etecting a Weakened Encryption Algorithm in Microcontrollers Using Correlation-Based Anomaly Detection

Since the 1960s, increasingly more Integrated Circuit (IC) device manufacturers have been outsourcing fabrication of semiconductor devices to Taiwan, China, and other countries where the cost of labor is less expensive, as described by Adee (2008). This includes situations where United States companies contracted by the military to develop semiconductor-based systems outsourced the design work for the semiconductors to foreign nations according to Yudken (2010). This practice brings to bear security concerns regarding the possibility of overseas fabrication facilities embedding malicious hardware in the device early in the supply chain. Microcontrollers, specifically, are used in a large number of military operations including encryption, such as the microcontrollers used to encrypt information found in the smart cards issued by the Department of Defense, as stated by the United States General Services Administration (GSA) (2004). According to Beaumont et al. (2011), current IC testing and verification focuses on testing the chips to specifications which may detect whether functionality was removed, but will likely not detect any functionality added by an adversary. Systems used in environments where antivirus and intrusion detection systems are not feasible are particularly vulnerable. In order to detect compromised programming, or potential zero-day attacks from entering combat systems, an efficient and effective method of anomaly detection is required. This paper proposes expanding use of the Correlation-Based Anomaly Detection (CBAD) as introduced by Stone (2013) for detecting anomalous microcontroller operation using Unintentional Radio Frequency (RF) Emissions (UREs). Specifically, this paper presents the results of using the CBAD process to detect a modified Advanced Encryption Standard (AES) algorithm implemented on a microcontroller. This process was shown to be effective in detecting anomalous operations in a more limited Programmable Logic Controller (PLC) program by Stone (2013), and was less resource-intensive than alternatives such as the RF fingerprinting method used for discriminating between hardware devices by Cobb (2011). The CBAD process consists of four major steps: URE collection, signal post-processing, test statistic generation, and a declaration. In the process declaration stage, the microcontroller's program is classified as either Normal operation or Anomalous operation after comparison with a reference response. Results using the CBAD process against the UREs of a microcontroller have been encouraging thus far, and show a True Anomaly Detection Rate (TADR) of greater than 90% at Signal to Noise Ratios (SNRs) greater than 5 dB while maintaining a False Anomaly Detection Rate (FADR) of approximately 10% across all SNRs. Additionally, Receiver Operating Characteristic (ROC) curve Equal Error Rates (EER) are presented for the proposed anomaly detection process.