Kose Nuri Alperen, Jinad Razaq, Rasheed Amar, Shashidhar Narasimha, Baza Mohamed, Alshahrani Hani
Department of Computer Science, Sam Houston State University, Huntsville, TX 77340, USA.
Department of Computer Science, College of Charleston, Charleston, SC 29424, USA.
Sensors (Basel). 2024 Feb 2;24(3):983. doi: 10.3390/s24030983.
Embedded system technologies are increasingly being incorporated into manufacturing, smart grid, industrial control systems, and transportation systems. However, the vast majority of today's embedded platforms lack built-in security features, which makes such systems highly vulnerable to a wide range of cyber-attacks. Specifically, they are vulnerable to malware injection code that targets the power distribution system of an ARM Cortex-M-based microcontroller chipset (ARM, Cambridge, UK). Through hardware exploitation of the clock-gating distribution system, an attacker is capable of disabling/activating various subsystems on the chip, compromising the reliability of the system during normal operation. This paper proposes the development of an Intrusion Detection System (IDS) capable of detecting clock-gating malware deployed on ARM Cortex-M-based embedded systems. To enhance the robustness and effectiveness of our approach, we fully implemented, tested, and compared six IDSs, each employing a different methodology. These include IDSs based on K-Nearest Classifier, Random Forest, Logistic Regression, Decision Tree, Naive Bayes, and Stochastic Gradient Descent. Each of these IDSs was designed to identify and categorize various variants of clock-gating malware deployed on the system. We have analyzed the performance of these IDSs in terms of detection accuracy against various types of clock-gating malware injection code. Power consumption data collected from the chipset during normal operation and during malware code injection attacks were used for model training and validation. Our simulation results showed that the proposed IDSs, particularly those based on K-Nearest Classifier and Logistic Regression, were capable of achieving high detection rates, with some reaching a detection rate of 0.99. These results underscore the effectiveness of our IDSs in protecting ARM Cortex-M-based embedded systems against clock-gating malware.
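The detection idea summarized above, shown as an added example that is not the paper's code: a nearest-neighbour classifier over windows of supply-current samples. The three state names, the current levels, the noise figure and the window features are constructed assumptions, since the abstract does not give the paper's feature set or dataset.

```python
import math
import random
import statistics
from collections import Counter

# Constructed mean supply currents (mA) for three hypothetical chip states.
STATE_MEAN_MA = {"normal": 42.0, "clocks_gated_off": 35.0, "clocks_forced_on": 49.0}
NOISE_MA = 0.5   # assumed measurement noise (standard deviation, mA)
WINDOW = 32      # current samples per classified window

def synth_window(state, rng):
    """Generate one constructed window of current samples for a state."""
    return [rng.gauss(STATE_MEAN_MA[state], NOISE_MA) for _ in range(WINDOW)]

def features(window):
    """Reduce a raw sample window to (mean, standard deviation)."""
    return (statistics.fmean(window), statistics.stdev(window))

def knn_predict(train, sample, k=3):
    """Majority vote among the k training points nearest to the sample."""
    nearest = sorted(train, key=lambda item: math.dist(item[0], sample))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def build_dataset(per_class, seed):
    """Build labelled (features, state) pairs from constructed windows."""
    rng = random.Random(seed)
    return [(features(synth_window(state, rng)), state)
            for state in STATE_MEAN_MA for _ in range(per_class)]

def evaluate(train, test, k=3):
    """Fraction of held-out windows whose state is predicted correctly."""
    hits = sum(knn_predict(train, feats, k) == label for feats, label in test)
    return hits / len(test)

TRAIN = build_dataset(per_class=40, seed=1)  # training windows
TEST = build_dataset(per_class=20, seed=2)   # held-out windows

if __name__ == "__main__":
    print("held-out accuracy:", evaluate(TRAIN, TEST))
```

On real hardware the classes overlap far more than in this constructed data, so feature scaling and the choice of k would need validation against measured traces.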