Cyber threats are increasing on a continuous basis, and the Internet of Things (IoT) and embedded devices are also increasingly exposed to attackers. Given the critical nature of these devices in Industrial Control Systems (ICS), the implementation of an Intrusion Detection System (IDS) is necessary. In particular, current researches focus on Host-Intrusion Detection Systems (H-IDS) which leverage signals from the device to detect attacks and intrusions before their impacts become devastating. This paper presents an H-IDS solution that relies on Hardware Performance Counters (HPC) and Machine Learning (ML) anomaly detection to raise alarms when an attack is detected on an embedded device. The proposed solution collects HPCs at the kernel level of the device and uses a remote computer to extract statistical features from the HPC values, then makes a decision with a ML model. An experimental platform simulating an Industrial Control System is presented with a simulated hydroelectric physical process and a hardware emulation of the Programmable Logic Controller managing sensors and actuators logic. The platform also contains 6 typical attacks that often target embedded devices, such as a ransomware, flooding on a communication protocol, SSH bruteforce, malicious data transfers and intensive CPU resources. This setup enables the evaluation of our H-IDS solution under both normal and malicious conditions. Results show that our solution has low CPU and memory footprint on the embedded device and is able to detect critical attacks without raising false alarm.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Hardware Performance Counters for Anomaly Detection in Embedded Devices

  • Victor Breux,
  • Pierre-Henri Thevenon

摘要

Cyber threats are increasing on a continuous basis, and the Internet of Things (IoT) and embedded devices are also increasingly exposed to attackers. Given the critical nature of these devices in Industrial Control Systems (ICS), the implementation of an Intrusion Detection System (IDS) is necessary. In particular, current researches focus on Host-Intrusion Detection Systems (H-IDS) which leverage signals from the device to detect attacks and intrusions before their impacts become devastating. This paper presents an H-IDS solution that relies on Hardware Performance Counters (HPC) and Machine Learning (ML) anomaly detection to raise alarms when an attack is detected on an embedded device. The proposed solution collects HPCs at the kernel level of the device and uses a remote computer to extract statistical features from the HPC values, then makes a decision with a ML model. An experimental platform simulating an Industrial Control System is presented with a simulated hydroelectric physical process and a hardware emulation of the Programmable Logic Controller managing sensors and actuators logic. The platform also contains 6 typical attacks that often target embedded devices, such as a ransomware, flooding on a communication protocol, SSH bruteforce, malicious data transfers and intensive CPU resources. This setup enables the evaluation of our H-IDS solution under both normal and malicious conditions. Results show that our solution has low CPU and memory footprint on the embedded device and is able to detect critical attacks without raising false alarm.