EDDIE: EM-Based Detection of Deviations in Program Execution - - PowerPoint PPT Presentation

SLIDE 1

EDDIE: EM-Based Detection of Deviations in Program Execution

Published at ISCA 2017

Alireza Nazari, Nader Sehatbakhsh, Monjur Alam, Alenka Zajic, Milos Prvulovic

EECS 573

Presented by Janarthanan and Vivek

SLIDE 2

Goal

Detect malicious changes to software

SLIDE 3

Detectors

  • Static detectors

○ Anti-virus (signature matching)
○ Mutation or encryption of the malicious code can defeat them

  • Dynamic detectors

○ Known types of malicious behavior
○ Unknown types
  ■ Model based

SLIDE 4

Model based dynamic detectors

  • Software is too complex to model completely
  • Model some aspects of execution instead
  • The information about these aspects is only available within the monitored system

SLIDE 5

Issues with in-system monitoring

  • Requires dedicated software or hardware in the monitored system
  • Performance and resource overhead
  • The monitoring itself can be attacked

Need a dynamic detector without the above issues!

SLIDE 6

Enter EDDIE!

Electromagnetic signal based detector

SLIDE 7

Electromagnetic (EM) signals

  • Electronic circuits emit EM signals as their current flow changes
  • Current flow varies with program activity
  • EM signals therefore carry information about program activity
  • As Prof. Austin just mentioned, they carry a lot of information!

SLIDE 8

EDDIE: Representing EM

  • Continuous signal → overlapping windows

○ Using the Short-Time Fourier Transform (STFT)

  • Each window → a frequency spectrum

○ Short-Time Spectrum (STS)

Figure: example STS. Source: Nazari et al., 2017

SLIDE 9
Why frequency spectrum?

  • Frequency vs time domain

○ As discussed in the previous presentation

  • An STS has a few prominent features (peaks)
  • The STS is robust to noise
  • This leads to higher efficiency and accuracy

SLIDE 10

EDDIE

  • Use observed STS as a surrogate for program behavior
  • Training

○ Characterize normal execution behavior using peaks in the STS

  • Monitoring

○ Test whether the observed STS deviates statistically from the expected STS

SLIDE 11

EDDIE

SLIDE 12

EDDIE: Advantages

  • No overhead
  • No additional hardware/software support in the monitored system
  • No extra resources on the monitored system
  • Well suited for embedded and IoT devices

SLIDE 13

EDDIE: Training

  • Find the possible sequences in which loop and inter-loop regions may execute

○ Build a region-level state machine

  • Collect enough sample windows for each region

○ Multiple runs to improve coverage

  • Convert the windows into spectra using the STFT and identify the peaks
  • Determine the number of samples to be used jointly during monitoring for the desired accuracy
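
The representation and training steps above (slides 8, 10 and 13), as an added worked example; this is not the authors' code. It slices a signal into overlapping windows, computes each window's short-time spectrum with a naive DFT, picks the peaks, and records every peak's amplitude across the training windows as the region's reference data. The input signal is constructed, and the sample rate, frame size, hop and tone frequencies are assumptions.

```python
"""Added example (not from the EDDIE paper): build one region's reference peak
distributions from a signal via overlapping windows, STS and peak picking.
Sample rate, frame size, hop and the tone frequencies below are assumptions."""
import cmath
import math
from typing import Dict, List


def hann(n: int) -> List[float]:
    """Hann window, to limit spectral leakage between overlapping frames."""
    return [0.5 - 0.5 * math.cos(2.0 * math.pi * i / n) for i in range(n)]


def short_term_spectrum(frame: List[float]) -> List[float]:
    """Magnitude spectrum of one windowed frame (naive O(N^2) DFT, bins 0..N/2)."""
    n = len(frame)
    w = hann(n)
    x = [frame[i] * w[i] for i in range(n)]
    return [abs(sum(x[i] * cmath.exp(-2j * math.pi * k * i / n) for i in range(n)))
            for k in range(n // 2 + 1)]


def stft(signal: List[float], n: int, hop: int) -> List[List[float]]:
    """Continuous signal -> overlapping frames of n samples (step hop) -> one STS per frame."""
    return [short_term_spectrum(signal[s:s + n]) for s in range(0, len(signal) - n + 1, hop)]


def find_peaks(sts: List[float], rel_floor: float = 0.2) -> List[int]:
    """Bins that are strict local maxima and above rel_floor of the strongest bin."""
    floor = rel_floor * max(sts)
    return [k for k in range(1, len(sts) - 1)
            if sts[k] > floor and sts[k] > sts[k - 1] and sts[k] > sts[k + 1]]


def train_region(signal: List[float], n: int, hop: int, fs: float) -> Dict[float, List[float]]:
    """Training for one loop region: keep only the peaks present in every window and
    record each peak's amplitude in every window as its reference distribution.
    Returns peak frequency in Hz -> list of amplitudes (one per training window)."""
    sts_list = stft(signal, n, hop)
    common = set(find_peaks(sts_list[0]))
    for sts in sts_list[1:]:
        common &= set(find_peaks(sts))
    return {k * fs / n: [sts[k] for sts in sts_list] for k in sorted(common)}


# Constructed input (not a measurement): a loop whose emanation carries tones at
# bins 5 and 12 of a 64-sample frame; with fs = 64 MS/s (assumed) one bin is 1 MHz.
N, HOP, FS = 64, 32, 64e6


def make_signal(length: int) -> List[float]:
    return [math.cos(2 * math.pi * 5 * t / N) + 0.5 * math.cos(2 * math.pi * 12 * t / N)
            for t in range(length)]


if __name__ == "__main__":
    reference = train_region(make_signal(256), N, HOP, FS)
    for freq, amps in reference.items():
        print(f"peak at {freq / 1e6:.0f} MHz: {len(amps)} windows, "
              f"mean amplitude {sum(amps) / len(amps):.2f}")
```

With a 256-sample signal, frame 64 and hop 32 this yields seven overlapping windows; the Hann window spreads each tone only into the two neighbouring bins, so the peak picker returns bins 5 and 12 in every window and the reference holds seven amplitude samples per peak. Real captures would need many more windows and runs, as slide 13 says, and a fast FFT in place of the naive DFT.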

SLIDE 14

EDDIE: Statistical test

  • Exact matching will not work: the signal is noisy

○ Need statistical tests

  • Compute the probability that the program region's reference distribution is the same as the one observed during monitoring

  • Parametric tests

○ Not suitable here: the shape of the peak distributions is not known in advance

  • Non-parametric tests

○ Kolmogorov-Smirnov (K-S) test

SLIDE 15

EDDIE: Statistical test; K-S test

  • Reference data

○ m elements, empirical distribution R(x)

  • Observed data during monitoring

○ n elements, empirical distribution M(x)

  • K-S test

○ $D_{m,n} = \max_x |R(x) - M(x)|$, the largest difference between the two empirical distributions
○ Anomaly if $D_{m,n} > D_{m,n,\alpha}$, where $D_{m,n,\alpha} = c(\alpha)\sqrt{\frac{m+n}{mn}}$ and $c(\alpha)$ depends on the chosen confidence level $\alpha$

SLIDE 16

EDDIE: Accuracy vs Latency Trade-off

  • n is the number of monitoring-observed STSs used jointly in the K-S test
  • Lower value of n

○ Uses only the most recent STSs: lower accuracy, lower detection latency

  • Higher value of n

○ Uses a longer history of STSs: higher accuracy, higher detection latency

SLIDE 17

EDDIE: Monitoring Algorithm

  • An STS is observed during monitoring
  • It is compared with the reference STS of the current region

○ Using the K-S test, one peak at a time

  • If the number of anomalous peaks exceeds the threshold, report an anomaly
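
The K-S test and monitoring loop of slides 15 to 17, together with the n trade-off of slide 16, as an added worked example; this is not the authors' code. It implements the two-sample statistic $D_{m,n}$, the critical value $D_{m,n,\alpha} = c(\alpha)\sqrt{(m+n)/(mn)}$, a per-peak comparison over a sliding window of the last n observed STSs, and an alert once more than `threshold` peaks deviate. The reference amplitudes and the monitored stream are constructed from deterministic normal quantiles rather than captured; the peak frequencies, m, n, $\alpha$ and the 3σ amplitude shift attributed to the injected code are assumptions.

```python
"""Added example (not from the EDDIE paper): per-peak two-sample K-S test over a
sliding window of observed STSs, alerting when more than `threshold` peaks deviate.
All data below is constructed; peak frequencies, m, n, alpha and the amplitude
shift caused by the injected code are assumptions."""
import math
from bisect import bisect_right
from statistics import NormalDist
from typing import Dict, List, Optional, Sequence, Tuple

# c(alpha) for the asymptotic two-sample K-S critical value (standard table).
KS_C = {0.10: 1.22, 0.05: 1.36, 0.025: 1.48, 0.01: 1.63, 0.005: 1.73, 0.001: 1.95}


def ks_statistic(reference: Sequence[float], observed: Sequence[float]) -> float:
    """D_{m,n} = max_x |R(x) - M(x)|, the largest gap between the two empirical CDFs."""
    ref, obs = sorted(reference), sorted(observed)
    m, n = len(ref), len(obs)
    # the ECDFs only change at sample points, so checking those points is enough
    return max(abs(bisect_right(ref, x) / m - bisect_right(obs, x) / n)
               for x in set(ref) | set(obs))


def ks_critical(m: int, n: int, alpha: float = 0.05) -> float:
    """D_{m,n,alpha} = c(alpha) * sqrt((m + n) / (m * n))."""
    return KS_C[alpha] * math.sqrt((m + n) / (m * n))


def peak_anomalous(reference: Sequence[float], observed: Sequence[float],
                   alpha: float = 0.05) -> bool:
    return ks_statistic(reference, observed) > ks_critical(len(reference), len(observed), alpha)


def monitor(reference: Dict[float, List[float]], stream: List[Dict[float, float]],
            n: int, threshold: int, alpha: float = 0.05) -> List[Tuple[int, int, bool]]:
    """Compare the last n observed STSs with the reference, one peak at a time.
    reference: peak frequency -> m training amplitudes for one program region
    stream:    observed STSs, each mapping peak frequency -> amplitude
    Returns (index of the newest STS in the window, anomalous peak count, alert)."""
    out = []
    for end in range(n - 1, len(stream)):
        window = stream[end - n + 1:end + 1]
        anomalies = sum(peak_anomalous(amps, [sts[f] for sts in window], alpha)
                        for f, amps in reference.items())
        out.append((end, anomalies, anomalies > threshold))
    return out


def first_alert(results: List[Tuple[int, int, bool]]) -> Optional[int]:
    """Index of the newest STS in the first alerting window (a latency measure), or None."""
    return next((end for end, _, alert in results if alert), None)


# ---- constructed data: one loop region with three STS peaks (assumed values) ----
PEAKS = {1.0e6: 30.0, 2.0e6: 18.0, 3.0e6: 9.0}   # Hz -> nominal amplitude
SIGMA, M, N = 1.0, 200, 20                       # noise spread, reference size m, window size n


def _z(k: int, count: int) -> float:
    """Deterministic stand-in for noise: the k-th of `count` evenly spaced normal quantiles."""
    return NormalDist().inv_cdf((k + 0.5) / count)


def build_reference() -> Dict[float, List[float]]:
    return {f: [a + SIGMA * _z(i, M) for i in range(M)] for f, a in PEAKS.items()}


def build_stream(normal: int, injected: int) -> List[Dict[float, float]]:
    """`normal` clean STSs, then `injected` STSs in which the injected code shifts
    the two lower peaks by 3 sigma while the third peak is unaffected."""
    stream = []
    for k in range(normal + injected):
        shift = 3.0 * SIGMA if k >= normal else 0.0
        noise = SIGMA * _z(k % N, N)
        stream.append({1.0e6: PEAKS[1.0e6] + shift + noise,
                       2.0e6: PEAKS[2.0e6] + shift + noise,
                       3.0e6: PEAKS[3.0e6] + noise})
    return stream


if __name__ == "__main__":
    results = monitor(build_reference(), build_stream(40, 20), n=N, threshold=1)
    print("critical D_{m,n,0.05} =", round(ks_critical(M, N), 3))
    print("first alert at STS index", first_alert(results), "(injection starts at index 40)")
```

Any window of 20 clean STSs reproduces the reference distribution closely, so all three peaks pass and no alert is raised; once enough injected STSs have entered the window, the two shifted peaks exceed $D_{m,n,\alpha}$ (about 0.319 for m = 200, n = 20, $\alpha$ = 0.05), the count of anomalous peaks passes the threshold of 1, and the alert fires. The gap between index 40, where the injection starts, and the first alerting window is the latency cost of a larger n that slide 16 describes; a smaller n shortens it at the price of a noisier statistic.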

SLIDE 18

EDDIE: Experimental Setup

  • Real IoT prototype system

○ Single-board Linux computer
○ Signal recorded using a Keysight DSOS804A oscilloscope

  • SESC cycle-accurate simulator

○ EDDIE applied to the power-consumption signal produced by SESC
○ To test EDDIE's applicability to a wide range of systems

SLIDE 19

EDDIE: Results on real IoT device

  • Injections

○ Outside loop: invoking a shell and returning
○ Inside loop: an 8-instruction code sequence

  • Results

○ Avg. false positives < 1%
○ Avg. accuracy 95%

Source: Nazari et al., 2017

SLIDE 20

EDDIE: Results on SESC simulator

  • Injections

○ Dynamic instructions injected into the simulated instruction stream

  • Results

○ Avg. false rejection rate 0.7%
○ Accuracy and latency are affected more by the application than by noise

Source: Nazari et al., 2017

SLIDE 21

EDDIE: Sensitivity to Processor Architecture

  • In-order vs. out-of-order processor

○ Similar false rejection rate and accuracy
○ Higher latency for out-of-order
○ Processor pipeline depth has a weak impact on detection latency

Source: Nazari et al., 2017

SLIDE 22

EDDIE: Effect of execution rate of injected code

(figure) Source: Nazari et al., 2017

SLIDE 23

EDDIE: Size of injection

Figure panels: loop with one sharp peak; loop with a less well-defined peak; loop with a diffuse peak. Static instructions injected inside a loop. Source: Nazari et al., 2017

SLIDE 24

EDDIE: Size of injection

  • Instructions injected outside the loops

○ Shorter injected sequences: increased detection latency
○ Longer injected sequences: reduced detection latency

Source: Nazari et al., 2017

SLIDE 25

EDDIE: Effect of changing confidence level

  • Determines the trade-off between false rejections and false acceptances

Source: Nazari et al., 2017

SLIDE 26

EDDIE: Effect of changing instruction

  • Injections

○ Set 1: 8 add instructions
○ Set 2: 4 add and 4 store instructions

Source: Nazari et al., 2017

SLIDE 27

Conclusion

  • Introduces EDDIE, an EM-based approach for detecting deviations in program execution
  • No overhead

○ Requires no hardware or software modification of the monitored system

  • EDDIE detects anomalies by performing statistical tests between reference and observed EM spectra
  • Achieves high accuracy with low latency

SLIDE 28

Discussion

  • How applicable is EDDIE in the real world?
  • Is it valid to assume that two different executions will produce different EM spectra?
  • Alternatives to the EM spectrum and the K-S test

○ Learning directly from the EM time-series signals
○ Using machine learning techniques to detect anomalies
