Biblio

Hardware Trojans are modifications made by malicious insiders or third party providers during the design or fabrication phase of the IC (Integrated Circuits) design cycle in a covert manner. These cause catastrophic consequences ranging from manipulating the functionality of individual blocks to disabling the entire chip. Thus, a need for detecting trojans becomes necessary. In this work, we propose a deep learning based approach for detecting trojans in IC chips. In particular, we insert trojans at the circuit-level and generate data by measuring power during normal operation and under attack. Further, we develop deep learning models using Neural networks and Auto-encoders to analyze datasets for outlier detection by profiling the normal behavior and leveraging them to detect anomalies in power consumption. Our approach is generic and non-invasive in that it can be applied to any block without any modifications to the design. Evaluation of the proposed approach shows an accuracy ranging from 92.23% to 99.33% in detecting trojans.

The utilization of Third-party modules is very common nowadays. Hence, combating Hardware Trojans affecting the applications' functionality and data security becomes inevitably essential. This paper focuses on the detection/masking of Hardware Trojans' undesirable effects concerned with spying and information leakage due to the growing care about applications' data confidentiality. It is assumed here that the Trojan-infected system consists mainly of a Microprocessor module (MP) followed by an encryption module and then a Medium Access Control (MAC) module. Also, the system can be application-specific integrated circuit (ASIC) based or Field Programmable Gate Arrays (FPGA) based. A general solution, including encryption, CRC encoder/decoder, and zero padding modules, is presented to handle such Trojans. Special cases are then discussed carefully to prove that Trojans will be detected/masked with a corresponding overhead that depends on the Trojan's location, and the system's need for encryption. An implementation of the CRC encoder along with the zero padding module is carried out on an Altera Cyclone IV E FPGA to illustrate the extra resource utilization required by such a system, given that it is already using encryption.

For the purpose of stealthiness, trigger-based Hardware Trojans(HTs) tend to have at least one trigger signal with an extremely low transition probability to evade the functional verification. In this paper, we discuss the correlation between poor testability and low transition probability, and then propose a kind of systematic Trojan trigger model with extremely low transition probability but reasonable testability, which can disable the Controllability and Observability for hardware Trojan Detection (COTD) technique, an efficient HT detection method based on circuits testability. Based on experiments and tests on circuits, we propose that the more imbalanced 0/1-controllability can indicate the lower transition probability. And a trigger signal identification method using the imbalanced 0/1-controllability is proposed. Experiments on ISCAS benchmarks show that the proposed method can obtain a 100% true positive rate and average 5.67% false positive rate for the trigger signal.

Always-On Denial of Service (DoS) Trojans with power drain payload can be disastrous in systems where on-chip power resources are limited. These Trojans are designed so that they have no impact on system behavior and hence, harder to detect. A formal verification method is presented to detect sequential always-on DoS Trojans in pipelined circuits and pipelined microprocessors. Since the method is proof-based, it provides a 100% accurate classification of sequential Trojan components. Another benefit of the approach is that it does not require a reference model, which is one of the requirements of many Trojan detection techniques (often a bottleneck to practical application). The efficiency and scalability of the proposed method have been evaluated on 36 benchmark circuits. The most complex of these benchmarks has as many as 135,898 gates. Detection times are very efficient with a 100% rate of detection, i.e., all Trojan sequential elements were detected and all non-trojan sequential elements were classified as such.

Nowadays malicious vendors can easily insert hardware Trojans into integrated circuit chips as the entire integrated chip supply chain involves numerous design houses and manufacturers on a global scale. It is thereby becoming a necessity to expose any possible hardware Trojans, if they ever exist in a chip. A typical Trojan circuit is made of a trigger and a payload that are interconnected with a trigger net. As trigger net can be viewed as the signature of a hardware Trojan, in this paper, we propose a gate-level hardware Trojan detection method and model that can be applied to screen the entire chip for trigger nets. In specific, we extract the trigger-net features for each net from known netlists and use the machine learning method to train multiple detection models according to the trigger modes. The detection models are used to identify suspicious trigger nets from the netlist of the integrated circuit under detection, and score each net in terms of suspiciousness value. By flagging the top 2% suspicious nets with the highest suspiciousness values, we shall be able to detect majority hardware Trojans, with an average accuracy rate of 96%.

There is an increasing concern about possible hostile modification done to ICs, which are used in various critical applications. Such malicious modifications are referred to as Hardware Trojan. A novel procedure to detect these malicious Trojans using Genetic algorithm along with the logical masking technique which masks the Trojan module when embedded is presented in this paper. The circuit features such as transition probability and SCOAP are used as suitable parameters to identify the rare nodes which are more susceptible for Trojan insertion. A set of test patterns called optimal test patterns are generated using Genetic algorithm to claim that these test vectors are more feasible to detect the presence of Trojan in the circuit under test. The proposed methodologies are validated in accordance with ISCAS '85 and ISCAS '89 benchmark circuits. The experimental results proven that it achieves maximum Trigger coverage, Trojan coverage and is also able to successfully mask the inserted Trojan when it is triggered by the optimal test patterns.

Hardware Trojans are malicious modules causing vulnerabilities in designs. Secured hardware designs are desirable in almost all applications. So, it is important to make a trustworthy design that actually exposes malfunctions when a Trojan is present in it. Recently, ring oscillator based detection methods are gaining prominence as they help in detecting Trojans accurately. In this work, a non-destructive method of Trojan detection by modifying the circuit paths into oscillators is proposed. The change in frequencies of ring oscillators upon taking the process corners into account, indicate the presence of Trojans. Since Transient Effect Ring Oscillators (TERO) are also emerging as a good alternative to classical ring oscillators in Trojan detection, an effort is made to analyze the detection capability. Evaluation is done using ISCAS'85 benchmark circuits. Comparison is done in terms of frequency and findings indicate that TERO based Trojan detection is precise. Evaluation is carried out using Xilinx Vivado and ModelSim platforms.

Memristive nano crossbar array has paved the way for high density memories but in a very low power environment. But such high density circuits face multiple problems at the time of implementation. The sneak path problem in crossbar array is one such problem which causes difficulty in distinguishing the logical states of the memristors. On the other hand, hardware Trojan causes malfunctioning of the circuit or performance degradation. If any of these are present in the nano crossbar, it is difficult to identify whether the performance degradation is due to the sneak path problem or due to that of Hardware Trojan.This paper makes a comparative study of the sneak path problem and the hardware Trojan to understand the performance difference between both. It is observed that some parameters are affected by sneak path problem but remains unaffected in presence of Hardware Trojan and vice versa. Analyzing these parameters, we can classify whether the performance degradation is due to sneak path or due to Hardware Trojan. The experimental results well establish the proposed methods of detection of hardware Trojan in presence of sneak path in memristive nano crossbar circuits.

In the recent time due to advancement of technology, Malware and its clan have continued to advance and become more diverse. Malware otherwise Malicious Software consists of Virus, Trojan horse, Adware, Spyware etc. This said software leads to extrusion of data (Spyware), continuously flow of Ads (Adware), modifying or damaging the system files (Virus), or access of personal information (Trojan horse). Some of the major factors driving the growth of these attacks are due to poorly secured devices and the ease of availability of tools in the Internet with which anyone can attack any system. The attackers or the developers of Malware usually lean towards blending of malware into the executable file, which makes it hard to detect the presence of malware in executable files. In this paper we have done experimental study on various algorithms of Machine Learning for detecting the presence of Malware in executable files. After testing Naïve Bayes, KNN and SVM, we found out that SVM was the most suited algorithm and had the accuracy of 94%. We then created a web application where the user could upload executable file and test the authenticity of the said executable file if it is a Malware file or a benign file.

Recently, with the spread of Internet of Things (IoT) devices, embedded hardware devices have been used in a variety of everyday electrical items. Due to the increased demand for embedded hardware devices, some of the IC design and manufacturing steps have been outsourced to third-party vendors. Since malicious third-party vendors may insert malicious circuits, called hardware Trojans, into their products, developing an effective hardware Trojan detection method is strongly required. In this paper, we propose 25 hardware-Trojan features based on the structure of trigger circuits for machine-learning-based hardware Trojan detection. Combining the proposed features into 11 existing hardware-Trojan features, we totally utilize 36 hardware-Trojan features for classification. Then we classify the nets in an unknown netlist into a set of normal nets and Trojan nets based on the random-forest classifier. The experimental results demonstrate that the average true positive rate (TPR) becomes 63.6% and the average true negative rate (TNR) becomes 100.0%. They improve the average TPR by 14.7 points while keeping the average TNR compared to existing state-of-the-art methods. In particular, the proposed method successfully finds out Trojan nets in several benchmark circuits, which are not found by the existing method.

Edge computing promises higher bandwidth and lower latency to end-users. However, edge servers usually have limited computing resources and are geographically distributed over the edge. This imposes new challenges for efficient system monitoring and control of edge servers.In this paper, we propose EdgeVMI, a framework to monitor and control services running on edge servers with lightweight virtual machine introspection(VMI). The key of our technique is to run the monitor in a lightweight virtual machine which can leverage hardware events for monitoring memory read and writes. In addition, the small binary size and memory footprints of the monitor could reduce the start/stop time of service, the runtime overhead, as well as the deployment efforts.Inspired by unikernels, we build our monitor with only the necessary system modules, libraries, and functionalities of a specific monitor task. To reduce the security risk of the monitoring behavior, we separate the monitor into two isolated modules: one acts as a sensor to collect security information and another acts as an actuator to conduct control commands. Our evaluation shows the effectiveness and the efficiency of the monitoring system, with an average performance overhead of 2.7%.

Smart grid architecture and Software-defined Networking (SDN) have evolved into a centrally controlled infrastructure that captures and extracts data in real-time through sensors, smart-meters, and virtual machines. These advances pose a risk and increase the vulnerabilities of these infrastructures to sophisticated cyberattacks like distributed denial of service (DDoS), false data injection attack (FDIA), and Data replay. Integrating machine learning with a network intrusion detection system (NIDS) can improve the system's accuracy and precision when detecting suspicious signatures and network anomalies. Analyzing data in real-time using trained and tested hyperparameters on a network traffic dataset applies to most network infrastructures. The NSL-KDD dataset implemented holds various classes, attack types, protocol suites like TCP, HTTP, and POP, which are critical to packet transmission on a smart grid network. In this paper, we leveraged existing machine learning (ML) algorithms, Support vector machine (SVM), K-nearest neighbor (KNN), Random Forest (RF), Naïve Bayes (NB), and Bagging; to perform a detailed performance comparison of selected classifiers. We propose a multi-level hybrid model of SVM integrated with RF for improved accuracy and precision during network filtering. The hybrid model SVM-RF returned an average accuracy of 94% in 10-fold cross-validation and 92.75%in an 80-20% split during class classification.

Modern enterprises increasingly take advantage of cloud infrastructures. Yet, outsourcing code and data into the cloud requires enterprises to trust cloud providers not to meddle with their data. To reduce the level of trust towards cloud providers, AMD has introduced Secure Encrypted Virtualization (SEV). By encrypting Virtual Machines (VMs), SEV aims to ensure data confidentiality, despite a compromised or curious Hypervisor. The SEV Encrypted State (SEV-ES) extension additionally protects the VM’s register state from unauthorized access. Yet, both extensions do not provide integrity of the VM’s memory, which has already been abused to leak the protected data or to alter the VM’s control-flow. In this paper, we introduce the SEVerity attack; a missing puzzle piece in the series of attacks against the AMD SEV family. Specifically, we abuse the system’s lack of memory integrity protection to inject and execute arbitrary code within SEV-ES-protected VMs. Contrary to previous code execution attacks against the AMD SEV family, SEVerity neither relies on a specific CPU version nor on any code gadgets inside the VM. Instead, SEVerity abuses the fact that SEV-ES prohibits direct memory access into the encrypted memory. Specifically, SEVerity injects arbitrary code into the encrypted VM through I/O channels and uses the Hypervisor to locate and trigger the execution of the encrypted payload. This allows us to sidestep the protection mechanisms of SEV-ES. Overall, our results demonstrate a success rate of 100% and hence highlight that memory integrity protection is an obligation when encrypting VMs. Consequently, our work presents the final stroke in a series of attacks against AMD SEV and SEV-ES and renders the present implementation as incapable of protecting against a curious, vulnerable, or malicious Hypervisor.

Commodity hypervisors are widely deployed to support virtual machines (VMs) on multiprocessor hardware. Their growing complexity poses a security risk. To enable formal verification over such a large codebase, we introduce microverification, a new approach that decomposes a commodity hypervisor into a small core and a set of untrusted services so that we can prove security properties of the entire hypervisor by verifying the core alone. To verify the multiprocessor hypervisor core, we introduce security-preserving layers to modularize the proof without hiding information leakage so we can prove each layer of the implementation refines its specification, and the top layer specification is refined by all layers of the core implementation. To verify commodity hypervisor features that require dynamically changing information flow, we introduce data oracles to mask intentional information flow. We can then prove noninterference at the top layer specification and guarantee the resulting security properties hold for the entire hypervisor implementation. Using microverification, we retrofitted the Linux KVM hypervisor with only modest modifications to its codebase. Using Coq, we proved that the hypervisor protects the confidentiality and integrity of VM data, while retaining KVM’s functionality and performance. Our work is the first machine-checked security proof for a commodity multiprocessor hypervisor.

Containers that can be easily created, transported and scaled with the use of container-based virtualization technologies work better than classical virtualization technologies and provide efficient resource usage. The Docker platform is one of the most widely used solutions among container-based virtualization technologies. The OS-level virtualization of the Docker platform and the container’s use of the host operating system kernel may cause security problems. In this study, a method including static and dynamic analysis has been proposed to ensure Docker image and container security. In the static analysis phase of the method, the packages of the images are scanned for vulnerabilities and malware. In the dynamic analysis phase, Docker containers are run for a certain period of time, after the open port scanning, network traffic is analyzed with the Snort3. Seven Docker images are analyzed and the results are shared.

In order to improve the continuity of cryptographic services and ensure the quality of services in the cloud environment, a dynamic migration framework of cryptographic service virtual machines based on the network shared storage system is proposed. Based on the study of the security threats in the migration process, a dynamic migration attack model is established, and the security requirement of dynamic migration is analyzed. It designs and implements the dynamic security migration management software, which includes a dynamic migration security enhancement module based on the Libvirt API, role-based access control policy, and transmission channel protection module. A cryptographic service virtual machine migration environment is built, and the designed management software and security mechanism are verified and tested. The experimental results show that the method proposed in the paper can effectively improve the security of cryptographic service virtual machine migration.

Cloud computing systems (CCSs) enable the sharing of physical computing resources through virtualisation, where a group of virtual machines (VMs) can share the same physical resources of a given machine. However, this sharing can lead to a so-called side-channel attack (SCA), widely recognised as a potential threat to CCSs. Specifically, malicious VMs can capture information from (target) VMs, i.e., those with sensitive information, by merely co-located with them on the same physical machine. As such, a VM allocation algorithm needs to be cognizant of this issue and attempts to allocate the malicious and target VMs onto different machines, i.e., the allocation algorithm needs to be security-aware. This paper investigates the allocation patterns of VM allocation algorithms that are more likely to lead to a secure allocation. A driving objective is to reduce the number of VM migrations during allocation. We also propose a graph-based secure VMs allocation algorithm (GbSRS) to minimise SCA threats. Our results show that algorithms following a stacking-based behaviour are more likely to produce secure VMs allocation than those following spreading or random behaviours.

Computer network and virtual machine security is very essential in today's era. Various architectures have been proposed for network security or prevent malicious access of internal or external users. Various existing systems have already developed to detect malicious activity on victim machines; sometimes any external user creates some malicious behavior and gets unauthorized access of victim machines to such a behavior system considered as malicious activities or Intruder. Numerous machine learning and soft computing techniques design to detect the activities in real-time network log audit data. KKDDCUP99 and NLSKDD most utilized data set to detect the Intruder on benchmark data set. In this paper, we proposed the identification of intruders using machine learning algorithms. Two different techniques have been proposed like a signature with detection and anomaly-based detection. In the experimental analysis, demonstrates SVM, Naïve Bayes and ANN algorithm with various data sets and demonstrate system performance on the real-time network environment.

Cloud computing is one of the greatest innovations and emerging technologies of the century. It incorporates networks, databases, operating systems, and virtualization technologies thereby bringing the security challenges associated with these technologies. Security Measures such as two-factor authentication, intrusion detection systems, and data backup are already in place to handle most of the security threats and vulnerabilities associated with these technologies but there are still other threats that may not be easily detected. Such a threat is a malicious user gaining access to the Virtual Machines (VMs) of other genuine users and using the Virtual Machine resources for their benefits without the knowledge of the user or the cloud service provider. This research proposes a model for proactive monitoring and detection of anomalies in VM resource usage. The proposed model can detect and pinpoint the time such anomaly occurred. Isolation Forest and One-Class Support Vector Machine (OCSVM) machine learning algorithms were used to train and test the model on sampled virtual machine workload trace using a combination of VM resource metrics together. OCSVM recorded an average F1-score of 0.97 and 0.89 for hourly and daily time series respectively while Isolation Forest has an average of 0.93 and 0.80 for hourly and daily time series. This result shows that both algorithms work for the model however OCSVM had a higher classification success rate than Isolation Forest.

Nowadays is becoming trivial to have multiple virtual machines working in parallel on hardware platforms with high processing power. This appropriate cost effective approach can be found at Internet Service Providers, in cloud service providers’ environments, in research and development lab testing environment (for example Universities’ student’s lab), in virtual application for security evaluation and in many other places. In the aforementioned cases, it is often necessary to start and/or stop virtual machines on the fly. In cloud service providers all the creation / tear down actions are triggered by a customer request and cannot be postponed or delayed for later evaluation. When a new virtual machine is created, it is imperative to assign unique IP addresses to all network interfaces and also domain name system DNS records that contain text based data, IP addresses, etc. Even worse, if a virtual machine has to be stopped or torn down, the critical network resources such as IP addresses and DNS records have to be carefully controlled in order to avoid IP addresses conflicts and name resolution problems between an old virtual machine and a newly created virtual machine. This paper proposes a provisioning mechanism to avoid both DNS records and IP addresses conflicts due to human misconfiguration, problems that can cause networking operation service disruptions.

Software vulnerabilities are weaknesses in software systems that can have serious consequences when exploited. Examples of side effects include unauthorized authentication, data breaches, and financial losses. Due to the nature of the software industry, companies are increasingly pressured to deploy software as quickly as possible, leading to a large number of undetected software vulnerabilities. Static code analysis, with the support of Static Analysis Tools (SATs), can generate security alerts that highlight potential vulnerabilities in an application's source code. Software Metrics (SMs) have also been used to predict software vulnerabilities, usually with the support of Machine Learning (ML) classification algorithms. Several datasets are available to support the development of improved software vulnerability detection techniques. However, they suffer from the same issues: they are either outdated or use a single type of information. In this paper, we present a methodology for collecting software vulnerabilities from known vulnerability databases and enhancing them with static information (namely SAT alerts and SMs). The proposed methodology aims to define a mechanism capable of more easily updating the collected data.

Edge nodes are crucial for detection against multitudes of cyber attacks on Internet-of-Things endpoints and is set to become part of a multi-billion industry. The resource constraints in this novel network infrastructure tier constricts the deployment of existing Network Intrusion Detection System with Deep Learning models (DLM). We address this issue by developing a novel light, fast and accurate `Edge-Detect' model, which detects Distributed Denial of Service attack on edge nodes using DLM techniques. Our model can work within resource restrictions i.e. low power, memory and processing capabilities, to produce accurate results at a meaningful pace. It is built by creating layers of Long Short-Term Memory or Gated Recurrent Unit based cells, which are known for their excellent representation of sequential data. We designed a practical data science pipeline with Recurring Neural Network to learn from the network packet behavior in order to identify whether it is normal or attack-oriented. The model evaluation is from deployment on actual edge node represented by Raspberry Pi using current cybersecurity dataset (UNSW2015). Our results demonstrate that in comparison to conventional DLM techniques, our model maintains a high testing accuracy of 99% even with lower resource utilization in terms of cpu and memory. In addition, it is nearly 3 times smaller in size than the state-of-art model and yet requires a much lower testing time.

With the explosive growth of IoT applications, billions of things are now connected via edge devices and a colossal volume of data is sent over the internet. Providing security to the user data becomes crucial. The rise in zero-day attacks are a challenge in IoT scenarios. With the large scale of IoT application detection and mitigation of such attacks by the network administrators is cumbersome. The edge device Raspberry pi is remotely logged using Secure Shell (SSH) protocol in 90% of the IoT applications. The case study of SSH brute force attack on the edge device Raspberry pi is demonstrated with experimentation in the IoT networking scenario using Intrusion Detection System (IDS). The IP crawlers available on the internet are used by the attacker to obtain the IP address of the edge device. The proposed system continuously monitors traffic, analysis the log of attack patterns, detects and mitigates SSH brute attack. An attack hijacks and wastes the system resources depriving the authorized users of the resources. With the proposed IDS, we observe 25% CPU conservation, 40% power conservation and 10% memory conservation in resource utilization, as the IDS, mitigates the attack and releases the resources blocked by the attacker.

Aiming at the cyber security problem of the advanced metering infrastructure(AMI), an anomaly detection method based on edge computing framework for the AMI is proposed. Due to the characteristics of the edge node of data concentrator, the data concentrator has the capability of computing a large amount of data. In this paper, distributing the intrusion detection model on the edge node data concentrator of the AMI instead of the metering center, meanwhile, two-way communication of distributed local model parameters replaces a large amount of data transmission. The proposed method avoids the risk of privacy leakage during the communication of data in AMI, and it greatly reduces communication delay and computational time. In this paper, KDDCUP99 datasets is used to verify the effectiveness of the method. The results show that compared with Deep Convolutional Neural Network (DCNN), the detection accuracy of the proposed method reach 99.05%, and false detection rate only gets 0.74%, and the results indicts the proposed method ensures a high detection performance with less communication rounds, it also reduces computational consumption.

The emergence of the 5G network has boosted the advancements in the field of the internet of things (IoT) and edge/cloud computing. We present a novel architecture to detect fire in indoor and outdoor environments, dubbed as EAC-FD, an abbreviation of edge and cloud-based fire detection. Compared with existing frameworks, ours is lightweight, secure, cost-effective, and reliable. It utilizes a hybrid edge and cloud computing framework with Intel neural compute stick 2 (NCS2) accelerator is for inference in real-time with Raspberry Pi 3B as an edge device. Our fire detection model runs on the edge device while also capable of cloud computing for more robust analysis making it a secure system. We compare different versions of SSD-MobileNet architectures with ours suitable for low-end devices. The fire detection model shows a good balance between computational cost frames per second (FPS) and accuracy.