Skip to feedback

Award Abstract # 1615890
TWC: Small: Time-Centric Modeling of Correct Behaviors for Efficient Non-intrusive Runtime Detection of Unauthorized System Actions

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: UNIVERSITY OF ARIZONA
Initial Amendment Date: August 23, 2016
Latest Amendment Date: September 29, 2021
Award Number: 1615890
Award Instrument: Standard Grant
Program Manager: Daniela Oliveira
doliveir@nsf.gov  (703)292-0000
CNS  Division Of Computer and Network Systems
CSE  Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2016
End Date: September 30, 2022 (Estimated)
Total Intended Award Amount: $453,413.00
Total Awarded Amount to Date: $453,413.00
Funds Obligated to Date: FY 2016 = $453,413.00
History of Investigator:
  • Jerzy Rozenblit (Principal Investigator)
     jerzyr@arizona.edu
  • Roman Lysecky (Co-Principal Investigator)
  • Roman Lysecky (Former Principal Investigator)
  • Jerzy Rozenblit (Former Co-Principal Investigator)
Recipient Sponsored Research Office: University of Arizona
 845 N PARK AVE RM 538
 TUCSON
 AZ  US  85721
(520)626-6000
Sponsor Congressional District: 07
Primary Place of Performance: University of Arizona
 AZ  US  85721-0001
Primary Place of Performance
Congressional District:		 07
Unique Entity Identifier (UEI): ED44Y3W6P7B9
Parent UEI:
NSF Program(s): Secure &Trustworthy Cyberspace
Primary Program Source: 01001617DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7923, 9178, 9251
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Embedded computing systems are found at the heart of medical devices, automotive systems, smartphone, etc. Securing these embedded systems is a significant challenge that requires new methods that address the power, time, and cost requirements under which these systems operate. Because embedded systems must meet precise time requirements, detecting changes in timing can indicate the presence of malware. This research investigates new models for capturing the expected behavior of embedded systems, in which time requirements play a pivotal role. The project is developing fast, low power, and low cost methods to detect changes from the expected behavior. The resulting knowledge and tools will provide developers with techniques to eliminate, detect, or mitigate malware and cyber-threats in embedded systems. This research will further enable the development of embedded systems with stronger security guarantees compared to the existing state-of-the-art.

This project is investigating formal timing-centric nominal system behavior models that capture the correct system execution behavior, thereby enabling efficient runtime detection of unauthorized system actions. The formal models combine well-founded techniques relying on execution call graphs, sequence models, system timing requirements, and statistical analysis of execution times. The researchers are developing secure, non-intrusive, and efficient hardware-based identification methods to detect deviations from the timing and sequence characteristics defined within the nominal system behavior models. To ensure efficiency, the researchers are investigating performance models and systematic methods to evaluate and optimize the tradeoffs between security achieved by these methods and the area and energy overheads of the monitoring hardware. The project team is also investigating novel methods for analyzing the timing of networked embedded systems to separate the intrinsic software execution time from the incidental execution time resulting from the underlying hardware architecture, operating system, and physical environment. The resulting methods will substantially advance the state-of-the-art by: a) enabling fast, accurate, and non-intrusive detection, b) providing robust new ways of detecting unauthorized operations, and c) extending anomaly-based detection capabilities to zero-day exploits.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Note:  When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

(Showing: 1 - 10 of 24)
1.A. Rao, N. Carreón, R. Lysecky, J. Rozenblit, J. Sametinger. "Resilient Security of Medical Cyber-physical Systems." International Workshop on Cyber-Security and Functional Safety in Cyber-Physical Systems (IWCPS). , 2019
Aakarsh. Rao, Nadir A. Carreón, Roman Lyseckyand Jerzy Rozenblit "FIRE: A Finely Integrated Risk Evaluation Methodology for LifeCritical Embedded Systems" Journal , v.13 , 2022 , p.2 https://doi.org/10.3390/info13100487
Aakarsh Rao, Nadir Carreon Rascon, Roman Lysecky, Jerzy Rozenblit "Probabilistic Security Threat Detection for Risk Management in Cyber-physical Medical Systems" IEEE Software , v.35 , 2018
Aakarsh Rao, Nadir Carreon Rascon, Roman Lysecky, Jerzy Rozenblit "Probabilistic Security Threat Detection for Risk Management in Cyber-physical Medical Systems." IEEE Software , v.35 , 2018
Aakarsh Rao, Nadir Carreon Rascon, Roman Lysecky, Jerzy Rozenblit "Probabilistic Security Threat Detection for Risk Management in Cyber-physical Medical Systems.." IEEE Software. 35 (1), , v.35 , 2018
Ana S. Carreon-Rascon and Jerzy W. Rozenblit "Towards requirements for self-healing as a means of mitigating cyber-intrusions in medical devices" 2022 IEEE International Conference on Systems, Man and Cybernetics (SMC) , 2022 , p.1500 10.1109/SMC53654.2022.9945507
A. Rao, J. Rozenblit, R. Lysecky, J. Sametinger "Trustworthy multi-modal framework for life-critical systems security" Annual Simulation Symposium (ANSS '18). Society for Computer Simulation International , 2018
A. Rao, J. Rozenblit, R. Lysecky, J. Sametinger "Trustworthy multi-modal framework for life-critical systems security." Annual Simulation Symposium (ANSS '18). Society for Computer Simulation International. , 2018
A. Rao, J. Rozenblit, R. Lysecky, J. Sametinger. "Trustworthy multi-modal framework for life-critical systems security" Annual Simulation Symposium (ANSS '18). Society for Computer Simulation International. , 2018 , p.Article 1
A. Rao, N. Carreón, R. Lysecky, J. Rozenblit, J. Sametinger. "Resilient Security of Medical Cyber-physical Systems" International Workshop on Cyber-Security and Functional Safety in Cyber-Physical Systems (IWCPS) , 2019
C. Bresch, D. Hely, R. Lysecky "BackFlow: Backward Edge Control Flow Enforcement for Low End ARM Microcontrollers" Design Automated and Test in Europe Conference (DATE) , 2020
(Showing: 1 - 10 of 24)

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Embedded computing systems are found at the heart of medical devices, automotive systems, smartphone, etc. These systems are now commonly part of the Internet of Things, which opens new attack surfaces for bad actors. Every year, millions of new malware are created targeting these systems, and the rate at which they are created is increasing. Securing such systems is a significant challenge that requires new methods that address the power, time, and cost requirements under which these systems operate. This project investigated defining and utilizing formal system behavior models with novel statistical and probabilistic anomaly detection algorithms to rapidly detect attacks, intrusions, and malware. Because embedded systems must meet precise time requirements, detecting changes in timing can indicate the presence of malware. Leveraging this insight, the researchers developed new methods for fast, low power, and low cost anomaly-based detection of changes from the expected behavior indicating the presence of cyber threats. Intrusions, malware, and attacks can be detected at runtime by noticing execution behaviors that deviate from the expected normal timing. Importantly, anomaly-based detection provides protection against zero-day attacks (e.g., attacks that are yet unknown). To ensure efficient operation, the timing-based anomaly detection was implemented in hardware, yielding no performance overhead and as little as 1.85% power overhead. The accuracy of the timing-based anomaly detection was evaluated using two prototype systems, including a smart-connected pacemaker and an unmanned aerial vehicle. The resulting knowledge and tools provide designers and developers with techniques to eliminate, detect, or mitigate malware and cyber threats in a broad range of embedded systems.

 


Last Modified: 01/23/2023
Modified by: Jerzy W Rozenblit

Please report errors in award information by writing to: awardsearch@nsf.gov.

Print this page

Back to Top of page

Top