DOI: 10.1145/2744769.2744869
research-article

Memory heat map: anomaly detection in real-time embedded systems using memory behavior

Published: 07 June 2015

Abstract

In this paper, we introduce a novel mechanism that identifies abnormal system-wide behaviors using the predictable nature of real-time embedded applications. We introduce Memory Heat Map (MHM) to characterize the memory behavior of the operating system. Our machine learning algorithms automatically (a) summarize the information contained in the MHMs and then (b) detect deviations from the normal memory behavior patterns. These methods are implemented on top of a multicore processor architecture to aid in the process of monitoring and detection. The techniques are evaluated using multiple attack scenarios including kernel rootkits and shellcode. To the best of our knowledge, this is the first work that uses aggregated memory behavior for detecting system anomalies, especially the concept of memory heat maps.

Published In

DAC '15: Proceedings of the 52nd Annual Design Automation Conference
June 2015
1204 pages
ISBN: 9781450335201
DOI: 10.1145/2744769

Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

1. intrusion detection
2. memory heat map
3. real-time systems

Qualifiers

• Research-article

Conference

DAC '15: The 52nd Annual Design Automation Conference 2015
June 7 - 11, 2015
California, San Francisco

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%

Cited By

• (2024) SoK: Security in Real-Time Systems. ACM Computing Surveys 56:9 (1-31). DOI: 10.1145/3649499. Online publication date: 25-Apr-2024
• (2024) Integrated CPU Monitoring Using 2D Temperature Sensor Arrays Directly Printed on Heat Sinks. Advanced Materials Technologies 9:8. DOI: 10.1002/admt.202301631. Online publication date: 8-Mar-2024
• (2023) System Auditing for Real-Time Systems. ACM Transactions on Privacy and Security 26:4 (1-37). DOI: 10.1145/3625229. Online publication date: 13-Nov-2023
• (2023) You Can’t Always Check What You Wanted: Selective Checking and Trusted Execution to Prevent False Actuations in Real-Time Internet-of-Things. 2023 IEEE 26th International Symposium on Real-Time Distributed Computing (ISORC) (42-53). DOI: 10.1109/ISORC58943.2023.00017. Online publication date: May-2023
• (2023) Stacked LSTM Based Anomaly Detection in Time-Critical Automotive Networks. Machine Learning and Optimization Techniques for Automotive Cyber-Physical Systems (349-380). DOI: 10.1007/978-3-031-28016-0_11. Online publication date: 2-Sep-2023
• (2023) Real-Time Intrusion Detection in Automotive Cyber-Physical Systems with Recurrent Autoencoders. Machine Learning and Optimization Techniques for Automotive Cyber-Physical Systems (317-347). DOI: 10.1007/978-3-031-28016-0_10. Online publication date: 2-Sep-2023
• (2023) AI for Cybersecurity in Distributed Automotive IoT Systems. Frontiers of Quality Electronic Design (QED) (297-326). DOI: 10.1007/978-3-031-16344-9_8. Online publication date: 12-Jan-2023
• (2022) RASCv2: Enabling Remote Access to Side-Channels for Mission Critical and IoT Systems. ACM Transactions on Design Automation of Electronic Systems 27:6 (1-25). DOI: 10.1145/3524123. Online publication date: 27-Jun-2022
• (2022) Partitioned Real-Time Scheduling for Preventing Information Leakage. IEEE Access 10 (22712-22723). DOI: 10.1109/ACCESS.2022.3154055. Online publication date: 2022
• (2022) On the Feasibility of Anomaly Detection with Fine-Grained Program Tracing Events. Journal of Network and Systems Management 30:2. DOI: 10.1007/s10922-021-09635-3. Online publication date: 20-Jan-2022
