• Exploring ICMetrics to detect abnormal program behaviour on embedded devices

      Zhai, Xiaojun; Ehsan, Shoaib; Howells, Gareth; Gu, Dongbing; McDonald-Maier, Klaus; Appiah, Kofi; Hu, Huosheng; University of Leicester; University of Essex; University of Kent (Elsevier, 2015-11)
      Execution of unknown or malicious software on an embedded system may trigger harmful system behaviour targeted at stealing sensitive data and/or causing damage to the system. It is thus considered a potential and significant threat to the security of embedded systems. Generally, the resource constrained nature of commercial off-the-shelf (COTS) embedded devices, such as embedded medical equipment, does not allow computationally expensive protection solutions to be deployed on these devices, rendering them vulnerable. Self-Organising Map (SOM) based and Fuzzy C-means based approaches are proposed in this paper for detecting abnormal program behaviour to boost embedded system security. The presented technique extracts features derived from the processor’s Program Counter (PC) and Cycles per Instruction (CPI), and then utilises the features to identify abnormal behaviour using the SOM. Results achieved in our experiment show that the proposed SOM based and Fuzzy C-means based methods can identify unknown program behaviours not included in the training set with 90.9% and 98.7% accuracy.
    • A method for detecting abnormal program behavior on embedded devices

      Zhai, Xiaojun; Ehsan, Shoaib; Howells, Gareth; Dongbing, Gu; McDonald-Maier, Klaus; Appiah, Kofi; Hu, Huosheng; University of Leicester; University of Essex; University of Kent; et al. (IEEE, 2015-04-13)
      A potential threat to embedded systems is the execution of unknown or malicious software capable of triggering harmful system behavior, aimed at theft of sensitive data or causing damage to the system. Commercial off-the-shelf embedded devices, such as embedded medical equipment, are more vulnerable as these types of products cannot be amended conventionally or have limited resources to implement protection mechanisms. In this paper, we present a self-organizing map (SOM)-based approach to enhance embedded system security by detecting abnormal program behavior. The proposed method extracts features derived from the processor's program counter and cycles per instruction, and then utilises the features to identify abnormal behavior using the SOM. Results achieved in our experiment show that the proposed method can identify unknown program behaviors not included in the training set with over 98.4% accuracy.