Intrusion Detection System (IDS) for Real-Time applications

Simone Cosimo


Supervisors: Alessandro Savino, Stefano Di Carlo, Franco Oberti. Politecnico di Torino, Master's degree in Computer Engineering (Ingegneria Informatica), 2023

License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

As technology advances, so do the risks associated with it. Intrusion Detection Systems (IDS) are becoming increasingly crucial in modern embedded systems applications. This is especially true in fields such as the automotive industry, where products are more connected than ever. These systems require a high level of resiliency to external attacks. That is where an IDS comes in. By serving as the first line of defense, an IDS helps to identify any alterations in the software's nominal behavior that could lead to harm. It is essential in ensuring the safety and security of modern embedded systems. This study proposes a new approach to developing an IDS that classifies running software based on Hardware Performance Counters (HPC). Initially designed for performance optimizations and safety, these special registers are now extensively utilized in cybersecurity-related applications. Previous research primarily focuses on side-channel attacks and identifying the optimal set of HPCs to detect specific malicious activities, such as software manipulation malware, with a particular emphasis on Real-Time Operating System (RTOS) system I/O tampering scenarios. The developed approach to testing the solution's efficiency involves using two boards with CAN communication capabilities. The boards simulate data transfer between a sensor and its corresponding Electronic Control Unit (ECU). The receiving board acts as an ECU emulator and receives data from the sensor. It then performs data-dependent operations, such as the Moving Average Filter (MAF), a digital filter designed to reduce random noise. This filter is commonly used in the automotive industry to process the NOx concentration level provided by the NOx sensor via the CAN protocol. In addition, the system monitors HPC values. These values are utilized to train a one-class classifier that serves as the core of our IDS. This classifier distinguishes between legitimate and malicious data.
The malicious data is obtained by reprogramming the board that acts as a NOx CAN sensor into an adversarial NOx CAN sensor emulator box, a device that is commonly available on the online tuning market and allows a real tampering sensor on the CAN bus to be simulated. The obtained results underscore the viability of utilizing Performance Counters as a consistent and novel option to construct an IDS that is closely tied to the activities of running tasks. This capability is particularly useful for systems with strict time requirements, such as those used in safety-critical applications. The tests also showed that the classification model could be trained with a limited dataset, making it more compact and suitable for resource-constrained environments like real-time embedded systems. Despite its compact size, the model maintained its precision in outlier detection, making it an ideal solution for present and future endeavors. Looking ahead, several potential future initiatives could build upon the work outlined in this report and contribute to a deeper understanding of real-time IDS classification. For example, researchers could experiment with different architectures and sets of HPCs to see how they impact the accuracy and speed of the classification process. These experiments could generate valuable insights to inform the development of more effective IDSs.

Supervisors: Alessandro Savino, Stefano Di Carlo, Franco Oberti
Academic year: 2023/24
Publication type: Electronic
Number of pages: 74
Subjects:
Degree course: Master's degree in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: PUNCH SOFTRONIX S.R.L.
URI: http://webthesis.biblio.polito.it/id/eprint/28659