Data-driven Anomaly Detection with Timing Features for Embedded Systems

Published: 02 April 2019

Abstract

Malware is a serious threat to network-connected embedded systems, as evidenced by the continued and rapid growth of such devices, commonly referred to as the Internet of Things. Their ubiquitous use in critical applications requires robust protection to ensure user safety and privacy. That protection must be applied to all system aspects, extending beyond protecting the network and external interfaces. Anomaly detection is one of the last lines of defence against malware, in which data-driven approaches that require the least domain knowledge are popular. However, embedded systems, particularly edge devices, face several challenges in applying data-driven anomaly detection, including unpredictability of malware, limited tolerance to long data collection windows, and limited computing/energy resources. In this article, we utilize subcomponent timing information of software execution, including intrinsic software execution, instruction cache misses, and data cache misses as features, to detect anomalies based on ranges, multi-dimensional Euclidean distance, and classification at runtime. Detection methods based on lumped timing range are also evaluated and compared. We design several hardware detectors implementing these data-driven detection methods, which non-intrusively measure lumped/subcomponent timing of all system/function calls of the embedded application. We evaluate the area, power, and detection latency of the presented detector designs. Experimental results demonstrate that the subcomponent timing model provides sufficient features to achieve high detection accuracy with low false-positive rates using a one-class support vector machine, considering sophisticated mimicry malware.
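
The contrast between lumped-range, subcomponent-range and Euclidean-distance detection described in the abstract, as an added example that is not code from the article. The timing values, the centroid-plus-radius threshold and all names are constructed assumptions, and the one-class SVM classifier is left out.

```python
import math

# Constructed training data for one monitored function, in cycles:
# (intrinsic execution, instruction-cache miss time, data-cache miss time).
NORMAL = [
    (1000, 40, 120), (1010, 60, 100), (990, 50, 130),
    (1005, 45, 110), (995, 55, 125), (1002, 52, 115),
]

def train(samples):
    """Fit the lumped range, per-subcomponent ranges and a distance model."""
    dims = list(zip(*samples))
    lumped = [sum(s) for s in samples]
    centroid = tuple(sum(d) / len(d) for d in dims)
    return {
        "lumped": (min(lumped), max(lumped)),
        "ranges": [(min(d), max(d)) for d in dims],
        "centroid": centroid,
        # Assumed threshold: the farthest training sample from the centroid.
        "radius": max(math.dist(s, centroid) for s in samples),
    }

def classify(model, sample):
    """Return, per method, True when the sample is flagged as anomalous."""
    lo, hi = model["lumped"]
    return {
        "lumped_range": not lo <= sum(sample) <= hi,
        "subcomponent_range": any(
            not lo_i <= v <= hi_i
            for v, (lo_i, hi_i) in zip(sample, model["ranges"])
        ),
        "euclidean_distance":
            math.dist(sample, model["centroid"]) > model["radius"],
    }

MODEL = train(NORMAL)
# Constructed mimicry-style sample: added intrinsic work is offset by fewer
# cache-miss cycles, so the lumped total (1165) stays inside the trained range.
MIMICRY = (1060, 30, 75)
# Constructed sample 2 cycles above the trained intrinsic range.
BORDERLINE = (1012, 50, 110)

if __name__ == "__main__":
    for name, s in [("normal", NORMAL[0]), ("mimicry", MIMICRY),
                    ("borderline", BORDERLINE)]:
        print(name, classify(MODEL, s))
```

The mimicry sample passes the lumped check and is flagged by both subcomponent methods, while the borderline sample shows that the range and distance methods draw different boundaries around the same training data.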

Published In

ACM Transactions on Design Automation of Electronic Systems, Volume 24, Issue 3
May 2019
266 pages
ISSN: 1084-4309
EISSN: 1557-7309
DOI: 10.1145/3319359
Editor: Naehyuck Chang
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 April 2019
Accepted: 01 September 2018
Revised: 01 September 2018
Received: 01 October 2017
Published in TODAES Volume 24, Issue 3

Author Tags

  1. One-class SVM
  2. anomaly detection
  3. embedded system security
  4. software security
  5. timing-based detection

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (Last 12 months): 45
  • Downloads (Last 6 weeks): 0

Reflects downloads up to 18 Feb 2025

Cited By

  • (2024) A Survey on Security of UAV Swarm Networks: Attacks and Countermeasures. ACM Computing Surveys 57:3 (1-37). DOI: 10.1145/3703625. Online publication date: 22-Nov-2024
  • (2024) Hybrid and co-learning approach for anomalies prediction and explanation of wind turbine systems. Engineering Applications of Artificial Intelligence 133:PA. DOI: 10.1016/j.engappai.2024.108046. Online publication date: 1-Jul-2024
  • (2023) Anomaly Behaviour tracing of CHERI-RISC V using Hardware-Software Co-design. 2023 21st IEEE Interregional NEWCAS Conference (NEWCAS) (1-5). DOI: 10.1109/NEWCAS57931.2023.10198103. Online publication date: 26-Jun-2023
  • (2023) Designing an Evaluation Framework for IoT Environmental Monitoring Systems. Procedia Computer Science 219 (220-227). DOI: 10.1016/j.procs.2023.01.284. Online publication date: 2023
  • (2022) Context-Aware Security Modes For Medical Devices. 2022 Annual Modeling and Simulation Conference (ANNSIM) (372-382). DOI: 10.23919/ANNSIM55834.2022.9859283. Online publication date: 18-Jul-2022
  • (2022) Benchmark Tool for Detecting Anomalous Program Behaviour on Embedded Devices. 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (1187-1192). DOI: 10.1109/TrustCom56396.2022.00164. Online publication date: Dec-2022
  • (2021) Application-Aware Intrusion Detection: A Systematic Literature Review, Implications for Automotive Systems, and Applicability of AutoML. Frontiers in Computer Science 3. DOI: 10.3389/fcomp.2021.567873. Online publication date: 24-Aug-2021
  • (2021) Probabilistic Estimation of Threat Intrusion in Embedded Systems for Runtime Detection. ACM Transactions on Embedded Computing Systems 20:2 (1-27). DOI: 10.1145/3432590. Online publication date: 4-Jan-2021
  • (2021) Multi-mode Systems for Resilient Security in Industry 4.0. Procedia Computer Science 180 (301-307). DOI: 10.1016/j.procs.2021.01.167. Online publication date: 2021
  • (2020) Statistical time-based intrusion detection in embedded systems. Proceedings of the 23rd Conference on Design, Automation and Test in Europe (562-567). DOI: 10.5555/3408352.3408479. Online publication date: 9-Mar-2020
