Malicious Behavior Monitoring of Embedded Medical Devices: A Hardware-Based Specification Rules Approach

Razan Abdulhammed¹, Miad Faezipour² and Khaled Elleithy³
Department of Computer Science and Engineering
University of Bridgeport, Bridgeport, CT
rabdulha@my.bridgeport.edu¹, mfaezipo@bridgeport.edu², elleithy@bridgeport.edu³

Abstract— This research paper proposes and analyzes a
hardware based specification rules approach for detecting
malicious behaviors of sensors and actuators embedded in
medical devices in which the safety of the patient is critical and of
utmost importance. The study includes four types of medical
devices, namely the Vital Sign Monitor (VSM), Patient Analgesic
Control (PCA), Cardiac Device (CD), and Continuous Glucose
Monitor (CGM) devices. The research is based on a methodology
that transforms a device’s behavior rules into a state machine.
We design a Finite State Machine (FSM) model out of
transformed behavior rules to build a Behavior Specification
Rules Monitoring (BSRM) tool for each device. Mentor Graphics
Altera ModelSim and Quartus II software packages are used to
check the validity of the transformed state machines. Through
our simulation and synthesis, we demonstrate that the BSRM tool
can effectively identify the expected normal behavior of the
device and detect any deviation from its normal behavior.
Furthermore, the model is consistent with the requirements for
lower power consumption and higher bandwidth applications.
The FPGA module of the BSRM can be embedded in the medical
devices so that any deviation from the behavior specification can
be detected. Moreover, the reconfigurable nature of the FPGA
chip adds an extra advantage to the designed model in which the
behavior rule can be easily updated and tailored according to the
requirements of the device, patient, treatment algorithm, and/or
pervasive healthcare applications.
Keywords— FSM; Behavior Rule; VSM; CGM; FPGA
I. INTRODUCTION
A medical device is defined as an instrument used alone or
in combination with other instruments to monitor and treat
human beings for one or more of specific medical conditions
[1]. Different device models are networkable and can send
their output to a central monitoring station, from which
healthcare personnel process the medical data simultaneously.
Medical devices are often characterized and controlled by
sophisticated patient treatment algorithms that interact with
the physical environment and the patient [2]. The most
prominent characteristic of a medical device is its feedback
loop that reacts to the physical environment. For example, in
portable, wearable and transportable devices such as
Continuous Glucose Monitor (CGM), the actual device
transmits the patient’s data via a wireless data connection.
Other devices such as Vital Sign Monitor (VSM) and Patient
Control Analgesia (PCA) which are non-portable, non-
wearable and non-transportable, can send their output using
wireline communication to a central monitoring station inside
a hospital. Still other medical devices, such as the Cardiac
Device (CD), are implanted in the patient and do not use
wireline communication. In this paper, four types of medical
devices are studied. Table I defines the types, properties,
functions, and model number of the medical devices used in
our research. These devices can exist in different medical
scenarios. One scenario is found in an automated
anesthesiologist [2]. In this case, the VSM medical device
monitors patient respiration (Hz), oxygen saturation (SpO2),
heart rate (Hz) and temperature (°C) as well as controls
intravenous delivery of sedatives for the patient. Another
example of an above mentioned medical device is PCA. In a
PCA scenario, when the patient requests an analgesic to
relieve pain, the physiological sensor readings from the VSM
will control the infusion pumps of the PCA. Additional
examples are found in the intensive care room. In a cardiac
Intensive Control Unit (ICU), a patient may have an implanted
cardiac device. The frequency and pulse readings of the
patient are monitored through the VSM to help the patient to
breathe and maintain normal heart function. Another medical
device example is found in diabetes treatment. In this scenario,
a CGM device senses glucose deficiency in a patient which in
turn, triggers an insulin infusion in the blood.

TABLE I. DEVICE TYPES
Device | Abbreviation | Properties | Model number
Patient Control Analgesic | PCA [3, 4] | Wireline Communication, Non portable | Alaris PCA model
Vital Sign Monitor | VSM [5] [6] | Wireless Communication | Welch Allyn600, Philips
Cardiac Device | CD [7] | Implanted inside patient | Medtronic
Continuous Glucose Monitor | CGM [8] | Use Wireless Communication | GlySens ICGM

Based on these examples, our research concentrates on
behavior monitoring for detecting malicious behavior of
sensors and actuators embedded in medical devices for
supporting safe and secure applications for patients and
healthcare professionals. Existing works [9], [10] consider a
software-based approach that uses state machines to detect
malicious behavior of the misbehaving communication
protocol patterns. In addition, various works rely solely on
software-based approaches to monitor malicious behavior in
medical devices [2]. No previous study has investigated the use
of hardware approaches. This research uses a hardware
approach to monitor malicious behavior in medical devices. In
our research, we factored behavior rules for both the actuators
and the physiological sensors embedded in medical devices in
order to build a hardware module that is capable of checking
for any deviation of the device’s behavior against its state
machine.
The proposed Behavior Specification Rule Monitoring
(BSRM) tool is based on a set of behavior rules that have been
determined and designated during the debugging and
operational phases to specify acceptable behaviors of sensors
and actuators embedded in medical devices such as VSM,
PCA, CD and CGM. Accordingly, BSRM will identify
whether each medical device’s behavior is normal or
malicious according to the set of behavior rules. The
observations are composed from the audit data that were
represented by the logs generated by the relevant sensor or
actuator drivers, the MIMIC-III [11] Dataset, and the
University of Queensland vital signs Dataset [12]. The test
bench incorporates different acceptable parameter ranges that
reflect the physiology and responses for patient treatment
related to each device’s state components. BSRM operates
through individual medical devices; since BSRM has no
designated monitoring node, there is no single point of failure.
In a VSM example, one VSM is monitored by another peer
VSM for security purposes. In a PCA, one PCA is being
monitored by a VSM and a peer PCA, as shown in Table II.

TABLE II. NORMAL BEHAVIOR RULES IN CNF
Description | Safe State | Trustee | Monitor
Pulse above threshold during analgesic request | (Analgesic Request = TRUE) (Pulse > Ts) | PCA | VSM
Analgesic request rate below safe threshold | (Analgesic Request Rate < Ts) | PCA | VSM
No analgesic infusion during defibrillation | (CD Mode = defibrillator) (Analgesic Infusion Rate = 0) | PCA | VSM
Respiration above threshold during analgesic request | (Analgesic Request = TRUE) (Respiration > Ts) | PCA | VSM
Pulse matches pacemaker frequency | Pulse = Pacemaker frequency | CD | VSM
Patient is unstable before defibrillation | (Pulse < Tds) (Respiration < Ts) (CD Mode = Pacemaker) | CD | VSM
Trustee blood pressure matches monitor | Trustee blood pressure = Monitor blood pressure | VSM | Peer VSM
Trustee oxygen saturation matches monitor | Trustee oxygen saturation = Monitor oxygen saturation | VSM | Peer VSM
Trustee pulse matches monitor | Trustee pulse = Monitor Pulse | VSM | Peer VSM
Trustee respiration matches monitor | Trustee respiration = Monitor respiration | VSM | Peer VSM
Trustee temperature matches monitor | Trustee temperature = Monitor temperature | VSM | Peer VSM
Glucose above threshold during insulin request | (Insulin Request = TRUE) (Glucose > Ts) | CGM | VSM
Insulin request rate below safe threshold | (Insulin Request Rate < Ts) | CGM | VSM

II. PROPOSED BEHAVIOR RULES
A study by Mitchell and Chen [1] proposed a
methodology that transformed behavior rules of medical
devices to state machines. In their study, the authors stated the
behavior rules for three types of medical devices VSM, PCA,
and CD. They used a software approach to implement a
lightweight monitoring tool for a VSM device only. In
contrast, in our research, we develop a hardware approach to
implement lightweight monitoring tools for VSM, PCA, CD,
and CGM devices that can be mapped onto an FPGA chip
which can then be embedded into the medical device.
Furthermore, our research proposes behavior rules for a CGM
device, and transforms these behavior rules to state machines
to build the hardware module. The hardware module uses the
set of behavior rules along with the related readings and
settings of sensors and actuators to detect if a device’s
behavior deviates from the expected normal behavior. It
provides an output to distinguish among system states that are
safe, unsafe, warning, and idle.

TABLE III. MALICIOUS BEHAVIOR RULE IN CNF
Device | Malicious State | State Components
PCA | (Analgesic Request = TRUE) (Pulse < T) | Analgesic Request, Pulse
PCA | (Analgesic Request = TRUE) (Respiration < T) | Analgesic request, respiration
PCA | Analgesic Request Rate > T | Analgesic request rate
CD | Analgesic Infusion Rate > 0 (Mode = Defibrillator) | Analgesic Infusion rate and CD mode
CD | (Mode = PACEMAKER) (ǀ Pulse - Pacemaker Frequency ǀ) > | CD mode, pulse
CD | (Mode = DEFIBRILLATOR) (L < Pulse < H) | CD mode, pulse
VSM | ǀ Monitor Temperature - Trustee Temperature ǀ > | Temperature
VSM | ǀ Monitor Respiration - Trustee Respiration ǀ > | Respiration
VSM | ǀ Monitor Pulse - Trustee Pulse ǀ > | Pulse
VSM | ǀ Monitor Oxygen Saturation - Trustee Oxygen Saturation ǀ > | Oxygen Saturation
VSM | ǀ Monitor Blood Pressure - Trustee Blood Pressure ǀ > | Blood Pressure
CGM | Insulin Request Rate > T | Insulin Request rate
CGM | (Insulin Request = TRUE) (Pulse < T) (Glucose < T) | Insulin Request rate, pulse, Glucose
CGM | (Insulin Request = TRUE) (Respiration < T) (Glucose < T) | Respiration, Glucose
CGM | ǀ Monitor Glucose - Trustee Glucose ǀ > | Glucose

Table II and Table III show the normal behavior rules as
well as the malicious behavior rules for the medical devices
under review in the Conjunctive Normal Form (CNF). The
relation between the trustee and the monitor is exemplified in
Section III. In this research, the behavior rules work,
specifically, to address the expected behavior of individual
physical components in certain medical device models as well
as to specify different acceptable parameter ranges that reflect
the physiology and responses for different types of patients.
Thus, these rules are applied to both certain types of devices
and certain types of patients, as previously mentioned in
Section I.
III. TRANSFORMING BEHAVIOR RULES TO STATE MACHINES
Our research incorporated the methodology presented by
Mitchell and Chen [1]. A simple continuous block diagram
that illustrates the proposed methodology is shown in Fig. 1.

Fig. 1. Transforming Behavior Rules to State Machine

In this methodology, the “malicious behavior state” is
identified as a result of a behavior rule being
violated. Here, the initial process identifies malicious
behavior for a specific device as a state. Then, this state
is converted into a Conjunctive Normal Form (CNF)
predicate, and the involved state components in the
underlying state machine are identified. Following that, a Boolean
expression in the Disjunctive Normal Form (DNF) is used to
group together all the extracted malicious behavior states that
are related to each device, as shown in the following DNF:
CGM. (Insulin Request Rate > T) ˅ G((Insulin Request = TRUE) (Pulse < T) (Glucose < T)) ˅ ((Insulin Request = TRUE) (Respiration < T) (Glucose < T)) (ǀ Monitor Glucose - Trustee Glucose ǀ > )
“A disjunctive normal form (DNF) can be defined as a
normalization of a logical formula which is a disjunction of
conjunctive clauses; it can also be described as an OR of
ANDs, a sum (˅) of products ( ), or (in philosophical logic)
a cluster concept” [13]. Next, the union of all the predicate
variables is converted into state components of a state machine
to establish their corresponding ranges. Finally, the managing
process will collapse and identify the sequence of values that
are not legitimate in order to reduce the total number of states
in the states’ space. Table II and Table III present the set of
normal behavior rules and malicious behavior rules in CNF
representation. Furthermore, Table IV indicates the symbols
used in this study.

TABLE IV. SYMBOL USED IN THIS STUDY
Symbol | Parameters | Note
T | Threshold value | Each value is tied to a specific device, system state (warning, unsafe), and certain state component
 | Sensor Reading Deviation | Each value is tied to a specific device, specific patient, and specific system states (warning, unsafe, safe)
L | Acceptable Low Heart Rate Pulse | Each value is tied to a specific device, specific system state, and patient
H | Acceptable Low Heart Rate Pulse | Each value is tied to a specific device, specific system state, and patient
Ts | Safe threshold value | This value is tied to a specific device, specific patient, and specific system state (safe)

IV. STATE TRANSITION DIAGRAM
The normal behavior states as well as the malicious
behavior states are used to build a state transition diagram for
each specified device’s behavior monitoring tool. The state
components related to the designated state machine of our
model are shown in Table V. We use these state components
along with both normal and malicious behavior rules, sensor
and actuator readings, and settings to build an idealized
model of a finite state machine engine in Hardware
Description Language (HDL) for each device’s behavior
monitoring. Each designed state diagram consists of four
states: Idle, Safe, Unsafe, and Warning.
Table V indicates the number of the device states and the
reasons why the device entered such states. It is worth
mentioning that the unsafe states of the state machines are not
those “hazardous” states generated due to design faults (e.g.
software bugs). Such “hazardous” states are removed as a
result of the design faults that were identified during the
testing and debugging phases. In our research, the safe states
and unsafe states are permanent and are based on either
malicious or normal behavior in a specific medical device. The
idle state represents the initial status of the system module.
Through an asynchronous reset signal, the system can be
forced to enter this state. During system initialization, this
state is added to the Finite State Machine (FSM) of the system.
Furthermore, the system is in a warning state as long as its
specified parameters exceed the warning threshold for at least
one behavior rule. This state may indicate an earlier sign of
malicious behavior or represent a slight difference in readings
of the two related sensors due to environmental influences
such as indoor noise. Moreover, a safe state represents normal
behavior of the specified device and indicates that the system
follows its designated normal behavior rules. On the contrary,
an unsafe state reflects malicious behavior. Fig. 2 shows a
state transition diagram of a device’s behavior pattern. Each
device has its own behavior rules related to being in safe,
unsafe, warning, and idle states, as described in Table VI.
The malicious behavior of the compromised node is
identifiable through the specification-based behavior rule sets
shown in Table I. The following paragraphs have been added
to illustrate and describe the malicious behaviors in the
medical devices under analysis.

TABLE V. STATE COMPONENT IN THE DESIGNED STATE MACHINE
Name | Attribute | Range | Component | Device
Analgesic Request | Reading | True, False | Sensor | PCA
Pulse | Reading | [0,240 bpm] | Sensor | VSM
Respiration | Reading | [0,60 bpm] | Sensor | VSM
Analgesic Request Rate | Reading | [0,4/hour] | Sensor | PCA
Blood Pressure | Reading | [0,240mmHg] × [0,160mmHg] | Sensor | VSM
Oxygen saturation | Reading | [0,100%] | Sensor | VSM
Temperature | Reading | [32,42 °C] | Sensor | VSM
Analgesic Infusion Rate | Control | [0,100%] | Actuator | PCA
Mode | Control | Passive, Pacemaker, Defibrillator | Sensor | CD
Pacemaker Frequency | Control | [0,240 bpm] | Actuator | CD
Insulin Request | Reading | True, False | Sensor | CGM
Insulin Request Rate | Reading | [0,4/hour] | Sensor | CGM
Glucose | Reading | [0,200 mg/dL] | Sensor | CGM
Insulin Infusion Rate | Control | [0,100%] | Actuator | CGM

Fig. 2. State Transition Diagram

TABLE VI. NUMBER OF THE DEVICE STATES AND THE REASON WHY THE DEVICE ENTERED SUCH STATES
 | VSM | PCA | CD | CGM | Cause
Safe | 1 | 50 | 4 | 3 | The monitor and trustee readings match for all the specified related components as described in Table I
Warning | 31 | 80 | 23 | 57 | The monitor and trustee readings differ by more than the warning margin for at least one of the specified related components but not more than the unsafe threshold for any of the components as described in Table I
Unsafe | 211 | 194 | 54 | 48 | At least one of the specified related components differs by more than the unsafe threshold as described in Table I
Idle | 1 | 1 | 1 | 1 | Initial State of the system
No. of states before setting ranges | 244 | 325 | 82 | 109 | The ranges were limited according to the medical prospect
No. of states after setting ranges | 4.016 × 10^23 | 4.454 × 10^7 | 1.760 × 10^7 | 9.785 × 10^6 | The ranges were comprised of wide ranges of natural numbers.

In the following state, the PCA device acts as a trustee,
while the VSM device acts as a monitor. Here, when the PCA
device receives the patient’s request for analgesic to relieve
pain, the PCA device will distribute the necessary analgesic
according to the patient’s request. Once the patient receives
pain relief, the patient’s vital signs displayed on the VSM
device would return to a relaxed state. One can infer that all of
the patient’s vital signs are stable. However, if the PCA device
is compromised through malicious behavior, then the PCA
device will continuously administer the analgesic, and the
final result would be an overdosed patient. Therefore, if the
PCA continues to receive additional requests for analgesic
while a patient’s pulse or respiration rate is below a normal
threshold, then malicious behavior is present in this device.
Furthermore, if the analgesic request rate of the PCA device
exceeds the normal threshold, then malicious behavior is present.
It is imperative to differentiate physical button presses by
a patient in pain from those requests that the PCA device
actually generates. The PCA device should only fulfill
requests within a normal threshold. If a PCA device
fulfills requests too frequently, then malicious behavior is
present.

In addition, another scenario in which the PCA device
acts as a trustee and the VSM acts as a monitor occurs as the
PCA device administers a pain relief dosage with a certain
infusion rate to a cardiac patient who has an implanted CD in
the defibrillation mode. This state includes two components:
the infusion rate and the CD mode. As the device being
evaluated transitions from one state to another, the VSM can
determine if both states are either safe or malicious, depending
on the infusion rate and CD device mode. To illustrate further,
when a PCA device has an infusion rate, R, in the range (0,
100%) and the cardiac device mode, M, is in defibrillation, the
monitor can check to see if (R0, M0) and (R1, M1) are both
safe states.

In the following state, when the CD device acts as
a trustee and the VSM acts as a monitor, a malicious behavior
state is present if the pulse average is not equal to the CD
frequency when acting as a pacemaker. One can infer that the
patient’s vital signs are stable from the VSM device readings.
Here, if the CD device’s frequency is substantially different
from the patient’s heart rate, then malicious behavior is
present in the CD device. Furthermore, malicious behavior is
present when a CD device enters a defibrillation mode while
the pulse average is within a normal range.

In the following state, two identical VSM devices exist
whereby one acts as a monitor and the other acts as a trustee.
Both VSM devices measure the same blood pressure, oxygen
saturation, pulse, respiration, or temperature of a patient. If
either device displays a deviation from the other, then a device
has been compromised.

In the following state, the CGM device acts as a trustee,
while the VSM device acts as a monitor. Here, when the CGM
device receives a patient’s request for insulin to balance the
glucose level in the blood, the CGM device will distribute the
necessary insulin according to the patient’s request. Once the
patient receives the necessary insulin dosage, the patient's vital
signs displayed on the VSM device would return to normal
levels. One can infer that all of the patient’s vital signs are
stable. However, if the CGM device is compromised through
malicious behavior, then the CGM device will continuously
administer the insulin, and the final result would be an
overdosed patient. Therefore, if the CGM continues to receive
additional requests for insulin while a patient’s glucose is
within a normal threshold, then malicious behavior is present
in this device.

In the following state, two identical CGM
devices exist whereby one acts as a monitor and the other acts
as a trustee. Both CGM devices measure the same glucose
levels of a patient. If either device displays a deviation from
the other, then a device has been compromised.
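
A software reference model of the PCA monitoring rules described in this section (PCA as trustee, VSM as monitor), added here as an example; it is not the authors' HDL design. The threshold values, the reason names and the choice to flag out-of-range readings as unsafe are assumptions of this example, as are ANDing the clauses inside each Table III state and letting the state follow the latest sample.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    IDLE = "idle"
    SAFE = "safe"
    WARNING = "warning"
    UNSAFE = "unsafe"


@dataclass(frozen=True)
class Sample:
    """One observation: PCA values plus the readings of the monitoring VSM."""
    analgesic_request: bool
    pulse: int           # bpm, admissible range [0, 240] (Table V)
    respiration: int     # per minute, admissible range [0, 60]
    request_rate: int    # requests/hour, admissible range [0, 4]
    infusion_rate: int   # percent, admissible range [0, 100]
    cd_mode: str         # "passive", "pacemaker" or "defibrillator"


# Constructed thresholds (pulse, respiration, request rate). The paper ties
# each T to a device, patient and system state but publishes no numbers.
UNSAFE_T = (50, 8, 3)
WARNING_T = (60, 12, 2)
CD_MODES = ("passive", "pacemaker", "defibrillator")


def in_admissible_range(s):
    """Check a sample against the admissible ranges listed in Table V."""
    return (0 <= s.pulse <= 240 and 0 <= s.respiration <= 60
            and 0 <= s.request_rate <= 4 and 0 <= s.infusion_rate <= 100
            and s.cd_mode in CD_MODES)


def rule_hits(s, thresholds):
    """Evaluate the PCA malicious states of Table III for one threshold set.

    Assumption: the clauses inside each malicious state are ANDed.
    """
    pulse_t, resp_t, rate_t = thresholds
    hits = []
    if s.analgesic_request and s.pulse < pulse_t:
        hits.append("request_with_low_pulse")
    if s.analgesic_request and s.respiration < resp_t:
        hits.append("request_with_low_respiration")
    if s.request_rate > rate_t:
        hits.append("request_rate_above_threshold")
    return hits


class PcaMonitor:
    """Four-state monitor: Idle after reset, then Safe, Warning or Unsafe."""

    def __init__(self):
        self.state = State.IDLE

    def reset(self):
        # Models the asynchronous reset that forces the Idle state.
        self.state = State.IDLE

    def step(self, s):
        """Consume one sample and return (new state, list of violated rules)."""
        if not in_admissible_range(s):
            # Fail closed on impossible readings (a choice of this example).
            self.state = State.UNSAFE
            return self.state, ["reading_out_of_range"]
        reasons = rule_hits(s, UNSAFE_T)
        if s.infusion_rate > 0 and s.cd_mode == "defibrillator":
            reasons.append("infusion_during_defibrillation")
        if reasons:
            self.state = State.UNSAFE
        else:
            reasons = rule_hits(s, WARNING_T)
            self.state = State.WARNING if reasons else State.SAFE
        return self.state, reasons


# Constructed trace, not taken from MIMIC-III or the Queensland dataset.
TRACE = [
    Sample(True, 72, 16, 1, 20, "passive"),         # normal request
    Sample(True, 58, 14, 2, 20, "passive"),         # pulse under warning level
    Sample(True, 45, 7, 4, 20, "passive"),          # requests despite low vitals
    Sample(False, 70, 15, 0, 10, "defibrillator"),  # infusion during defibrillation
    Sample(False, 300, 15, 0, 0, "passive"),        # pulse outside [0, 240]
]


def run_trace(samples):
    """Run a fresh monitor over the samples; return (state name, reasons) pairs."""
    monitor = PcaMonitor()
    return [(state.value, reasons) for state, reasons in map(monitor.step, samples)]


if __name__ == "__main__":
    for state, reasons in run_trace(TRACE):
        print(f"{state:8s} {', '.join(reasons) or '-'}")
```
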
V. RECOGNIZING STATE COMPONENTS AND RANGES
In order to complete the synthesis process, our research
quantized the continuous components related to the sensors
and actuator readings based on an integer scale that fell within
admissible ranges. Table V shows a complete list of the
admissible ranges for the state components.
In VSM devices, the state components include pulse rate,
respiration rate, temperature, blood pressure, and pacemaker
frequency. According to the admissible ranges for these states,
the normal pulse rate range falls within [0, 240 bpm] yielding
241 values; the normal respiration rate range falls within [0,
60 bpm] yielding 61 values; the normal temperature range
falls within [32, 42°C] yielding 11 values; the normal blood
pressure range falls within [0, 240mmHg] × [0, 160mmHg]
yielding 241 × 161 values; and the normal pacemaker
frequency range falls within [0, 240 bpm] yielding 241 values.
Therefore, the total values of all the states is equivalent to
241×161×241×161×101×101×241×241×61×61×11×11 =
4.016 × 10^23 states.
Similarly, in PCA devices, the state components
consist of analgesic request, respiration rate, analgesic
request rate, and analgesic infusion rate. According to the
normal admissible ranges for these states: an analgesic request
is [0, 1] yielding 2 values; the respiration rate is [0, 240 bpm]
yielding 241 values; the analgesic request rate is in [0, 4]
yielding 5 values; and the analgesic infusion rate is [0, 100]
yielding 101 values. Therefore, the total value of all the states
is equivalent to 2×241×5×61×5×101×3 = 4.454 × 10^7 states.
Likewise, in CD devices, the state components comprise
the pacemaker frequency, oxygen saturation level, pulse rate,
and CD device mode. According to the normal admissible
ranges for these states, the pacemaker frequency range is [0,
240 bpm] yielding 241 values; the oxygen saturation level
range is [0,100] yielding 241 values; the pulse rate’s range is
[0, 240 bpm] yielding 241 values; and in an active CD device
the mode is either defibrillation or pacemaker which yields 3
values (taking into consideration the active mode of the CD
device). Therefore, the total value of all the states is
equivalent to 241×101×241×3 = 1.760 × 10^7 states.
In the same manner, for CGM devices, the state
components consist of an insulin request, glucose level, insulin
request rate, insulin infusion rate, and pulse rate. The
admissible ranges for these states incorporate an insulin
request that is either true or false and falls within the range of
[0, 1] yielding 2 values; the glucose level is in the range of [0,
200] yielding 201 values; insulin request rate is in the range of
[0, 2] yielding 3 values; insulin infusion rate is in the range of
[0,100] yielding 101 values; the pulse is in the range of [0, 240
bpm] yielding 241 values. Therefore, the total value of all the
states is equivalent to 3×201×3×101×241 = 9.785 × 10^6 states.
As demonstrated, the resulting states’ space for each
device is huge, and a reduction technique is necessary to
reduce the total number of states. From a medical point of
view, our research reduces the states’ space by eliminating the
values of specific state components that are related to each
device. For example, in a VSM device, we define three values
that are relevant for pulse rate, respiration rate, temperature,
blood pressure, and pacemaker frequency. These are normal,
beyond warning threshold, and beyond unsafe threshold. In
addition to the standard states’ components connected to each
device, we monitor specific state components for each device.
For example, in the PCA device, we define the values that are
relevant for an analgesic infusion rate. Also, the two values
that are relevant for the analgesic request are zero or greater
than zero, the two values that are relevant for insulin request
are zero or greater than zero. In a CD device, we define the
values that are relevant for oxygen saturation levels. Also, we
define the values that are relevant for the CD device’s mode.
Through our research, we found that the resulting states’ space
for a VSM device is equivalent to 3 × 3 × 3 × 3 × 3 = 243
states. In the PCA device, it is equivalent to 2 × 3 × 3 × 3 × 2 ×
3 = 324 states, and in a CD device it is equivalent to 3 × 3 × 3 × 3
= 81 states. Lastly, the resulting states’ space in a CGM device
is equivalent to 2 × 3 × 3 × 2 × 3 = 108 states.
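
The reduced state counts can be cross-checked by enumeration. This added example (not code from the paper) classifies every combination of the five VSM components at three levels using the causes given in Table VI, and recomputes the per-device totals from the Section V factors; function and constant names are this example's own.

```python
from collections import Counter
from itertools import product
from math import prod

# The three reduced values per VSM component named in Section V.
LEVELS = ("normal", "warning", "unsafe")
VSM_COMPONENTS = ("pulse", "respiration", "temperature",
                  "blood_pressure", "pacemaker_frequency")

# Factors copied from the products printed in Section V.
RAW_VSM_FACTORS = (241, 161, 241, 161, 101, 101, 241, 241, 61, 61, 11, 11)
REDUCED_FACTORS = {
    "VSM": (3, 3, 3, 3, 3),
    "PCA": (2, 3, 3, 3, 2, 3),
    "CD": (3, 3, 3, 3),
    "CGM": (2, 3, 3, 2, 3),
}


def classify(levels):
    """Apply the Table VI causes to one combination of component levels."""
    if "unsafe" in levels:
        return "unsafe"      # at least one component beyond the unsafe threshold
    if "warning" in levels:
        return "warning"     # beyond the warning margin, none beyond unsafe
    return "safe"            # monitor and trustee match on every component


def vsm_state_counts():
    """Enumerate the reduced VSM state space and count states per class."""
    counts = Counter(classify(combo)
                     for combo in product(LEVELS, repeat=len(VSM_COMPONENTS)))
    counts["idle"] = 1       # the reset state is added on top of the product
    return dict(counts)


def reduced_totals():
    """Reduced state-space size per device, plus one idle state each."""
    return {device: prod(factors) + 1
            for device, factors in REDUCED_FACTORS.items()}


def raw_vsm_states():
    """Size of the unreduced VSM state space from the quantized ranges."""
    return prod(RAW_VSM_FACTORS)


if __name__ == "__main__":
    print(vsm_state_counts())
    print(reduced_totals())
    print(f"{raw_vsm_states():.3e}")
```

The enumerated VSM split agrees with the VSM column of Table VI, and the totals agree with its row of state counts; the PCA, CD and CGM splits depend on rule details that the page does not give, so only their totals are recomputed.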
VI. SIMULATION AND SYNTHESIS
In our research, we develop a behavior monitoring tool
for each of the four devices: PCA, CD, VSM, and CGM. We
used Mentor Graphics ModelSim-Altera software and Quartus
II software to simulate and synthesize the design of the
idealized FSM model that reflects the monitoring tool. Timing
simulation was applied to the design files to make sure that the
logic of the design is correct and to ensure that the synthesized
design meets the functional and timing requirements and
behaves as expected. Tables VII through X show the resource
utilization and power analysis summary for PCA, CD, VSM,
and CGM, respectively. Furthermore, Tables XI through XIV
show timing analysis summaries for PCA, CD, VSM, and
CGM, respectively.

TABLE VII.A. UTILIZATION SUMMARY OF PCA BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780C7
Timing Models | Final
Total logic elements | 57 / 119,088 (< 1 %)
Total combinational functions | 57 / 119,088 (< 1 %)
Dedicated logic registers | 4 / 119,088 (< 1 %)
Total registers | 4
Total pins | 32 / 532 (6 %)

TABLE VII.B. POWER ANALYSIS SUMMARY OF PCA BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780C7
Power Models | Final
Total Thermal Power Dissipation | 120.48 mW
Core Dynamic Thermal Power Dissipation | 1.64 mW
Core Static Thermal Power Dissipation | 99.06 mW
I/O Thermal Power Dissipation | 19.77 mW

TABLE VIII.A. UTILIZATION SUMMARY OF CD BSRM
Attribute | Criteria
Family | Cyclone IV GX
Device | EP4CGX150DF31I7
Timing Models | Final
Total logic elements | 54 / 149,760 (< 1 %)
Total combinational functions | 54 / 149,760 (< 1 %)
Dedicated logic registers | 4 / 149,760 (< 1 %)
Total registers | 4
Total pins | 36 / 508 (7 %)

TABLE VIII.B. POWER ANALYSIS SUMMARY OF PCA BSRM
Attribute | Criteria
Family | Cyclone IV GX
Device | EP4CGX150DF31I7
Power Models | Final
Total Thermal Power Dissipation | 141.18 mW
Core Dynamic Thermal Power Dissipation | 2.14 mW
Core Static Thermal Power Dissipation | 118.71 mW
I/O Thermal Power Dissipation | 20.33 mW

TABLE IX.A. UTILIZATION SUMMARY OF VSM BSRM

TABLE IX.B. POWER ANALYSIS SUMMARY OF VSM BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780I7
Power Models | Final
Total Thermal Power Dissipation | 121.77 mW
Core Dynamic Thermal Power Dissipation | 1.67 mW
Core Static Thermal Power Dissipation | 99.06 mW
I/O Thermal Power Dissipation | 21.04 mW

TABLE X.A. UTILIZATION SUMMARY OF CGM BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780I7
Timing Models | Final
Total logic elements | 56 / 119,088 (< 1 %)
Total combinational functions | 56 / 119,088 (< 1 %)
Dedicated logic registers | 4 / 119,088 (< 1 %)
Total registers | 4
Total pins | 45 / 532 (8 %)

TABLE X.B. POWER ANALYSIS SUMMARY OF CGM BSRM
Attribute | Criteria
Family | Cyclone IV GX
Device | EP4CGX110DF31I7
Power Models | Final
Total Thermal Power Dissipation | 156.92 mW
Core Dynamic Thermal Power Dissipation | 2.49 mW
Core Static Thermal Power Dissipation | 118.74 mW
I/O Thermal Power Dissipation | 35.69 mW

TABLE XI. TIMING ANALYSIS SUMMARY OF PCA BSRM
Attribute | Timing Summary
Minimum period | 1.914 ns
Minimum input arrival time before clock | 10.819 ns
Maximum output required time after clock | 5.278 ns
Maximum combinational path delay | 12.857 ns
Maximum Frequency | 522.371 MHz

TABLE XII. TIMING ANALYSIS SUMMARY OF CD BSRM
Attribute | Timing Summary
Minimum period | 2.907 ns
Minimum input arrival time before clock | 14.113 ns
Maximum output required time after clock | 7.645 ns
Maximum combinational path delay | 16.110 ns
Maximum Frequency | 343.991 MHz

TABLE XIII. TIMING ANALYSIS SUMMARY OF VSM BSRM
Attribute | Timing Summary
Minimum period | 3.025 ns
Minimum input arrival time before clock | 12.601 ns
Maximum output required time after clock | 5.278 ns
Maximum combinational path delay | 6.256 ns
Maximum Frequency | 330.600 MHz

TABLE XIV. TIMING ANALYSIS SUMMARY FOR PCA BSRM
Attribute | Timing Summary
Minimum period | 3.25 ns
Minimum input arrival time before clock | 7.006 ns
Maximum output required time after clock | 4.114 ns
Maximum combinational path delay | 8.275 ns
Maximum Frequency | 380.700 MHz

VII. CONCLUSIONS
This study determined the effect of using a hardware
approach to detect malicious behavior in sensors and actuators
that are embedded in medical devices. The experimental
results confirmed that the specification behavior rules can be
utilized to build a hardware monitoring tool that can identify
the expected normal behavior of a device and detect any
deviation from its normal behavior. Furthermore, we showed
through our analysis that our model is consistent with two
dominant design requirements for next-generation high-end
applications: lower power consumption and higher bandwidth.
The reconfigurable nature of the FPGA allows the whole design
to be modified and updated according to the set of behavior rules,
which outperforms software-based approaches that are difficult
to update. In addition, hardware approaches are difficult to
hack. One of the most significant findings to emerge from
this study is that a hardware-based specification rules approach
can be used to identify malicious behavior. A natural
progression of this work is to analyze and investigate the
impact of attacker behaviors on the effectiveness of the
designed BSRM, and to analyze the mathematical expectation
of the compliance degree of the trustee from both theoretical and
practical standpoints.
REFERENCES
[1] D. M. Zuckerman, P. Brown, and S. E. Nissen, "Medical device recalls
and the FDA approval process," Archives of internal medicine, vol. 171,
pp. 1006-1011, 2011.
[2] R. Mitchell and I.-R. Chen, "Behavior rule specification-based intrusion
detection for safety critical medical cyber physical systems,"
Dependable and Secure Computing, IEEE Transactions on, vol. 12, pp.
16-30, 2015.
[3] M. Karanikolas, D. Aretha, P. Kiekkas, G. Monantera, I. Tsolakis, and
K. Filos, "Intravenous fentanyl patient-controlled analgesia for
perioperative treatment of neuropathic/ischaemic pain in haemodialysis
patients: a case series," Journal of clinical pharmacy and therapeutics,
vol. 35, pp. 603-608, 2010.
[4] B. Sherman, I. Enu, and R. S. Sinatra, "Patient-Controlled Analgesia
Devices and Analgesic Infusion Pumps," Acute Pain Management, p.
302, 2009.
[5] W. A. Connex and V. Signs, "Monitor 6000 Series™," 2013.
[6] R. R. Rajkumar, I. Lee, L. Sha, and J. Stankovic, "Cyber-physical
systems: the next computing revolution," in Proceedings of the 47th
Design Automation Conference, 2010, pp. 731-736.
[7] C. H. Cabell, P. A. Heidenreich, V. H. Chu, C. M. Moore, M. E.
Stryjewski, G. R. Corey, et al., "Increasing rates of cardiac device
infections among Medicare beneficiaries: 1990–1999," American heart
journal, vol. 147, pp. 582-586, 2004.
[8] D. Tsujino and K. Utsunomiya, "[Continuous glucose monitoring
(CGM)]," Rinsho byori. The Japanese journal of clinical pathology, vol.
62, pp. 53-59, 2014.
[9] A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. N. Fovino, and A.
Trombetta, "A multidimensional critical state analysis for detecting
intrusions in SCADA systems," IEEE Transactions on Industrial
Informatics, vol. 7, pp. 179-186, 2011.
[10] B. Dutertre, "Formal modeling and analysis of the Modbus protocol," in
International Conference on Critical Infrastructure Protection, 2007, pp.
189-204.
[11] A. E. W. Johnson, T. J. Pollard, L. Shen, L.-w. H. Lehman, M. Feng, M.
Ghassemi, et al., "MIMIC-III, a freely accessible critical care database,"
Scientific Data, vol. 3, p. 160035, 05/24/online 2016.
[12] D. Liu, M. Görges, and S. A. Jenkins, "University of Queensland vital
signs dataset: Development of an accessible repository of anesthesia
patient monitoring data for research," Anesthesia & Analgesia, vol. 114,
pp. 584-589, 2012.
[13] M. Hazewinkel, ed., Disjunctive normal form: Springers, 2001.
Attribute                        Criteria
Family                           Cyclone III
Device                           EP3C120F780I7
Timing Models                    Final
Total logic elements             56 / 119,088 (< 1%)
Total combinational functions    56 / 119,088 (< 1%)
Dedicated logic registers        4 / 119,088 (< 1%)
Total registers                  4
Total pins                       45 / 532 (8%)