Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Securing cyber-physical systems (CPS) against malicious attacks is of paramount importance because these may cause irreparable damages to physical systems. Recent studies have revealed that control programs running on CPS devices suffer from both control-oriented (e.g., code-injection or code-reuse attacks) and data-oriented non-control data attacks). Unfortunately, existing detection mechanisms are insufficient detect runtime exploits, due the lack execution semantics checking. In this work, we propose Orpheus, a new security methodology for defending by enforcing semantics. We first present general method reasoning program (i.e., causal dependencies between context flows), including event identification dependence analysis. As an instantiation then behavior model, i.e., event-aware finite-state automaton (eFSA). eFSA takes advantage event-driven nature incorporates checking in anomaly detection. It detects exploits if specific missing along with corresponding dependent state transition. evaluate our prototype's performance conducting case under attacks. Results show can successfully different Our prototype Raspberry Pi incurs low overhead, taking 0.0001s each transition integrity checking, 0.063s~0.211s contextual consistency