
Cyber Attack Immunity for Embedded Systems



OBJECTIVE: Develop a capability to evolve and generate malware test samples for automated malicious feature extraction to support cyber-attack immunity for embedded systems.

DESCRIPTION: The ability to detect targeted cyber-attacks against military weapon systems and to quantitatively measure the effectiveness of cyber security solutions remains an unsolved problem. One reason for this is the lack of relevant malware samples that target the embedded systems of interest to the Air Force, namely avionics and sensor systems. The lack of an embedded system malware repository impacts our ability both to develop malware detection algorithms for these platforms and to test existing cyber security solutions against malware payloads that could in principle be created by our adversaries. The root cause of the problem is the fact that the effectiveness of cyber security solutions is a function of the adversary’s knowledge about the security flaws in the system, their ability to gain access to those flaws, and their ability to exploit those flaws [1], which is often unknown to the developers of the protection solutions. While red teaming is often used as a means to measure the effectiveness of cyber solutions, these exercises are limited in scope and by the knowledge, skills, and resources of the red team, which do not necessarily reflect a determined nation-state adversary in a war-time scenario. The lack of quantitative measures of effectiveness is exacerbated by the fact that flaws may exist on the system that are unknown to the cyber protection developers and their red teams that could be uncovered and exploited by real adversaries. What is required is the ability to objectively simulate the attack creation process of our cyber adversaries and to proactively develop malware detection solutions in anticipation of those threats [2]. The goal of this topic is to use malware samples that have been automatically generated [2] to create a co-evolving protection system that can detect, respond, and adapt to unforeseen threats.
In particular, focus should be given to detecting and responding to malware that has been surreptitiously embedded in legitimate avionics/ISR software and firmware. A co-evolutionary protection architecture would result in the capability to quantitatively test existing malware detection algorithms with novel malware samples in advance of a real-world attack, as well as to extract distinguishing malicious patterns that can be used as part of a cyber immune system [3]. While not foolproof, immune system-like protections for avionics and ISR-based embedded systems would be game-changing with respect to existing cyber security solutions and would provide measures of effectiveness for other cyber security products. The above approach requires innovative research and development of evolvable malware that targets an embedded system and an ability to evaluate the effectiveness of those malware samples, whether through instantiation on actual hardware or through software simulation. For the purpose of this topic, suggested target platforms include, but are not limited to, small unmanned aerial vehicles (sUAV) or representative embedded system components that might be found in an avionics or intelligence, surveillance, and reconnaissance (ISR) system. The ultimate goal is to create an ability to detect malware that has been embedded within legitimate software or firmware that is critical to the operation of the embedded system.

PHASE I: Develop an approach, architecture and limited-scope prototype that demonstrates the ability to evolve malware samples that target embedded system software or firmware. These malware samples should be undetectable by at least one commonly used commercial off-the-shelf anti-virus program. Malicious features that are differentiable from the host software should be identified.

PHASE II: Expand the quantity of malware test samples generated, categorize the classes of attacks, and automate the malicious feature extraction process for use in the cyber immune system. Demonstrate the ability to distinguish malicious features from the targeted software or firmware. Determine the false positive and false negative rates of detection of the cyber immune system. 

PHASE III: The final product will have both commercial and military avionics system applications, as well as a broad class of embedded system applications, including Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS).


1. Jeff Hughes and George Cybenko, “Three Tenets for Secure Cyber-Physical System Design and Assessment,” Proc. of SPIE Vol. 9097, 9097A, 18 June 2014.
2. Sadia Norren, Shafaq Muraza, M. Zubair Shafiq, and Muddassar Farooq, “Evolvable Malware,” Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation (GECCO), Montreal, Quebec, Canada, 2009.
3. Mohammad M. Masud, Latifur Khan, and Bhavani Thuraisingham, “A scalable multi-level feature extraction technique to detect malicious executables,” Information System Frontiers, 10(1): 33-45, March 2008.

KEYWORDS: Evolutionary Computing, Genetic Algorithms, Malware Detection, Embedded System Security, Avionics Cyber Security 
