicious software capable of triggering harmful system behaviour, aimed at the theft of sensitive data or at causing damage to the system. Commercial off-the-shelf embedded devices, such as embedded medical equipment, are more vulnerable, as these types of products cannot be amended conventionally or have limited resources with which to implement protection mechanisms. In this paper, we present a Self-Organising Map (SOM) based approach to enhance embedded system security by detecting abnormal program behaviour. The proposed method extracts features derived from the processor's Program Counter and Cycles per Instruction, and then uses these features to identify abnormal behaviour with the SOM. Results achieved in our experiment show that the proposed method can identify unknown program behaviours not included in the training set with over 98.4% accuracy.

Index Terms - Embedded system security, abnormal behaviour detection, intrusion detection, Self-Organising Map.
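As an added illustration of the method the abstract describes (example code written for this page, not the authors' implementation), the block below trains a small Self-Organising Map on constructed (program counter, cycles-per-instruction) feature windows from known-good execution and flags windows whose quantisation error exceeds a threshold. The normalisation of the program counter into [0,1], the 4x4 grid, the training schedule and the threshold rule (three times the worst training error) are assumptions, not details taken from the paper.

```python
import math
import random
# Constructed feature windows: (normalised program counter, cycles per instruction).
# Assumed values for illustration, not data from the paper.
def constructed_trace(pc, cpi, n, jitter=0.02, seed=0):
    rnd = random.Random(seed)
    return [(pc + rnd.uniform(-jitter, jitter), cpi + rnd.uniform(-jitter, jitter))
            for _ in range(n)]
def dist(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))
class SOM:
    """Minimal Self-Organising Map: a rows x cols grid of weight vectors."""
    def __init__(self, rows, cols, dim, seed=1):
        rnd = random.Random(seed)
        self.rows, self.cols = rows, cols
        self.w = [[[rnd.random() for _ in range(dim)] for _ in range(cols)]
                  for _ in range(rows)]
    def bmu(self, x):
        """Best matching unit and its distance to x (the quantisation error)."""
        best = min(((r, c) for r in range(self.rows) for c in range(self.cols)),
                   key=lambda rc: dist(self.w[rc[0]][rc[1]], x))
        return best, dist(self.w[best[0]][best[1]], x)
    def train(self, data, epochs=80, lr0=0.5):
        # Online SOM update; learning rate and neighbourhood radius shrink each epoch.
        sigma0, rnd = max(self.rows, self.cols) / 2, random.Random(3)
        for t in range(epochs):
            lr, sigma = lr0 * (1 - t / epochs), sigma0 * (1 - t / epochs) + 0.1
            for x in rnd.sample(data, len(data)):
                (br, bc), _ = self.bmu(x)
                for r in range(self.rows):
                    for c in range(self.cols):
                        h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma ** 2))
                        for i, wi in enumerate(self.w[r][c]):
                            self.w[r][c][i] = wi + lr * h * (x[i] - wi)

def build_detector(normal, margin=3.0):
    # Train on known-good windows only; the threshold rule (margin x worst
    # training quantisation error) is an assumption, not the paper's.
    som = SOM(4, 4, 2)
    som.train(normal)
    return som, margin * max(som.bmu(x)[1] for x in normal)
def is_abnormal(som, threshold, x):
    return som.bmu(x)[1] > threshold

# Known code regions, held-out windows from them, and an unseen region (constructed).
NORMAL = constructed_trace(0.20, 1.10, 30, seed=1) + constructed_trace(0.40, 1.30, 30, seed=2)
HELD_OUT = constructed_trace(0.20, 1.10, 5, seed=7)
UNKNOWN = [(0.90, 2.80), (0.05, 4.10)]
MODEL, THRESHOLD = build_detector(NORMAL)
```

Because only known-good behaviour is needed for training, no "valid" copy of the protected program has to be stored on the device; the map's weights and one threshold are the whole model.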
X. Zhai was with the University of Essex, Colchester, UK. He is now with the Department of Engineering, University of
K. Appiah was with the University of Essex, Colchester, UK. He is now with the School of Science and Technology, Nottingham Trent University (e-mail: kofi.appiah@ntu.ac.uk).
G. Howells is with the School of Engineering and Digital Arts, University of Kent, Canterbury, UK (e-mail: w.g.j.howells@kent.ac.uk).

I. INTRODUCTION

The widespread use of embedded systems today has significantly changed the way we create, destroy, share, process and manage information. For instance, an embedded medical device often processes sensitive information or performs critical functions for multiple patients. Consequently, the security of embedded systems is emerging as an important concern in embedded system design [1,2]. Although security has been extensively explored in the context of general-purpose computing and communications systems, for example via cryptographic algorithms and security protocols [3], such solutions are often incompatible with particular embedded architectures. The reason is that embedded architectures use custom firmware or operating systems and are normally specific to a certain function, with limited cost and resources, which makes conventional antivirus (AV) programs, for example, difficult to implement. Generally, protection for embedded systems can be developed at the hardware and/or the software level.

From a hardware perspective, Physical Unclonable Functions (PUFs) [4], or hardware intrinsic security [5], have been proposed to secure embedded devices physically. Manufacturing process variation is first used to identify the integrated circuits, and the resulting identifiers are then used for cryptography. There are also works focusing on detecting software failure, tampering and malicious code in embedded architectures [1,6].
The main disadvantage of these approaches is that they require storing sensitive data in the system as "valid" samples or templates. For exam...