TWC: Small: Time-Centric Modeling of Correct Behaviors for Efficient Non-intrusive Runtime Detection of Unauthorized System Actions

TWC：小型：以时间为中心的正确行为建模，用于对未经授权的系统操作进行有效的非侵入式运行时检测

• 批准号: 1615890
• 负责人: Jerzy Rozenblit
• 金额: $ 45.34万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1615890&HistoricalAwards=false
• 关键词: TWC; Small; Time; Centric; Modeling

Embedded computing systems are found at the heart of medical devices, automotive systems, smartphone, etc. Securing these embedded systems is a significant challenge that requires new methods that address the power, time, and cost requirements under which these systems operate. Because embedded systems must meet precise time requirements, detecting changes in timing can indicate the presence of malware. This research investigates new models for capturing the expected behavior of embedded systems, in which time requirements play a pivotal role. The project is developing fast, low power, and low cost methods to detect changes from the expected behavior. The resulting knowledge and tools will provide developers with techniques to eliminate, detect, or mitigate malware and cyber-threats in embedded systems. This research will further enable the development of embedded systems with stronger security guarantees compared to the existing state-of-the-art.This project is investigating formal timing-centric nominal system behavior models that capture the correct system execution behavior, thereby enabling efficient runtime detection of unauthorized system actions. The formal models combine well-founded techniques relying on execution call graphs, sequence models, system timing requirements, and statistical analysis of execution times. The researchers are developing secure, non-intrusive, and efficient hardware-based identification methods to detect deviations from the timing and sequence characteristics defined within the nominal system behavior models. To ensure efficiency, the researchers are investigating performance models and systematic methods to evaluate and optimize the tradeoffs between security achieved by these methods and the area and energy overheads of the monitoring hardware. The project team is also investigating novel methods for analyzing the timing of networked embedded systems to separate the intrinsic software execution time from the incidental execution time resulting from the underlying hardware architecture, operating system, and physical environment. The resulting methods will substantially advance the state-of-the-art by: a) enabling fast, accurate, and non-intrusive detection, b) providing robust new ways of detecting unauthorized operations, and c) extending anomaly-based detection capabilities to zero-day exploits.

嵌入式计算系统位于医疗设备，汽车系统，智能手机等的核心。保护这些嵌入式系统是一个重大挑战，需要解决这些系统运行的功率，时间和成本要求的新方法。由于嵌入式系统必须满足精确的时间要求，因此检测时序变化可以表明恶意软件的存在。这项研究研究了捕获嵌入式系统的预期行为的新模型，在这种情况下，时间要求起着关键作用。该项目正在开发快速，低功率和低成本方法，以检测预期行为的变化。最终的知识和工具将为开发人员提供嵌入式系统中消除，检测或减轻恶意软件和网络威胁的技术。这项研究将进一步使与现有最新的嵌入式系统具有更强的安全保证的开发。该项目正在研究以正式的定时标称系统行为模型来捕获正确的系统执行行为，从而实现了未经授权的系统操作的有效运行时检测。正式模型结合了依靠执行呼叫图，序列模型，系统定时要求和执行时间统计分析的良好基础技术。研究人员正在开发安全，非侵入和高效的基于硬件的识别方法，以检测偏离名义系统行为模型中定义的时间和序列特征的偏差。为了确保效率，研究人员正在研究绩效模型和系统的方法，以评估和优化这些方法实现的安全性与监视硬件的区域和能源开销之间的权衡。该项目团队还正在研究分析网络嵌入式系统的时间安排的新方法，以将固有的软件执行时间与基础硬件架构，操作系统和物理环境产生的偶然执行时间分开。最终的方法将通过以下方式实质上推动了最新的方法：a）启用快速，准确且非侵入性检测，b）提供强大的检测未经授权操作的新方法，c）将基于异常的检测功能扩展到零日的利用。