PERSONAL Sign in with your SPIE account to access your personal subscriptions or to use specific features such as save to my library, sign up for alerts, save searches, etc.
This PDF file contains the front matter associated with SPIE Proceedings Volume 11417, including the Title Page, Copyright Information, and Table of Contents.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
The DARPA LADS program uses unintended emissions, including RF emissions, to try to determine the internal state of a digital device. The CASPER project uses a combination of digital signal processing and machine learning in order to discover changes of state that may indicate unwanted activity on the device. In this paper, we will discuss our recent experiences fielding the CASPER system as part of the DARPA RADICS exercise. The RADICS program is building the tools necessary to recover from a catastrophic attack on the cyber assets of the electrical grid. CASPER provides a complementary technology for discovering which assets are performing anomalously to help speed remediation efforts. The RADICS exercise lasted 7 days and is conducted on a live electrical grid in a remote area. The design of the exercise is to provide a high degree of realism including no Internet access and limited access to supplies not already on site.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
Traditionally, host-based defenses are limited to transmitting alerts and attestation data over a standard network or other communication channel. Unfortunately, these channels themselves and the network devices that forward traffic can be compromised by sophisticated attackers. Out-of-band communication channels are needed in order to have a final layer of defense that is resilient in the case of attackers compromising devices and the entire network infrastructure. In this paper, we present practical applications of utilizing existing device LEDs to transmit host-based defense attestation data to low cost sensors made of COTS components. We demonstrate these techniques multiple widely deployed embedded devices including a PLC module, a ruggedized switch, and an enterprise router. These example devices cover a variety of major embedded device instruction set architectures and operating systems providing evidence that this technique is scalable and practical.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
Over the past few years, globalization of the semiconductor supply chain has led companies to outsource much of the production cycle for integrated circuits (ICs). While outsourcing helps companies significantly reduce their cost and time-to-market, it also introduces concerns about the trustworthiness of an IC. One of the most serious problems is counterfeiting of ICs, which not only negatively impacts innovation and economic growth of the IC industry, but also creates serious threats and risks for systems that incorporate those counterfeit ICs. This paper proposes a novel method that uses the backscattering side-channel to cluster ICs such that counterfeits are separated from legitimate ICs. The backscattering side-channel, which has been introduced only recently, has been proven to outperform other side-channels in detecting hardware Trojan horses (HTs), i.e. ICs where additional logic gates (and connections to existing logic gates) have been added. In this work we use it to robustly separate ICs into legitimate and counterfeit ones, even when only layout or placement of the IC has changed, without any added logic or connections. We evalute our technique on a set of ten boards over six different counterfeit IC designs, and find that our technique tolerates manufacturing variations among different hardware instances, detecting counterfeit ICs with 100% accuracy and 0% false positives.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
We present results showing that software programs which are not part of the training set can be characterized into broad classes using involuntary RF side channels. This extends previous work on program identification through analog side channels focused on identifying the specific program out of the training set or flagging previously-unseen programs as "anomalous." This new approach enables an intrusion detection system to be robust to benign changes such as software updates and eliminates the need for an exhaustive training set which covers all possible device functions and states. We have applied our approach to a variety of devices under test, ranging from microcontrollers to laptop computers, and identify program classes such as processor-bound, signal processing, database access, etc. This approach is particularly applicable for defending devices which lack the computational resources to run traditional cybersecurity solutions, including industrial control systems (ICS) and internet of things (IoT) devices.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
Many denial of service attacks target flaws and ill-specified features of network protocol designs and implementations. To most effectively mitigate such DoS attacks, a defense system should be able to detect an anomaly and attribute its root cause to the traffic protocols, features, and source associated with it. The Adaptive Resource Management Enabling Deception (ARMED) approach to these issues, described in previous work, is to push the measurement and analysis of traffic away from service endpoints - and into the network - to facilitate transparent anomaly detection of network protocols before the endpoint is affected. But what tools are available to do the heavy-lifting of analyzing traffic and pinpointing anomalies? This paper describes one such option - Robust Principal Component Analysis (RPCA). We adopted RPCA for use in an ARMED prototype to detect anomalies in real time for a variety of attack vectors. We found such an analysis can be performed within typical CPU and memory constraints of modern servers, and the anomaly detection is general enough to be able to detect both well-known attacks and, in theory, zero-day vulnerabilities in common network protocols.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
In this paper, we present a technique to label and record consistent device modes using an isolated system that can sense the side-channel electromagnetic emanations (EM) of the device. This allows us to characterize the device's normal behavior and detect anomalous behavior that is a result of a security breach of the device. Our technique does not require any prior knowledge of the device or its behavior and is based on a new density-based clustering technique. Our clustering technique uses the training data to create a density map over the instance space by approximating the density of any point by counting the number of points in a fixed radius ball centered at that point. The radius is computed to ensure that a majority of the training data has a low relative error density estimate. This density map is used to incrementally build the clusters in order of the density of the training data. Our approach is similar to DBSCAN but our modifications allow us to remove difficult to set parameters and allow the algorithm to discover clusters of greatly different densities. Given that accurate density estimates are difficult in high-dimensional spaces, we perform experiments after applying PCA to reduce the number of dimensions while retaining much of the clustering structure. We have applied this technique to various devices and confirmed the discovery of device behavior by running code with a known looping behavior that is mirrored in our mode predictions. This has allowed us to detect deviations in device behavior that correspond to unauthorized code running on the device.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
As one of the fundamental approaches for code optimization and performance analysis, profiling software activities can provide information on the existence of malware, code execution problems, etc. In this paper, we propose a methodology to profile a system with no overhead. The approach leverages electromagnetic (EM) emanations while executing a program, and exploits its flow diagram by constructing a Markov model. The states of the model are considered as the heavily executed blocks (called hot paths) of the program, and the transition between any two states is possible only if there exists a branching operation which enables execution of corresponding states without any intermediate state. To identify the state of the program, we utilize a supervised learning method. To do so, we first collect signals for each state, extract features, and generate a dictionary. The features are considered as the activated frequencies when the program is executed. The assumption here is that there exists at least one unique frequency component that is only active for one unique state. Moreover, to degrade the e↵ect of interruptions and other signals emanated from other parts of the device, and to obtain signals with high Signal-to-Noise Ratio (SNR), we average the output of Short-Time Fourier Transform (STFT). After extracting features, we apply Principle Component Analysis (PCA) for dimension reduction which helps monitoring systems in real time. Finally, we describe experimental setup and show results to demonstrate that the proposed methodology can detect malware activity with high accuracy.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
As the sporting industry continues to increase dependence on new and often massive data sets, they also risk exposing themselves, as well as the leagues, teams, venues, players, and fans, to risks posed by not protecting the confidentiality and integrity of this data. The industry, especially true for professional sports, demands an ever increasing supply of new forms of data to achieve their goals of enticing new fans; enhancing experience; expanding the fan experience from venues and television to the internet and mobile devices; measuring and evaluating the performance and safety of players; and increasing revenue. New methods have emerged to collect data about a variety of aspects of sports ranging from players to fans to teams to venues. Data collected during sporting events is combined with historical data to also help teams analyze and predict performance. To synthesize these predictive analytical and historical memories, sports teams and organizations mix a variety of computer technologies. System integration tends to focus on ensuring the availability of the data and reliability of the technologies but might introduce risks to the confidentiality (privacy) and integrity of the data. Recognizing the potential risks requires review and evaluation. Much of the data is collected for publicly providing information to the fans, so threats to confidentiality pose fewer risks. The greatest risk is violating the privacy of players, such a private performance test, or using technology to gain a competitive advantage.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.
We propose a tool called BigHASH for efficiently detecting tampering of big data programs (e.g., by malware) when executed in a private cluster or a public cloud environment. BigHASH produces the execution metadata of a program that precisely captures the critical internal data structures and content of the program (at runtime) using graph algorithms and homomorphic hashing. Homomorphic hashing provides two key benefits: (a) It enables parallel hash computation for efficiency. (b) It provides the ability to cope with cluster environments containing different number of servers when executing the program. BigHASH uses a blockchain network to store the execution metadata of programs as it provides a decentralized, secure, tamper-proof storage. To detect whether a program has been tampered or not during execution, BigHASH compares the execution metadata published by the owner (in a trusted environment) on the blockchain network to that produced by a user in his/her cluster environment. BigHASH is simple to use and provides automatic code instrumentation so that a programmer is not burdened to write any extra code to use BigHASH.
Access to the requested content is limited to institutions that have purchased or subscribe to SPIE eBooks.
You are receiving this notice because your organization may not have SPIE eBooks access.*
*Shibboleth/Open Athens users─please
sign in
to access your institution's subscriptions.
To obtain this item, you may purchase the complete book in print or electronic format on
SPIE.org.