Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems

Size: px

Start display at page:

Download "Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems"

Rodger Hopkins
7 years ago
Views:

1 Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems Farid Molazem, Karthik Pattabiraman University of British Columbia

2 2 Embedded Systems

3 3 Attacks spreading

4 Attacks spreading Need an Intrusion Detection System Intrusion Alarm 4

5 Existing solutions Statistical Techniques Neural networks [Moradi et. al.] Hidden Markov Models [Warrender et. al.] Support Vector Machines [Wenjie et. al.] Static analysis Call-graph, NDPDA [Wagner et. al.] Dyck [Giffin et. al.] 5

6 Challenge False positives device device device Center device device device device 6

7 Challenge Memory { a = receive(); if (a > 0) foo(a); else bar(a); } void foo(int a) { if (a % 2 == 0) even(a); else odd(a); } void bar(int a) { if (a == -1) error1(); else if (a == -2) error2(); } a > 0 a <= 0 a % 2 == 0 a % 2 == 1 a == -1 a == -2 7

8 Idea Can t fit everything in memory Quantify security Optimize security for the memory we have 8

9 Overview Coverage function Documents (SDD) Our work Code Monitoring trace IDS 9

10 What we do Coverage function Coverage function Documents (SDD) Documents (SDD) 1- Study Document Our work 2-Generating abstract Code 3-Static Analysis 4- Generating concrete 5- Select optimized Code 10

11 Steps Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Storage/Retrieval integrity Sensor data must eventually be stored on flash memory (getting sensordata ( store on flash)) Receive sensor data Temporal Logic : Something eventually happens : Something always happens : Something happens the next time Store on flash memory 11

12 Steps 3-4 Coverage function Documents (SDD) 1- Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Code 12 Abstract Concrete (contain system calls)

13 Steps Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized { }. data = socket.receive();. { }. write(f, data);. recv(4, 0x47cf68, 8192, 0) write(1, 0x47cf68, 4) = 4 (getting sensordata(data) ( store on flash(data))) 13 (receive(d) ( write(d)))

14 Step 5 Coverage function Documents (SDD) 1- Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Code 14

15 Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Define a coverage function on the graph and maximize it v 1 v 2 v 3 Security Properties p 1 p 2 p 3 v 4 p 4 15 v 5 v 6

16 Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Define a coverage function on the graph and maximize it Security Properties p 1 p 2 p 3 p 4 v 1 16 v 2 v 3 v 4 v 5 v 6

17 Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized MaxMin Coverage IDS: Intuition: Make the weakest coverage as strong as possible Security Properties 1/2 2/3 1/2 0/1 p 1 p 2 p 3 p 4 17 v 1 v 2 v 3 v 4 v 5 v 6

18 Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized MaxMin Coverage IDS: Intuition: Make the weakest coverage as strong as possible Security Properties 2/2 2/3 1/2 1/1 p 1 p 2 p 3 p 4 18 v 1 v 2 v 3 v 4 v 5 v 6

19 Building the IDS Select the from the graph Automatically convert it to Buchi Automaton Iterative process, optimize for memory. 19

20 Building the IDS (a -> F b) && (a -> F s) && (b -> F c) && (e -> F c) && (t -> F (a && X b)) && (v -> F (e && X d)) && (s -> F d) && (s -> F e) && (s -> F w) 20

21 Building the IDS (a -> F b) && (a -> F s) && (b -> F c) && (e -> F c) && (t -> F (a && X b)) 21

22 Building the IDS (a -> F b) && (a -> F s) 22

23 Evaluation SegMeter: Smart meter, an important device used in smart homes Meter: Arduino board ATMEGA 32x series microcontroller Sensors Gateway board Broadcom BCM MHz CPU 16 MB RAM 4 MB available for IDS OpenWRT Linux IDS runs on the Gateway board No attack database available => We use fault injection to simulate attacks 23

24 Fault injection Flipping branches if (data_file ~= nil) then big_string = data_file:read("*all") end if (data_file == nil) then big_string = data_file:read("*all") end 24

25 Research questions How close is the estimated coverage at design time to the coverage at run-time? Shows whether the theoretical optimization is useful What is the performance overhead Shows whether it is practical to implement and use 25

26 Results (MaxMin IDS) How good is the coverage of the IDS? How good the graph-based optimization is reflected at run-time? detection(%)= number of detected attacks/total umber of injected attac 26

27 27 Performance overhead

28 Discussions Quantifiable coverage provides flexibility How to pick a coverage function? Having a complete software engineering life cycle can help producing automated security solutions 28

29 Conclusions Traditional solutions don t work We can quantify security We can use different security measurement functions Coverage function Documents (SDD) 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Code 29 faridm@ece.ubc.ca

30 Coverage, Example 2 MaxProperty IDS: Maxmize security properties that are fully covered v 1 v 2 v 3 v 4 v 5 v 6 Security Properties p 1 p 2 p 3 p 4 30

31 Results (MaxProperty IDS) How good is the coverage of the IDS? How good the graph-based optimization is reflected at run-time? 31

A Model-Based Intrusion Detection System for Smart Meters

A Model-Based Intrusion Detection System for Smart Meters Farid Molazem Tabrizi and Karthik Pattabiraman Department of Electrical and Computer Engineering, University of British Columbia (UBC), Vancouver