ABSTRACT
Detecting anomalous application executions is a challenging problem, due to the diversity of anomalies that can occur, such as programming bugs, silent data corruption, or even malicious code corruption. Moreover, anomalous executions can closely resemble a regular execution, especially in the case of silent data corruption, which makes them difficult to distinguish from normal executions. In this paper, we develop a mechanism that can detect such anomalous executions based on changes in the memory access pattern of an application. We analyze memory patterns using a two-level machine learning approach. First, we classify the behavior of different memory access periods within applications using Gaussian mixtures. Then, based on these classifications, we construct matrix representations of Markov chains to obtain information regarding the temporal behavior of these memory accesses. Based on metrics of matrix similarity, we can classify whether the application behaves as expected or anomalously. Using gradient boosting on the metrics of matrix similarity, our technique correctly classifies more than 85% of all executions, identifying instances of the same application and different applications. We can also detect a range of faulty executions caused by benign or malicious permanent bit flips in the code section.
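The second level described in the abstract can be sketched as follows; this is an added example, not the authors' code. It assumes each memory access period has already been assigned a cluster label by the Gaussian mixture stage, uses constructed label sequences, and picks two distance metrics (Frobenius distance and largest per-row total variation) as illustrative choices, since the abstract does not name the metrics used.

```python
import math

def transition_matrix(labels, k):
    """Row-stochastic k x k Markov matrix estimated from a sequence of cluster labels."""
    counts = [[0] * k for _ in range(k)]
    for a, b in zip(labels, labels[1:]):
        counts[a][b] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        # A state with no outgoing transitions in this run gets a uniform row,
        # so every row still sums to 1 and matrices stay comparable.
        matrix.append([c / total for c in row] if total else [1.0 / k] * k)
    return matrix

def similarity_metrics(p, q):
    """Assumed distance metrics between two transition matrices (0 means identical)."""
    diffs = [a - b for rp, rq in zip(p, q) for a, b in zip(rp, rq)]
    frobenius = math.sqrt(sum(d * d for d in diffs))
    # Largest per-state total variation: the worst-case change in next-state behaviour.
    max_row_tv = max(0.5 * sum(abs(a - b) for a, b in zip(rp, rq))
                     for rp, rq in zip(p, q))
    return {"frobenius": frobenius, "max_row_tv": max_row_tv}

# Constructed label sequences, one label per memory access period.
# Hypothetical meaning: 0 = sequential, 1 = strided, 2 = irregular.
REFERENCE = [0, 0, 1, 0, 0, 1, 0, 0, 1, 2, 0, 0, 1, 0, 0, 1]
SAME_APP = REFERENCE + [0, 0, 1]   # a slightly longer run of the same application
FAULTY = [0, 2, 2, 1, 2, 0, 2, 2, 1, 2, 2, 0, 2, 1, 2, 2]

def compare(run, reference=REFERENCE, k=3):
    """Metrics for one observed run against the reference profile."""
    return similarity_metrics(transition_matrix(reference, k),
                              transition_matrix(run, k))

if __name__ == "__main__":
    for name, run in (("same_app", SAME_APP), ("faulty", FAULTY)):
        print(name, compare(run))
```

In the paper's pipeline, metrics like these are the input features to the gradient boosting classifier rather than being compared against a fixed threshold.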
Index Terms
- Data mining the memory access stream to detect anomalous application behavior