Statistical Time-based Intrusion Detection in Embedded Systems
Nadir A. Carreóna, Allison Gilbreathb and Roman Lyseckyc
Department of Electrical and Computer Engineering, University of Arizona, Tucson, Arizona, USA
anadir@email.arizona.edu
balligilbreath@email.arizona.edu
crlysecky@ece.arizona.edu
ABSTRACT
This paper presents a statistical method based on cumulative distribution functions (CDF) to analyze an embedded system' s behavior to detect anomalous and malicious executions behaviors. The proposed method analyzes the internal timing of the system by monitoring individual operations and sequences of operations, wherein the timing of operations is decomposed into multiple timing subcomponents. Creating the normal model of the system utilizing the internal timing adds resilience to zero-day attacks, and mimicry malware. The combination of CDF-based statistical analysis and timing subcomponents enable both higher detection rates and lower false positives rates. We demonstrate the effectiveness of the approach and compare to several state-of-theart malware detection methods using two embedded systems benchmarks, namely a network connected pacemaker and an unmanned aerial vehicle, utilizing seven different malware.
Keywords: Embedded Systems Security, Anomaly-Based Detection, Runtime Intrusion Detection, Timing-Based Detection