All content in this area was uploaded by Miad Faezipour on Aug 08, 2017
Malicious Behavior Monitoring of Embedded Medical Devices
A Hardware-Based Specification Rules Approach
Razan Abdulhammed¹, Miad Faezipour² and Khaled Elleithy³
Department of Computer Science and Engineering
University of Bridgeport, Bridgeport, CT
rabdulha@my.bridgeport.edu¹, mfaezipo@bridgeport.edu², elleithy@bridgeport.edu³
Abstract— This research paper proposes and analyzes a
hardware-based specification rules approach for detecting
malicious behaviors of sensors and actuators embedded in
medical devices in which the safety of the patient is critical and of
utmost importance. The study includes four types of medical
devices, namely the Vital Sign Monitor (VSM), Patient Analgesic
Control (PCA), Cardiac Device (CD), and Continuous Glucose
Monitor (CGM) devices. The research is based on a methodology
that transforms a device’s behavior rules into a state machine.
We design a Finite State Machine (FSM) model out of
transformed behavior rules to build a Behavior Specification
Rules Monitoring (BSRM) tool for each device. Mentor Graphics
Altera ModelSim and Quartus II software packages are used to
check the validity of the transformed state machines. Through
our simulation and synthesis, we demonstrate that the BSRM tool
can effectively identify the expected normal behavior of the
device and detect any deviation from its normal behavior.
Furthermore, the model is consistent with the requirements for
lower power consumption and higher bandwidth applications.
The FPGA module of the BSRM can be embedded in the medical
devices so that any deviation from the behavior specification can
be detected. Moreover, the reconfigurable nature of the FPGA
chip adds an extra advantage to the designed model in which the
behavior rule can be easily updated and tailored according to the
requirements of the device, patient, treatment algorithm, and/or
pervasive healthcare applications.
Keywords— FSM; Behavior Rule; VSM; CGM; FPGA
I. INTRODUCTION
A medical device is defined as an instrument used alone or
in combination with other instruments to monitor and treat
human beings for one or more of specific medical conditions
[1]. Different device models are networkable and can send
their output to a central monitoring station, from which
healthcare personnel process the medical data simultaneously.
Medical devices are often characterized and controlled by
sophisticated patient treatment algorithms that interact with
the physical environment and the patient [2]. The most
prominent characteristic of a medical device is its feedback
loop that reacts to the physical environment. For example, in
portable, wearable and transportable devices such as
Continuous Glucose Monitor (CGM), the actual device
transmits the patient’s data via a wireless data connection.
Other devices such as Vital Sign Monitor (VSM) and Patient
Control Analgesia (PCA) which are non-portable, non-
wearable and non-transportable, can send their output using
wireline communication to a central monitoring station inside
a hospital. Other medical devices, such as the Cardiac
Device (CD), are implanted in the patient and do not use
wireline communication. In this paper, four types of medical
devices are studied. Table I defines the types, properties,
functions, and model number of the medical devices used in
our research. These devices can exist in different medical
scenarios. One scenario is found in an automated
anesthesiologist [2]. In this case, the VSM medical device
monitors patient respiration (Hz), oxygen saturation (SpO2),
heart rate (Hz) and temperature (°C) as well as controls
intravenous delivery of sedatives for the patient. Another
example of an above-mentioned medical device is PCA. In a
PCA scenario, when the patient requests an analgesic to
relieve pain, the physiological sensor readings from the VSM
will control the infusion pumps of the PCA. Additional
examples are found in the intensive care room. In a cardiac
Intensive Care Unit (ICU), a patient may have an implanted
cardiac device. The frequency and pulse readings of the
patient are monitored through the VSM to help the patient to
breathe and maintain normal heart function. Another medical
device example is found in diabetes treatment. In this scenario,
a CGM device senses glucose deficiency in a patient, which in
turn triggers an insulin infusion in the blood.
TABLE I. DEVICE TYPES
Device | Abbreviation | Properties | Model number
Patient Control Analgesic | PCA [3, 4] | Wireline Communication, Non portable | Alaris PCA model
Vital Sign Monitor | VSM [5] [6] | Wireless Communication | Welch Allyn600, Philips
Cardiac Device | CD [7] | Implanted inside patient | Medtronic
Continuous Glucose Monitor | CGM [8] | Use Wireless Communication | GlySens ICGM
Based on these examples, our research concentrates on
behavior monitoring for detecting malicious behavior of
sensors and actuators embedded in medical devices for
supporting safe and secure applications for patients and
healthcare professionals. Existing works [9],[10] consider a
software-based approach that uses state machines to detect
malicious behavior in misbehaving communication
protocol patterns. In addition, various works rely solely on
software-based approaches to monitor malicious behavior in
medical devices [2]. No previous study has investigated the use
of hardware approaches. This research uses a hardware
approach to monitor malicious behavior in medical devices. In
our research, we factored behavior rules for both the actuators
and the physiological sensors embedded in medical devices in
order to build a hardware module that is capable of checking
for any deviation of the device’s behavior against its state
machine.
The proposed Behavior Specification Rule Monitoring
(BSRM) tool is based on a set of behavior rules that have been
determined and designated during the debugging and
operational phases to specify acceptable behaviors of sensors
and actuators embedded in medical devices such as VSM,
PCA, CD and CGM. Accordingly, BSRM will identify
whether each medical device’s behavior is normal or
malicious according to the set of behavior rules. The
observations are composed from the audit data that were
represented by the logs generated by the relevant sensor or
actuator drivers, the MIMIC-III [11] Dataset, and the
University of Queensland vital signs Dataset [12]. The test
bench incorporates different acceptable parameter ranges that
reflect the physiology and responses for patient treatment
related to each device’s state components. BSRM operates
through individual medical devices; since BSRM has no
designated monitoring node, there is no single point of failure.
In a VSM example, one VSM is monitored by another peer
VSM for security purposes. In a PCA, one PCA is being
monitored by a VSM and a peer PCA, as shown in Table II.
TABLE II. NORMAL BEHAVIOR RULES IN CNF
Description | Safe State | Trustee | Monitor
Pulse above threshold during analgesic request | (Analgesic Request = TRUE) ∧ (Pulse > Ts) | PCA | VSM
Analgesic request rate below safe threshold | (Analgesic Request Rate < Ts) | PCA | VSM
No analgesic infusion during defibrillation | (CD Mode = defibrillator) ∧ (Analgesic Infusion Rate = 0) | PCA | VSM
Respiration above threshold during analgesic request | (Analgesic Request = TRUE) ∧ (Respiration > Ts) | PCA | VSM
Pulse matches pacemaker frequency | Pulse = Pacemaker frequency | CD | VSM
Patient is unstable before defibrillation | (Pulse < Tds) ∧ (Respiration < Ts) ∧ (CD Mode = Pacemaker) | CD | VSM
Trustee blood pressure matches monitor | Trustee blood pressure = Monitor blood pressure | VSM | Peer VSM
Trustee oxygen saturation matches monitor | Trustee oxygen saturation = Monitor oxygen saturation | VSM | Peer VSM
Trustee pulse matches monitor | Trustee pulse = Monitor Pulse | VSM | Peer VSM
Trustee respiration matches monitor | Trustee respiration = Monitor respiration | VSM | Peer VSM
Trustee temperature matches monitor | Trustee temperature = Monitor temperature | VSM | Peer VSM
Glucose above threshold during insulin request | (Insulin Request = TRUE) ∧ (Glucose > Ts) | CGM | VSM
Insulin request rate below safe threshold | (Insulin Request Rate < Ts) | CGM | VSM
II. PROPOSED BEHAVIOR RULES
A study by Mitchell and Chen [1] proposed a
methodology that transformed behavior rules of medical
devices to state machines. In their study, the authors stated the
behavior rules for three types of medical devices: VSM, PCA,
and CD. They used a software approach to implement a
lightweight monitoring tool for a VSM device only. In
contrast, in our research, we develop a hardware approach to
implement lightweight monitoring tools for VSM, PCA, CD,
and CGM devices that can be mapped onto an FPGA chip
which can then be embedded into the medical device.
Furthermore, our research proposes behavior rules for a CGM
device, and transforms these behavior rules to state machines
to build the hardware module. The hardware module uses the
set of behavior rules along with the related readings and
settings of sensors and actuators to detect if a device’s
behavior deviates from the expected normal behavior. It
provides an output to distinguish among system states that are
safe, unsafe, warning, and idle.
TABLE III. MALICIOUS BEHAVIOR RULE IN CNF
Device | Malicious State | State Components
PCA | (Analgesic Request = TRUE) ∧ (Pulse < T) | Analgesic Request, Pulse
PCA | (Analgesic Request = TRUE) ∧ (Respiration < T) | Analgesic request, respiration
PCA | Analgesic Request Rate > T | Analgesic request rate
CD | Analgesic Infusion Rate > 0 ∧ (Mode = Defibrillator) | Analgesic Infusion rate and CD mode
CD | (Mode = PACEMAKER) ∧ (ǀ Pulse - Pacemaker Frequency ǀ) > ℓ | CD mode, pulse
CD | (Mode = DEFIBRILLATOR) ∧ (L < Pulse < H) | CD mode, pulse
VSM | ǀ Monitor Temperature - Trustee Temperature ǀ > ℓ | Temperature
VSM | ǀ Monitor Respiration - Trustee Respiration ǀ > ℓ | Respiration
VSM | ǀ Monitor Pulse - Trustee Pulse ǀ > ℓ | Pulse
VSM | ǀ Monitor Oxygen Saturation - Trustee Oxygen Saturation ǀ > ℓ | Oxygen Saturation
VSM | ǀ Monitor Blood Pressure - Trustee Blood Pressure ǀ > ℓ | Blood Pressure
CGM | Insulin Request Rate > T | Insulin Request rate
CGM | (Insulin Request = TRUE) ∧ (Pulse < T) ∧ (Glucose < T) | Insulin Request rate, pulse, Glucose
CGM | (Insulin Request = TRUE) ∧ (Respiration < T) ∧ (Glucose < T) | Respiration, Glucose
CGM | ǀ Monitor Glucose - Trustee Glucose ǀ > ℓ | Glucose
Table II and Table III show the normal behavior rules as well as the malicious behavior rules for the medical devices under review in the Conjunctive Normal Form (CNF). The relation between the trustee and the monitor is exemplified in Section III. In this research, the behavior rules work, specifically, to address the expected behavior of individual physical components in certain medical device models as well as to specify different acceptable parameter ranges that reflect the physiology and responses for different types of patients. Thus, these rules are applied to both certain types of devices and certain types of patients, as previously mentioned in Section I.
III. TRANSFORMING BEHAVIOR RULES TO STATE MACHINES
Fig. 1. Transforming Behavior Rules to State Machine
Our research incorporated the methodology presented by Mitchell and Chen [1]. A simple continuous block diagram that illustrates the proposed methodology is shown in Fig. 1. In this methodology, the “malicious behavior state” is identified as a result of a behavior rule being violated. Here, the initial process identifies malicious behavior for a specific device as a state. Then, this state is converted into the Conjunctive Normal Form (CNF) predicate, and the involved state components in the underlying state machine are identified. Following that, a Boolean expression in the Disjunctive Normal Form (DNF) is used to group together all the extracted malicious behavior states that are related to each device, as shown in the following DNF:
CGM. (Insulin Request Rate > T) ∨ ((Insulin Request = TRUE) ∧
(Pulse < T) ∧ (Glucose < T)) ∨ ((Insulin Request = TRUE) ∧
(Respiration < T) ∧ (Glucose < T)) ∧ (ǀ Monitor Glucose - Trustee
Glucose ǀ > ℓ)
“A disjunctive normal form (DNF) can be defined as a
normalization of a logical formula which is a disjunction of
conjunctive clauses; it can also be described as an OR of
ANDs, a sum (∨) of products (∧), or (in philosophical logic)
a cluster concept” [13]. Next, the union of all the predicate
variables is converted into state components of a state machine
to establish their corresponding ranges. Finally, the managing
process will collapse and identify the sequence of values that
are not legitimate in order to reduce the total number of states
in the states’ space. Table II and Table III present the set of
normal behavior rules and malicious behavior rules in CNF
representation. Furthermore, Table IV indicates the symbols
used in this study.
TABLE IV. SYMBOLS USED IN THIS STUDY
Symbol | Parameters | Note
T | Threshold value | Each value is tied to a specific device, system state (warning, unsafe), and certain state component
ℓ | Sensor Reading Deviation | Each value is tied to a specific device, specific patient, and specific system states (warning, unsafe, safe)
L | Acceptable Low Heart Rate Pulse | Each value is tied to a specific device, specific system state, and patient
H | Acceptable Low Heart Rate Pulse | Each value is tied to a specific device, specific system state, and patient
Ts | Safe threshold value | This value is tied to a specific device, specific patient, and specific system state (safe)
IV. STATE TRANSITION DIAGRAM
The normal behavior states as well as the malicious behavior states are used to build a state transition diagram for each specified device’s behavior monitoring tool. The state components related to the designated state machine of our model are shown in Table V. We use these state components along with both normal and malicious behavior rules, sensor and actuator readings, and settings to build an idealized model of a finite state machine engine in Hardware Description Language (HDL) for each device’s behavior monitoring. Each designed state diagram consists of four states: Idle, Safe, Unsafe, and Warning. Table V indicates the number of the device states and the reasons why the device entered such states. It is worth mentioning that the unsafe states of the state machines are not those “hazardous” states generated due to design faults (e.g. software bugs). Such “hazardous” states are removed as a result of the design faults that were identified during the testing and debugging phases. In our research, the safe states and unsafe states are permanent and are based on either malicious or normal behavior in a specific medical device. The idle state represents the initial status of the system module. Through an asynchronous reset signal, the system can be forced to enter this state. During system initialization, this state is added to the Finite State Machine (FSM) of the system.
Furthermore, the system is in a warning state as long as its specified parameters exceed the warning threshold for at least one behavior rule. This state may indicate an earlier sign of malicious behavior or represent a slight difference in readings of the two related sensors due to environmental influences such as indoor noise. Moreover, a safe state represents normal behavior of the specified device and indicates that the system follows its designated normal behavior rules. On the contrary, an unsafe state reflects malicious behavior. Fig. 2 shows a state transition diagram of a device’s behavior pattern. Each device has its own behavior rules related to being in safe, unsafe, warning, and idle states, as described in Table VI. The malicious behavior of the compromised node is identifiable through the specification-based behavior rule sets shown in Table I. The following paragraphs have been added to illustrate and describe the malicious behaviors in the medical devices under analysis.
TABLE V. STATE COMPONENT IN THE DESIGNED STATE MACHINE
Name | Attribute | Range | Component | Device
Analgesic Request | Reading | True, False | Sensor | PCA
Pulse | Reading | [0, 240 bpm] | Sensor | VSM
Respiration | Reading | [0, 60 bpm] | Sensor | VSM
Analgesic Request Rate | Reading | [0, 4/hour] | Sensor | PCA
Blood Pressure | Reading | [0, 240 mmHg] × [0, 160 mmHg] | Sensor | VSM
Oxygen saturation | Reading | [0, 100%] | Sensor | VSM
Temperature | Reading | [32, 42 °C] | Sensor | VSM
Analgesic Infusion Rate | Control | [0, 100%] | Actuator | PCA
Mode | Control | Passive, Pacemaker, Defibrillator | Sensor | CD
Pacemaker Frequency | Control | [0, 240 bpm] | Actuator | CD
Insulin Request | Reading | True, False | Sensor | CGM
Insulin Request Rate | Reading | [0, 4/hour] | Sensor | CGM
Glucose | Reading | [0, 200 mg/dL] | Sensor | CGM
Insulin Infusion Rate | Control | [0, 100%] | Actuator | CGM
In the following state, the PCA device acts as a trustee, while the VSM device acts as a monitor. Here, when the PCA device receives the patient’s request for analgesic to relieve pain, the PCA device will distribute the necessary analgesic according to the patient’s request. Once the patient receives pain relief, the patient’s vital signs displayed on the VSM device would return to a relaxed state. One can infer that all of the patient’s vital signs are stable. However, if the PCA device is compromised through malicious behavior, then the PCA device will continuously administer the analgesic, and the final result would be an overdosed patient. Therefore, if the PCA continues to receive additional requests for analgesic while a patient’s pulse or respiration rate is below a normal threshold, then malicious behavior is present in this device. Furthermore, if the analgesic request rate of the PCA device exceeds the normal threshold, then malicious behavior is present. It is imperative to differentiate physical button presses by a patient in pain from requests that the PCA device actually generates. The PCA device should only fulfill requests within a normal threshold. If a PCA device fulfills requests too frequently, then malicious behavior is present.
In addition, another scenario in which the PCA device acts as a trustee and the VSM acts as a monitor occurs when the PCA device administers a pain relief dosage with a certain infusion rate to a cardiac patient who has an implanted CD in the defibrillation mode. This state includes two components: the infusion rate and the CD mode. As the device being evaluated transitions from one state to another, the VSM can determine if both states are either safe or malicious, depending on the infusion rate and CD device mode. To illustrate further, when a PCA device has an infusion rate, R, in the range (0, 100%) and the cardiac device mode, M, is defibrillation, the monitor can check to see if (R0, M0) and (R1, M1) are both safe states.
In the following state, when the CD device acts as a trustee and the VSM acts as a monitor, a malicious behavior state is present if the pulse average is not equal to the CD frequency when acting as a pacemaker. One can infer that the patient’s vital signs are stable from the VSM device readings. Here, if the CD device’s frequency is substantially different from the patient’s heart rate, then malicious behavior is present in the CD device. Furthermore, malicious behavior is present when a CD device enters a defibrillation mode while the pulse average is within a normal range.
In the following state, two identical VSM devices exist, whereby one acts as a monitor and the other acts as a trustee. Both VSM devices measure the same blood pressure, oxygen saturation, pulse, respiration, or temperature of a patient. If either device displays a deviation from the other, then a device has been compromised.
In the following state, the CGM device acts as a trustee, while the VSM device acts as a monitor. Here, when the CGM device receives a patient’s request for insulin to balance the glucose level in the blood, the CGM device will distribute the necessary insulin according to the patient’s request. Once the patient receives the necessary insulin dosage, the patient's vital signs displayed on the VSM device would return to normal levels. One can infer that all of the patient’s vital signs are stable. However, if the CGM device is compromised through malicious behavior, then the CGM device will continuously administer the insulin, and the final result would be an overdosed patient. Therefore, if the CGM continues to receive additional requests for insulin while a patient’s glucose is within a normal threshold, then malicious behavior is present in this device. In the following state, two identical CGM devices exist, whereby one acts as a monitor and the other acts as a trustee. Both CGM devices measure the same glucose levels of a patient. If either device displays a deviation from the other, then a device has been compromised.
Fig. 2. State Transition Diagram
TABLE VI. NUMBER OF THE DEVICE STATES AND THE REASON WHY THE DEVICE ENTERED SUCH STATES
State | VSM | PCA | CD | CGM | Cause
Safe | 1 | 50 | 4 | 3 | The monitor and trustee readings match for all the specified related components as described in Table I
Warning | 31 | 80 | 23 | 57 | The monitor and trustee readings differ by more than the warning margin for at least one of the specified related components but not more than the unsafe threshold for any of the components as described in Table I
Unsafe | 211 | 194 | 54 | 48 | At least one of the specified related components differs by more than the unsafe threshold as described in Table I
Idle | 1 | 1 | 1 | 1 | Initial State of the system
No. of states before setting ranges | 244 | 325 | 82 | 109 | The ranges were limited according to the medical prospect
No. of states after setting ranges | 4.016 × 10^23 | 4.454 × 10^7 | 1.760 × 10^7 | 9.785 × 10^6 | The ranges were comprised of wide ranges of natural numbers.
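The CGM scenario and the four-state diagram described in this section can be exercised with a small software reference model, of the kind used to check an HDL test bench. This is an added example, not code from the paper: the threshold values, field names, the choice of the monitor's glucose reading for the "Glucose < T" tests, the per-sample re-evaluation of the state, and the fail-closed handling of inadmissible readings are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    IDLE = "idle"
    SAFE = "safe"
    WARNING = "warning"
    UNSAFE = "unsafe"

@dataclass(frozen=True)
class Thresholds:
    """One set of T and ℓ values; Table IV ties each set to a system state."""
    request_rate: int   # T for Insulin Request Rate (requests/hour)
    pulse: int          # T for Pulse (bpm)
    respiration: int    # T for Respiration (breaths/min)
    glucose: int        # T for Glucose (mg/dL)
    glucose_dev: int    # ℓ for |Monitor Glucose - Trustee Glucose| (mg/dL)

@dataclass(frozen=True)
class Sample:
    insulin_request: bool
    request_rate: int
    pulse: int
    respiration: int
    trustee_glucose: int   # value reported by the monitored CGM
    monitor_glucose: int   # value measured independently by the monitor

# Constructed thresholds for illustration only: not clinical, not from the paper.
UNSAFE_T = Thresholds(request_rate=3, pulse=50, respiration=10, glucose=70, glucose_dev=20)
WARNING_T = Thresholds(request_rate=2, pulse=60, respiration=12, glucose=90, glucose_dev=10)

# Admissible ranges taken from Table V.
RANGES = {
    "request_rate": (0, 4), "pulse": (0, 240), "respiration": (0, 60),
    "trustee_glucose": (0, 200), "monitor_glucose": (0, 200),
}

def out_of_range(s: Sample) -> list[str]:
    """Names of readings that fall outside the admissible ranges of Table V."""
    return [f for f, (lo, hi) in RANGES.items() if not lo <= getattr(s, f) <= hi]

def violated_clauses(s: Sample, t: Thresholds) -> list[str]:
    """Evaluate the four CGM rows of Table III; return the clauses that hold.

    Assumption: the "Glucose < T" tests use the monitor's own reading, since
    the trustee's reading is the value under suspicion.
    """
    low_glucose = s.monitor_glucose < t.glucose
    clauses = {
        "request_rate_high": s.request_rate > t.request_rate,
        "request_low_pulse_low_glucose": s.insulin_request and s.pulse < t.pulse and low_glucose,
        "request_low_respiration_low_glucose": s.insulin_request and s.respiration < t.respiration and low_glucose,
        "glucose_mismatch": abs(s.monitor_glucose - s.trustee_glucose) > t.glucose_dev,
    }
    return [name for name, holds in clauses.items() if holds]

class CgmMonitor:
    """Four-state monitor: Idle after reset, then Safe, Warning or Unsafe per sample."""

    def __init__(self) -> None:
        self.state = State.IDLE

    def reset(self) -> None:
        self.state = State.IDLE

    def step(self, s: Sample) -> tuple[State, list[str]]:
        bad = out_of_range(s)
        if bad:
            # Assumption: an inadmissible reading is treated as unsafe (fail closed).
            self.state = State.UNSAFE
            return self.state, ["out_of_range:" + f for f in bad]
        # Unsafe thresholds are checked first so the more severe state wins.
        for state, table in ((State.UNSAFE, UNSAFE_T), (State.WARNING, WARNING_T)):
            reasons = violated_clauses(s, table)
            if reasons:
                self.state = state
                return state, reasons
        self.state = State.SAFE
        return State.SAFE, []

# Constructed trace: request, rate, pulse, respiration, trustee glucose, monitor glucose.
TRACE = [
    Sample(False, 0, 72, 16, 110, 112),   # no request, readings agree
    Sample(True, 1, 75, 16, 150, 148),    # request while glucose is high
    Sample(True, 1, 58, 16, 85, 84),      # request with pulse and glucose drifting low
    Sample(True, 4, 45, 9, 60, 62),       # repeated requests with depressed vital signs
    Sample(True, 1, 72, 16, 180, 95),     # trustee reports glucose the monitor does not see
    Sample(False, 0, 72, 16, 110, 999),   # inadmissible reading
]

def run_trace(samples):
    monitor = CgmMonitor()
    return [monitor.step(s) for s in samples]

if __name__ == "__main__":
    for i, (state, reasons) in enumerate(run_trace(TRACE)):
        print(i, state.value, reasons)
```

Returning the names of the clauses that fired alongside the state gives an audit record of why the monitor left the safe state, which a bare four-valued output does not.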
V. RECOGNIZING STATE COMPONENTS AND RANGES
In order to complete the synthesis process, our research
quantized the continuous components related to the sensors
and actuator readings based on an integer scale that fell within
admissible ranges. Table V shows a complete list of the
admissible ranges for the state components.
In VSM devices, the state components include pulse rate,
respiration rate, temperature, blood pressure, and pacemaker
frequency. According to the admissible ranges for these states,
the normal pulse rate range falls within [0, 240 bpm] yielding
241 values; the normal respiration rate range falls within [0,
60 bpm] yielding 61 values; the normal temperature range
falls within [32, 42°C] yielding 11 values; the normal blood
pressure range falls within [0, 240mmHg] × [0, 160mmHg]
yielding 241 ×161 values; and the normal pacemaker
frequency range falls within [0, 240 bpm] yielding 241 values.
Therefore, the total values of all the states is equivalent to
241×161×241×161×101×101×241×241×61×61×11×11 =
4.016 × 10^23 states.
Similarly, in PCA devices, the state components
encompass analgesic request, respiration rate, analgesic
request rate, and analgesic infusion rate. According to the
normal admissible ranges for these states: an analgesic request
is [0, 1] yielding 2 values; the respiration rate is [0, 240 bpm]
yielding 241 values; the analgesic request rate is in [0, 4]
yielding 5 values; and the analgesic infusion rate is [0, 100]
yielding 101 values. Therefore, the total value of all the states
is equivalent to 2×241×5×61×5×101×3 = 4.454 × 10^7 states.
Likewise, in CD devices, the state components comprise
the pacemaker frequency, oxygen saturation level, pulse rate,
and CD device mode. According to the normal admissible
ranges for these states, the pacemaker frequency range is [0,
240 bpm] yielding 241 values; the oxygen saturation level
range is [0,100] yielding 241 values; the pulse rate’s range is
[0, 240 bpm] yielding 241 values; and in an active CD device
the mode is either defibrillation or pacemaker which yields 3
values (taking in consideration the active mode of the CD
device). Therefore, the total value of all the states is
equivalent to 241×101×241×3 = 1.760 × 10^7 states.
In the same manner, for CGM devices, the state
components consist of an insulin request, glucose level, insulin
request rate, insulin infusion rate, and pulse rate. The
admissible ranges for these states incorporate an insulin
request that is either true or false and falls within the range of
[0, 1] yielding 2 values; the glucose level is in the range of [0,
200] yielding 201 values; insulin request rate is in the range of
[0, 2] yielding 3 values; insulin infusion rate is in the range of
[0,100] yielding 101 values; the pulse is in the range of [0, 240
bpm] yielding 241 values. Therefore, the total value of all the
states is equivalent to 3×201×3×101×241 = 9.785 × 10^6 states.
As demonstrated, the resulting states’ space for each
device is huge, and a reduction technique is necessary to
reduce the total number of states. From a medical point of
view, our research reduces the states’ space by eliminating the
values of specific state components that are related to each
device. For example, in a VSM device, we define three values
that are relevant for pulse rate, respiration rate, temperature,
blood pressure, and pacemaker frequency. These are normal,
beyond warning threshold, and beyond unsafe threshold. In
addition to the standard states’ components connected to each
device, we monitor specific state components for each device.
For example, in the PCA device, we define the values that are
relevant for an analgesic infusion rate. Also, the two values
that are relevant for the analgesic request are zero or greater
than zero, the two values that are relevant for insulin request
are zero or greater than zero. In a CD device, we define the
values that are relevant for oxygen saturation levels. Also, we
define the values that are relevant for the CD device’s mode.
Through our research, we found that the resulting states’ space
for a VSM device is equivalent to 3 × 3 × 3 × 3 × 3 = 243
states. In the PCA device, it is equivalent to 2 × 3 × 3 × 3 × 2 ×
3 = 324 states, and in a CD device is equivalent to 3 × 3 × 3 × 3
= 81 states. Lastly, the resulting states’ space in a CGM device
is equivalent to 2 × 3 × 3 × 2 × 3 = 108 states.
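The reduction described above can be checked by enumeration. The following added example (not code from the paper) quantizes each VSM component into the three levels named in this section, classifies every combination using the cause column of Table VI, and reproduces the VSM column of that table: 1 safe, 31 warning and 211 unsafe states, plus idle, 244 in total. The margin values and function names are assumptions made for illustration.

```python
from collections import Counter
from itertools import product
from math import prod

NORMAL, WARNING, UNSAFE = 0, 1, 2

# Factors of the unreduced VSM state space, exactly as listed in Section V.
VSM_RAW_FACTORS = (241, 161, 241, 161, 101, 101, 241, 241, 61, 61, 11, 11)

# Constructed (warning, unsafe) margins per VSM component; not values from the paper.
MARGINS = {
    "pulse": (5, 15),
    "respiration": (2, 6),
    "temperature": (1, 2),
    "blood_pressure": (5, 20),
    "pacemaker_frequency": (5, 15),
}


def quantize(deviation, warn_margin, unsafe_margin):
    """Collapse |monitor - trustee| for one component into one of three levels."""
    if deviation < 0 or not 0 <= warn_margin <= unsafe_margin:
        raise ValueError("deviation and margins must be non-negative and ordered")
    if deviation > unsafe_margin:
        return UNSAFE
    return WARNING if deviation > warn_margin else NORMAL


def classify(levels):
    """Cause column of Table VI: any unsafe level wins, then any warning, else safe."""
    levels = tuple(levels)
    if UNSAFE in levels:
        return "unsafe"
    return "warning" if WARNING in levels else "safe"


def classify_deviations(deviations, margins=MARGINS):
    """Map raw per-component deviations to (system state, per-component levels)."""
    levels = {name: quantize(deviations[name], *margins[name]) for name in margins}
    return classify(levels.values()), levels


def reduced_state_counts(n_components):
    """Enumerate every combination of three levels and count the states per class."""
    combos = product((NORMAL, WARNING, UNSAFE), repeat=n_components)
    counts = Counter(classify(c) for c in combos)
    counts["idle"] = 1  # initial state entered through the reset signal
    return dict(counts)


def closed_form_counts(n):
    """Same counts without enumeration: 1 safe, 2^n - 1 warning, 3^n - 2^n unsafe."""
    return {"safe": 1, "warning": 2**n - 1, "unsafe": 3**n - 2**n, "idle": 1}


def raw_state_space():
    """Size of the VSM state space before the three-level reduction."""
    return prod(VSM_RAW_FACTORS)


if __name__ == "__main__":
    print(reduced_state_counts(len(MARGINS)))
    print(f"raw {raw_state_space():.3e} -> reduced {3 ** len(MARGINS)} (+1 idle)")
```

The closed form shows why the unsafe class dominates the reduced space: with five components, 211 of the 243 combinations contain at least one component beyond its unsafe threshold.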
VI. SIMULATION AND SYNTHESIS
In our research, we develop a behavior monitoring tool
for each of the four devices: PCA, CD, VSM, and CGM. We
used Mentor Graphics ModelSim-Altera software and Quartus
II software to simulate and synthesize the design of the
idealized FSM model that reflects the monitoring tool. Timing
simulation was applied to the design files to make sure that the
logic of the design is correct and to ensure that the synthesized
design meets the functional and timing requirements and
behaves as expected. Tables VII through X show the resource
utilization and power analysis summaries for PCA, CD, VSM,
and CGM, respectively. Furthermore, Tables XI through XIV
show timing analysis summaries for PCA, CD, VSM, and
CGM, respectively.
TABLE VII.A. UTILIZATION SUMMARY OF PCA BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780C7
Timing Models | Final
Total logic elements | 57 / 119,088 (< 1 %)
Total combinational functions | 57 / 119,088 (< 1 %)
Dedicated logic registers | 4 / 119,088 (< 1 %)
Total registers | 4
Total pins | 32 / 532 (6 %)
TABLE VII.B. POWER ANALYSIS SUMMARY OF PCA BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780C7
Power Models | Final
Total Thermal Power Dissipation | 120.48 mW
Core Dynamic Thermal Power Dissipation | 1.64 mW
Core Static Thermal Power Dissipation | 99.06 mW
I/O Thermal Power Dissipation | 19.77 mW
TABLE VIII.A. UTILIZATION SUMMARY OF CD BSRM
Attribute | Criteria
Family | Cyclone IV GX
Device | EP4CGX150DF31I7
Timing Models | Final
Total logic elements | 54 / 149,760 (< 1 %)
Total combinational functions | 54 / 149,760 (< 1 %)
Dedicated logic registers | 4 / 149,760 (< 1 %)
Total registers | 4
Total pins | 36 / 508 (7 %)
TABLE VIII.B. POWER ANALYSIS SUMMARY OF PCA BSRM
Attribute | Criteria
Family | Cyclone IV GX
Device | EP4CGX150DF31I7
Power Models | Final
Total Thermal Power Dissipation | 141.18 mW
Core Dynamic Thermal Power Dissipation | 2.14 mW
Core Static Thermal Power Dissipation | 118.71 mW
I/O Thermal Power Dissipation | 20.33 mW
TABLE IX.A. UTILIZATION SUMMARY OF VSM BSRM
TABLE IX.B. POWER ANALYSIS SUMMARY OF VSM BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780I7
Power Models | Final
Total Thermal Power Dissipation | 121.77 mW
Core Dynamic Thermal Power Dissipation | 1.67 mW
Core Static Thermal Power Dissipation | 99.06 mW
I/O Thermal Power Dissipation | 21.04 mW
TABLE X.A. UTILIZATION SUMMARY OF CGM BSRM
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780I7
Timing Models | Final
Total logic elements | 56 / 119,088 (< 1 %)
Total combinational functions | 56 / 119,088 (< 1 %)
Dedicated logic registers | 4 / 119,088 (< 1 %)
Total registers | 4
Total pins | 45 / 532 (8 %)
TABLE X.B. POWER ANALYSIS SUMMARY OF CGM BSRM
Attribute | Criteria
Family | Cyclone IV GX
Device | EP4CGX110DF31I7
Power Models | Final
Total Thermal Power Dissipation | 156.92 mW
Core Dynamic Thermal Power Dissipation | 2.49 mW
Core Static Thermal Power Dissipation | 118.74 mW
I/O Thermal Power Dissipation | 35.69 mW
TABLE XI. TIMING ANALYSIS SUMMARY OF PCA BSRM
Attribute | Timing Summary
Minimum period | 1.914 ns
Minimum input arrival time before clock | 10.819 ns
Maximum output required time after clock | 5.278 ns
Maximum combinational path delay | 12.857 ns
Maximum Frequency | 522.371 MHz
TABLE XII. TIMING ANALYSIS SUMMARY OF CD BSRM
Attribute | Timing Summary
Minimum period | 2.907 ns
Minimum input arrival time before clock | 14.113 ns
Maximum output required time after clock | 7.645 ns
Maximum combinational path delay | 16.110 ns
Maximum Frequency | 343.991 MHz
TABLE XIII. TIMING ANALYSIS SUMMARY OF VSM BSRM
Attribute | Timing Summary
Minimum period | 3.025 ns
Minimum input arrival time before clock | 12.601 ns
Maximum output required time after clock | 5.278 ns
Maximum combinational path delay | 6.256 ns
Maximum Frequency | 330.600 MHz
TABLE XIV. TIMING ANALYSIS SUMMARY FOR PCA BSRM
Attribute | Timing Summary
Minimum period | 3.25 ns
Minimum input arrival time before clock | 7.006 ns
Maximum output required time after clock | 4.114 ns
Maximum combinational path delay | 8.275 ns
Maximum Frequency | 380.700 MHz
VII. CONCLUSIONS
This study determined the effect of using a hardware
approach to detect malicious behavior in sensors and actuators
that are embedded in medical devices. The experimental
results confirmed that the specification behavior rules can be
utilized to build a hardware monitoring tool that can identify
the expected normal behavior of a device and detect any
deviation from its normal behavior. Furthermore, we showed
through our analysis that our model is consistent with two
dominant design requirements for next-generation high-end
applications: lower power consumption and higher bandwidth.
The reconfigurable nature of the FPGA allows the whole design
to be modified and updated according to the set of behavior rules,
which outperforms software-based approaches that are difficult
to update. In addition, hardware approaches are difficult to
hack. One of the most significant findings to emerge from
this study is that a hardware-based specification rules approach
can be used to identify malicious behavior. A natural
progression of this work is to analyze and investigate the
impact of attacker behaviors on the effectiveness of the
designed BSRM, and to analyze the mathematical expectation
of the compliance degree of the trustee from both theoretical
and practical standpoints.
REFERENCES
[1] D. M. Zuckerman, P. Brown, and S. E. Nissen, "Medical device recalls
and the FDA approval process," Archives of internal medicine, vol. 171,
pp. 1006-1011, 2011.
[2] R. Mitchell and I.-R. Chen, "Behavior rule specification-based intrusion
detection for safety critical medical cyber physical systems,"
Dependable and Secure Computing, IEEE Transactions on, vol. 12, pp.
16-30, 2015.
[3] M. Karanikolas, D. Aretha, P. Kiekkas, G. Monantera, I. Tsolakis, and
K. Filos, "Intravenous fentanyl patient‐controlled analgesia for
perioperative treatment of neuropathic/ischaemic pain in haemodialysis
patients: a case series," Journal of clinical pharmacy and therapeutics,
vol. 35, pp. 603-608, 2010.
[4] B. Sherman, I. Enu, and R. S. Sinatra, "Patient-Controlled Analgesia
Devices and Analgesic Infusion Pumps," Acute Pain Management, p.
302, 2009.
[5] W. A. Connex and V. Signs, "Monitor 6000 Series™," 2013.
[6] R. R. Rajkumar, I. Lee, L. Sha, and J. Stankovic, "Cyber-physical
systems: the next computing revolution," in Proceedings of the 47th
Design Automation Conference, 2010, pp. 731-736.
[7] C. H. Cabell, P. A. Heidenreich, V. H. Chu, C. M. Moore, M. E.
Stryjewski, G. R. Corey, et al., "Increasing rates of cardiac device
infections among Medicare beneficiaries: 1990–1999," American heart
journal, vol. 147, pp. 582-586, 2004.
[8] D. Tsujino and K. Utsunomiya, "[Continuous glucose monitoring
(CGM)]," Rinsho byori. The Japanese journal of clinical pathology, vol.
62, pp. 53-59, 2014.
[9] A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. N. Fovino, and A.
Trombetta, "A multidimensional critical state analysis for detecting
intrusions in SCADA systems," IEEE Transactions on Industrial
Informatics, vol. 7, pp. 179-186, 2011.
[10] B. Dutertre, "Formal modeling and analysis of the Modbus protocol," in
International Conference on Critical Infrastructure Protection, 2007, pp.
189-204.
[11] A. E. W. Johnson, T. J. Pollard, L. Shen, L.-w. H. Lehman, M. Feng, M.
Ghassemi, et al., "MIMIC-III, a freely accessible critical care database,"
Scientific Data, vol. 3, p. 160035, 2016.
[12] D. Liu, M. Görges, and S. A. Jenkins, "University of Queensland vital
signs dataset: Development of an accessible repository of anesthesia
patient monitoring data for research," Anesthesia & Analgesia, vol. 114,
pp. 584-589, 2012.
[13] M. Hazewinkel, ed., Disjunctive normal form: Springer, 2001.
Attribute | Criteria
Family | Cyclone III
Device | EP3C120F780I7
Timing Models | Final
Total logic elements | 56 / 119,088 (< 1 %)
Total combinational functions | 56 / 119,088 (< 1 %)
Dedicated logic registers | 4 / 119,088 (< 1 %)
Total registers | 4
Total pins | 45 / 532 (8 %)