Side-Channel Based Runtime Intrusion Detection for Network Equipment

Side-Channel Based Runtime Intrusion Detection for Network Equipment

연구 분야: Verification

학회: Joint European Conference on Machine Learning and Knowledge Discovery in Databases

Current security protection mechanisms for embedded systems often include running a Host-based Intrusion Detection System (HIDS) on the system itself. HIDSs cover a wide attack surface but still present some blind side and vulnerabilities. In the case of a compromized device, the detection capability of its HIDS becomes untrustworthy. In this context, embedded systems such as network equipment remain vulnerable to firmware and hardware tampering, as well as log manipulation. Side-channel emissions provide an independent and extrinsic source of information about the system, purely based on the physical by-product of its activities. Leveraging side-channel information, we propose a physics-based Intrusion Detection System (IDS) as an additional layer of protection for embedded systems. The physics-based IDS uses machine-learning-based power analysis to monitor and assess the behaviour and integrity of network equipment. The IDS successfully detects three different classes of attacks on an HP Procurve Network Switch 5406zl: (i) firmware manipulation with 99% accuracy, (ii) brute-force SSH login attempts with 98% accuracy, and (iii) hardware tampering with 100% accuracy. The machine-learning models require a small number of power traces for training and still achieve a high accuracy for attack detection. The concepts and techniques discussed in the paper can also extend to offer intrusion detection for embedded systems in general.