Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters

We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic...

Full description

Saved in:
Bibliographic Details
Published inIEEE transactions on information forensics and security Vol. 15; pp. 666 - 680
Main Authors Krishnamurthy, Prashanth, Karri, Ramesh, Khorrami, Farshad
Format Journal Article
LanguageEnglish
Published New York IEEE 2020
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subjects
Anomalies
Anomaly detection
Classifiers
cyber security
Cyber-physical systems
Embedded systems
Hardware
Hardware-in-the-loop simulation
Machine learning
Malware
Methodology
Microprocessors
Monitoring
Process control
Program processors
programmable logic controller
Programmable logic controllers
Real time
Real-time systems
resilient control
Time measurement
Time series
Time series analysis
Windows (intervals)
Online AccessGet full text

Cover

More Information
Summary:We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1556-6013
1556-6021
DOI:10.1109/TIFS.2019.2923577