Learning Execution Contexts from System Call Distribution for Anomaly Detection in Smart Embedded System

Yoon, Man-Ki; Mohan, Sibin; Choi, Jaesik; Christodorescu, Mihai; Sha, Lui

doi:10.1145/3054977.3054999

Cited by 41 publications

(46 citation statements)

References 37 publications

(69 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• CPS platform. We assume the initial state (i.e., the training stage) of the application is trustworthy, which is a general requirement of most behavior-based intrusion detection systems [31]. We also assume the runtime monitoring module (running on the host) is trusted and cannot be disabled or modified.…”

Section: Attack Model and Assumptionsmentioning

confidence: 99%

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Cheng

Tian

Yao

et al. 2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Securing cyber-physical systems (CPS) against malicious attacks is of paramount importance because these attacks may cause irreparable damages to physical systems. Recent studies have revealed that control programs running on CPS devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, due to the lack of runtime execution semantics checking. In this work, we propose Orpheus, a new security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We first present a general method for reasoning cyber-physical execution semantics of a control program (i.e., causal dependencies between the physical context/event and program control flows), including the event identification and dependence analysis. As an instantiation of Orpheus, we then present a new program behavior model, i.e., the event-aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of CPS control programs and incorporates event checking in anomaly detection. It detects data-oriented exploits if a specific physical event is missing along with the corresponding event dependent state transition. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state transition integrity checking, and 0.063s∼0.211s for the cyber-physical contextual consistency checking.

show abstract

Section: Attack Model and Assumptionsmentioning

confidence: 99%

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Cheng

Tian

Yao

et al. 2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Authors of [19] have an anomaly model built using system call frequency distribution and clustering techniques to detect when processes deviate from their standard profiles. Similar to the anomaly frameworks of [13], [14], the model of [19] has no temporal modeling of the events and can only be used for post-mortem analysis. Furthermore, the authors of [20] used the statistical metric of entropy to implement an anomaly detection model for network logs.…”

Section: Related Workmentioning

confidence: 99%

Design and Development of AD-CGAN: Conditional Generative Adversarial Networks for Anomaly Detection

2020

View full text Add to dashboard Cite

Whether in the realm of software or hardware, datasets representing the state of systems are mostly imbalanced. This imbalance is because these systems' reliability requirements make the occurrence of an anomaly a rare phenomenon. Hence, most datasets on anomaly detection have a relatively small percentage that captures the anomaly. Recently, generative adversarial networks (GAN) have shown promising results in image generation tasks. Therefore, in this research work, we build on conditional GANs (CGAN) to generate plausible distributions of a given profile to solve the challenge of data imbalance in anomaly detection tasks and present a novel framework for anomaly detection. Firstly, we learn the pattern of the minority class data samples using a single class CGAN. Secondly, we use the knowledge base of the single class CGAN to generate samples that augment the minority class samples so that a binary class CGAN can train on the typical and malicious profiles with a balanced dataset. This approach inherently eliminates the bias imposed on algorithms from the dataset and results in a robust framework with improved generalization. Thirdly, the binary class CGAN generates a knowledge base that we use to construct the cluster-based anomaly detector. During testing, we do not use the single class CGAN, thereby providing us with a lean and efficient algorithm for anomaly detection that can do anomaly detection on semisupervised and non-parametric multivariate data. We test the framework on logs and image-based anomaly detection datasets with class imbalance. We compare the performance of AD-CGAN with GAN-derived and non-GAN-derived state of the art algorithms on benchmark datasets. AD-CGAN outperforms most of the algorithms in the standard metrics of Precision, Recall, and F-1 Score. Where AD-CGAN does not perform better in the parameters used, it has the advantage of being lightweight. Therefore, it can be deployed for both online and offline anomaly detection tasks since it does not use an input sample inversion strategy.

show abstract

“…Otherwise, the adversary can perform more active attacks than what is described above -this is out of scope for this paper and we intend to analyze it in future work. There are various other threats faced by real-time systems [14], [26]- [29], [31] -most of these techniques are about intrusion detection and hence complementary to those presented here.…”

Section: A Adversary Modelmentioning

confidence: 99%

“…Hence, any perturbations to these operational modes can result in the safety of such systems being compromised. On one hand, recent studies [14], [26]- [29], [31] have shown that the security of real-time systems can be improved by taking advantage of these very properties, viz., predictability (or regularity) in their behavior. Such security mechanisms try to detect abnormal deviations from expected patterns.…”

Section: Introductionmentioning

confidence: 99%

TaskShuffler: A Schedule Randomization Protocol for Obfuscation against Timing Inference Attacks in Real-Time Systems

Yoon

Mohan

Chen

et al. 2016

2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS)

Self Cite

View full text Add to dashboard Cite

The high degree of predictability in real-time systems makes it possible for adversaries to launch timing inference attacks such as those based on side-channels and covert-channels. We present TaskShuffler, a schedule obfuscation method aimed at randomizing the schedule for such systems while still providing the real-time guarantees that are necessary for their safe operation. This paper also analyzes the effect of these mechanisms by presenting schedule entropy -a metric to measure the uncertainty (as perceived by attackers) introduced by TaskShuffler. These mechanisms will increase the difficulty for would-be attackers thus improving the overall security guarantees for real-time systems.

show abstract

Learning Execution Contexts from System Call Distribution for Anomaly Detection in Smart Embedded System

Cited by 41 publications

References 37 publications

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Design and Development of AD-CGAN: Conditional Generative Adversarial Networks for Anomaly Detection

TaskShuffler: A Schedule Randomization Protocol for Obfuscation against Timing Inference Attacks in Real-Time Systems

Contact Info

Product

Resources

About