SaTC: TTP: Small: TRACE: Tracking Run-time Anomalies in Code Execution

SaTC：TTP：小：TRACE：跟踪代码执行中的运行时异常

• 批准号: 2039615
• 负责人: Farshad Khorrami
• 金额: $ 49.97万
• 依托单位: New York University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-15 至 2024-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2039615&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; TRACE; Tracking

Connectivity of embedded computing devices in cyber-physical systems (CPS) makes robust cybersecurity crucial. While computer/network security approaches apply to CPS, leveraging the unique temporal behavior and code structure characteristics of CPS devices enables robust and complementary cybersecurity solutions. This project builds one such near-zero-cost solution, developed in part during the DARPA Rapid Attack Detection, Isolation and Characterization Systems (RADICS) project, that uses digital side channels to detect and characterize malware on embedded devices in CPS. This Transition To Practice project transitions this solution to a commercialization stage per the program’s aim to "support the development, implementation, and deployment of later-stage and applied security or privacy research into an operational environment in order to bridge the gap between research and production." "Tracking Run-time Anomalies in Code Execution" (TRACE) system is of interest to power utilities, power grid equipment vendors, embedded system designers, and US government agencies.For on-demand and continuous run-time integrity verification of fielded devices and detection of firmware/software anomalies, TRACE deploys lightweight measurer components to target devices to collect multi-modal on-device, time-series measurements (e.g., Hardware Performance Counters, stack traces, memory maps and memory-based measurements, kernel measurements). TRACE processes these measurements using an off-device machine learning based analysis component for threat detection (baseline-relative and baseline-independent). The multi-modal anomaly detection in TRACE uses low-dimensional feature extraction, deep learning, dynamic event sequence analysis, and probabilistic modeling and estimation algorithms. TRACE can detect malicious modifications to software/firmware as well as operating system rootkits. Efficacy of TRACE anomaly detection is being demonstrated on a variety of computation load profiles and devices with a focus on power grid devices in a typical substation.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络物理系统（CPS）中嵌入式计算设备的连接性使得强大的网络安全至关重要。虽然计算机/网络安全方法适用于CPS，但利用CPS设备的独特时间行为和代码结构特征，可以实现强大且互补的网络安全解决方案。该项目构建了一个这样的接近零成本的解决方案，部分在DARPA快速攻击检测，隔离和表征系统（RADICS）项目期间开发，该项目使用数字侧通道来检测和表征CPS中嵌入式设备上的恶意软件。 该过渡到实践项目根据该计划的目标将该解决方案过渡到商业化阶段，以“支持后期和应用安全或隐私研究的开发、实施和部署，以弥合研究和生产之间的差距。“Tracking Run-time Anomalies in Code Execution”（TRACE）系统是电力公司、电网设备供应商、嵌入式系统设计者和美国政府机构感兴趣的。为了现场设备的按需和连续运行时完整性验证以及固件/软件异常的检测，TRACE将轻量级测量器组件部署到目标设备以收集多模态设备上的时间序列测量（例如，硬件性能计数器、堆栈跟踪、内存映射和基于内存的测量、内核测量）。TRACE使用基于离线机器学习的分析组件来处理这些测量结果，以进行威胁检测（基线相关和基线无关）。TRACE中的多模态异常检测使用低维特征提取、深度学习、动态事件序列分析以及概率建模和估计算法。TRACE可以检测对软件/固件以及操作系统rootkit的恶意修改。TRACE异常检测的有效性正在各种计算负载配置文件和设备上得到验证，重点是典型变电站中的电网设备。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。