SaTC: TTP: Small: TRACE: Tracking Run-time Anomalies in Code Execution

SaTC：TTP：小：TRACE：跟踪代码执行中的运行时异常

• 批准号: 2039615
• 负责人: Farshad Khorrami
• 金额: $ 49.97万
• 依托单位: New York University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-15 至 2024-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2039615&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; TRACE; Tracking

Connectivity of embedded computing devices in cyber-physical systems (CPS) makes robust cybersecurity crucial. While computer/network security approaches apply to CPS, leveraging the unique temporal behavior and code structure characteristics of CPS devices enables robust and complementary cybersecurity solutions. This project builds one such near-zero-cost solution, developed in part during the DARPA Rapid Attack Detection, Isolation and Characterization Systems (RADICS) project, that uses digital side channels to detect and characterize malware on embedded devices in CPS. This Transition To Practice project transitions this solution to a commercialization stage per the program’s aim to "support the development, implementation, and deployment of later-stage and applied security or privacy research into an operational environment in order to bridge the gap between research and production." "Tracking Run-time Anomalies in Code Execution" (TRACE) system is of interest to power utilities, power grid equipment vendors, embedded system designers, and US government agencies.For on-demand and continuous run-time integrity verification of fielded devices and detection of firmware/software anomalies, TRACE deploys lightweight measurer components to target devices to collect multi-modal on-device, time-series measurements (e.g., Hardware Performance Counters, stack traces, memory maps and memory-based measurements, kernel measurements). TRACE processes these measurements using an off-device machine learning based analysis component for threat detection (baseline-relative and baseline-independent). The multi-modal anomaly detection in TRACE uses low-dimensional feature extraction, deep learning, dynamic event sequence analysis, and probabilistic modeling and estimation algorithms. TRACE can detect malicious modifications to software/firmware as well as operating system rootkits. Efficacy of TRACE anomaly detection is being demonstrated on a variety of computation load profiles and devices with a focus on power grid devices in a typical substation.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络物理系统 (CPS) 中的嵌入式计算设备的连接性使得强大的网络安全至关重要，而计算机/网络安全方法适用于 CPS，利用 CPS 设备独特的时间行为和代码结构特征可实现强大且互补的网络安全解决方案。一种这样的近乎零成本的解决方案是在 DARPA 快速攻击检测、隔离和表征系统 (RADICS) 项目期间开发的，它使用数字侧通道来检测和表征 CPS 中嵌入式设备上的恶意软件。根据该计划的目标，将该解决方案过渡到商业化阶段，以“支持后期和应用安全或隐私研究的开发、实施和部署到操作环境中，以弥合研究和生产之间的差距。”电力公司、电网设备供应商、嵌入式系统设计者和美国政府机构都对“代码执行时异常”（TRACE）系统感兴趣。用于现场设备的按需和连续运行时完整性验证和固件检测/软件异常情况下，TRACE 将轻量级测量器组件部署到目标设备，以收集多模式设备上的时间序列测量（例如，硬件性能计数器、堆栈跟踪、内存映射和基于内存的测量、TRACE 使用内核测量来处理这些测量）。用于威胁检测（基线相关和基线独立）的基于设备外机器学习的分析组件 TRACE 中的多模式异常检测使用低维特征提取、深度学习、动态事件序列分析， TRACE 可以检测对软件/固件以及操作系统 Rootkit 的恶意修改。TRACE 异常检测的功效正在各种计算负载配置文件和设备上得到验证，重点是典型的电网设备。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。