TWC: Small: Time-Centric Modeling of Correct Behaviors for Efficient Non-intrusive Runtime Detection of Unauthorized System Actions

TWC：小型：以时间为中心的正确行为建模，用于对未经授权的系统操作进行有效的非侵入式运行时检测

• 批准号: 1615890
• 负责人: Jerzy Rozenblit
• 金额: $ 45.34万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1615890&HistoricalAwards=false
• 关键词: TWC; Small; Time; Centric; Modeling

Embedded computing systems are found at the heart of medical devices, automotive systems, smartphone, etc. Securing these embedded systems is a significant challenge that requires new methods that address the power, time, and cost requirements under which these systems operate. Because embedded systems must meet precise time requirements, detecting changes in timing can indicate the presence of malware. This research investigates new models for capturing the expected behavior of embedded systems, in which time requirements play a pivotal role. The project is developing fast, low power, and low cost methods to detect changes from the expected behavior. The resulting knowledge and tools will provide developers with techniques to eliminate, detect, or mitigate malware and cyber-threats in embedded systems. This research will further enable the development of embedded systems with stronger security guarantees compared to the existing state-of-the-art.This project is investigating formal timing-centric nominal system behavior models that capture the correct system execution behavior, thereby enabling efficient runtime detection of unauthorized system actions. The formal models combine well-founded techniques relying on execution call graphs, sequence models, system timing requirements, and statistical analysis of execution times. The researchers are developing secure, non-intrusive, and efficient hardware-based identification methods to detect deviations from the timing and sequence characteristics defined within the nominal system behavior models. To ensure efficiency, the researchers are investigating performance models and systematic methods to evaluate and optimize the tradeoffs between security achieved by these methods and the area and energy overheads of the monitoring hardware. The project team is also investigating novel methods for analyzing the timing of networked embedded systems to separate the intrinsic software execution time from the incidental execution time resulting from the underlying hardware architecture, operating system, and physical environment. The resulting methods will substantially advance the state-of-the-art by: a) enabling fast, accurate, and non-intrusive detection, b) providing robust new ways of detecting unauthorized operations, and c) extending anomaly-based detection capabilities to zero-day exploits.

嵌入式计算系统是医疗设备、汽车系统、智能手机等的核心。保护这些嵌入式系统是一项重大挑战，需要新的方法来解决这些系统运行时的功耗、时间和成本要求。由于嵌入式系统必须满足精确的时间要求，因此检测到时间的变化可以指示恶意软件的存在。本研究探讨了捕获嵌入式系统预期行为的新模型，其中时间需求起着关键作用。该项目正在开发快速、低功耗和低成本的方法来检测预期行为的变化。由此产生的知识和工具将为开发人员提供消除、检测或减轻嵌入式系统中的恶意软件和网络威胁的技术。这项研究将进一步促进嵌入式系统的发展，与现有的最先进的技术相比，具有更强的安全保障。该项目正在研究正式的以时间为中心的名义系统行为模型，该模型捕获正确的系统执行行为，从而实现对未经授权的系统操作的有效运行时检测。正式模型结合了基于执行调用图、序列模型、系统时序需求和执行时间统计分析的基础良好的技术。研究人员正在开发安全、非侵入性和高效的基于硬件的识别方法，以检测标称系统行为模型中定义的时序和序列特征的偏差。为了确保效率，研究人员正在研究性能模型和系统方法，以评估和优化这些方法所实现的安全性与监控硬件的面积和能源开销之间的权衡。项目团队还在研究分析网络嵌入式系统时序的新方法，以便将固有的软件执行时间与由底层硬件体系结构、操作系统和物理环境导致的附带执行时间分开。由此产生的方法将通过以下方式极大地推进最先进的技术：a)实现快速、准确和非侵入式检测；b)提供检测未经授权操作的强大新方法；c)扩展基于异常的检测能力，以实现零日攻击。