SaTC: TTP: Small: TRACE: Tracking Run-time Anomalies in Code Execution

SaTC：TTP：小：TRACE：跟踪代码执行中的运行时异常

• 批准号: 2039615
• 负责人: Farshad Khorrami
• 金额: $ 49.97万
• 依托单位: New York University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-15 至 2024-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2039615&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; TRACE; Tracking

Connectivity of embedded computing devices in cyber-physical systems (CPS) makes robust cybersecurity crucial. While computer/network security approaches apply to CPS, leveraging the unique temporal behavior and code structure characteristics of CPS devices enables robust and complementary cybersecurity solutions. This project builds one such near-zero-cost solution, developed in part during the DARPA Rapid Attack Detection, Isolation and Characterization Systems (RADICS) project, that uses digital side channels to detect and characterize malware on embedded devices in CPS. This Transition To Practice project transitions this solution to a commercialization stage per the program’s aim to "support the development, implementation, and deployment of later-stage and applied security or privacy research into an operational environment in order to bridge the gap between research and production." "Tracking Run-time Anomalies in Code Execution" (TRACE) system is of interest to power utilities, power grid equipment vendors, embedded system designers, and US government agencies.For on-demand and continuous run-time integrity verification of fielded devices and detection of firmware/software anomalies, TRACE deploys lightweight measurer components to target devices to collect multi-modal on-device, time-series measurements (e.g., Hardware Performance Counters, stack traces, memory maps and memory-based measurements, kernel measurements). TRACE processes these measurements using an off-device machine learning based analysis component for threat detection (baseline-relative and baseline-independent). The multi-modal anomaly detection in TRACE uses low-dimensional feature extraction, deep learning, dynamic event sequence analysis, and probabilistic modeling and estimation algorithms. TRACE can detect malicious modifications to software/firmware as well as operating system rootkits. Efficacy of TRACE anomaly detection is being demonstrated on a variety of computation load profiles and devices with a focus on power grid devices in a typical substation.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络物理系统（CPS）中嵌入式计算设备的连通性至关重要。当计算机/网络安全方法适用于CPS时，利用CPS设备的唯一临时行为和代码结构特征可实现鲁棒和完整的网络安全解决方案。该项目构建了一个接近零成本的解决方案，部分是在DARPA快速攻击检测，隔离和表征系统（RADIC）项目中开发的，该项目使用数字侧渠道检测和表征CPS中嵌入式设备上的恶意软件。实践项目的过渡将该解决方案转变为该计划的目标，目的是“支持开发，实施和部署后期和应用安全性或隐私研究到运营环境，以弥合研究与生产之间的差距”。 “在代码执行中跟踪运行时异常”（跟踪）系统对电源公用事业，电网设备供应商，嵌入式系统设计师和美国政府机构都很感兴趣。对于现场设备的按需和连续的运行时完整性验证，对固件/软件的检测进行了固件/软件的检测，请跟踪型号的测量仪，以衡量级别的测量人员对数量的竞争量表，以供应量级量表，以衡量目标的跨度量表。 （例如，硬件性能计数器，堆栈跟踪，内存图和基于内存的测量，内核测量值）。痕量处理这些测量方法，使用基于机器学习的分析组件进行威胁检测（基线相关性和基线无关）。痕量中的多模式异常检测使用低维特征提取，深度学习，动态事件序列分析以及概率建模和估计算法。跟踪可以检测到对软件/固件以及操作系统rootkit的恶意修改。痕量异常检测的功效正在对各种计算负荷概况和设备进行证明，重点是典型变电站中的电网设备。该奖项反映了NSF的法定任务，并被认为是通过基金会的智力优点和更广泛的影响标准来评估通过评估来获得支持的。