| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | New York University |
| Country | United States |
| Start Date | Jul 15, 2021 |
| End Date | Jun 30, 2025 |
| Duration | 1,446 days |
| Number of Grantees | 2 |
| Roles | Principal Investigator; Co-Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2039615 |

Connectivity of embedded computing devices in cyber-physical systems (CPS) makes robust cybersecurity crucial. While computer/network security approaches apply to CPS, leveraging the unique temporal behavior and code structure characteristics of CPS devices enables robust and complementary cybersecurity solutions. This project builds one such near-zero-cost solution, developed in part during the DARPA Rapid Attack Detection, Isolation and Characterization Systems (RADICS) project, that uses digital side channels to detect and characterize malware on embedded devices in CPS.
This Transition To Practice project transitions this solution to a commercialization stage per the program’s aim to "support the development, implementation, and deployment of later-stage and applied security or privacy research into an operational environment in order to bridge the gap between research and production." The "Tracking Run-time Anomalies in Code Execution" (TRACE) system is of interest to power utilities, power grid equipment vendors, embedded system designers, and US government agencies.
For on-demand and continuous run-time integrity verification of fielded devices and detection of firmware/software anomalies, TRACE deploys lightweight measurer components to target devices to collect multi-modal, on-device time-series measurements (e.g., Hardware Performance Counters, stack traces, memory maps and memory-based measurements, kernel measurements). TRACE processes these measurements using an off-device, machine-learning-based analysis component for threat detection (baseline-relative and baseline-independent).
The multi-modal anomaly detection in TRACE uses low-dimensional feature extraction, deep learning, dynamic event sequence analysis, and probabilistic modeling and estimation algorithms. TRACE can detect malicious modifications to software/firmware as well as operating system rootkits. The efficacy of TRACE anomaly detection is being demonstrated on a variety of computation load profiles and devices, with a focus on power grid devices in a typical substation.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.