Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems

Embedded systems are widely used in critical situations and hence, are targets for malicious users. Researchers have demonstrated successful attacks against embedded systems used in power grids, modern cars, and medical devices. This makes building Intrusion Detection Systems (IDS) for embedded devices a necessity. However, embedded devices have constraints (such as limited memory capacity) that make building IDSes monitoring all their security properties challenging. In this paper, we formulate building IDS for embedded systems as an optimization problem. Having the set of the security properties of the system and the invariants that verify those properties, we build an IDS that maximizes the coverage for the security properties, with respect to the available memory. This allows our IDS to be applicable to a wide range of embedded devices with different memory capacities. In our formulation users may define their own coverage criteria for the security properties. We also propose two coverage criteria and build IDSes based on them. We implement our IDSes for SegMeter, an open source smart meter. Our results show that our IDSes provide a high detection rate in spite of memory constraints of the system. Further, the detection rate of our IDSes at runtime are close to their estimated coverage at design time. This validates our approach in quantifying the coverage of our IDSes and optimizing them.