Papers by Haider A Khan

Establishing trust for an execution environment is an important problem, and practical solutions for it rely on attestation, where an untrusted system (prover) computes a response to a challenge sent by the trusted system (verifier). The response typically is a checksum of the prover's program, which the verifier checks against expected values for a "clean" (trustworthy) system. The main challenge in attestation is that, in addition to checking the response, the verifier also needs to verify the integrity of the response computation. On higher-end processors, this integrity is verified cryptographically, using dedicated trusted hardware. On embedded systems, however, constraints prevent the use of such hardware support. Instead, a popular approach is to use the request-to-response time as a way to establish confidence. However, the overall request-to-response time provides only one coarse-grained measurement from which the integrity of the attestation is to be inferred, and even that is noisy because it includes the network latency and/or variations due to micro-architectural events. Thus, the attestation is vulnerable to attacks where the adversary has tampered with response computation, but the resulting additional computation time is small relative to the overall request-to-response time. In this paper, we make a key observation that execution-time measurement is only one example of using externally measurable side-channel information, and that other side-channels, some of which can provide much finer-grain information about the computation, can be used.
As a proof of concept, we propose EMMA, a novel method for attestation that leverages electromagnetic side-channel signals that are emanated by the system during response computation, to confirm that the device has, upon receiving the challenge, actually computed the response using the valid program code for that computation. This new approach requires physical proximity, but imposes no overhead to the system, and provides accurate monitoring during the attestation. We implement EMMA on a popular embedded system, Arduino UNO, and evaluate our system with a wide range of attacks on attestation integrity. Our results show that EMMA can successfully detect these attacks with high accuracy. We compare our method with the existing methods and show how EMMA outperforms them in terms of security guarantees, scalability, and robustness.

Abnormal mass classification in breast mammography using rotation invariant LBP
2016 3rd International Conference on Electrical Engineering and Information Communication Technology (ICEEICT), 2016
We present a novel approach for abnormal breast mass classification from digitized mammography images. The proposed framework exploits rotation invariant uniform Local Binary Pattern (LBP) as the texture feature. These features are classified using Support Vector Machine (SVM). In addition, we take advantage of the breast mammograms taken from multiple views or angles. We classify breast scans from the ‘cranial-caudal’ view and the ‘mediolateral-oblique’ view separately, and combine these classification scores to make an improved diagnosis. This reduces the classification error, and achieves a higher recognition rate than that of either view individually. The proposed computer aided diagnosis system was evaluated on the DDSM (Digital Database for Screening Mammography) data set, and was able to achieve a classification accuracy of 74%.

Cyber Sensing 2018, 2018
Side-channel signals have long been used in cryptanalysis, and recently they have also been utilized as a way to monitor program execution without involving the monitored system in its own monitoring. Both of these use-cases for side-channel analysis have seen steady improvement, allowing ever-smaller deviations in program behavior to be monitored (to track program behavior and/or identify anomalies) or exploited (to steal sensitive information). However, there is still very little intuition about where the limits for this are, e.g. whether a single-instruction or a single-bit difference can realistically be recovered from the signal. In this paper, we use a popular open-source cryptographic software package as a test subject to demonstrate that, with enough training data, enough signal bandwidth, and enough signal-to-noise ratio, the decision of branch instructions that cause even single-instruction differences in program execution can be recovered from the electromagnetic (EM) emanations of an IoT/embedded system. We additionally show that, in cryptographic implementations where branch decisions contain information about the secret key, nearly all such information can be extracted from the signal that corresponds to only a single cryptographic operation (e.g. encryption). Finally, we analyze how the received signal bandwidth, the amount of training, and the signal-to-noise ratio (SNR) affect the accuracy of side-channel-based reconstruction of individual branch decisions that occur during program execution.

Journal of Hardware and Systems Security, 2019
We propose a novel malware detection system for critical embedded and cyber-physical systems (CPS). The system exploits electromagnetic (EM) side-channel signals from the device to detect malicious activity. During training, the system models EM emanations from an uncompromised device using a neural network. These EM patterns act as fingerprints for the normal program activity. Next, we continuously monitor the target device's EM emanations. Any deviation in the device's activity causes a variation in the EM fingerprint, which in turn violates the trained model, and is reported as an anomalous activity. The system can monitor the target device remotely (without any physical contact), and does not require any modification to the monitored system. We evaluate the system with different malware behavior (DDoS, ransomware, and code modification) on different applications using an Altera Nios-II soft-processor. Experimental evaluation reveals that our framework can detect DDoS and ransomware with 100% accuracy (AUC = 1.0), and stealthier code modification (which is roughly a 5 μs long attack) with an AUC ≈ 0.99, from distances up to 3 m. In addition, we execute control-flow hijack, DDoS, and ransomware on different applications using an A13-OLinuXino, a Cortex A8 ARM processor single board computer with Debian Linux OS. Furthermore, we evaluate the practicality and the robustness of our system on a medical CPS, implemented using two different devices (TS-7250 and A13-OLinuXino), while executing a control-flow hijack attack. Our evaluations show that our framework can detect these attacks with perfect accuracy.

IEEE Transactions on Dependable and Secure Computing, 2019
We propose a novel framework called IDEA that exploits electromagnetic (EM) side-channel signals to detect malicious activity on embedded and cyber-physical systems (CPS). IDEA first records EM emanations from an uncompromised reference device to establish a baseline of reference EM patterns. IDEA then monitors the target device's EM emanations. When the observed EM emanations deviate from the reference patterns, IDEA reports this as an anomalous or malicious activity. IDEA does not require any resource or infrastructure on, or any modification to, the monitored system itself. In fact, IDEA is isolated from the target device, and monitors the device without any physical contact. We evaluate IDEA by monitoring the target device while it is executing embedded applications with malicious code injections such as DDoS, Ransomware and code modification. We further implement a control-flow hijack attack, an advanced persistent threat, and a firmware modification on three CPSs: an embedded medical device called SyringePump, an industrial PID Controller, and a Robotic Arm, using a popular embedded system, Arduino UNO. The results demonstrate that IDEA can detect different attacks with excellent accuracy (AUC > 99.5%, and 100% detection with less than 1% false positives) from distances up to 3 m.
Handwritten Bangla numeral recognition using Local Binary Pattern
2015 International Conference on Electrical Engineering and Information Communication Technology (ICEEICT), 2015
Local Binary Pattern (LBP) is a simple yet robust texture descriptor that has been widely used in many computer vision applications including face recognition. In this paper, we exploit LBP for handwritten Bangla numeral recognition. We classify Bangla digits from their LBP histograms using a K Nearest Neighbors (KNN) classifier. The performance of three different variations of LBP (the basic LBP, the uniform LBP and the simplified LBP) was investigated. The proposed OCR system was evaluated on the off-line handwritten Bangla numeral database CMATERdb 3.1.1, and achieved an excellent accuracy of 96.7% character recognition rate.

Handwritten Bangla digit recognition using Sparse Representation Classifier
2014 International Conference on Informatics, Electronics & Vision (ICIEV), 2014
We present a framework for handwritten Bangla digit recognition using Sparse Representation Classifier. The classifier assumes that a test sample can be represented as a linear combination of the train samples from its native class. Hence, a test sample can be represented using a dictionary constructed from the train samples. The most sparse linear representation of the test sample in terms of this dictionary can be efficiently computed through l1-minimization, and can be exploited to classify the test sample. We applied Sparse Representation Classifier on the image zone density, an image domain statistical feature extracted from the character image, to classify the Bangla numerals. This is a novel approach for Bangla Optical Character Recognition, and demonstrates an excellent accuracy of 94% on the off-line handwritten Bangla numeral database CMATERdb 3.1.1. This result is promising, and should be investigated further.

Zero-Overhead Path Prediction with Progressive Symbolic Execution
2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)
In previous work, we introduced zero-overhead profiling (ZOP), a technique that leverages the electromagnetic emissions generated by the computer hardware to profile a program without instrumenting it. Although effective, ZOP has several shortcomings: it requires test inputs that achieve extensive code coverage for its training phase; it predicts path profiles instead of complete execution traces; and its predictions can suffer unrecoverable accuracy losses. In this paper, we present zero-overhead path prediction (ZOP-2), an approach that extends ZOP and addresses its limitations. First, ZOP-2 achieves high coverage during training through progressive symbolic execution (PSE): symbolic execution of increasingly small program fragments. Second, ZOP-2 predicts complete execution traces, rather than path profiles. Finally, ZOP-2 mitigates the problem of path mispredictions by using a stateless approach that can recover from prediction errors. We evaluated our approach on a set of benchmarks with promising results; for the cases considered, (1) ZOP-2 achieved over 90% path prediction accuracy, and (2) PSE covered feasible paths missed by traditional symbolic execution, thus boosting ZOP-2's accuracy.
2013 International Conference on Informatics, Electronics and Vision (ICIEV), 2013
Cell segmentation in microscopic images is inherently challenging due to the embedded optical artifacts and the overlapping of cells. Proper segmentation can help with shape analysis, motion tracking and cell counting. We present a framework for cell segmentation and counting by detection of cell centroids in microscopic images. The method is specifically designed for counting circular cells with a high probability of occlusion. The proposed algorithm has been implemented and evaluated on images of fluorescent cell population, collected from the Broad Bioimage Benchmark Collection (www.broad.mit.edu/bbbc), with different degrees of overlap probability. The experimental results show an excellent accuracy of 92% for cell counting even at a very high 60% overlap probability.


Journal of Hardware and Systems Security, 2019
We propose a novel malware detection system for critical embedded and cyber-physical systems (CPS). The system exploits electromagnetic (EM) side-channel signals from the device to detect malicious activity. During training, the system models EM emanations from an uncompromised device using a neural network. These EM patterns act as fingerprints for the normal program activity. Next, we continuously monitor the target device's EM emanations. Any deviation in the device's activity causes a variation in the EM fingerprint, which in turn violates the trained model, and is reported as an anomalous activity. The system can monitor the target device remotely (without any physical contact), and does not require any modification to the monitored system. We evaluate the system with different malware behavior (DDoS, Ransomware and Code Modification) on different applications using an Altera Nios-II soft-processor. Experimental evaluation reveals that our framework can detect DDoS, Ransomware and control flow hijack with 100% accuracy (AUC = 1.0), and stealthier code modification (which is roughly a 5 µs long attack) with an AUC ≈ 0.99, from distances up to 4 m. To further evaluate the practicality and the robustness of our system, we evaluate our system on a medical cyber-physical system using two different devices (TS-7250 and A13-OLinuXino development board), while executing a control-flow hijack attack. Our evaluations

Springer, Berlin, Heidelberg, 2013
We present the Adaptive Vector Pattern Matching (AVPM) method, a novel method for the detection of vortical structures specifically designed for velocity encoded 4D PCMRI data sets. AVPM is based on vector pattern matching combined with robust orientation estimation. This combination provides for a simple yet robust algorithm, which is a priori axial flow invariant. We demonstrate these properties by comparing the performance of AVPM with Heiberg’s Vector Pattern Matching algorithm.

Ultrasound elastography is a promising technique for detection and classification of abnormal growths and tumors. It is a functional imaging modality that maps the elastic properties (strain) of the soft tissues, and can be an effective tool in the diagnosis of tumors and lesions. In this paper, we overview the time-domain and frequency-domain strain estimation methods, and propose a simple yet effective optimization to speed up the time-domain indirect strain estimation. The proposed method exploits the displacement values of the neighbors to predict the displacement and utilizes this predicted value to define an adaptive search region for finding the best match between pre- and post-compression signals. This method is faster than other block matching algorithms such as SAD, SSD or cross-correlation. We evaluated the method using performance parameters such as elastographic Signal to Noise Ratio (SNRe), elastographic Contrast to Noise Ratio (CNRe), elastographic Peak-Signal to Noise Ratio (PSNRe) and Mean Structural Similarity (MSSIM). For lower percentage of strain, the proposed method demonstrated similar performance to the other methods.
Thesis Chapters by Haider A Khan
Georgia Institute of Technology, 2020
If I have seen further it is by standing on the shoulders of Giants.