Hierarchical framework for early intrusion detection in embedded computing systems
| Field | Value |
|---|---|
| Format | Thesis-Doctor of Philosophy |
| Language | English |
| Published | Nanyang Technological University, 2019 |
| Online Access | https://hdl.handle.net/10356/136535 |
| Institution | Nanyang Technological University |
Summary:

It has been well recognized in the literature that intrusion detection in embedded computing systems is both challenging and computationally demanding. The ominous threat of malware in such systems necessitates lightweight real-time intrusion detection methods that are capable of keeping up with fast-evolving and sophisticated malware attacks. In this thesis, a hierarchical framework for real-time intrusion detection in embedded computing systems is proposed. Runtime monitoring of power consumption provides a lightweight mechanism for the early detection of anomalies. A new metric called _ has been implemented to facilitate lightweight detection of anomalies by comparing runtime power measurements against an offline-generated power trace model. Unlike existing methods, the proposed lightweight technique provides for the early detection of anomalies at runtime. The proposed method has been extensively validated to confirm that runtime power monitoring can be effectively deployed to separate benign applications from abnormal ones that have been compromised by user-space malware and/or run on an operating system compromised by a rootkit. Next, a lightweight technique has been proposed for the detection and classification of user-space malware using system call traces. This approach has been shown to rely on only a minimal set of malware signatures to effectively detect malware. The proposed approach achieves performance comparable to the state-of-the-art technique reported in the literature, with a detection rate of 93.4% and a classification rate of 83%. However, unlike the existing approaches, the proposed method is capable of real-time classification at runtime without compromising the detection and classification rates, by observing only the Hardware Performance Counters (HPC) to extract system-call-trace-specific information.

Subsequently, a low-level architecture-specific feature based on HPC has been proposed to detect anomalies in the kernel space (operating system) caused by a rootkit. A model that relies on the combined analysis of benign system calls and tainted system calls compromised by a rootkit is introduced to detect such anomalies. Unlike existing methods that incur high monitoring overheads, the proposed technique employs a lightweight method that yields a comparable level of accuracy in detecting rootkits. Experimental results confirm that the proposed approach can achieve a classification accuracy of up to 96% while requiring significantly fewer resources to store the models. Another metric called _ is also proposed to distinguish benign programs from those infected with malware, facilitating the early detection of anomalous operations at runtime. The proposed method relies on statistical hypothesis testing based on runtime measures obtained using HPC. Performance evaluations confirm that the HPC-based observation of operating system indicators makes _ an effective metric for differentiating benign and malicious applications. The detection accuracy is as high as 90%, with a false positive rate of 1.52% and a false negative rate close to 0%. This compares very favourably with the state-of-the-art method reported in the literature. The proposed techniques have been integrated into a framework that provides a hierarchical method for the simultaneous detection of malware and rootkits at runtime. Moreover, the proposed techniques can be incorporated into any embedded computing system without any modifications to the application or the operating system. This multi-metric approach has resulted in an effective yet lightweight approach to realizing a robust intrusion detection system. It has been shown that the framework is capable of detecting a wide range of anomalous behaviour in real time, i.e. worms, Trojans, viruses and rootkits, without the need to instrument the application or the operating system. It is noteworthy that the proposed techniques have also been integrated to incorporate fault tolerance without compromising the overall accuracy and performance.

Moreover, the framework is also capable of separating abnormal operations due to system faults and potential zero-days. Finally, the proposed framework is well suited for incorporation into embedded computing systems with limited computing resources, providing a first line of defence for the early detection of malware, rootkits, system faults and potential zero-days at runtime.