ABSTRACT
Embedded systems are being deployed as part of critical infrastructures and are vulnerable to malicious attacks due to internet accessibility. Intrusion detection systems have been proposed to protect computer systems from unauthorized penetration. Detecting an attack early pays off, since further damage is avoided and, in some cases, resilient recovery can be adopted. This is especially important for embedded systems deployed in critical infrastructures such as power grids, where a timely intervention could avert catastrophes. An intrusion detection system monitors dynamic program behavior against normal program behavior and raises an alert when an anomaly is detected. The normal behavior is learnt by the system through training and profiling. However, all current intrusion detection systems are purely software-based and thus suffer from large performance degradation due to the constant monitoring operations inserted in application code. Because of these potential performance overheads, software-based solutions cannot monitor program behavior at a very fine level of granularity, thus leaving potential security holes, as shown in the literature. Another important drawback of such methods is that they are unable to detect intrusions in near real time, and the time lag could prove disastrous in real-time embedded systems. In this paper, we propose a hardware-based approach to verify program execution paths of target applications dynamically and to detect anomalous executions. With hardware support, our approach offers multiple advantages over software-based solutions, including minor performance degradation, much stronger detection capability (a larger variety of attacks get detected), and zero-latency reaction upon an anomaly for near-real-time detection, and thus much better security.