## Behavior-based Intrusion Detection for Cyber-Physical Systems

## Sibin Mohan

The George Washington University

## Challenges in CPS Security

#### **Limited Resources**

11 ,

- Computational power, energy, cost

#### **Timing Requirement** - Safety, reliability, deadlines

#### System Upgrade - Verifiability

#### Limitations in Existing Approaches



#### **Behavior-based Intrusion Detection for CPS**



#### Behavior Monitoring

• Non-intrusive observation of system "behavior"

#### Protection/Isolation

• Trusted hardware component





#### System Recovery

 Loss-less control guarantees

#### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

## **Background | Real-Time Systems**

• A real-time system is defined as,

"a system that requires both, logical correctness as well as **temporal** correctness"

- Temporal correctness defined as a constraint: **deadline**
- o Deadlines determine usefulness of results
  - deadline passes → usefulness drops.
- E.g.: Anti-lock Braking System (ABS) in modern automobiles
  - must function correctly in milliseconds time-frame
  - even 1 second might be too late

(e.g.: a car traveling at 60 mph has travelled 88 ft. in 1s!)

- Some assumptions in Real-Time Systems:
  - no dynamically loaded code/function pointers/etc.
  - periodic programs ("tasks") that execute independent of each other
  - relatively simple operating systems
  - limited processing power/memory/network bandwidth/etc.









## **Background | Simplex Architecture Overview**

- $\circ$  Use simplicity to control complexity
- Simplex allows use of untrusted, yet high performance/complex subsystem
  - in a safety-critical control system
  - Used successfully in avionics, pacemakers, etc.
- High Level-architecture:



Detect problems if complex controller violates safety of plant

- System-level Simplex\*: hardware/software partitioning of system
- \* "The System-Level Simplex Architecture for Improved Real-Time Embedded System Safety" by Bak et al. RTAS 2009.

#### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

# Question: can you use the innate properties of real-time systems to detect problems/anomalous behavior?

\* **[ICCPS 2010]** "Time-Based Intrusion Detection in Cyber-Physical Systems" by C. Zimmer, B. Bhatt, F. Mueller and S. Mohan.

- \* [HiCONS 2013] "S3A: Secure System Simplex Architecture for Enhanced Security and Robustness of Cyber-Physical Systems" by S. Mohan et al. in HiCONS 2013.
- \* [RTAS 2013] "SecureCore: A Multicore based Intrusion Detection Architecture for Real time Embedded Systems" by M. K. Yoon, S. Mohan, J. Choi, J. E. Kim and L. Sha in RTAS 2013.
- \* [CPSNA 2013] "On-chip control flow integrity check for real time embedded systems" by F. A. T. Abad, J. V. D. Woude, Y. Lu, S. Bak, M. Caccamo, L. Sha, R. Mancuso and S. Mohan in CPSNA 2013.
- \* **[DAC 2015]** "Memory Heat Map: Anomaly Detection in Real-Time Embedded Systems using Memory Behavior" by M. K. Yoon, J. Choi, L. Sha and S. Mohan in DAC 2015 [accepted].

#### **CPS Behavior**

- $\circ~$  CPS are predictable by design
  - Finite set of operational modes, periodic jobs, etc.
- In particular, because of their **real-time** nature their run-time behavior is
  - Fairly predictable and deterministic
- E.g.: execution time, memory access profile, I/O flows, OS resource usage, power consumption, etc.
- **Deviations from expected behavior** → **suspicious** (more evident than in general purpose systems)



• Combine with **trusted hardware module** to increase robustness

## **CPS Behavior (contd.)**

- Malicious activity consumes resources (e.g. CPU cycles, memory, network, etc.)
- Compromised systems behave differently
- High-level methods to obtain Behavioral Profiles:



#### **Compile-time Analysis**

Policy extraction from **source code analysis** 

- Exact models, policy checker
- Ex: legitimate control flow of application

#### Precise

But, cannot capture behavioral variations

Harder to apply to complex systems



## **Behavioral Signal | Execution Time**

- Say, we are interested in the **deterministic timing profiles** of real-time CPS
- Consider simple control flow:



11,

#### **Behavioral Signal | Variations in Execution Time**

#### • Reasons for variations in CPS Execution Time





• Will address them all of these types of variations

## **Timing Profiles**

- We profile the application at the **basic block** level
- By narrowing estimation domain (basic block), we get
  - Lesser variations
  - Better accuracy
- $\circ$  Block boundary  $\rightarrow$  check point to detect unexpected flow deviations

#### Challenges:

- Execution times can vary for even a single block
  - Due to execution path variations, input sets, system effects, etc.
- What is a good estimation on execution times?
  - min, max, variance, mean, etc. → **not representative**; cannot capture variations



## **Statistical/learning-based Behavioral Profiles**

- Obtain behavioral timing profiles for complex code
  - Variability due to control flow, input set variations, etc.

Statistical learning-based profiling/detection

- Profile execution times
  - Even legitimate variations
- Detect abnormal execution time probabilistically
- We use **probability density functions (PDF**s) for this purpose





#### **Kernel Density Estimation (KDE)**

#### • Non-parametric Probability Density Function Estimation





[Figure is from CSCE 666 "Pattern Analysis" by Ricardo Gutierrez-Osuna at Texas A&M]

- 2. Draw scaled distribution at each sample point
- 3. Sum them up



#### **Intrusion Detection Using PDFs**



How much **deviation** should we consider malicious?



Multiple regions: different inputs or persistent system effects

#### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- **o** SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

### SecureCore

- Can use redundancy in multiple cores to improve security of CPS
- Multicore-based on-chip hardware for monitoring behavior of tasks
- Directly obtain information from processor → don't rely on monitored task
- Analyze more complex control flows and behavioral variations
- Uses statistical/machine learning approach to creating behavior profiles



## System/App Model

• Periodic Controller task with real-time requirements



• A multicore-based real-time control system



**SecureCore** Architecture

Physical plant

#### SecureCore High-Level Design

• A dedicated core for inspecting behavior of other core(s)



#### Hypervisor-based SecureCore Protection

- Resource virtualization: memory space separation, I/O device consolidation
- Additional HW-based protection (e.g., ARM TrustZone)

#### SecureCore Architecture Low-level Design





#### Early Detection for Inverted Pendulum (IP)



Inverted Pendulum

#### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

#### **CFM: Control Flow Monitor**

- Timing is just one of the behavioral 'signals' that can be monitored
  - Smart adversary can insert code that matches timing behavior closely
- The **behavior** of the **control flow** in real-time systems is deterministic
  - Not just for the real-time tasks, but also for OS components like scheduler

#### • CFM

- Profile the control flow for components on the main processor
- Track the flow of control at runtime
- Tracking module implemented as simple monitoring module on FPGA logic
- Get critical information directly from processor hooks

#### **CFM Sequence of Events**

\* Analyze source code/binary to extract control flow

\* Create processor hooks to get information → e.g. program counter \* Connect processor hooks to monitoring module on FPGA

\* Store control flow information in memory accessible only by monitor  \* At runtime, get information from processor

\* Check against stored control flow information to see if correct paths followed

- \* On detection of problem, take recovery actions:
- Raise Alarm
- Take control Away
- Reset main System

### **CFM High Level Architecture**



## **CFM Implementation**

o Automated tool to extract control flow information from single task binary

 $\circ$  Example

| 1  | main:  |                    |
|----|--------|--------------------|
| 2  |        | instr_1            |
| 3  |        | instr_2            |
| 4  | lb1_2: | instr_3            |
| 5  | _      | JEQ lbl_1          |
| 6  |        | instr_4            |
| 7  |        | instr_5            |
| 8  |        | instr_6            |
| 9  |        | JMP lbl_2          |
| 10 | lbl_1: | instr_7            |
| 11 |        | instr_8            |
| 12 |        | <b>CALL</b> func_1 |
| 13 |        | instr_9            |
| 14 |        | JMP lbl_2          |
| 15 | func_1 | :instr_f1          |
| 16 |        | instr_f2           |
| 17 |        | RET                |

October 11, 2022

28

## Implementation (contd.) & Evaluation

- Implemented using a Leon3 softcore processor on Xilinx Virtex-5 FPGA
- $\circ$  Remaining fabric on FPGA  $\rightarrow$  monitoring module with hooks into Leon3 pipeline
  - Program counter (PC) & Instruction Register (IR)
- Application: code for PID controller for temperature control in an industrial unit
  - Generated 240 separate execution blocks in the CFG
- Attacks:
  - 1. Code replacement attack by loading a modified binary  $\rightarrow$  different jump destination for one block
  - 2. Return address overwritten on the stack using buffer overflows
- Both attacks detected almost immediately i.e. within a few instructions (before next block executes)

#### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

## **Tracking Memory Behavior**

- Multiple ways to track memory
  - Exact sequence of memory addresses → too much overhead [storage/computation]
  - Monitor the amount of memory traffic [e.g. bandwidth] → abstracts away details
- We introduce the **memory heat map (MHM)** 
  - Composition of different activities in a certain memory region
  - Provides necessary details
  - Concise data structure

• We use this to profile memory behavior for the operating system **kernel** 



### **Why Kernel Memory Behavior**

- Good indicator of system-wide behavior
  - Every application has to use kernel services
- Can also detect certain anomalies
  - e.g. unexpected start/end of applications or
  - Suspicious use of kernel services
- Simpler H/W design
  - Kernel memory location is **fixed** and **known**
  - No need to deal with address translation and paging

#### • Monitor kernel **instructions** [.text] section

Inspect which parts of kernel have executed

## **Key Approaches**

#### • Memory Heat Map (MHM)

- # of accesses to memory regions during a time interval
- Depends only on the size of the monitored region
- Image recognition technique
  - Dimensionality reduction
  - Normal behavior learning and anomalous behavior detection
- On-chip SecureCore-based hardware module (Memometer)
  - Real-time memory access monitoring







## Memory Heat Map (MHM)

#### Linux Kernel .text Segment [0xC0008000, 0xC02E7AA4)



## **Learning from Memory Heat Maps**

 $\circ$  Goal

- 1) Find the **legitimate behavior patterns** from the normal MHMs
- 2) Given a new observation (MHM), analyze the **statistical similarity** to the patterns



- o Idea & Intuition
  - Treat each MHM as an image
    - Normal memory behavior can be grouped into a finite number of similar image groups
  - Then, use an image recognition technique and clustering

## **Eigenface** | **Dimensionality Reduction**

- An image recognition technique
- Based on PCA (Principal Component Analysis)
  - Transform data to a low-dimensional coordinate system
  - They best describe the distribution of original data
    - The first principal component has the largest variance and so on
- Eigenface = a basic image
  - Learn (extract) a set of Eigenfaces from the original images using PCA
  - # of eigenfaces << # of original images</p>
  - They can be linearly composed to reconstruct the original images with a minimal approximation error

# Eigenface

#### • Face recognition technique



Original faces



Average face

#### Eigenfaces



Image source: http://www.scholarpedia.org/article/Eigenfaces

## **Dimensionality Reduction for MHMs**



11/2

## **Examples of MHMs captured as a Sequence**



Note: One MHM is captured every 10 ms

### **MHM Learning & Anomaly Detection**

#### • In our memory analysis domain:



#### Pattern learning using clustering

- E.g. Gaussian Mixture Model (GMM)
- Identify representative MHM patterns

#### **SecureCore Architecture for Memory Monitoring**



#### Memometer





#### **Implementation & Evaluation**

#### **Prototype implementation**

- ARM Cortex-A9 on Simics
- Linux 3.4  $\rightarrow$  .text segment is monitored
- 10ms interval, 2KB cell size
- Embedded benchmarks



|           | Exec. Time | Period | Category   |  |  |
|-----------|------------|--------|------------|--|--|
| FFT       | 2 ms       | 10 ms  | telecomm   |  |  |
| bitcount  | 3 ms       | 20 ms  | automotive |  |  |
| basicmath | 9 ms       | 50 ms  | automotive |  |  |
| sha       | 25 ms      | 100 ms | security   |  |  |

#### **Embedded benchmarks**

#### **Anomalies/attacks**

- Unknown application launch
- Application kill
- Shellcode execution
- Kernel rootkit

## Anomaly Scenario 1 | Unknown Application Launch



 250
 Normal
 251
 Normal
 253
 Normal
 254
 Normal
 255
 normal
 256
 Abnormal
 257
 normal
 258
 Abnormal
 259
 Abnormal

 Image: Second structure
 Image: Second structur

Sibin Mohan | Behavior-based Intrusion Detection for CPS

October 11, 2022

## Anomaly Scenario 2 | Kernel Rootkit

• A kernel rootkit (as a loadable kernel module) that hijacks 'read' system calls

- Calls the original handler and then read the buffer
- Note: the loadable kernel module is outside the target monitoring region



### **Analysis Overhead**

- How long does it take to decide whether an MHM is normal or not
- Cost: Transforming to reduced space + probabilistic calculation using GMM

| MHM Size (# cells) | 1472   | 368    | 1472   |
|--------------------|--------|--------|--------|
| # Eigenfaces       | 9      | 9      | 5      |
| # GMM components   | 5      | 5      | 5      |
| Avg. time          | 358 µs | 100 µs | 216 µs |

• Note: this analysis/transformation does not take place on critical path  $\rightarrow$  happens in the secure core

### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

## System Call Frequency Distribution (SCFD)

- Distribution of system call frequencies
  - How many times each system call type has been called by an application during one execution
- $\circ$  Intuition
  - An application shows similar pattern for SCFDs
    - When the input (e.g., from sensors) is similar
  - Malicious activities involve system calls
    - For privileged operations (example: socket, connect, write, ...)
    - So, likely will show up as changes to SCFDs
- It's lightweight
  - No sequence. Just counting!



# **Challenges and Solutions**

- Multiple execution contexts
  - Due to various execution modes and inputs
  - So, even benign SCFDs vary so greatly

#### Solution: Clustering SCFDs

- How to catch system calls using hardware?
  - By not relying on system call interposition in SW level
  - Not easy to deceive HW-based approach

#### Solution: Catch system call 'instruction'

## SecureCore | System Call-based Detection Architecture



## **System Call-based Detection Process**



- Same process for offline learning and online detection
  - Learning: collect a set of SCFDs
  - Detection: Analyze SCFDs one at a time

## **System Call Instruction**



- Catch the invocation of the designated instruction for system call
  - Instruction x86: int 80h, x64: syscall, PowerPC: sc
  - System call number x86: eax, x64: rax, PowerPC: r0
- SCTM updates the record (i.e., current SCFD) on scratchpad memory (SPM)
  - Using AID, PID and the system call number



## **SCFD Clustering**

- K-means with Mahalanobis distance
  - Cluster SCFDs in the training set into **K** clusters
    - Each cluster represents similar execution patterns
- Why not Euclidean distance, but Mahalanobis distance?

$$\sqrt{(\mathbf{x}^* - \boldsymbol{\mu})^T (\mathbf{x}^* - \boldsymbol{\mu})} \quad \sqrt{(\mathbf{x}^* - \boldsymbol{\mu})^T \boldsymbol{\Sigma}^{-1} (\mathbf{x}^* - \boldsymbol{\mu})}$$

- To give more 'weight' to some system call types
  - Types with smaller variance
    - Ex: execve, socket
    - Δdist(Δexecve) > Δdist(Δread)
    - Their change in the run-time should be small too
    - See Cluster 2 and Points B and C



- Also, to learn correlation between types
  - i.e., how they should vary together
  - Ex: socket and open

#### How do we know what **K** is?

Learn K by global k-means

# **Legitimacy Test**

- Given an SCFD to test,
  - 1. Find the closest cluster
  - 2. Test if the distance is within the cutoff distance
    - If not, the execution is malicious

- A, B, D are legitimate
- C and E are malicious



# **Evaluation**



- PowerPC processor model on Simics
- Target Application
  - Raw image capture -> JPEG compression -> FTP upload -> HTTP logging
  - SCFDs vary due to 1) image content and 2) execution flow
- Attack scenarios
  - 1) Leak out user authentication information through HTTP
  - 2) Leak out the JPEG image through FTP
  - 3) memset the image array (which does not use any system calls)
  - 4) Shellcode (that spawns / bin/sh)



### **Evaluation**

- o Training set
  - 2000 SCFDs
  - 14 system call types
- Global k-means
  found 5 clusters

|               | # points |        | write   | read    | mmap  | open  | close | fstat | munmap | socket | connect | stat |
|---------------|----------|--------|---------|---------|-------|-------|-------|-------|--------|--------|---------|------|
| All 2000      | Mean     | 29.519 | 101.197 | 1.520   | 2.514 | 4.548 | 1.520 | 1.520 | 2.034  | 2.034  | 4.034   |      |
|               | Stdev    | 10.602 | 10.135  | 0.500   | 0.500 | 1.496 | 0.500 | 0.500 | 0.997  | 0.997  | 0.99    |      |
| Cl 1          | 490      | Mean   | 17.376  | 91.000  | 1.000 | 2.000 | 3.000 | 1.000 | 1.000  | 1.000  | 1.000   | 3.00 |
| Cluster 1     | 490      | Stdev  | 1.246   | 0.000   | 0.000 | 0.000 | 0.000 | 0.000 | 0.000  | 0.000  | 0.000   | 0.00 |
| Cluster 2     | 519      | Mean   | 33.613  | 108.306 | 2.000 | 3.000 | 6.000 | 2.000 | 2.000  | 3.000  | 3.000   | 5.00 |
| Cluster 2     | 519      | Stdev  | 2.539   | 1.269   | 0.000 | 0.000 | 0.000 | 0.000 | 0.000  | 0.000  | 0.000   | 0.00 |
| Cluster 3     | 506      | Mean   | 43.708  | 113.354 | 2.000 | 3.000 | 6.000 | 2.000 | 2.000  | 3.000  | 3.000   | 5.00 |
| Cluster 5     | 500      | Stdev  | 4.539   | 2.269   | 0.000 | 0.000 | 0.000 | 0.000 | 0.000  | 0.000  | 0.000   | 0.00 |
| Cluster 4 335 | Mean     | 21.176 | 91.000  | 1.000   | 2.000 | 3.000 | 1.000 | 1.000 | 1.000  | 1.000  | 2.99    |      |
|               | Stdev    | 1.080  | 0.000   | 0.000   | 0.000 | 0.000 | 0.000 | 0.000 | 0.000  | 0.000  | 0.05    |      |
| Charter 5 150 | Mean     | 25.575 | 91.000  | 1.000   | 2.000 | 3.000 | 1.000 | 1.000 | 1.000  | 1.000  | 3.00    |      |
| Cluster 5     | 150      | Stdev  | 1.627   | 0.000   | 0.000 | 0.000 | 0.000 | 0.000 | 0.000  | 0.000  | 0.000   | 0.00 |

- o 300 execution traces for each attack scenario
  - Attack 1 and 2 are detected well because of network-related system calls
  - Attack 3 is detected because of fewer calls of read and write
  - Attack 4 is detected because it calls execve which was never seen
- False positive rate: around 1% (depends on cutoff distance)

### **Evaluation**

- o Analysis overhead
  - Finding the closest cluster among 5 clusters

| # of system<br>call types | Number of instructions | Avg. (Stdev.) of<br>analysis times |  |  |
|---------------------------|------------------------|------------------------------------|--|--|
| 5                         | 2175                   | 0.914 us (0.553 us)                |  |  |
| 10                        | 4875                   | 2.624 us (1.405 us)                |  |  |
| 14                        | 8125                   | 5.231 us (1.965 us)                |  |  |

- # instructions is measured on Simics and the times are
- measured on a dual-core machine
- Detection problems:
  - Attack 2 is enabled on Flow 2.
  - Not differentiable from a benign execution on Flow 1



### Outline

- Background: Real-Time Systems & Simplex
- Cyber-Physical Systems Behavior
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Anomaly Detection using Kernel-memory Behavior
- Execution Contexts Learned from System Call Distributions
- Current and Future Work
- Conclusion

### **Current and Future Work**

- Individual behavioral signals detect certain problems
  - **Combination of multiple signals** to improve detection accuracy and increased difficulty for would-be attackers
- Monitor multiple cores and "long term detection"
- Full system monitoring (multiple tasks/cores + OS)
- Demonstration on actual real-time systems
  - Developing UAV platforms & hardware-in-the-loop simulators
  - Working with power system vendors for such demonstrations
- Extension to mobile and other general-purpose devices

### Conclusions

- Intrusion detection for Cyber-Physical Systems
- Focus on specific characteristics of such systems
- System architecture = isolated hardware + novel intrusion detection methods
- Multiple solutions
  - Hardware: Multicore, FPGA-based, simulation platform, etc.
  - Analysis: compile-time analysis, statistical/learning-based approach
  - Different behavioral signals: timing, memory, control flow, system calls
- Detect intrusions in short timeframes  $\rightarrow$  prevent harm to physical systems
- Resilient to attackers gaining administrative access on main systems

### Thanks

#### **Co-conspirators:**

 Lui Sha [UIUC], Marco Caccamo [UIUC], Frank Mueller [NCSU], Heechul Yun [Kansas], Stanley Bak [AFRL], Emiliano Betti [UIUC/Univ. of Rome]

#### Students [People that do the real work!]:

 Man-Ki Yoon [UIUC], Fardin Abdi [UIUC], William Condon [UIUC], Yi Lu [UIUC], Joel van der Woude [UIUC], Chris Zimmer [NCSU]





## **Backup Slides**

### **Behavior Monitoring Module on FPGA**

• Finite State Machine (on FPGA) to detect timing model violations



- S3A can be used to detect intrusions
  - Even if code has complex control flow (branches/loops/etc.)
  - Modification of this FSM

# **Application Model**



# Hardware Modification | Timing Trace Module



#### **Trace Instructions**





**SPM Layout** 

- Reade Eistestion from preventing Gravester of not bethe forged sor registers
- BAddBiaseBAdd1RCs (i.e. PCebattINESTddRESS fiRID)BA)

#### **Raw Trace Collection**



 $(Addr_1, t_1)$  $(Addr_{2}, t_{2})$  $(Addr_{3}, t_{3})$  $(Addr_{7}, t_{4})$  $(Addr_1, t_5)$  $(Addr_{2}, t_{6})$  $(Addr_{4}, t_{7})$  $(Addr_{6}, t_{8})$  $(Addr_{7}, t_{9})$  $(Addr_{1}, t_{10})$  $(Addr_{2}, t_{11})$  $(Addr_{4}, t_{12})$  $(Addr_{5}, t_{13})$  $(Addr_{7}, t_{14})$ 

...

### **Trace Tree Generation**



11,

## SecureCore Implementation



#### Freestede Perfolation Simical

- 8
- Onhytropheores Of Spranningd 1) Eacher (Itemport Signation for trace instruction ISA modification for trace instruction (Cart position, Rod's angle)
- •

## **Early Work | WCET-based Intrusion Detection \***

- WCET: guaranteed worst-case execution time on a specific hardware platform
- $\circ$  Security violations in hard real-time systems  $\rightarrow$  code injection attacks
  - doesn't even have to be fancy  $\rightarrow$  just cause delays in hard real-time systems
- Approach: use WCET values to validate programs
  - Instrument task checks throughout entire system
- Two techniques:
  - Timed Return Path Security (TRPS)
  - Timed Code Section Security (TCSS)

\* **[ICCPS 2010]** "Time-Based Intrusion Detection in Cyber-Physical Systems" by C. Zimmer, B. Bhatt, F. Mueller and S. Mohan.

## Timed Return Path Security (TRPS)

- o Instrument **return paths** of functions with timing checks
- Perform timing analysis on small code regions to obtain WCET
- $\circ$  Validate on return from function calls  $\rightarrow$  check to see if WCET exceeded?
- $\circ$  Also verify  $\rightarrow$  order of syscalls



- Drawbacks:
  - Covert attacks that maintain consistent state  $\rightarrow$  not detected
  - Requires clock protection → common in such systems anyways

### **Timed Code Section Security**

- Use periodic scheduler interrupts
- $\circ$  Use WCET and sequence of *checkpoints*  $\rightarrow$  calculate WCET to next checkpoint
- Intrusion detection at next preemption/checkpoint
- Checks managed by **scheduler**



- At deadlines, verify if all critical checkpoints have been hit
- Use in conjunction with TRPS

## **Intrusion Detection using WCET**

- o TRPS:
  - low overheads
  - local checks



- $\circ~$  TCSS:
  - Early detection  $\rightarrow$  within 20  $\mu$ s in most cases
  - Timer Interrupt dependent

| Task | Hijack Location   | Time Attack Ends |
|------|-------------------|------------------|
| FFT  | FFT Method Return | 1660 cycles      |
| LMS  | LMS Method Return | 869 cycles       |
| CNT  | Scheduler Check 2 | 1690 cycles      |

- Drawbacks
  - Depends on WCET → can be easily bypassed
  - Rely on software mechanisms to provide protection

### Outline

- Background: Real-Time Systems
- Background: Simplex
- Cyber-Physical Systems Behavior
- Early Work: Worst-case Execution Time (WCET) based detection
- S3A: Secure System Simplex Architecture
- SecureCore: Multicore-based Intrusion Detection
- Control Flow Monitoring
- Current and Future Work
- Conclusion

## **S3A: Secure System Simplex Architecture \***

- o Intrusion detection and safety for individual nodes in RT control systems
- $\circ$  Uses behavior-based monitoring of system  $\rightarrow$  execution time, in this case
- Combined with trusted hardware component on separate FPGA
- Essentially builds upon System-level Simplex
  - Includes cyber state to protect against malware directed at complex controller
- Maintains safety even if attackers obtain administrative access to controller

\* **[HiCONS 2013]** "S3A: Secure System Simplex Architecture for Enhanced Security and Robustness of Cyber-Physical Systems" by S. Mohan et al. in HiCONS 2013.

# **S3A Logical Architecture**

• Timing-based

#### Behavioral Signals:

- Exec time too small
- Exec time too large
- Activation Period too small
- Activation Period too large
- Idle task behavior

Safety Controller Complex Complex Controller Controller

- Behavior Signal Monitor
  - Checks if system is within performance envelope
  - Detect attacks early
  - Could even trigger restoration of Complex Controller

## **S3A Implementation**

- Trusted hardware module for this implementation: FPGA
  - Contains: Decision Module, Behavioral Signal Monitor, Simple Controller
  - Communicates with and monitors Complex Controller
- $\circ$   $\,$  Implementation Overview:



Advantage of using FPGA:

- Easy to retrofit existing systems
- Cannot be modified in field
  - Programmability turned off

# **S3A Implementation Details**

#### • Hardware Components:

| Component                                | Details                                                                       |
|------------------------------------------|-------------------------------------------------------------------------------|
| Inverted Pendulum                        | Quanser IP01                                                                  |
| FPGA                                     | Xilinx ML505                                                                  |
| Computer with Complex Controller         | Intel Quad Core 2.6 GHz                                                       |
| Operating System                         | Linux Kernel ver. 2.6.36                                                      |
| Timing Profile (dynamic timing analysis) | Timestamp Counter<br>(can use other mechanisms<br>e.g.: performance counters) |

11.

- Test Plant (control system): Inverted Pendulum
  - Rod must be maintained in upright position
  - Rod must be located near the center of the track



Sibin Mohan | Behavior-based Intrusion Detection for CPS

# S3A Implementation Details (contd.)

- Unsafe states for plant (inverted pendulum)
  - Buggy/malicious code should not make pendulum fall over OR
  - Deviate too far from the center of the track
- o FPGA
  - Monitors sensor readings on the bus (PCIe bus of the control computer)
  - Monitors the actuation commands being sent to the plant
- Behavior (timing) signal information
  - Sent to FPGA from computer via memory mapped regions
  - Actuation commands are also written on shared memory region
- Complex Controller
  - Few branches and statically bound loops → easy to analyze execution time

# **Timing Results**

• Control code executed multiple times inside a loop



- As number of iterations increases, system effects make WCET worse
- $\circ$  Double-banded execution time behavior  $\rightarrow$  cache replacement policy
- $\circ$  Malicious code  $\rightarrow$  extra loop iterations to increase execution time

Sibin Mohan | Behavior-based Intrusion Detection for CPS

#### **Intrusion Detection**

- Overhead for sending a single timing message to FPGA: **50 ns**
- Jitter of timing messages due to interconnect: 0.6 μs

| Measured Quantity                          | Time (µs) |
|--------------------------------------------|-----------|
| Control Task Exec. Time (single iteration) | 4.8 – 5.4 |
| Interconnect Extra Jitter                  | ~ 0.6     |
| Enforced Iteration Time                    | 4.5 - 5.7 |
| Timing Anomaly Detection Time (for IP)     | 5.7       |
| Timing Message CPU Overhead                | 0.05      |
| Simplex (vanilla) Anomaly Detection Time   | 10,000    |

- FPGA can detect an intrusion within 5.7 μs
- Anything that changes timing by **0.6 µs** will be detected.

## **S3A Review**

Limitations:

- System needs to be designed with S3A in mind
- Attacker may be able to replicate behavioral signal or hide its presence
  - E.g.: if code experiences significant timing deviations
- Trusted module depends on main system to provide critical information
  - Such as the timestamps sent from computer to FPGA → can be easily faked
- Complex controller code may not be easily analyzable to get strict exec. times
  - Significant engineering effort to get precise execution times

On the plus side,

- $\circ~$  Physical system maintained in safe state  $\rightarrow$  detection faster than Simplex
- Even if attackers gains administrative privileges on main system
- Not specific to any particular (classes of) attacks

### Outline

- Background: Real-Time Systems
- Background: Simplex
- Cyber-Physical Systems Behavior
- Early Work: Worst-case Execution Time (WCET) based detection
- S3A: Secure System Simplex Architecture
- SecureCore: Multicore-based Intrusion Detection
- CFM: Control Flow Monitoring
- Other Current and Future Work
- Conclusion

#### SecureCore\*

- Multicore architectures are here to stay
- Can use **redundancy in multiple cores** to improve security of CPS
- Multicore-based **on-chip hardware** for monitoring behavior of tasks
- Aims to address shortcomings of S3A
  - Directly obtain information from processor → don't rely on monitored task
  - Analyze more complex control flows and behavioral variations
- Uses **statistical/machine learning approach** to creating behavior profiles

\* **[RTAS 2013]** "SecureCore: A Multicore based Intrusion Detection Architecture for Real time Embedded Systems" by M. K. Yoon, S. Mohan, J. Choi, J. E. Kim and L. Sha in RTAS 2013.