TY - GEN
T1 - Remote non-intrusive malware detection for PLCs based on chain of trust rooted in hardware
AU - Rajput, Prashant Hari Narayan
AU - Sarkar, Esha
AU - Tychalas, Dimitrios
AU - Maniatakos, Michail
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021/9
Y1 - 2021/9
N2 - Digitization has been rapidly integrated with manufacturing industries and critical infrastructure to increase efficiency and productivity and to reduce waste, a transition labeled Industry 4.0. However, this expansion, coupled with the poor cybersecurity posture of Industrial Internet of Things (IIoT) devices, has made them prolific targets for exploitation. Moreover, modern Programmable Logic Controllers (PLCs) used in the Operational Technology (OT) sector are adopting open-source operating systems such as Linux instead of proprietary software, making such devices susceptible to Linux-based malware. Traditional malware detection approaches cannot be applied directly or extended to such environments because of the unique restrictions of PLC devices, such as limited computational power and real-time requirements. In this paper, we propose ORRIS, a novel lightweight, out-of-the-device framework that detects malware at both the kernel and user level by processing information collected over the Joint Test Action Group (JTAG) interface. We evaluate ORRIS against in-the-wild Linux malware, achieving a maximum detection accuracy of ≈99.7% with very few false positives, a result comparable to state-of-the-art commercial products. We also develop and demonstrate a real-time implementation of ORRIS for commercial PLCs.
KW - Hardware Performance Counters
KW - Hardware Root-of-Trust
KW - JTAG
KW - Malware Detection
KW - Rootkit
UR - http://www.scopus.com/inward/record.url?scp=85119271658&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85119271658&partnerID=8YFLogxK
U2 - 10.1109/EuroSP51992.2021.00033
DO - 10.1109/EuroSP51992.2021.00033
M3 - Conference contribution
AN - SCOPUS:85119271658
T3 - Proceedings - 2021 IEEE European Symposium on Security and Privacy, EuroS&P 2021
SP - 369
EP - 384
BT - Proceedings - 2021 IEEE European Symposium on Security and Privacy, EuroS&P 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 6th IEEE European Symposium on Security and Privacy, EuroS&P 2021
Y2 - 6 September 2021 through 10 September 2021
ER -