Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters

Bibliographic Details
Published in IEEE transactions on information forensics and security Vol. 15; pp. 666 - 680
Main Authors Krishnamurthy, Prashanth, Karri, Ramesh, Khorrami, Farshad
Format Journal Article
Language English
Published New York IEEE 2020
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Abstract We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.
Author Khorrami, Farshad
Karri, Ramesh
Krishnamurthy, Prashanth
Author_xml – sequence: 1
  givenname: Prashanth
  orcidid: 0000-0001-8264-7972
  surname: Krishnamurthy
  fullname: Krishnamurthy, Prashanth
  email: prashanth.krishnamurthy@nyu.edu
  organization: Department of Electrical and Computer Engineering, NYU Tandon School of Engineering, Brooklyn, NY, USA
– sequence: 2
  givenname: Ramesh
  orcidid: 0000-0001-7989-5617
  surname: Karri
  fullname: Karri, Ramesh
  email: rkarri@nyu.edu
  organization: Department of Electrical and Computer Engineering, NYU Tandon School of Engineering, Brooklyn, NY, USA
– sequence: 3
  givenname: Farshad
  orcidid: 0000-0002-8418-004X
  surname: Khorrami
  fullname: Khorrami, Farshad
  email: khorrami@nyu.edu
  organization: Department of Electrical and Computer Engineering, NYU Tandon School of Engineering, Brooklyn, NY, USA
CODEN ITIFA6
ContentType Journal Article
Copyright Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2020
DOI 10.1109/TIFS.2019.2923577
DatabaseName IEEE Xplore (IEEE)
IEEE All-Society Periodicals Package (ASPP) 1998–Present
IEEE Electronic Library (IEL)
CrossRef
Computer and Information Systems Abstracts
Electronics & Communications Abstracts
Mechanical & Transportation Engineering Abstracts
Technology Research Database
Engineering Research Database
ProQuest Computer Science Collection
Civil Engineering Abstracts
Advanced Technologies Database with Aerospace
Computer and Information Systems Abstracts – Academic
Computer and Information Systems Abstracts Professional
Discipline Engineering
Computer Science
EISSN 1556-6021
EndPage 680
ExternalDocumentID 10_1109_TIFS_2019_2923577
8737990
Genre orig-research
GrantInformation_xml – fundername: Defense Advanced Research Projects Agency
  grantid: FA8750-16-C-0179
  funderid: 10.13039/100000185
– fundername: Office of Naval Research; U.S. Office of Naval Research
  grantid: N00014-15-1-2182; N00014-17-1-2006
  funderid: 10.13039/100000006
ISSN 1556-6013
IsPeerReviewed true
IsScholarly true
Language English
License https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html
https://doi.org/10.15223/policy-029
https://doi.org/10.15223/policy-037
PageCount 15
PublicationTitle IEEE transactions on information forensics and security
PublicationTitleAbbrev TIFS
PublicationYear 2020
Publisher IEEE
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
StartPage 666
SubjectTerms Anomalies
Anomaly detection
Classifiers
cyber security
Cyber-physical systems
Embedded systems
Hardware
Hardware-in-the-loop simulation
Machine learning
Malware
Methodology
Microprocessors
Monitoring
Process control
Program processors
programmable logic controller
Programmable logic controllers
Real time
Real-time systems
resilient control
Time measurement
Time series
Time series analysis
Windows (intervals)
Title Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters
URI https://ieeexplore.ieee.org/document/8737990
https://www.proquest.com/docview/2298711483
Volume 15