EDDIE: EM-Based Detection of Deviations in Program Execution
Published at ISCA 2017
Alireza Nazari, Nader Sehatbakhsh, Monjur Alam, Alenka Zajic, Milos Prvulovic
EECS 573
Presented by Janarthanan and Vivek
Goal
● Detect malicious changes to software
Detectors
● Static detectors
  ○ Anti-virus
  ○ Mutation or encryption of the malicious code could counter them
● Dynamic detectors
  ○ Known types
  ○ Unknown types
    ■ Model based
Model-based dynamic detectors
● Software is too complex to model in full
● Model some aspects of execution instead
● The information about these aspects is only available within the monitored system
Issues with in-system monitoring
● Requires dedicated software or hardware in the monitored system
● Performance and resource overhead
● The monitoring itself could be attacked
Need a dynamic detector without the above issues!
Enter EDDIE!
Electromagnetic signal based detector
Electromagnetic (EM) signals
● Electronic circuits generate EM emanations due to changes in current flow
● Current flows vary with program activity
● EM signals therefore contain information about program activity
● As Prof. Austin just mentioned, it has so much information!
EDDIE: Representing EM
● Continuous signal → overlapping windows
  ○ Using the Short Term Fourier Transform (STFT)
● Window → frequency spectrum
  ○ Short Term Spectrum (STS)
Source: Nazari et al., 2017
Why frequency spectrum?
● Frequency vs time domain
  ○ As discussed in the previous presentation
● STS has few prominent features (peaks)
● STS is robust to noise
● Leads to higher efficiency and accuracy
EDDIE
● Use the observed STS as a surrogate for program behavior
● Training
  ○ Characterize normal execution behavior using peaks in the STS
● Monitoring
  ○ Test whether the observed STS statistically deviates from the expected STS
EDDIE (overview figure)
EDDIE: Advantages
● No overhead
● No additional hardware/software support in the monitored system
● No extra resources on the monitored system
● Well suited for embedded and IoT devices
EDDIE: Training
● Find the possible sequences in which loop and inter-loop regions may execute
  ○ Build a region-level state machine
● Collect enough sample windows for each region
  ○ Multiple runs to improve coverage
● Convert each window into a spectrum using the STFT and identify its peaks
● Determine the number of samples to be used jointly during monitoring for the desired accuracy
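The two slides on representing EM (STFT windows → STS → peaks) and the training step above can be carried through in code. The block below is an added example written for these notes, not code from the EDDIE paper or its authors: it slides a window over a sampled trace, computes the magnitude spectrum of each window with a plain DFT (no numpy required), picks peak bins, and records each peak's amplitude across windows as the reference profile for one region. The input trace, the Hann window, the 64-sample window with a 32-sample hop, and the 20%-of-maximum peak rule are all assumptions made for the example; the paper's window sizes and peak criteria are not reproduced here.

```python
import math
import random


def hann(n):
    """Periodic Hann window (our choice for the example; bin-centred tones stay leakage-free under it)."""
    return [0.5 - 0.5 * math.cos(2 * math.pi * t / n) for t in range(n)]


def magnitude_spectrum(frame):
    """Magnitude of the DFT of one window, bins 0..n/2; naive O(n^2) DFT so the example needs no numpy."""
    n = len(frame)
    spectrum = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(frame))
        im = -sum(x * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(frame))
        spectrum.append(math.hypot(re, im))
    return spectrum


def short_term_spectra(signal, window_len, hop):
    """STFT: slide a window over the signal (hop < window_len gives overlap) and return one STS per window."""
    w = hann(window_len)
    spectra = []
    for start in range(0, len(signal) - window_len + 1, hop):
        frame = [w[t] * signal[start + t] for t in range(window_len)]
        spectra.append(magnitude_spectrum(frame))
    return spectra


def find_peaks(spectrum, rel_threshold=0.2):
    """Peak bins: local maxima that reach at least rel_threshold of the strongest bin (assumed rule)."""
    floor = rel_threshold * max(spectrum)
    return [k for k in range(1, len(spectrum) - 1)
            if spectrum[k] > spectrum[k - 1] and spectrum[k] >= spectrum[k + 1] and spectrum[k] >= floor]


def build_reference_profile(signal, window_len, hop):
    """Training step: keep the peaks that appear in at least half of the windows of a region and
    record each kept peak's amplitude in every window (these per-peak samples feed the K-S test later)."""
    spectra = short_term_spectra(signal, window_len, hop)
    counts = {}
    for sts in spectra:
        for k in find_peaks(sts):
            counts[k] = counts.get(k, 0) + 1
    peak_bins = sorted(k for k, c in counts.items() if c * 2 >= len(spectra))
    profile = {k: [sts[k] for sts in spectra] for k in peak_bins}
    return peak_bins, profile


def constructed_loop_signal(length=256, seed=7):
    """Constructed stand-in for a sampled EM trace of one loop region (not measured data):
    two tones that land on bins 5 and 12 of a 64-sample window, plus a little deterministic noise."""
    rng = random.Random(seed)
    return [math.sin(2 * math.pi * 5 * t / 64) + 0.5 * math.sin(2 * math.pi * 12 * t / 64)
            + rng.uniform(-0.05, 0.05) for t in range(length)]


if __name__ == "__main__":
    bins, profile = build_reference_profile(constructed_loop_signal(), window_len=64, hop=32)
    print("reference peaks (bins):", bins)
    for k in bins:
        amps = profile[k]
        print(f"bin {k}: {len(amps)} amplitude samples, mean {sum(amps) / len(amps):.2f}")
```

On the constructed trace the profile ends up with two peaks (bins 5 and 12) and seven amplitude samples per peak, one per overlapping window; with a real trace the "collect enough sample windows" step above means running the region many times so that m, the number of reference samples per peak, is large enough for the statistical test.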
EDDIE: Statistical test
● Exact matching will not work
  ○ Need statistical tests
● Compute the probability that the program region's reference distribution is the same as the one observed during monitoring
● Parametric tests
  ○ Not suitable here
● Non-parametric tests
  ○ K-S (Kolmogorov-Smirnov) test
EDDIE: Statistical test; K-S test
● Reference data
  ○ m elements, empirical distribution R(x)
● Observed data during monitoring
  ○ n elements, empirical distribution M(x)
● K-S test
  ○ D_{m,n} = max_x |R(x) − M(x)|, the largest difference between the two empirical distributions
  ○ Anomaly if D_{m,n} > D_{m,n,a}, where D_{m,n,a} = c(a) · sqrt((m + n) / (m · n))
EDDIE: Accuracy vs Latency Trade-off
● n = number of monitoring-observed STSs fed to the K-S test
● Lower value of n
  ○ Uses only recent STSs: low accuracy, low latency
● Higher value of n
  ○ Longer history of STSs: high accuracy, high latency
EDDIE: Monitoring Algorithm
● An STS is observed during monitoring
● Compared with the reference STS
  ○ Using the K-S test, one peak at a time
● If the number of anomalies > threshold, report
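The K-S test slide and the monitoring algorithm above fit in a few dozen lines. The block below is an added example for these notes, not code from the EDDIE paper: it computes D_{m,n} from two empirical distributions, the critical value D_{m,n,a} = c(a) · sqrt((m + n) / (m · n)), and then makes one monitoring decision by testing each peak's amplitude samples and comparing the anomaly count against a threshold. Assumptions: c(a) is taken from the standard asymptotic Kolmogorov approximation sqrt(−ln(a/2) / 2) (which gives the usual c(0.05) ≈ 1.36 and c(0.01) ≈ 1.63), the peak amplitude samples are constructed ramps rather than measured data, and the peak names are placeholders.

```python
import math


def ecdf(sample, x):
    """Empirical CDF of a sample evaluated at x."""
    return sum(1 for v in sample if v <= x) / len(sample)


def ks_statistic(reference, observed):
    """D_{m,n} = max_x |R(x) - M(x)|, checked at every jump point of either empirical distribution."""
    points = sorted(set(reference) | set(observed))
    return max(abs(ecdf(reference, x) - ecdf(observed, x)) for x in points)


def ks_critical(m, n, alpha):
    """D_{m,n,a} = c(a) * sqrt((m+n)/(m*n)). c(a) is the asymptotic Kolmogorov value
    sqrt(-ln(a/2)/2) (assumed here; c(0.05) ~ 1.36, c(0.01) ~ 1.63)."""
    c = math.sqrt(-0.5 * math.log(alpha / 2))
    return c * math.sqrt((m + n) / (m * n))


def peak_is_anomalous(reference, observed, alpha=0.05):
    """Per-peak test: anomaly when the observed D exceeds the critical value at confidence 1 - alpha."""
    d = ks_statistic(reference, observed)
    return d > ks_critical(len(reference), len(observed), alpha), d


def monitor(reference_profile, observed_profile, alpha=0.05, anomaly_threshold=0):
    """One monitoring decision: K-S test peak by peak, report when anomalies > anomaly_threshold.
    len(observed_profile[peak]) is n, the accuracy-vs-latency knob from the previous slide."""
    anomalies = [peak for peak in reference_profile
                 if peak_is_anomalous(reference_profile[peak], observed_profile[peak], alpha)[0]]
    return len(anomalies) > anomaly_threshold, anomalies


def ramp(start, step, count):
    """Evenly spaced stand-in for a set of peak amplitude samples."""
    return [start + step * i for i in range(count)]


# Constructed peak-amplitude samples (not measured data): m = 40 reference STSs per peak,
# n = 20 monitored STSs per peak. Peak names are placeholders.
REFERENCE = {"bin5": ramp(10.0, 0.1, 40), "bin12": ramp(4.0, 0.1, 40), "bin20": ramp(2.0, 0.1, 40)}
OBSERVED_NORMAL = {"bin5": ramp(10.05, 0.2, 20), "bin12": ramp(4.05, 0.2, 20), "bin20": ramp(2.05, 0.2, 20)}
# A deviation that shifts the bin-12 amplitudes while the other two peaks look as they did in training.
OBSERVED_INJECTED = dict(OBSERVED_NORMAL, bin12=ramp(6.05, 0.2, 20))

if __name__ == "__main__":
    print("critical D for m=40, n=20, a=0.05:", round(ks_critical(40, 20, 0.05), 3))
    for label, observed in (("normal", OBSERVED_NORMAL), ("injected", OBSERVED_INJECTED)):
        for peak in REFERENCE:
            flag, d = peak_is_anomalous(REFERENCE[peak], observed[peak])
            print(f"{label:8s} {peak}: D = {d:.3f} anomaly = {flag}")
        print(label, "->", monitor(REFERENCE, observed))
```

With m = 40 and n = 20 the critical value at a = 0.05 is about 0.372, so the unchanged peaks (D ≈ 0.025) pass and the shifted peak (D ≈ 0.525) is flagged; whether the region is reported then depends only on anomaly_threshold, which is the knob the monitoring slide refers to.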
EDDIE: Experimental Setup
● Real IoT prototype system
  ○ Single-board Linux computer
  ○ Signal recorded using a Keysight DSOS804A oscilloscope
● SESC cycle-accurate simulator
  ○ EDDIE applied to the power consumption signal of SESC
  ○ To test EDDIE's applicability to a wide range of systems
EDDIE: Results on real IoT device
● Injections
  ○ Outside loop: invoking a shell and returning back
  ○ Inside loop: 8-instruction code
● Results
  ○ Avg. false positives < 1%
  ○ Avg. accuracy 95%
Source: Nazari et al., 2017
EDDIE: Results on SESC simulator
● Injections
  ○ Dynamic instructions injected into the simulated instruction stream
● Results
  ○ Avg. false rejection 0.7%
  ○ Accuracy and latency affected more by the application than by noise
Source: Nazari et al., 2017
EDDIE: Sensitivity to Processor Architecture
● In-order vs out-of-order processor
  ○ Similar false rejection and accuracy
  ○ Higher latency for out-of-order
  ○ Processor pipeline depth has a weak impact on detection latency
Source: Nazari et al., 2017
EDDIE: Effect of execution rate of injected code (figure)
Source: Nazari et al., 2017
EDDIE: Size of injection
Static instructions injected inside a loop (figure panels):
● Loop with one sharp peak
● Loop with a less well defined peak
● Loop with a diffuse peak
Source: Nazari et al., 2017
EDDIE: Size of injection
● Instructions injected outside the loops
  ○ Shorter injected code: increased latency
  ○ Longer injected code: reduced latency
Source: Nazari et al., 2017
EDDIE: Effect of changing confidence level
● Determines the trade-off between false rejections and false acceptances
Source: Nazari et al., 2017
EDDIE: Effect of changing instruction
● Injections
  ○ Set 1:
    ■ 8 add instructions
  ○ Set 2:
    ■ 4 add and 4 store instructions
Source: Nazari et al., 2017
Conclusion
● Introduces EDDIE, an EM-based approach for detecting deviations in program execution
● No overhead
  ○ Does not require hardware or software modification
● EDDIE detects anomalies by performing statistical tests between reference and observed EM spectra
● Achieves high accuracy with low latency
Discussion
● How applicable is EDDIE in the real world?
● Is it valid to assume that two different executions will produce different EM spectra?
● Alternatives to the EM spectrum and the K-S test
  ○ Learning directly from the EM time-series signals
  ○ Using machine learning techniques to detect anomalies