AI→Sec

Module 4: Side-Channel & ICS/IoT

Side-Channel, Hardware, and ICS/IoT Security

Learning from noisy physical data; securing OT & embedded systems

Outcome: Apply ML to power/EM/timing/RF streams and secure industrial/embedded environments.

Learning Objectives (3)
  • Build CNN/Transformer-based pipelines for power/EM side-channel analysis
  • Model multivariate ICS telemetry for anomaly/attack detection with explainability
  • Evaluate RF/device fingerprinting and attestation under domain shift
Topic Map (5)
  • CNN/Transformer SCA pipelines
  • Masking/shielding/randomization
  • ICS anomaly detection
  • Device identity & attestation
  • Wireless/RF fingerprinting
Topic Map — Deep Dives (5)
  • CNN/Transformer SCA pipelines
    • Acquisition: shunt vs. EM probe; sampling rate, trigger, desync sources.
    • Preprocess: alignment (XCorr/DTW), denoise, normalization, POI selection.
    • Models: 1D-CNN, residual stacks, Transformers; triplet/contrastive losses for templates.
    • Augment: jitter, crop, mixup, noise; calibration for distribution shift.
    • Metrics: success rate vs. #traces, guessing entropy, key rank.
  • Masking/shielding/randomization
    • Leakage models: Hamming weight (HW) / Hamming distance (HD); higher-order attacks under masking.
    • Random delay/instruction shuffling; clock jitter; hiding vs. masking trade-offs.
    • Board/packaging effects; probe placement; regression to quantify SNR drops.
  • ICS anomaly detection
    • Signals: PLC tags (level/flow/pressure), setpoints, actuator states, alarms.
    • Forecasting vs. reconstruction: ARIMA/VAR baselines → AEs/LSTM/Transformers.
    • Context: maintenance windows, phase changes, and seasonality handling.
    • Explainability: variable contributions; safe playbooks and operator-friendly alerts.
  • Device identity & attestation
    • Roots of trust and measured boot; attestation evidence and freshness.
    • PUFs: stability vs. reliability; helper data and ML modeling concerns.
    • Operationalizing identity in fleets (rotation, revocation, supply-chain ties).
  • Wireless/RF fingerprinting
    • IQ features, CFO/phase transients, preamble shapes; packet-level vs. stream-level views.
    • Deep sequence/CRF models; robustness to SNR/channel fading.
    • Domain adaptation and calibration across environments (temp/aging).
Key Shifts Powered by AI (3)
  • Profiling attacks at scale: CNNs learn leakage features directly, reducing manual preprocessing and boosting success on real devices. [tches20_cnn] [ascad]
    Why it matters: Faster SCA prototyping and evaluation of countermeasures.
  • From rules to learned ICS monitors: Deep models capture multivariate process dynamics for anomaly/attack detection in ICS. [ndss24_ics]
    Why it matters: Earlier detection with fewer handcrafted thresholds.
  • RF identities via deep sequence models: Deep CRF/sequence models improve robustness of RF device fingerprinting. [tifs24_deepcrf]
    Why it matters: More reliable device ID without full crypto handshakes.
Still Hard (5)
  • Generalization across devices, process phases, and environments.
  • Leakage desynchronization and countermeasures reducing SNR.
  • Data scarcity and labeling in ICS plants; safety constraints on data collection.
  • RF domain shift (temperature/aging/channel) and spoofer adaptation.
  • Privacy/regulatory limits for telemetry retention and cross-site model sharing.

References

  1. Zaid et al. “A Methodology for Efficient CNN Architectures in Profiling Attacks.” IACR TCHES 2020(1).
  2. Prouff et al. “Study of Deep Learning Techniques for Side-Channel Analysis and Introduction to ASCAD Database.” IACR ePrint 2018.
  3. Fung et al. “Attributions for ML-based ICS Anomaly Detection: From Theory to Practice.” NDSS 2024.
  4. “DeepCRF: Deep Learning-Enhanced CSI-Based RF Fingerprinting for Channel-Resilient WiFi Device Identification.”