Hierarchical framework for early intrusion detection in embedded computing systems

Bibliographic Details
Main Author: Muhamed Fauzi Abbas
Other Authors: Thambipillai Srikanthan
Format: Thesis-Doctor of Philosophy
Language: English
Published: Nanyang Technological University 2019
Subjects: Engineering::Computer science and engineering
Online Access: https://hdl.handle.net/10356/136535
Description

It has been well recognized in the literature that intrusion detection in embedded computing systems is both challenging and computationally demanding. The ominous threat of malware in such systems calls for lightweight real-time intrusion detection methods that are capable of keeping up with fast-evolving and sophisticated malware attacks. In this thesis, a hierarchical framework for real-time intrusion detection in embedded computing systems has been proposed. Runtime monitoring of power consumption provides a lightweight mechanism for the early detection of anomalies. A new metric called _ has been implemented to facilitate lightweight detection of anomalies by comparing runtime power measurements with an offline-generated power trace model. Unlike existing methods, the proposed lightweight technique provides for early detection of anomalies at runtime. The proposed method has been extensively validated to confirm that runtime power monitoring can be effectively deployed to separate benign applications from abnormal ones that have been compromised by user-space malware and/or by an operating system compromised by a rootkit.

Next, a lightweight technique has been proposed for the detection and classification of user-space malware using system call traces. This approach has been shown to rely on only a minimal set of malware signatures to detect malware effectively. The proposed approach achieves performance comparable to the state-of-the-art technique reported in the literature, with a detection rate of 93.4% and a classification rate of 83%. However, unlike the existing approaches, the proposed method is capable of real-time classification at runtime without compromising the detection and classification rates, by observing only the Hardware Performance Counters (HPC) to extract system-call-trace-specific information.

Subsequently, low-level, architecture-specific features derived from HPCs have been proposed to detect anomalies in the kernel space (operating system) caused by a rootkit. A model that relies on the combined analysis of benign system calls and tainted system calls compromised by a rootkit is introduced to detect such anomalies. Unlike existing methods that incur high monitoring overheads, the proposed technique employs a lightweight method that yields a comparable level of accuracy in detecting rootkits. Experimental results confirm that the proposed approach can achieve a classification accuracy of up to 96% while requiring significantly fewer resources to store the models. Another metric called _ is also proposed to distinguish benign programs from those infected with malware, facilitating the early detection of anomalous operations at runtime. The proposed method relies on statistical hypothesis testing based on runtime measures obtained using HPCs. Performance evaluations confirm that HPC-based observation of operating system indicators makes _ an effective metric for differentiating benign and malicious applications. The detection accuracy is as high as 90%, with a false positive rate of 1.52% and a false negative rate close to 0%. This compares very favourably with the state-of-the-art method reported in the literature.

The proposed techniques have been integrated into a framework that provides a hierarchical method for the simultaneous detection of malware and rootkits at runtime. Moreover, the proposed techniques can be incorporated into any embedded computing system without any modifications to the application or the operating system. This multi-metric approach has resulted in an effective yet lightweight approach to realizing a robust intrusion detection system. It has been shown that the framework is capable of detecting a wide range of anomalous behaviour in real time, i.e. worms, Trojans, viruses and rootkits, without the need to instrument the application or the operating system. It is noteworthy that the proposed techniques have also been integrated to incorporate fault tolerance without compromising overall accuracy and performance. Moreover, the framework is also capable of separating abnormal operations due to system faults and potential zero-days. Finally, the proposed framework is well suited for incorporation into embedded computing systems with limited computing resources, providing a first line of defence for the early detection of malware, rootkits, system faults and potential zero-days at runtime.
Citation: Muhamed Fauzi Abbas (2019). Hierarchical framework for early intrusion detection in embedded computing systems. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/136535
DOI: 10.32657/10356/136535
School: School of Computer Science and Engineering
Date deposited: 2019-12-26