AnCyR™: First Machine Learning IDS Successfully Ported to Microcontrollers / RTOS
Microcontrollers have advanced to a point where high-speed network connectivity is a common feature. While this brings new levels of capabilities to low-cost devices, it also exposes these devices, many of which are part of critical infrastructure, to cyber-attacks. Detection and logging of cyber-events, enabled by an Intrusion Detection System (IDS), are now just as important in microcontroller-based devices as they are in full-fledged microprocessors running full-featured operating systems. NIST defines an IDS as one of the core baseline cybersecurity capabilities needed in any embedded device. Without an IDS, attacks can go undetected, resulting in significant financial losses and impacts on safety, including the potential for personal injury or loss of life.
BG Networks’ AnCyR™ IDS was optimized from the beginning for embedded devices, with first implementations, driven by market demand, on multicore microprocessors. More recently, requirements emerged for AnCyR implementations on microcontrollers and Real Time Operating Systems (e.g., Zephyr) without loss of performance, which we were able to achieve. Our microcontroller implementation of AnCyR can detect a broad set of attacks with high detection rates and low false positive rates.
AnCyR is a transformative IDS solution that combines:
- machine-learning (ML) and statistical analysis-based deep inspection of a device’s software execution to achieve fast detection with low overhead
- automated model training methods for rapid deployment
- continual model refinement to converge to zero false positives
AnCyR’s multi-layer classification approach performs analysis on three layers. The first layer monitors the execution of individual software operations. The analysis performed at this level determines an estimated probability that the current execution is anomalous compared to the baseline model. The second layer uses probabilistic methods to analyze each execution path within each process/task/thread to determine an estimated probability of intrusion/attack for that execution path. The final layer uses regression-based ML models to perform a final classification at the system level. When an intrusion is detected, AnCyR provides a detailed assessment of affected software components with estimated probabilities that each component was exploited in the detected attack.
AnCyR monitors the execution time of software operations, including function calls, library calls, and system calls used by each process, task, or thread. Our timing model divides each timing measurement into timing sub-features, which yields timing data with significantly less noise and enables better intrusion classification.
AnCyR’s anomaly-detection approach enables detecting a very large breadth of attacks, including zero days, buffer overflows, denial of service, fuzz attacks, malware threat execution, data exfiltration, code injection, return oriented programming, and more. AnCyR can detect any attack that affects execution behavior and detects each of these attacks with a detection latency of less than 1 second and as little as 0.25 seconds.
AnCyR is optimized for low compute, code-size, and memory overhead. AnCyR can be deployed across a variety of embedded processors ranging from M-class Arm microcontrollers to A-class multicore processors. For a Zephyr RTOS integration, AnCyR runs on a single-core Arm Cortex-M33 microcontroller with about 5% compute overhead and about 10KB of memory.
AnCyR’s model training is typically performed in parallel with the existing testing, validation, and verification development phases. This approach ensures the model captures all expected behaviors of the target device. For an ADAS ECU system, we performed model training in just two weeks, yielding a false positive rate of 1.98e-9. Additionally, AnCyR supports an automated model refinement method to update the model for any false positives, providing a path for convergence to zero false positives. So, if any device in the fleet sees a false positive, the model can be automatically updated and that update distributed to all vehicles so they will not see that false positive. The goal is to ensure that the same false positive is never seen twice.
AnCyR sets a new standard for real-time intrusion detection in microcontroller-based devices with broad attack detection, high detection accuracy, low false positives, and low-effort integration, helping to secure critical infrastructure in any industry.