Method of resource-limited device and device class identification using system and function call tracing techniques, performance, and statistical analysis

US 10,242,193 B1
Filed: 01/04/2018
Issued: 03/26/2019
Est. Priority Date: 01/04/2018
Status: Active Grant

First Claim

Patent Images

1. A method of device and device class classification, the method comprising:

providing a known cyber physical system (CPS) device;

extracting, by an extracting device, using system and function call tracing techniques, system and function calls and parameters from the known CPS device;

extracting, by the extracting device using system and function call tracing techniques, system and function calls and parameters at different time intervals from the known CPS device;

calculating an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device;

determining whether the autocorrelation value is greater than a threshold amount; and

storing in computer memory, the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than the threshold amount in a database,the database being subdivided into classes of CPS devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for cyber physical systems device classification are provided. A method can include receiving system and function calls and parameters and a device performance index from an unknown CPS device and a device performance index of similar class of CPS devices, calculating an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device, determining whether the autocorrelation value is greater than a threshold amount, and storing the system and function calls and parameters and the device performance characteristics of the known CPS device in the database. A method can also include calculating a correlation between system and function calls and parameters of an unknown CPS device and known CPS devices classes included in the database, as well as determining whether the maximum correlation is also greater than a threshold amount.

22 Citations

View as Search Results

20 Claims

1. A method of device and device class classification, the method comprising:
- providing a known cyber physical system (CPS) device;
  
  extracting, by an extracting device, using system and function call tracing techniques, system and function calls and parameters from the known CPS device;
  
  extracting, by the extracting device using system and function call tracing techniques, system and function calls and parameters at different time intervals from the known CPS device;
  
  calculating an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device;
  
  determining whether the autocorrelation value is greater than a threshold amount; and
  
  storing in computer memory, the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than the threshold amount in a database,the database being subdivided into classes of CPS devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - inserting the system and function calls and parameters in a vector expressed as follows;
      
      PSCL_i={x_i∈
      
      X_i;
      
      ∃
      
      X_i∧
      
      X_i≠
      
      ∅
      
      },x_irepresenting parameters from system and function calls from device i and X_irepresenting system and function call lists from device i.
  - 3. The method of claim 2, further comprising:
    - calculating the autocorrelation between different realizations of the system and function calls and parameters of the known CPS device using the following expression;
  - 4. The method of claim 1, the threshold value of the autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device being 0.6.
  - 5. The method of claim 1, further comprising:
    - providing an unknown CPS device;
      
      extracting, by the extracting device, using system and function call tracing techniques, system and function calls and parameters from the unknown CPS device;
      
      calculating a correlation value between the system and function calls and parameters of the unknown CPS device and systems and function calls and parameters of each CPS class device in the database;
      
      determining whether the correlation value is greater than a threshold amount;
      
      accepting the unknown device whose maximum correlation value is also greater than the threshold amount in the database as a known CPS device; and
      
      storing, in computer memory, the system and function calls and parameters of the known CPS device in the database.
  - 6. The method of claim 5, further comprising:
    - storing, in the computer memory, the system and function calls and parameters of the known device whose correlation value is equal to or less than the threshold amount in the database as a new class of CPS device.
  - 7. The method of claim 6, the threshold amount of the correlation between system and function calls and parameters of the unknown device and each system and function calls and parameters of each CPS class device in the database being 0.6.
  - 8. The method of claim 6, the correlation between the system and function calls and parameters of the unknown CPS device and the system and function calls and parameters in the database being calculated using the following expression:
  - 9. The method of claim 1, further comprising:
    - extracting, by an extracting device, device performance characteristics from the known CPS device and the device performance characteristics of an unknown CPS device.
  - 10. The method of claim 9, the device performance characteristics including memory utilization, CPU utilization, and real time of application execution.
  - 11. The method of claim 10, the device performance characteristics being expressed as the following equation:
    - DPI=α
      
      ×
      
      β
      
      ×
      
      γ
      
      ,α
      
      representing an average of memory utilization, β
      
      representing an average of CPU utilization, and γ
      
      representing a time period that an application takes to execute a specific task.
  - 12. The method of claim 1, further comprising:
    - storing, in computer memory, a device signature for each known and unknown CPS device as a function of a parametric system call list (PSCL) and a device performance index (DPI).

13. A non-transitory computer-readable storage medium comprising stored instructions thereon, the instructions when executed causing a processor to:
- receive system and function calls and parameters from a known CPS device;
  
  receive device performance characteristics from the known CPS device;
  
  receive system and function calls and parameters at different time intervals from the known CPS device;
  
  receive device performance characteristics at different time intervals from the known device;
  
  calculate an autocorrelation value between different executions of the system and function calls and parameters of the known CPS device;
  
  determine whether the autocorrelation value is greater than a threshold amount; and
  
  store the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than a threshold amount in a database,the database being subdivided into classes of CPS devices.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, the device performance characteristics being expressed as the following equation:
    - DPI=α
      
      ×
      
      β
      
      ×
      
      γ
      
      ,α
      
      representing an average of memory utilization, β
      
      representing an average of CPU utilization, and γ
      
      representing a time period the application takes to execute a specific task.
  - 15. The method of claim 13, the instructions when executed further causing the processor to:
    - calculate the autocorrelation between different realizations the system and function calls and parameters of the known CPS device with the following expression;
  - 16. The method of claim 14, the threshold value of the autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device being 0.6.
  - 17. The method of claim 14, the instructions when executed further causing the processor to:
    - receive system and function calls and parameters from an unknown CPS device;
      
      calculate a correlation value between the system and function calls and parameters of the unknown CPS device and the system and function calls and parameters of each CPS device class in the database;
      
      determine whether the correlation value is greater than a threshold amount;
      
      accept the unknown device whose maximum correlation value is also greater than the threshold amount in the database as a known CPS device; and
      
      store the system and function calls and parameters of the unknown CPS device in the database.
  - 18. The method of claim 16, the threshold value of the correlation value between system and function calls and parameters of the unknown CPS device and the system and function calls and parameters of each CPS device class in the database being 0.6.
  - 19. The method of claim 17, the correlation between the system and function calls and parameters of the unknown CPS device and the system and function calls and parameters of each CPS device class in the database being calculated using the following expression:

20. A non-transitory computer-readable storage medium comprising stored instructions thereon, the instructions when executed causing a processor to:
- receive system and function calls and parameters from a known Cyber Physical Systems (CPS) device;
  
  receive characteristic parameters related to memory utilization, CPU utilization, and real time of application execution from the known CPS device;
  
  receive system and function calls and parameters from a known CPS device;
  
  receive characteristic parameters related to memory utilization, CPU utilization, and real time of application execution from the unknown CPS device;
  
  calculate an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device;
  
  determine whether the autocorrelation value is greater than 0.6;
  
  store the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than 0.6 in a database,the database being subdivided into classes of CPS devices;
  
  receive system and function calls and parameters from an unknown CPS device;
  
  receive characteristic parameters related to memory utilization, CPU utilization, and real time of application execution from the known CPS device;
  
  receive from the database, system and function calls and parameters of each CPS device class;
  
  calculate a correlation value between the system and function calls and parameters of the unknown CPS device and the system and function calls and parameters of each CPS device class in the database;
  
  determine whether the correlation value is greater than 0.6;
  
  accept the unknown device whose maximum correlation value is also greater 0.6 in the database as a known CPS device; and
  
  store the system and function calls and parameters and the device performance characteristics of the unknown CPS device in the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Florida International University Board of Trustees (State University System of Florida)
Original Assignee
The Florida International University Board of Trustees (State University System of Florida)
Inventors
Babun, Leonardo, Aksu, Hidayet, Uluagac, A. Selcuk
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/862,044
Time in Patent Office

446 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 63/14   for detecting or protecting...

H04L 67/12   specially adapted for propr...

Method of resource-limited device and device class identification using system and function call tracing techniques, performance, and statistical analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method of resource-limited device and device class identification using system and function call tracing techniques, performance, and statistical analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links